-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
What is the best way to use lets-encrypt with TrueNAS Scale 21.04
- Thread starter vega2004
- Start date
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
Nate W
Dabbler
- Joined
- Jul 10, 2014
- Messages
- 38
I followed these directions and it wasn't as clear as it could be. The only profiles available are OpenVPN Client and OpenVPN Server. I assume you want server? Also, what key usage config flags do we want? The defaults are as shown at the bottom.
When submitting, it throws this error for me:
Code:
Error: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 378, in run
await self.future
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 414, in __run_body
rv = await self.method(*([self] + args))
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1001, in nf
return await f(*args, **kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 1589, in do_create
data = await self.map_functions[create_type](job, data)
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1001, in nf
return await f(*args, **kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 1676, in create_csr
req, key = await self.middleware.call(
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1239, in call
return await self._call(
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1207, in _call
return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1111, in run_in_executor
return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
File "/usr/lib/python3/dist-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1005, in nf
return f(*args, **kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 567, in generate_certificate_signing_request
csr = self.add_extensions(csr, data.get('cert_extensions', {}), key, None)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 244, in add_extensions
klass(*self.get_extension_params(extension, cert, issuer)),
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 265, in get_extension_params
issuer.public_key() if issuer else cert._public_key
AttributeError: 'CertificateSigningRequestBuilder' object has no attribute '_public_key'
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
Nate W
Dabbler
- Joined
- Jul 10, 2014
- Messages
- 38
I did follow the directions. I can screen cap if you really want it. Perhaps some assumptions are being made in the directions?
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
No, no assumptions are made.
Key config flags are not a part of the guide and the guide clearly states:
"If you are not sure, the defaults are alsmost always "alright", because most of what you enter here is completely ignored by Letsencrypt."
Nate W
Dabbler
- Joined
- Jul 10, 2014
- Messages
- 38
Alright, progress!
This is more for the iX folks at this point:
Is there a good way to validate that cloudflare creds are working? I am using the API key as stated, have 1.1.1.1 for the dns and tried a reboot. It looks like it is not successfully creating the TXT record for the challenge.
This is more for the iX folks at this point:
Is there a good way to validate that cloudflare creds are working? I am using the API key as stated, have 1.1.1.1 for the dns and tried a reboot. It looks like it is not successfully creating the TXT record for the challenge.
Code:
Error: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/plugins/acme_protocol_/issue_cert.py", line 101, in issue_certificate
return acme_client.poll_and_finalize(
File "/usr/lib/python3/dist-packages/acme/client.py", line 710, in poll_and_finalize
orderr = self.poll_authorizations(orderr, deadline)
File "/usr/lib/python3/dist-packages/acme/client.py", line 734, in poll_authorizations
raise errors.ValidationError(failed)
acme.errors.ValidationError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 378, in run
await self.future
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 414, in __run_body
rv = await self.method(*([self] + args))
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1001, in nf
return await f(*args, **kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 1584, in do_create
data = await self.middleware.run_in_thread(
File "/usr/lib/python3/dist-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/lib/python3/dist-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1005, in nf
return f(*args, **kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 1639, in __create_acme_certificate
final_order = self.middleware.call_sync('acme.issue_certificate', job, 25, data, csr_data)
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1266, in call_sync
return methodobj(*prepared_call.args)
File "/usr/lib/python3/dist-packages/middlewared/plugins/acme_protocol_/issue_cert.py", line 117, in issue_certificate
raise CallError(f'Certificate request for final order failed: {msg}')
middlewared.service_exception.CallError: [EFAULT] Certificate request for final order failed:
Authorization for identifier Identifier(typ=IdentifierType(dns), value='mydomain.com') failed.
Here are the challenges that were not fulfilled:
Challenge Type: dns-01
Error information:
- Type: urn:ietf:params:acme:error:unauthorized
- Details: No TXT record found at _acme-challenge.mydomain.com
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
This is a known issue currently, both iX and myself are working on finding out what precisely is the cause and i've send some improvements for the ACME middleware already. But more Debugs are definately welcome!
Assuming your credentials are right (like the others with this bug) you will find out that in fact the TXT record is correctly created but simply not detected.
It's not really iX's fault either. Certbot developer docs are complete and utter trash. Other implementations of certbot also had to do a lot of trail and error to fix small race conditions and weird failures like this one.
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
iX uses Jira not github issues.
I already made a report for that, you can vote/watch it if you want.
Jira is the best (and only?) place to report bugs.
In github issues are not available anyway.
Also problems with truecharts, the best place would be in github discussions/issues (depending if its a bug or question) or the discord server.
Pile on here for cloudflare issue: https://jira.ixsystems.com/browse/NAS-110141
danb35
Hall of Famer
- Joined
- Aug 16, 2011
- Messages
- 15,504
I have no idea if the API for SCALE supports the same endpoints that it does in CORE. If it does, my Let's Encrypt deployment script would handle the TrueNAS GUI:
github.com
Any containers/apps would need a different solution, though.
GitHub - danb35/deploy-freenas: Python script to automate deploying TLS certificates to TrueNAS servers
Python script to automate deploying TLS certificates to TrueNAS servers - danb35/deploy-freenas
github.com
Any containers/apps would need a different solution, though.
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
Actually: No not really.
If you use the iX made certificate selection system for Apps (like TrueCharts does), you directly consume what's put into the certificate system... Which could just as well be done by your script :)
I have no idea if the API for SCALE supports the same endpoints that it does in CORE. If it does, my Let's Encrypt deployment script would handle the TrueNAS GUI:
GitHub - danb35/deploy-freenas: Python script to automate deploying TLS certificates to TrueNAS servers
Python script to automate deploying TLS certificates to TrueNAS servers - danb35/deploy-freenas
Any containers/apps would need a different solution, though.
Registered just to say that your script was working out of the box with no modifications for me on 21.02. Looks like CloudFlare is native in 21.04 though so I will probably switch over to that.
danb35
Hall of Famer
- Joined
- Aug 16, 2011
- Messages
- 15,504
I'd do the same--better to use the integrated solution if it does what you need it to.
ornias
Wizard
- Joined
- Mar 6, 2020
- Messages
- 1,458
It's a bit odd though, he registered an account to comment this, but neglected to read 3 posts higher and notice it's severely bugged in 21.04 :')
