TLS certificates from a local certificate authority

A few years ago, I wrote a resource with an accompanying script for obtaining a certificate for your FreeNAS server from Let’s Encrypt. The script has worked well for me, with some updates, since then.

More recently, I’ve come to think that, for LAN resources that will only be used by local clients, a local certificate authority would make more sense. I ran across this site:

from another post here, and decided to follow the guide, and it works well to set up a local CA with an ACME front-end. But when I wanted to obtain certificates for my TrueNAS systems, I ran into a bit of a problem. I’d obtained certs from Let’s Encrypt using DNS validation, which doesn’t require any HTTP connection to the server itself. But I wasn’t sure how to make that work with my local CA, so I needed to figure out how make HTTP validation work instead.

To get a cert using HTTP validation, the server needs to respond to a request for http://server_name/.well-known/acme-challenge/longcryptotoken with certain contents. But TrueNAS directs this request to the GUI, which means the challenge fails. In discussions with @Constantin and some discussion on another thread, I settled on replacing nginx.conf with a temporary version, whose only purpose is to serve the challenge file. The result was this script:

This script will back up your existing nginx.conf file, replace it with a temporary config file, and then call (which must already be installed) to obtain a certificate. Once the cert is obtained, it will replace the temporary config file with the original one. This script doesn’t install your new cert in FreeNAS, though–for that, I’d recommend using my deployment script: