Websocket API - change app certificate in EE+?

As I noted in another thread, I’m working on updating my deploy-freenas script to use the new websocket API. The current script performs the following operations:

  • Import the specified cert using the API
  • Set the UI to use the new cert
  • Optionally, set other services to use that cert
  • Optionally, set apps to use that cert
  • Delete old certs

I’m having a little trouble figuring out the “set apps to use that cert” piece. I can, I think, iterate through the installed apps to determine which ones currently have a cert assigned. I’m assuming it’d take some sort of invocation of app.update with the app name and the numeric cert ID–but I can’t find any indication in the API docs of what that would look like; I don’t see any mention in the docs for the app.update endpoint of a certificate.

Here’s what I have to ascertain whether an installed app has a cert in the first place. Any suggestions on how to specify a new cert for the app?

    if APPS_ENABLED==True:
        apps = c.call("app.query")
        for app in apps:
            # Fetch this app's configuration through the middleware client
            config = c.call("app.config", app["id"])
            if config.get("ix_certificates") is not None:
                # Update config to use new cert
                pass

ChatGPT’s answer involved a chart.release.update endpoint, which I’m 99% sure is unique to the Kubernetes-based app ecosystem.

Went down a bit of a rabbit hole with this one. Took me so much longer than I’d hoped to figure it out, but it’s as follows:

midclt call app.certificate_choices – Get available certs

In my case:

root@truenas[~]# midclt call app.certificate_choices                                              
[{"id": 4, "name": "CF_TRUENAS_WEBUI"}]

midclt call app.update appname '{"values": {"network": {"certificate_id": 4}}}' – Update with certificate ID obtained from previous output.

You can remove the certificate by changing the certificate_id value to null

I tested this with dockge but have not had a chance to test this with other apps; I can’t imagine why they wouldn’t all be the same.

That was enough of a pointer, thanks. That section of the code now reads:

    if APPS_ENABLED==True:
        # Update apps.  Any app whose configuration includes "ix_certificates", where
        # that dictionary includes any content, is updated to use the cert we just
        # uploaded.  This should mean any catalog apps for which a certificate has been
        # configured.
        apps = c.call("app.query")
        for app in apps:
            app_config = c.call("app.config", app["id"])
            # if app_config.get("ix_certificates") != None:
            if "ix_certificates" in app_config and app_config["ix_certificates"]:
                c.call("app.update", app["id"], {"values": {"network": {"certificate_id": cert_id}}}, job=True)
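Added example, not code from either poster or from the deploy script: the loop above with two extra checks, confirming the new cert ID appears in `app.certificate_choices` before touching any app, and recording per-app failures instead of stopping at the first one. `update_app_certs` and `FakeClient` are hypothetical names; `FakeClient` is a constructed stand-in for the client `c` so the block runs offline.

```python
# Added example: FakeClient is a constructed stand-in for the middleware client `c`.
class FakeClient:
    """Answers only the four API methods named in this thread, with constructed data."""
    def __init__(self):
        self.configs = {
            "dockge": {"ix_certificates": {"3": {"name": "old"}}},  # constructed sample
            "plain": {"ix_certificates": {}},                       # no cert configured
            "broken": {"ix_certificates": {"3": {"name": "old"}}},  # update will fail
        }
        self.updates = []

    def call(self, method, *args, job=False):
        if method == "app.certificate_choices":
            return [{"id": 4, "name": "CF_TRUENAS_WEBUI"}]
        if method == "app.query":
            return [{"id": name} for name in self.configs]
        if method == "app.config":
            return self.configs[args[0]]
        if method == "app.update":
            if args[0] == "broken":
                raise RuntimeError("constructed failure")
            self.updates.append(args)
            return None
        raise ValueError(f"unexpected method {method}")


def update_app_certs(c, cert_id):
    """Point every app that already has a certificate at cert_id.

    Returns (updated, failed): app ids that were updated, and (app id, error) pairs.
    """
    valid_ids = {choice["id"] for choice in c.call("app.certificate_choices")}
    if cert_id not in valid_ids:
        raise ValueError(f"certificate id {cert_id} is not offered to apps")
    updated, failed = [], []
    for app in c.call("app.query"):
        if not c.call("app.config", app["id"]).get("ix_certificates"):
            continue  # app has no certificate configured; leave it alone
        payload = {"values": {"network": {"certificate_id": cert_id}}}
        try:
            c.call("app.update", app["id"], payload, job=True)
            updated.append(app["id"])
        except Exception as exc:  # keep going so one app does not block the rest
            failed.append((app["id"], str(exc)))
    return updated, failed
```

A caller can check `failed` before moving on to the "delete old certs" step, so an app that did not switch is not left pointing at a cert that is about to be removed.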