I have recently built a homelab system with TrueNAS Scale 25.04 and I want to try to get https going for accessing the server and its apps through the web ui. I have a few questions about how to do this that are interconnected and not fully answered for me by online tutorials.
I already have a .com domain name for my personal webpage which is hosted on Google Sites. Can I make it so that I have a cert that will only apply to say truenas (dot) mydomain (dot) com and not have that break the Google Site configuration?
Related to this, it seems from the TrueNAS documentation that I need to have my DNS through Cloudflare or similar to be able to use Certbot with LetsEncrypt. However since my personal site is a google site I don’t want my site behind Cloudflare, is there a way for me to have my DNS through Cloudflare while also having it point to the google site and not use the Cloudflare reverse proxy stuff?
Will the same SSL cert allow me to access other ports on the same machine for app management? I.e. port 8080 for the qBit admin page, etc.?
Basically I want to have it so that the behavior of my www (dot) mydomain (dot) com personal site on Google Sites is unchanged while also allowing me to have a browser trusted SSL cert to access the NAS over my local network.
Yes. Though I recommend using a subdomain for resources on your LAN, so it’d be more like truenas.lan.mydomain.com.
There’s no reason to use Certbot with TrueNAS (or with anything else IMO, though that’s a side issue).
Of course; Cloudflare works well in DNS-only mode.
Certs aren’t tied to ports, but they are tied to hostnames and also to applications. Some of the apps in the catalog directly support TLS, but most don’t. The way to handle TLS for most catalog apps is to use a reverse proxy like Nginx Proxy Manager:
I saw a reply from you, but it looks like the forum died and lost it, along with my second post. But nonetheless…
You could, but the better way to go IMO is to put its UI behind a reverse proxy (probably with a wildcard cert). That handles TLS termination, and also avoids the use of weird custom ports for that UI.
Another option is to apply for multiple certificates, then assign one to each device / app. That works better for me because my password manager gets confused by tons of passwords for the same FQDN / IP address. Plus, as a side benefit you also get to use the default ports for a WebGUI, etc.
This only works for some Apps as some like PiHole are not configured to pull a certificate from the TrueNAS host. Thank you, @dan for identifying where it should be stored!
There’s no need for multiple certs for this purpose, though; a single wildcard will do just as well.
That’s what I do, and also what I recommend in the NPM guide: get a single wildcard cert (*.lan.whatever), assign individual FQDNs to each app (qbittorrent.lan.whatever, radarr.lan.whatever, etc.), and use that wildcard cert for all of them.
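The two replies above (certs are tied to hostnames, not ports; use one wildcard cert behind a reverse proxy with a distinct FQDN per app) can be checked concretely. The script below is an added example, not code from the thread or from Nginx Proxy Manager: it applies the browser/RFC 6125 wildcard-matching rule to decide which app hostnames a `*.lan.mydomain.com` cert actually covers, then renders plain nginx TLS-termination blocks that reuse that one cert and put every app on port 443. The hostnames, backend addresses and certificate paths are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample data (assumed values, not from the thread): one wildcard cert for the
# LAN subdomain, and a map of per-app FQDN -> backend URL on the NAS.
WILDCARD = "*.lan.mydomain.com"
CERT_PATH = "/etc/certs/wildcard.lan.mydomain.com/fullchain.pem"  # assumed path
KEY_PATH = "/etc/certs/wildcard.lan.mydomain.com/privkey.pem"     # assumed path
APPS: Dict[str, str] = {
    "truenas.lan.mydomain.com": "https://192.168.1.10:443",
    "qbittorrent.lan.mydomain.com": "http://192.168.1.10:8080",
    "radarr.lan.mydomain.com": "http://192.168.1.10:7878",
}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name (possibly a wildcard) cover this hostname?

    Follows the RFC 6125 / browser rules: '*' is accepted only as the entire
    left-most label, it matches exactly one label, and a name like '*.com'
    that would cover a whole top-level domain is treated as invalid.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # partial-label (f*.example) or multi-wildcard names are not accepted
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:
        return False  # '*.com' style wildcard: rejected
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # the wildcard covers exactly one, non-empty label
    return h_labels[1:] == p_labels[1:]


def check_coverage(cert_name: str, hostnames: List[str]) -> Tuple[List[str], List[str]]:
    """Split hostnames into those the cert name covers and those it does not."""
    covered = [h for h in hostnames if wildcard_matches(cert_name, h)]
    uncovered = [h for h in hostnames if h not in covered]
    return covered, uncovered


def nginx_server_block(fqdn: str, backend: str, cert_path: str, key_path: str) -> str:
    """One TLS-terminating server block: the app is reached on 443 under its own
    FQDN, and the proxy forwards to the app's real (possibly custom) port."""
    return (
        "server {\n"
        "    listen 443 ssl;\n"
        f"    server_name {fqdn};\n"
        f"    ssl_certificate     {cert_path};\n"
        f"    ssl_certificate_key {key_path};\n"
        "    location / {\n"
        f"        proxy_pass {backend};\n"
        "        proxy_set_header Host $host;\n"
        "        proxy_set_header X-Forwarded-Proto https;\n"
        "    }\n"
        "}\n"
    )


def render_nginx_config(cert_name: str, apps: Dict[str, str],
                        cert_path: str, key_path: str) -> str:
    """Render a server block per app, refusing any FQDN the single wildcard cert
    would not cover (a browser would show a name-mismatch warning for it)."""
    _, uncovered = check_coverage(cert_name, list(apps))
    if uncovered:
        raise ValueError(f"{cert_name} does not cover: {', '.join(uncovered)}")
    return "\n".join(nginx_server_block(fqdn, backend, cert_path, key_path)
                     for fqdn, backend in apps.items())


if __name__ == "__main__":
    print(render_nginx_config(WILDCARD, APPS, CERT_PATH, KEY_PATH))
```

Note the edge cases the matcher enforces: the wildcard covers `qbittorrent.lan.mydomain.com` but not the bare `lan.mydomain.com`, not a two-level name like `a.b.lan.mydomain.com`, and not `www.mydomain.com`, which is why the Google-hosted site is unaffected by whatever cert the NAS presents.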
I’m planning to go down this route with your nginx tutorial; does that tutorial end up setting up the auto-renewal for the certificate as well via some ACME setup?
Is it also possible for me to have the NPM admin page use https? Your guide doesn’t mention doing that. I’ve successfully set up all of the other services on my NAS to use https so far, so NPM is the last one.
I’d expect you could do it by setting up a proxy host to localhost:30020. If that doesn’t work, I’d check the NPM docs and/or whatever support channels they have.