Where to save HTTPS certificates?

Hello Everyone,

Not sure if this is the right place or not, sorry if I got it wrong.

I have just set up a TrueNAS PC on my network and I'd like to enable HTTPS for the web interface. As I already have my domain registered, I want to use certificates from my provider for *.domain use. I know it's on my local network and HTTPS isn't required, but I'm trying to learn about zero trust environments.

My domain provider (Porkbun) isn't supported, so I'm writing a program to get the certificates via their API. I can get the data: cert chain, public and private keys. But what's the format that TrueNAS wants, PEM for example?
Where should the certs be saved and what filenames should I use?

BTW, I know there’s a Bash script that does this, but I couldn’t get it to work.

Many thanks to anyone who takes the time to help.

Shad.

I don’t know if my script (in Python) is what you’re talking about, but if so, I’m happy to help on the resource thread for it.

But fundamentally, if you want TrueNAS to use your cert, you need to import it through the API. My script is one way to automate that; @jjrushford’s tnascert-deploy is another.

Here’s more detail on using my script with acme.sh to obtain and import a cert:


You can store the certificates on your TrueNAS volume. To import them into the UI, there are two tools you may use. One is tnascert-deploy: download the Linux binary here and use it from your NAS (tnascert-deploy 2.1 download). deploy_truenas.py is available as well.

I just cheat. I use a reverse proxy with the cert for the server on it, and point DNS at that reverse proxy. So "mynas.mydomain.com" points at 192.168.1.20 port 8443, and anything on the LAN will trust and believe the cert even if it's a wildcard.

Not helpful for this scenario, but nginx proxy manager and Caddy are neat ways to solve this problem, especially if your discount registrar makes getting certs a hassle. I use Cloudflare to manage my domains for free and get real certs from them. Glad you asked though; sometimes I wonder about bolting the cert directly to the server.


@Dan is definitely the resident guru regarding SSL (among many other topics). I used his scripts successfully in the past and still use a version of another one of his to pull and distribute SSLs to all my network equipment.

Cloudflare makes it relatively easy to pull FQDN SSL certificates for everything at zero cost. The only downside is the 90-day life for such certificates.

I too use Cloudflare for my domain and Let's Encrypt. I don't consider the 90-day life cycle a problem, as I use certbot to automate deployment using its post-deployment hooks. acme.sh also has deployment hooks. So the entire process is automated. The 90-day lifecycle is intended to increase the security of your TLS encryption.


Totally. It’s been a super reliable service and the API token approach makes it also secure.

Internally, my DNS is happy, ditto all browsers. Plus, there are some upsides, such as the UniFi app being easier to secure via TrueNAS-pulled certificates than the CloudKey 2.

Not all apps are easily secured, however. Some, like Pi-hole, are a PITA every time you update the app. But even there, a script and a certificate pulled by TrueNAS makes it relatively easy.

If the automation is working properly, the cert lifespan really is a non-issue. I’ve gone to the new short-lived (~6 day) certs for most of my LAN resources, and they’re renewing just fine.

acme.sh includes a script to deploy certs to UnifiOS, which has worked well for my CloudKey 2 for a number of years now.


Hello Everyone,

Wow, so many replies, thank you!

@dan I didn’t know of the existence of your Python script, I’ll take a look as soon as I can.

Once again, thank you everyone.

Best regards,

Shad

I’ve always liked Caddy, even if the switch from Caddy v1 to v2 was very disruptive. It’s now replaced Traefik as the reverse proxy for Docker apps on my NAS. Here’s how I use it (including the short-lived certs, if desired):


Yeah, I'm using Caddy mainly now because the NPM TN app kept having update issues; I got tired of fighting it. And it's a plug-in for my OPNsense firewall/router, so even better. Having internal DNS and Caddy on the same box in the same window makes standing up new reverse proxy hosts super streamlined. I can go from a new app in TrueNAS to a new named host with a valid cert in less than 60 seconds now.

NPM is probably better, especially for beginners, but development essentially died on it. Dude made it and moved on. I like apps with someone working on them regularly.

I might do another screenshot howto for it or a video to add to the few out there now.

I think NPM+ is actively maintained. I don't especially pay attention to it, though. But there's an app for it too; maybe I should do a guide for that (I already have one for NPM). NPM (and presumably NPM+) is nice if you want a GUI to set up the reverse proxy, but a recurring problem with NPM is that its logging completely sucks if you have trouble getting a cert.

I think I’ve seen a GUI plugin for Caddy, but haven’t used it at all.


Just a note that can save you some headaches later. This is the wrong way to think of TrueNAS in general. Whatever can be configured through the GUI is stored in a black box and needs to be passed through the API, period, no exceptions. The only place you are supposed to think of file paths is where the GUI expects you to provide one (like in cron, init/shutdown, …). The same is true for e.g. pfSense or OPNsense and many other appliance-like setups.

I have found it helpful to read the API documentation and/or to look through the browser's developer tools at the communication when configuring interesting things. The client (both command-line and a Python library) is available for scripting, if you are into it.


Hello numo68,

That's interesting, so rather than getting my cert data via Porkbun's API and then saving it to the file system, I should instead be feeding it to TrueNAS's API?

Sounds fun. Not sure if I mean that ironically or not at the moment :)

Thank you for the information nonetheless! Having the right mindset and expectations is always important in any endeavour.

Thank you and best regards,

Shad


Correct. Get your cert using whatever client you like (e.g., acme.sh as I describe in the guide I linked up-thread, lego, etc.), then deploy it using the API (using my script, tnascert-deploy, or some other tool, or of course you can write your own if you like). All easy to automate.

Edit to add: The process may involve saving the cert on the file system, but that isn’t what gets TrueNAS to use it; what gets TrueNAS to use it is the TrueNAS API.

My guide linked up-thread has you install acme.sh and my script on your NAS. You use acme.sh to obtain the cert, save it somewhere on your pool, and then call my script to deploy it to your NAS. You could also do the same thing on some other system, but then installing the Python TrueNAS API client gets messier. If you're wanting to obtain the cert on some other system and then deploy it to your NAS, I'd use tnascert-deploy instead, because it's a single, self-contained binary.

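To make the "files on the pool are not the thing, the API call is the thing" point above concrete for the original question (PEM from a provider's API, then into TrueNAS), here is an added example in Python. It is not deploy_truenas.py, tnascert-deploy or any other script from this thread. It takes the PEM text a provider hands you, normalises it, checks that every block is intact base64 and that the key is present, and then issues the import as a sequence of middleware calls. The method names certificate.create, system.general.update and system.general.ui_restart, and the CERTIFICATE_CREATE_IMPORTED payload shape, are what the deploy tools discussed here use as I understand them; treat them as an assumption and check them against the API docs for your TrueNAS version (on some versions certificate.create runs as a job, so the client you inject must wait for its result). The API client itself is injected as `call`, so you can hand it midclt, the truenas_api_client library, or a dry-run stub. The sample PEM blocks are constructed stand-ins, not real certificates.

```python
"""Push a provider-issued PEM certificate into TrueNAS through its API."""
import base64
import binascii
import re
from datetime import datetime, timezone

# One PEM object: label on the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

# Middleware methods as used by the deploy tools in the thread (assumption:
# verify against the API docs of your own TrueNAS version).
CREATE = "certificate.create"
UI_UPDATE = "system.general.update"
UI_RESTART = "system.general.ui_restart"


def split_pem(text):
    """Return [(label, block)] for every PEM object in text.

    Line endings are normalised to LF and each body must be valid base64, so a
    truncated or CRLF-mangled download fails here, before anything is sent.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        lines = [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
        try:
            base64.b64decode("".join(lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt base64 in {label} block: {exc}") from exc
        body = "\n".join(lines)
        blocks.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"))
    return blocks


def build_import(bundle_text, key_text, name_prefix="porkbun-wildcard"):
    """Build the certificate.create payload from the provider's bundle and key.

    The chain goes in as one PEM string in the order the provider gave it
    (leaf first, then intermediates); the private key is a separate field.
    """
    certs = [blk for lbl, blk in split_pem(bundle_text) if lbl == "CERTIFICATE"]
    keys = [blk for lbl, blk in split_pem(key_text) if lbl.endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("bundle contains no CERTIFICATE block")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    # Certificate names must be unique in TrueNAS; a date suffix keeps renewals apart.
    name = f"{name_prefix}-{datetime.now(timezone.utc):%Y%m%d}"
    return {
        "name": name,
        "create_type": "CERTIFICATE_CREATE_IMPORTED",
        "certificate": "".join(certs),
        "privatekey": keys[0],
    }


def deploy(call, bundle_text, key_text, name_prefix="porkbun-wildcard"):
    """Import the cert, select it for the web UI, restart the UI; return the new id.

    `call(method, *args)` is whatever API client you use (midclt, the
    truenas_api_client package, ...). Nothing here touches the filesystem.
    """
    payload = build_import(bundle_text, key_text, name_prefix)
    created = call(CREATE, payload)
    call(UI_UPDATE, {"ui_certificate": created["id"]})
    call(UI_RESTART)
    return created["id"]


# Constructed stand-ins for a provider download (not real certificates):
# leaf then intermediate, the second one with CRLF endings as some downloads have.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBLEAF\nQUJDRA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBSU5U\r\n-----END CERTIFICATE-----\r\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBS0VZ\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    def dry_run(method, *args):
        print(method, args)
        return {"id": 42}

    print("deployed certificate id", deploy(dry_run, SAMPLE_BUNDLE, SAMPLE_KEY))
```

Run it as-is to see the three calls and their payloads printed without touching a NAS; swap `dry_run` for a real client (for example a wrapper around `midclt call`) once the payload looks right. The validation up front matters because a half-downloaded bundle or a key that did not come through the provider's API would otherwise surface only as an error from the middleware after the old UI certificate has already been replaced.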