
TrueNAS with Let’s Encrypt SSL Certificate (Reverse Proxy)

Published by Moe on

I recently began rebuilding my Home Lab and installed a TrueNAS server for all my data.

By using my existing reverse proxy, which already runs acme.sh for Let's Encrypt on my Home Lab network, I was able to get TrueNAS serving its web UI with the same SSL certificate and have it renewed automatically.

Prerequisites

First off, it is assumed that you have a working reverse proxy or other server running acme.sh (or similar) that already obtains a wildcard certificate for your home network.

I have a wildcard certificate set up using acme.sh for the domain *.lab.comprofix.com.

Once you have this working we can continue.

Install Let’s Encrypt Certificate

Step 1 – Manual Import

First we need to manually import the certificate into TrueNAS before we can configure automatic renewal. The name you give it here matters: TrueNAS writes the imported certificate and key to /etc/certificates/<Name>.crt and /etc/certificates/<Name>.key, and Step 4 overwrites those files by name.

  • Connect to your TrueNAS Server and navigate in the menu to System –> Certificates
  • Click Add
  • Change the Type to “Import Certificate”
  • Give the Certificate a Name – LetsEncrypt.
  • Copy and paste your certificate and private key (PEM format, as produced by acme.sh)
  • Click Submit

You should now see your LetsEncrypt Certificate Added to TrueNAS

The last thing we need to do in TrueNAS is set it to use the new SSL certificate.

  • Navigate to System –> General
  • Change the GUI SSL Certificate to the new one you named and installed
  • Tick the box "Web Interface HTTP –> HTTPS Redirect" so plain-HTTP requests to the UI are redirected rather than served

Step 2 – Enable SSH

Next we need to set up SSH. The two "root with password" options below are only needed for a moment, so that ssh-copy-id in Step 3 can install the key; Step 3 turns them off again.

  • Navigate to Services
  • Search for SSH
  • Click the "Pencil" icon to edit the options
    • Tick the box "Log in as Root with password"
    • Tick the box "Allow Password Authentication"
  • Click Save
  • Search for SSH again
  • Toggle the "Running" switch ON
  • Tick the box "Start Automatically"

Step 3 – Setup SSH Keys

Now that we have SSH running we need to set up SSH keys to allow for passwordless authentication from the reverse proxy to TrueNAS.

  • SSH to your reverse proxy
  • Create the key pair as root (ssh-keygen's default key type is fine; the hook in Step 4 runs as root, so the key must belong to root)
$ ssh-keygen
  • Press Enter to save the key pair in the default location
  • Copy the public key to your TrueNAS system (replace truenas with your TrueNAS IP address or hostname)
$ ssh-copy-id root@truenas

  • Test SSH as root to your TrueNAS system. You should not be asked for a password and should be presented with a prompt.

If you have any trouble with your SSH keys, check out the guide here from Digital Ocean.

Once you have your SSH keys working, go back to Step 2, edit the SSH service and untick both boxes so root can no longer log in with a password. Leave SSH running: the renewal hook in Step 4 depends on it.

Step 4 – Copy Certificates to TrueNAS

As I am using acme.sh to get my certificates these steps will show what I do.

We need to copy them over to the TrueNAS server into the folder /etc/certificates and name them the same as we did in Step 1 (LetsEncrypt.crt and LetsEncrypt.key). Note the file modes in the example below: the key is readable by root only, and scp writing into an existing file keeps that mode.

root@truenas[~]# ls -l /etc/certificates 
total 16
-rw-r--r--  1 root  wheel  1330 May  1 19:54 freenas_default.crt
-r--------  1 root  wheel  1704 May  1 19:54 freenas_default.key
-rw-r--r--  1 root  wheel  1883 May  1 19:54 LetsEncrypt.crt
-r--------  1 root  wheel  1678 May  1 19:54 LetsEncrypt.key
root@truenas[~]# 
  • Navigate to your certificate's folder inside .acme.sh and edit the .conf file for your wildcard certificate. The folder and file names contain a literal asterisk, so it is escaped as \* to stop the shell treating it as a glob.
[root@fileserver ~/.acme.sh/*.home.comprofix.com ]# vim \*.home.comprofix.com.conf
  • Update the Le_PostHook= line so that it reads:
Le_PostHook='scp /root/.acme.sh/\*.home.comprofix.com/\*.home.comprofix.com.cer root@truenas.home.comprofix.com:/etc/certificates/LetsEncrypt.crt && scp /root/.acme.sh/\*.home.comprofix.com/\*.home.comprofix.com.key root@truenas.home.comprofix.com:/etc/certificates/LetsEncrypt.key && ssh root@truenas.home.comprofix.com "service nginx restart"'

What the PostHook line does is, once the certificate has been renewed, copy (scp) the files from the reverse proxy to the TrueNAS server and then restart the nginx service so it loads the new certificate. The commands are chained with &&, so if a copy fails the restart is skipped and acme.sh reports the hook failure. Two caveats: the .cer file is the leaf certificate only, so if your clients need the intermediate use fullchain.cer instead; and TrueNAS keeps the imported certificate in its configuration database and can regenerate /etc/certificates from it (for example after a reboot), so if the old certificate reappears, re-import the current one through System –> Certificates.

If you intend on using the wildcard certificate on multiple servers and services then I would recommend that you change the Le_PostHook line to point to a script file and in that file list all the copy commands and service restarts to get the certificates on the systems you need. But the above will be enough to get you started.
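Here is an added example of such a deployment script, written for this page rather than taken from the author or from acme.sh. It assumes acme.sh exports CERT_FULLCHAIN_PATH and CERT_KEY_PATH to post hooks (otherwise pass the two paths as arguments), root SSH key access to each target as set up in Step 3, and a hypothetical TARGETS list of hosts; it refuses to ship a certificate whose public key does not match the private key, fixes the file modes on the target, and restarts the service that serves the certificate. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# deploy-cert.sh: acme.sh post hook that ships a renewed wildcard
# certificate to several hosts and restarts the service on each.
# Hypothetical example; host names, paths and the TARGETS format are ours.
set -eu

# One target per line: host:cert_destination:key_destination:restart command
# (the restart command may contain spaces but not colons). Example hosts only.
TARGETS="${TARGETS:-
truenas.home.comprofix.com:/etc/certificates/LetsEncrypt.crt:/etc/certificates/LetsEncrypt.key:service nginx restart
}"

# Assumed: acme.sh exports these two variables to the post hook; when the
# script is run by hand, take the cert and key paths from the arguments.
CERT="${CERT_FULLCHAIN_PATH:-${1:-}}"
KEY="${CERT_KEY_PATH:-${2:-}}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Fail closed: compare the public key in the certificate with the one
# derived from the private key. A missing openssl also yields "no match".
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) &&
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) &&
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Copy cert and key to one host as root, fix modes, restart the service.
# scp -p keeps the source timestamps; the explicit chmod keeps the key
# root-only even if the destination file did not exist before.
ship_to_target() {
  host=$1 cert_dst=$2 key_dst=$3 restart=$4
  run scp -p "$CERT" "root@$host:$cert_dst"
  run scp -p "$KEY" "root@$host:$key_dst"
  run ssh "root@$host" "chmod 0644 '$cert_dst' && chmod 0400 '$key_dst' && $restart"
}

# Check inputs, verify the pair, then deploy to every target in TARGETS.
deploy() {
  if [ ! -r "$CERT" ] || [ ! -r "$KEY" ]; then
    echo "usage: $0 fullchain.cer domain.key (or set CERT_FULLCHAIN_PATH/CERT_KEY_PATH)" >&2
    return 2
  fi
  if ! cert_key_match "$CERT" "$KEY"; then
    echo "certificate and key do not match, not deploying" >&2
    return 1
  fi
  while IFS=: read -r host cert_dst key_dst restart; do
    [ -n "$host" ] || continue
    ship_to_target "$host" "$cert_dst" "$key_dst" "$restart"
  done <<EOF
$TARGETS
EOF
}

# Only run the deployment when invoked as deploy-cert.sh, so the functions
# can also be sourced for testing.
case "${0##*/}" in
  deploy-cert.sh) deploy "$@" ;;
esac
```

With this in place the hook line becomes Le_PostHook='/root/bin/deploy-cert.sh' (path is an example), and you can rehearse a renewal with DRY_RUN=1 /root/bin/deploy-cert.sh fullchain.cer domain.key before trusting it to acme.sh. After a real run, confirm what TrueNAS is actually serving with openssl s_client -connect truenas:443 -servername truenas.home.comprofix.com and check the notAfter date.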


Categories: Linux