Using nginx certificate for TrueNAS Scale instance

Hi there, I searched for a solution for hours but couldn’t find any good information.

I have installed Nginx Proxy Manager from the app list and added a wildcard certificate via Let’s Encrypt. Now I tried to add the TrueNAS UI as a Proxy Host, using the IP of the server / localhost, port 80 and http in the nginx settings. As the domain for this I use somedomain,duckdns,org (commas, so it won’t be recognized as a URL by the forum), where somedomain,duckdns,org points to the local IP address of my server (I am going to access it via a VPN at all times I’m not in the network).
When accessing somedomain,duckdns,org, I will get a “Your connection is not private” error, as the certificate is not valid. The certificate used is the internal self-signed certificate… The same happens for other applications like Nextcloud. How can I make TrueNAS Scale use the nginx certificate (and update it automatically if it changes)?

Thanks for any advice. If my setup needs more explanation, let me know.

It’s not the solution you’re asking for, but I:

  • have configured TrueNAS to request its own LetsEncrypt cert specifically for its webUI (via the Credentials->Certificates section of the webUI)
  • only use nginx-proxy-manager to provide certs for apps in the k3s/docker subsystem

I think nginx-proxy-manager can only proxy connections to services running on the internal bridge network. What you’re trying to do is hairpin traffic in via whatever public address npm is running on, then back out to the TNS webUI on whatever port you have it running on. I don’t think that’s possible.

On a side note: you shouldn’t really need a valid CA cert on your TrueNAS webui, because you’re not exposing it to the Internet, right?

Right? :smiley:

I am not too sure if my solution even makes sense, so thank you for your suggestion; it sounds reasonable to do it like you described. I got the TrueNAS webUI certificate to work, but the problem is still the same. For all the proxy hosts defined by nginx with the nginx certificate, the TrueNAS certificate is used instead. Am I missing an option to tell the apps installed on the TrueNAS system to use the certificate assigned by nginx?

Sounds like you have “Web Interface HTTP → HTTPS Redirect” ticked in System Settings → General → GUI

If you click the help icon next to that option it will^w used to explain why

It implements a rule that redirects all port 80 traffic to the webUI’s HTTPS port and breaks things like npm

I finally have everything set up.

This was actually not the problem. After accepting this, I gave in to using jails instead of the official nginx app. I used this excellent video to create a docker jail in which I am running nginx proxy manager on a dockge instance, just as shown in the mentioned video. With this I created my wildcard certificate and was able to set proxy hosts after creating a bridge interface. This is so I can reference the ip of the host machine, running the jail.
Now I only encountered one last problem: Nextcloud. When accessing it via the proxy host, it resolved the host to the local IP address of the TrueNAS instance. To solve this, I used this solution. Note that the OVERWRITEHOST variable can only be set if no Hostname is specified. See here for the forum post. After ensuring the self-signed certificate was used by Nextcloud, https worked as expected. This also means I don’t need a second certificate for the webUI besides the self-signed one. I only need the nginx certificate to use for all the proxy hosts, including the webUI.

One last thing:

You’re right. I redirect my domain to the local IP address of my TrueNAS server. So all of this setup only works when connected to my local network (or via a VPN). I simply wanted to figure this out for the sake of it and to have these pesky “This connection is insecure” messages disappear haha

I hope this will help some people trying to figure this out faster than I did :smiley:

1 Like
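As an added illustration (not configuration from this thread or from Nginx Proxy Manager itself), here is the plain nginx equivalent of the proxy host for the TrueNAS webUI described above: the wildcard certificate is terminated at the proxy, the webUI behind it keeps its self-signed certificate, and the proxy-to-TrueNAS hop is verified instead of left unauthenticated. Hostnames, addresses, subnets and file paths are assumptions.

```nginx
# Added example: plain nginx equivalent of an NPM proxy host for the TrueNAS webUI.
# Every name, address, subnet and path below is an assumption, not a value from the thread.

# The TrueNAS webUI talks to its middleware over websockets; pass the Upgrade header through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name truenas.somedomain.duckdns.org;   # assumed name covered by the wildcard cert

    # The wildcard certificate obtained by the proxy (assumed Let's Encrypt live path).
    ssl_certificate     /etc/letsencrypt/live/somedomain.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/somedomain.duckdns.org/privkey.pem;

    # Admin UI: reachable only from the LAN and the VPN range (assumed subnets), as in the thread.
    allow 192.168.1.0/24;
    allow 10.8.0.0/24;
    deny  all;

    location / {
        # Proxy to the webUI's HTTPS port rather than port 80: as explained above, the
        # "HTTP -> HTTPS Redirect" option turns port 80 into a redirect to the UI's own port.
        proxy_pass https://192.168.1.10:443;      # assumed TrueNAS host address
        proxy_ssl_server_name on;

        # The backend still presents its self-signed certificate. nginx does NOT verify it
        # by default; pin it here so this hop is authenticated too. proxy_ssl_name must match
        # a name in that self-signed certificate (assumed value).
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 1;
        proxy_ssl_name truenas.local;
        proxy_ssl_trusted_certificate /etc/nginx/truenas-selfsigned.crt;   # exported from the UI

        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600s;   # long-lived webUI websocket sessions
    }
}
```

Whether a given name ends up on the proxy's certificate or the backend's can be checked with `openssl s_client -servername <name> -connect <proxy-ip>:443`, which prints the issuer and subject that the client actually receives.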