airflow (Contributor, joined May 29, 2014)
Hello,
I recently wanted to leverage the free official Let's Encrypt CA for use in some of my projects, for example for the GUI of FreeNAS itself. It's quite easy, and with a little hack you can automate the process completely, so you will never have to manually renew the certificate of FreeNAS and it will be valid forever. =) Well, actually it's not a hack, as everything can be configured via the GUI of FreeNAS.
- Create a jail on FreeNAS for the installation of certbot, which is the client from Let's Encrypt to fetch and renew certificates
a. update the ports-tree within the jail
b. install ports-mgmt/portmaster, security/py-certbot & www/nginx - The webserver (nginx) is used by certbot to verify that the FQDNs you are trying to certify are actually yours. This means that these names actually have to resolve to the IP of the jail and be reachable by the internet. If you are not comfortable with this, this is not for you.
- As we would like to use the name in the certificate for the GUI of FreeNAS, but from the internet it has to resolve to the jail, we have a little bit of a contradiction here. I solve this problem by using split-DNS, which just means that the name for FreeNAS resolves differently depending on whether the query comes from the internet or from the internal LAN. I achieve this goal by using dnsmasq in another jail on my FreeNAS and setting it as my internal DNS resolver/proxy.
a. when coming from the internet, it should point to the IP of the jail, and it must be reachable from the internet.
b. when coming from the internal LAN, it should point to the GUI of FreeNAS. The GUI of FreeNAS should of course not be reachable via the internet.
- Now for the configuration of certbot: that's actually astonishingly easy. It is just one command per name. You have to specify the webroot of the nginx installation, which is /usr/local/www/nginx, and of course the FQDN.
certbot --webroot -w /usr/local/www/nginx -d freenas.example.com certonly -n
- The certificate and all necessary files are now stored in /usr/local/etc/letsencrypt/live. Each time they are renewed (we will come to that later) they are automatically replaced there.
- You can do that for as many names as you'd like. I do this for a variety of services in my network with different names. The goal is to automate the process for all of them. =)
- In the case of FreeNAS, it is quite easy to achieve. You could of course manually configure the generated certificates via the GUI. But you would have to repeat that every three months, as Let's Encrypt certificates are only valid for three months. Instead, we do the following:
a. Look at the directory /etc/certificates on your FreeNAS. Here the system stores and retrieves its configured certificates. The name of this directory is stored in the rc.d-variable SSLDIR. Don't touch this directory. It will be recreated on every reboot anyway.
b. Instead, create a new directory anywhere you like within your ZFS-pools. Create symbolic links from the Let's Encrypt certificates to this new directory. Use exactly the same names for the targets of the links, so you recreate the file-structure basically. fullchain.pem links to the file ending with .crt, privkey.pem links to the file ending with .key.
c. Now you just have to tell FreeNAS that it should use your new certificate directory instead of its own. You can do that comfortably in System/Tunables/Add Tunable (type = rc.conf). The name of the variable is SSLDIR, the value is the path to the directory you created before.
- Create a shell script which executes the certbot command from before. You might want to add a "service nginx restart" after that to reload the certificate for the GUI. Each time you run the certbot command from before, it automatically checks if the certificate is due for renewal and will renew it if needed. Call the shell script via the cron job function on a regular basis. When the certificate of your FreeNAS is due for renewal, it will now happen automatically.
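As an added example (not part of the original post), here is one way to write the renewal script from the last step so that the symlink layout from step b is rebuilt after every certbot run and nginx is only restarted when both links actually resolve. It assumes it runs inside the certbot jail (or is invoked there via jexec from the FreeNAS host), that certbot keeps its live files under /usr/local/etc/letsencrypt/live/<fqdn>, and that the SSLDIR tunable points at the link directory given as the second argument; the FQDN and paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes: runs in the certbot jail
# (or via jexec from the FreeNAS host), certbot live files live under
# /usr/local/etc/letsencrypt/live/<fqdn>, and the FreeNAS SSLDIR tunable points
# at the link directory passed as $2. Names and paths are placeholders.
set -eu

WEBROOT=/usr/local/www/nginx
LIVE_BASE=/usr/local/etc/letsencrypt/live

# Recreate the SSLDIR layout: <name>.crt -> fullchain.pem, <name>.key -> privkey.pem.
# Usage: link_certs <live_dir> <link_dir> <name>
link_certs() {
    live_dir=$1; link_dir=$2; name=$3
    if [ ! -f "$live_dir/fullchain.pem" ] || [ ! -f "$live_dir/privkey.pem" ]; then
        echo "link_certs: fullchain.pem or privkey.pem missing in $live_dir" >&2
        return 1
    fi
    mkdir -p "$link_dir"
    # -f replaces the previous link, so a renewal is picked up without touching FreeNAS.
    ln -sf "$live_dir/fullchain.pem" "$link_dir/$name.crt"
    ln -sf "$live_dir/privkey.pem" "$link_dir/$name.key"
}

# True only if both links resolve to readable files. Usage: links_ok <link_dir> <name>
links_ok() {
    [ -r "$1/$2.crt" ] && [ -r "$1/$2.key" ]
}

# The certbot command from the post, then relink, then a guarded restart.
# Usage: renew <fqdn> <link_dir>
renew() {
    fqdn=$1; link_dir=$2
    certbot --webroot -w "$WEBROOT" -d "$fqdn" certonly -n
    link_certs "$LIVE_BASE/$fqdn" "$link_dir" "$fqdn"
    # Never restart onto dangling links: a failed renewal must not take the GUI down.
    if links_ok "$link_dir" "$fqdn"; then
        service nginx restart
    else
        echo "renew: links for $fqdn do not resolve, nginx not restarted" >&2
        return 1
    fi
}

# From the FreeNAS cron job: sh renew.sh freenas.example.com /mnt/tank/ssl
# (placeholder values). With no arguments the script only defines the functions.
if [ $# -ge 2 ]; then
    renew "$1" "$2"
fi
```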