Managing certificates

I can’t link to that method specifically, but it’s here:
https://www.truenas.com/docs/api/scale_websocket_api.html#certificate

@dan, the document you linked to says certificate.create is a job and I see in your script that you give the full path name to the certificate and private key, not the actual content. So this must mean that the files need to be on the actual TrueNAS host for a job to read them right?

Nope. Here’s the relevant code:

import logging
import sys

logger = logging.getLogger(__name__)

# Load cert/key: the file contents, not the paths, are what gets sent to the API
def read_file(path, description):
    try:
        with open(path, 'r') as file:
            return file.read()
    except Exception as e:
        logger.critical(f"Error reading {description}: {e}")
        sys.exit(1)

priv_key = read_file(PRIVATEKEY_PATH, "Private key")
full_chain = read_file(FULLCHAIN_PATH, "Full chain")

. . .
    # c is the connected TrueNAS API client; the PEM text is passed inline
    args = {"name": cert_name, "certificate": full_chain, "privatekey": priv_key, "create_type": "CERTIFICATE_CREATE_IMPORTED"}
    try:
        cert = c.call("certificate.create", args, job=True)
        logger.debug(cert)
        logger.info(f"Certificate {cert_name} imported.")
    except Exception as e:  # error branch elided in the post; mirrors read_file
        logger.critical(f"Error importing certificate {cert_name}: {e}")
        sys.exit(1)

Importantly, full_chain and priv_key contain the contents of those files, not just the paths to them. Most of my testing has been on a remote Debian VM.

ok, I see that now. I skipped over the read_file function.

thanks

Dan, I ran across the TrueNAS Go API on GitHub, truenas/api_client_golang, and was interested in learning to use it. I rewrote your tool deploy_truenas.py in Go. I thought you might be interested in it. See tnascert-deploy

Nice thing with Go is that you get a statically-linked binary that can run anywhere with no external dependencies–it’d save a bit of prep work compared to my Python version.

Yes, I’ve built and tested it on FreeBSD, macOS, and Debian Linux. I’ve copied the Linux build to both my TrueNAS hosts and am set up to automatically install my next set of Let’s Encrypt certificates.

John

Any chance of making pre-built binaries available in the repo? I understand GitHub can automate that process, though that isn’t something I’ve ever worked with myself.

@dan I built a version on a Debian bookworm x86_64 VM. I created a 1.1 release with a tar file containing the binary, tnascert-deploy and a sample tnas-cert.ini file. I did that so that you can try it out. I’m not so sure that I want to support binary releases going forward though. So give it a try and let me know how it works out for you.

Go to https://github.com/jrushford/tnascert-deploy and then select “Release version 1.1” to download the binary.

@dan let me know how it works out for you. I don’t think you’ll have any issues but if you do, send me debug logging. I’ve used and tested it on my TrueNAS 25.04 machines with no issues.

What the heck, I added builds for macOS arm64, and FreeBSD x86_64. See https://github.com/jrushford/tnascert-deploy and select the Release version 1.1 link

That’s incorrect and somewhat FUD. /websocket is the legacy path since FreeNAS 11. The correct path going forward will be /api/current (the current API for that version) or /api/<version>.

Starting in 25.04 we require wss (secure) for API key authentication. You will get alerts and your key disabled if you do it via ws. If you are using our python API client you can specify to not validate certs.

/websocket was the documented path as recently as 24.10. But yes, the text you quoted (and what surrounded it) had the paths reversed and was thus incorrect–I’ve edited the post to note this.

This should be implemented now.

OK, this is odd: just for grins, I built your client on Windows (and Go being Go, it built without issue). Then I ran it, expecting a usage message or something. Instead, I got this:

 tnascert-deploy-master  .\tnascert-deploy.exe
2025/05/02 07:53:50 verified the certificate key pair
2025/05/02 07:53:50 using test environment
2025/05/02 07:53:50 installing certificate: tnas-cert-deploy-2025-01-01-0101683628
2025/05/02 07:53:50 successfully logged in
2025/05/02 07:53:50 started the certificate creation job with ID: 101
2025/05/02 07:53:52 Job progress: 100.00%
2025/05/02 07:53:52 Job completed successfully!
2025/05/02 07:53:52 found new certificate, tnas-cert-deploy-2025-01-01-0101683628, id: 3
2025/05/02 07:53:52 certificate tnas-cert-deploy-2025-01-01-0101683628 deployed successfully
2025/05/02 07:53:52 the FTP service certificate updated successfully to tnas-cert-deploy-2025-01-01-0101683628
2025/05/02 07:53:52 deleting old certificate tnas-cert-deploy-2024-12-31-0801683628, with job ID: 101
2025/05/02 07:53:54 Job progress: 100.00%
2025/05/02 07:53:54 job completed successfully, certificate tnas-cert-deploy-2024-12-31-0801683628 was deleted
2025/05/02 07:53:54 the UI has been restarted

That’s, um, unexpected?

@dan It ran the unit tests using the tnas-cert.ini in your current directory, the repository clone. The “default” tag in tnas-cert.ini is for the unit tests. So, yes, that’s expected. Note the first log message, “2025/05/02 07:53:50 using test environment”

For usage, use “tnascert-deploy -h”.

I’ve linked your tool in my README as an alternative.

I don’t normally use Windows, but I put up a zip file on GitHub with a Windows 11 x86_64 executable and sample_tnas-cert.ini. See:

https://github.com/jrushford/tnascert-deploy/releases/tag/v1.1

I have a new version up on GitHub, 1.2. It’s been refactored so that unit tests are no longer compiled in. You can run them, though, with ‘make run-tests’. I also added a --version option. You can build either with ‘go build’ or ‘make’. There are binary releases for FreeBSD, Linux, Windows 11, and macOS at:

tnascert-deploy-1.2

The repository is at:

tnascert-deploy

I’ve been using certbot on my domain Apache web server to install and automate my wildcard certificate installation, and I now use the certbot deployment hooks on that web server to automate deployment of my certificate to both of my TrueNAS instances. Works great.

Hi guys,

I know this is an old thread, but has anyone experienced issues with cert creation? Below is the error I am getting: initial validation completes and then an error.
I’ve verified my internet connection is working on the box, and that the process I’m using is correct as well, by using my other TrueNAS server to replicate the steps. I have also used this setup, “Howto: ACME DNS-Authenticator shell script using acmesh project”, to see if it is just an issue with the CF DNS authenticator, but it still completes the CSR process and then doesn’t complete issuing the cert.