Upload Certificate to Truenas possible?

Started by mvdheijkant, May 09, 2023, 10:47:54 PM

Does anyone know if it's possible to upload a certificate from ACME with automation to TrueNAS SCALE?
Maybe it is in development, but I can't find anything about it.
It's a wildcard certificate from Let's Encrypt that I'm using for Synology and also want to use for my TrueNAS SCALE.
Or is the other way around possible, to use nginx or traefik on TrueNAS and get it from OPNsense/ACME?
Or is it all too complex, and should I simply use a different certificate on my TrueNAS SCALE?
I'm relying quite a bit on the GUI user interface and am not too familiar with Linux commands at all.

Does anyone have experience with this?

I did a script for this: https://github.com/bartsmit/distcerts

You may need to run a VM on Synology (or a container, if you're adventurous) to host it.

Bart...

Thanks for your reply.

It wasn't exactly what I was searching for.
For this challenge there are a few services working together, like OPNsense, Let's Encrypt and TrueNAS.
But I took it in another, "easier" direction.
My doubt was whether it would be possible to also use ACME on TrueNAS and on OPNsense at the same time, creating the same wildcard certificate. It seems this is supported.
So now I'm simply creating the certificate as usual on OPNsense and have configured the same on TrueNAS.

Problem solved.

September 05, 2023, 03:00:03 PM #3 Last Edit: September 05, 2023, 03:57:30 PM by eric01
Yes, it is possible, but it requires a little work. Once the certificate is in TrueNAS's /etc/certificates, using the TrueNAS CLI is the easiest way to replace it.

Summary

  • Generate a TrueNAS API key/SSH keypair
  • Configure an ACME Automation
  • Configure a cron job/script on TrueNAS to change the certificate (and restart web)

Expanded
1. Follow the documentation to generate a TrueNAS API key and generate an SSH keypair.

2. Within the ACME plugin on OPNsense, set up an Automation to run "Upload certificate to TrueNAS Core Server". This works the same for SCALE.

3. Cron/script whatever you like. My one is as follows:
Daily cron
/bin/cli -c "system general update ui_certificate=$(find /etc/certificates/*.key | wc -l)" && /bin/cli -c "system general ui_restart"

This runs the TrueNAS CLI to set the UI certificate ID to the number of files matching '/etc/certificates/*.key', which in my case will always be the same as intended (e.g. imported certificate 2 will also be ID 2, imported certificate 3 will be ID 3, and so on), and if that command doesn't error, it then restarts the web UI.

Some drawbacks on this method:

  • If TrueNAS is down when the Automation runs, you need to push again manually (via the Automation run).
  • The web UI is restarted every day.
  • This cron job won't work if TrueNAS maintains other/many certificates.
  • This cron job doesn't clean up expired certs (yet).

Note regarding multiple requests for the same certificate:
A couple of services independently requesting the same certificate won't hit rate limits, but if you start climbing to 5+ you might start hitting the 5 duplicate certificates/week limit. This is still easily resolved for a few more services by staggering the request day.


edit:
The Automation option might not have existed when the OP raised this. https://github.com/opnsense/plugins/issues/3421