Topic: Upload Certificate to Truenas possible? (Read 2191 times)
mvdheijkant (Newbie, Posts: 29, Karma: 1)
Upload Certificate to Truenas possible? « on: May 09, 2023, 10:47:54 pm »
Does anyone know if it's possible to upload a certificate from ACME with automation to TrueNAS Scale?
Maybe it is in development, but I can't find anything about it.
It's a wildcard certificate from Let's Encrypt that I'm using for Synology and also want to use for my TrueNAS Scale.
Or is the other way around possible, to use nginx or Traefik on TrueNAS and get it from OPNsense/ACME?
Or is it all too complex, and should I simply use a different certificate on my TrueNAS Scale?
I'm relying quite a bit on the GUI user interface and am not too familiar with Linux commands at all.
Does anyone have experience with this?

bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: Upload Certificate to Truenas possible? « Reply #1 on: May 10, 2023, 09:56:33 am »
I did a script for this:
https://github.com/bartsmit/distcerts
You may need to run a VM on Synology (or a container, if you're adventurous) to host it.
Bart...

mvdheijkant (Newbie, Posts: 29, Karma: 1)
Re: Upload Certificate to Truenas possible? « Reply #2 on: May 13, 2023, 08:01:21 pm »
Thanks for your reply.
It wasn't exactly what I was searching for.
For this challenge there are a few services working together, like OPNsense, Let's Encrypt and TrueNAS.
But I took it in another, "easier" direction.
My doubt was whether it would be possible to also use ACME on TrueNAS and on OPNsense at the same time, creating the same wildcard certificate. It seems this is supported.
So now I'm simply creating the certificate as usual on OPNsense and have configured the same on TrueNAS.
Problem solved.

eric01 (Newbie, Posts: 2, Karma: 1)
Re: Upload Certificate to Truenas possible? « Reply #3 on: September 05, 2023, 03:00:03 pm »
Yes, it is possible, but it requires a little work. Once the certificate is in TrueNAS /etc/certificates, using the TrueNAS CLI is the easiest way to replace it.
Summary
Generate a TrueNAS API key/SSH keypair
Configure an ACME Automation
Configure a cron job/script on TrueNAS to change the certificate (and restart web)
Expanded
1. Follow the documentation to generate a TrueNAS API key and generate an SSH keypair.
2. Within the ACME plugin on OPNsense, set up an Automation to run "Upload certificate to TrueNAS Core Server". This works the same for Scale.
3. Cron/script whatever you like. My one is as follows:
Daily cron
/bin/cli -c "system general update ui_certificate=$(find /etc/certificates/*.key | wc -l)" && /bin/cli -c "system general ui_restart"
This runs the TrueNAS CLI to update the certificate ID to the number of files found with the search context '/etc/certificates/*.key', which in my case will always be the same as intended (e.g. imported certificate 2 will also be ID 2, imported certificate 3 will be ID 3, and so on), and if that command doesn't error, it then restarts the web UI.
Some drawbacks of this method:
If TrueNAS is down when the Automation runs, need to manually push again (via the Automation run).
Web UI is restarted every day
This cron job won't work if TrueNAS maintains other/many certificates
This cron job doesn't clean up expired certs (yet)
Note regarding multiple requests for the same certificate:
A couple of services independently requesting the same certificate won't hit rate limits, but if you start climbing to 5+ you might start hitting the 5 duplicate certificate/week limit. Still easily resolved for a few more services by staggering the request day.
edit:
Might not have had the Automation option when OP raised.
https://github.com/opnsense/plugins/issues/3421
« Last Edit: September 05, 2023, 03:57:30 pm by eric01 »
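
An added example, not part of eric01's post and not OPNsense or TrueNAS project code: a cron script for the TrueNAS side that picks the UI certificate by name instead of counting key files, so other certificates on the box do not shift the ID, and that restarts the web UI only when the certificate actually changes. Assumptions: the `midclt` middleware client with the methods `certificate.query`, `system.general.config`, `system.general.update` and `system.general.ui_restart`; the record fields `id`, `name`, `expired`, `revoked`; and a hypothetical name prefix `letsencrypt` for the uploaded certificates.

```python
#!/usr/bin/env python3
import json
import subprocess

NAME_PREFIX = "letsencrypt"  # assumption: how the uploaded certificates are named

# Constructed sample of certificate.query output, trimmed to the fields used here.
SAMPLE = [
    {"id": 1, "name": "truenas_default", "expired": False, "revoked": False},
    {"id": 2, "name": "letsencrypt_old", "expired": True, "revoked": False},
    {"id": 3, "name": "letsencrypt_new", "expired": False, "revoked": False},
    {"id": 4, "name": "internal_ca_leaf", "expired": False, "revoked": False},
]


def pick_certificate(certs, prefix=NAME_PREFIX):
    """Return the highest id among unexpired, unrevoked certificates whose name
    starts with prefix, or None. Unrelated certificates no longer shift the result."""
    ids = [c["id"] for c in certs
           if c.get("name", "").lower().startswith(prefix.lower())
           and not c.get("expired") and not c.get("revoked")]
    return max(ids, default=None)


def midclt(method, *args):
    """Call the TrueNAS middleware client; arguments are passed as JSON strings."""
    out = subprocess.run(["midclt", "call", method, *map(json.dumps, args)],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def rotate():
    """Switch the web UI certificate only when a newer matching one exists."""
    wanted = pick_certificate(midclt("certificate.query"))
    if wanted is None:
        raise SystemExit("no usable matching certificate; UI left unchanged")
    current = (midclt("system.general.config").get("ui_certificate") or {}).get("id")
    if wanted == current:
        return False  # nothing new: skip the daily UI restart
    midclt("system.general.update", {"ui_certificate": wanted})
    midclt("system.general.ui_restart")
    return True


if __name__ == "__main__":
    print("rotated" if rotate() else "unchanged")
```

On the constructed sample, counting key files would give 4 and select the unrelated `internal_ca_leaf` certificate, while the name filter selects ID 3.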