TrueNAS with Let’s Encrypt SSL Certificate (Reverse Proxy)
I recently began rebuilding my Home Lab and installed a TrueNAS Server for all my data.
By using my existing reverse proxy, which runs acme.sh for Let’s Encrypt on my Home Lab network, I was able to get TrueNAS to use the same SSL certificate.
First off, it is assumed that you already have a working reverse proxy or other server running acme.sh (or similar) that obtains a wildcard certificate for your home network.
I have a wildcard certificate set up using acme.sh for the domain *.lab.comprofix.com
Once you have this setup we can continue.
Install Let’s Encrypt Certificate
Step 1 – Manual Import
First we need to manually import the certificate into TrueNAS before we can configure automatic updates.
- Connect to your TrueNAS Server and navigate in the menu to System –> Certificates
- Click Add
- Change the Type to “Import Certificate”
- Give the certificate a name, e.g. LetsEncrypt. TrueNAS uses this name for the files it writes to /etc/certificates, so note it for Step 4.
- Copy and paste your certificate (the full chain, including the intermediate, if your client provides it) and private key
- Click Submit
Last thing we need to do in TrueNAS is set it to use the new SSL Certificate.
- Navigate to System –> General
- Change the GUI SSL Certificate to the new one you named and installed
- Tick the box HTTP –> HTTPS Redirect, so plain-HTTP requests to the UI are sent to the HTTPS port
Step 2 – Enable SSH
Next we need to enable SSH. The two options below temporarily allow root to log in with a password so that the key can be copied across in Step 3; they are switched off again once the key works, since password-based root SSH is not something to leave enabled.
- Navigate to Services
- Search for SSH
- Click the “Pencil” Icon to edit the options
- Tick the Box “Log in as Root with password”
- Tick the Box “Allow Password Authentication”
- Click Save
- Search for SSH again
- Toggle the “Running” switch ON
- Tick box “Start Automatically”
Step 3 – Setup SSH Keys
Now that we have SSH running we need to set up SSH keys to allow for passwordless authentication.
- SSH to your reverse proxy
- Create the RSA key pair with ssh-keygen
- Press Enter to accept the default file location, and leave the passphrase empty: the post-hook in Step 4 runs unattended, so it cannot prompt for one
- Copy the Keypair to your TrueNAS System (replace truenas with your truenas IP Address)
$ ssh-copy-id root@truenas
- Test ssh as root to your TrueNAS system. You should be presented with a prompt without being asked for a password. Note that this key now gives the proxy unattended root access to TrueNAS, so keep the proxy’s /root/.ssh locked down; you can also restrict the key entry in TrueNAS’s /root/.ssh/authorized_keys with an OpenSSH from="<proxy IP>" option so it only works from the proxy.
If you have any trouble with your SSH Keys, check out the guide here from Digital Ocean.
Once your SSH keys work, go back to Step 2, edit the SSH service and untick both boxes (“Log in as Root with password” and “Allow Password Authentication”), but leave SSH running.
Step 4 – Copy Certificates to TrueNAS
As I am using acme.sh to get my certificates, these steps show what I do.
We need to copy the certificate and key to /etc/certificates on the TrueNAS server, named to match the certificate name from Step 1 (TrueNAS writes the imported pair there as <name>.crt and <name>.key). See the example below.
root@truenas[~]# ls -l /etc/certificates
total 16
-rw-r--r--  1 root  wheel  1330 May  1 19:54 freenas_default.crt
-r--------  1 root  wheel  1704 May  1 19:54 freenas_default.key
-rw-r--r--  1 root  wheel  1883 May  1 19:54 LetsEncrypt.crt
-r--------  1 root  wheel  1678 May  1 19:54 LetsEncrypt.key
root@truenas[~]#
- Navigate to the folder named after your certificate inside the .acme.sh folder and edit the conf file for your wildcard certificate (the leading asterisk in the file name is escaped because the shell would otherwise treat it as a glob).
[root@fileserver ~/.acme.sh/*.home.comprofix.com ]# vim \*.home.comprofix.com.conf
- Update the Le_PostHook= line so that it reads:
Le_PostHook='scp /root/.acme.sh/\*.home.comprofix.com/\*.home.comprofix.com.cer root@truenas:/etc/certificates/LetsEncrypt.crt && scp /root/.acme.sh/\*.home.comprofix.com/\*.home.comprofix.com.key root@truenas:/etc/certificates/LetsEncrypt.key && ssh root@truenas "service nginx restart"'
What the PostHook line does is run once the certificate has been renewed: it copies (scp) the certificate and key from the reverse proxy to the TrueNAS server and then restarts the nginx service there so the web UI loads the new certificate. Two things to check: the host name (root@truenas above) must be the one you tested key-based login against in Step 3, and the .cer file acme.sh names after the domain is the leaf certificate only. acme.sh also writes a fullchain.cer in the same folder that includes the intermediate; copying that file as LetsEncrypt.crt instead avoids “unknown issuer” errors in clients that do not fetch intermediates themselves.
If you intend to use the wildcard certificate on multiple servers and services, I would recommend pointing the Le_PostHook line at a script file and listing all the copy commands and service restarts in that script, so that every system that needs the certificate gets it from one place. The one-liner above is enough to get you started.
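The script below is one way to write that post-hook file. It is an added example for this page, not code from the original post or from the acme.sh or TrueNAS projects. It assumes the key-based root SSH login from Step 3 works for every host listed in TARGETS, that the certificate was imported in TrueNAS under the name in CERT_NAME (Step 1), that acme.sh keeps its files under ACME_DIR, and that openssl is installed on the proxy; the host name root@truenas and the paths are placeholders to adjust. Before copying anything it checks that the certificate and private key actually belong together and that the certificate is not about to expire, so a half-finished renewal cannot leave the TrueNAS web UI with a broken nginx.

```shell
#!/bin/sh
# deploy-cert.sh: acme.sh post-hook that pushes a renewed wildcard certificate
# to one or more TrueNAS hosts and restarts nginx there. Added example for this
# page, not code from the original post or from the acme.sh/TrueNAS projects.
# Assumptions: key-based root SSH from the proxy to each host works (Step 3),
# the certificate was imported in TrueNAS under CERT_NAME (Step 1), acme.sh
# keeps its files in ACME_DIR, and openssl is available. Hosts are placeholders.
set -eu

# The literal '*' in the directory name is safe because every use is quoted,
# so the shell never expands it as a glob.
ACME_DIR="${ACME_DIR:-/root/.acme.sh/*.home.comprofix.com}"
# fullchain.cer carries the intermediate as well as the leaf; acme.sh writes it
# next to <domain>.cer. Serving the full chain avoids "unknown issuer" failures
# in strict clients that do not fetch intermediates themselves.
CERT="$ACME_DIR/fullchain.cer"
KEY="$ACME_DIR/*.home.comprofix.com.key"
CERT_NAME="${CERT_NAME:-LetsEncrypt}"
# Space-separated user@host list; every entry receives the same files.
TARGETS="${TARGETS:-root@truenas}"
REMOTE_DIR="/etc/certificates"

# Succeeds only if the certificate's public key belongs to the private key.
# Pushing a mismatched pair would leave nginx unable to start after the restart.
cert_and_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate in $1 is still valid $2 days from now
# (openssl -checkend takes seconds and exits non-zero if it would expire).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Copy both files to one host, set the modes explicitly (the key must stay
# root-only; do not rely on scp preserving them), then restart nginx so the
# TrueNAS web UI picks up the new certificate.
deploy_to() {
    host=$1
    scp -q "$CERT" "$host:$REMOTE_DIR/$CERT_NAME.crt"
    scp -q "$KEY"  "$host:$REMOTE_DIR/$CERT_NAME.key"
    remote_cmd="chmod 644 $REMOTE_DIR/$CERT_NAME.crt && chmod 400 $REMOTE_DIR/$CERT_NAME.key && service nginx restart"
    ssh "$host" "$remote_cmd"
}

main() {
    cert_and_key_match "$CERT" "$KEY" || {
        echo "certificate and key do not match, refusing to deploy" >&2; exit 1; }
    cert_valid_for_days "$CERT" 7 || {
        echo "certificate expires within 7 days, is this really the renewed one?" >&2; exit 1; }
    for host in $TARGETS; do
        echo "deploying $CERT_NAME to $host"
        deploy_to "$host"
    done
}

# Only deploy when explicitly asked, so the file can be sourced for checks:
#   Le_PostHook='/root/deploy-cert.sh run'
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it as /root/deploy-cert.sh on the proxy, make it executable, and set Le_PostHook='/root/deploy-cert.sh run' in the wildcard’s .conf file (or pass the same value with acme.sh’s --post-hook option when renewing). To add another host, extend TARGETS; if a host needs a different service restarted, give it its own deploy function rather than overloading remote_cmd.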