Feature #24182

make it possible to automate certificate renewal in FreeNAS

Added by Florian Pressler about 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Nice to have
Assignee: Waqar Ahmed
Category: Middleware
Target version:
Estimated time:
Severity: Medium
Reason for Closing: Duplicate Issue
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:

Description

I would like to automate certificate renewal of the certificates used in FreeNAS. I will gladly automate it by myself, even if FreeNAS does not provide this out of the box, but I need some way or kind of API. I would like to use the Let's Encrypt CA, which provides valid certificates for free in an automated manner.

At the moment I work by using a jail on FreeNAS with certbot installed. It correctly requests and pulls the certificate for FreeNAS. I then have to manually configure the resulting certificate in the GUI. I would like to eliminate this manual step.

Ideas:
  • If I know the place where FreeNAS stores the certificates on the filesystem, I could just overwrite them there.
  • Another possibility would be to use a kind of API
  • Another possibility would be if FreeNAS supported Let's Encrypt out of the box (via the GUI)

Related issues

Related to FreeNAS - Feature #36403: Add Let's Encrypt Support for Certs (Ready for Testing)
Is duplicate of FreeNAS - Feature #25355: Add an ACME certbot tool (Closed: Duplicate, 2017-07-28)

History

#1 Updated by Kris Moore about 3 years ago

  • Priority changed from No priority to Nice to have
  • Target version set to 49

It would be nice to have some sort of automated cert renewal or letsencrypt support. We can take a look at this down the road.

#2 Updated by Florian Pressler about 3 years ago

I actually found a very nice way to achieve the goal. I modified the variable "SSLDIR", which is normally pointing to /etc/certificates. This directory holds the certificates configured through the GUI of FreeNAS. Instead, I point it to another directory (in my case /mnt/DATA/shares/persistent/configs/freenas-certs), which holds the certificates generated by certbot (the Let's Encrypt client which runs in a jail regularly). This variable can be set via the GUI at "System/Tunables/Add Tunable" (type = rc.conf). The names have to match exactly the names normally used in the original directory. I achieved this by using symbolic links into the jail-storage-directory.
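
A check for the setup described in comment #2, as an added example that is not part of the original thread or of FreeNAS: once SSLDIR points at a directory of symlinks into jail storage, every link should resolve, stay under the jail's certificate directory, and lead to a private key that is not accessible to group or other. The function name, the finding labels and the `*key*` file-name pattern are assumptions.

```shell
#!/bin/sh
# audit_ssldir DIR ALLOWED_ROOT
# DIR is the directory SSLDIR points at; ALLOWED_ROOT is the jail storage
# directory the symlinks are supposed to lead into.
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
# Assumption: private-key files have "key" in their name (adjust as needed).
audit_ssldir() {
    dir=$1
    root=$(cd "$2" && pwd -P) || return 2
    findings=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # Dangling link: the renewal client removed or renamed the target.
        if [ ! -e "$entry" ]; then
            echo "DANGLING $name"; findings=$((findings + 1)); continue
        fi
        # Resolve the final target and require it to stay under ALLOWED_ROOT.
        target=$(readlink -f "$entry")
        case $target in
            "$root"/*) ;;
            *) echo "OUTSIDE $name -> $target"; findings=$((findings + 1)) ;;
        esac
        # Key material must carry no group/other permission bits.
        case $name in
            *key*)
                perms=$(ls -ldL "$entry" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "LOOSE_PERMS $name ($perms)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh <ssldir> <jail-cert-root>
if [ "$#" -eq 2 ]; then
    audit_ssldir "$1" "$2"
fi
```

Running it after each renewal, before the web server is reloaded, catches a link that broke or a key that became readable on the shared dataset.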

#3 Updated by Suraj Ravichandran about 3 years ago

  • Status changed from Unscreened to Screened

#4 Updated by Constantin Jacob about 3 years ago

I would also like to see this as a future feature in the FreeNAS web UI.

Let's Encrypt also just announced their ACME v2 API, which is now an IETF standard, so this does not only apply to Let's Encrypt specifically. https://letsencrypt.org/2017/06/14/acme-v2-api.html

Their ACME v1 API spec can be found here https://tools.ietf.org/html/draft-ietf-acme-acme-07

#5 Updated by Suraj Ravichandran about 3 years ago

  • Target version changed from 49 to 11.2-BETA1

#6 Updated by Dru Lavigne almost 3 years ago

  • Assignee changed from Suraj Ravichandran to William Grzybowski

William: please load balance between Vladimir and Nikola.

#7 Updated by William Grzybowski almost 3 years ago

  • Status changed from Screened to Unscreened
  • Assignee changed from William Grzybowski to Nikola Gigic

#8 Updated by William Grzybowski almost 3 years ago

#9 Updated by Nikola Gigic almost 3 years ago

  • Status changed from Unscreened to Screened

#10 Updated by Dru Lavigne almost 3 years ago

  • Assignee changed from Nikola Gigic to Vladimir Vinogradenko

#11 Updated by William Grzybowski over 2 years ago

  • Target version changed from 11.2-BETA1 to 11.3

We will have to punt it to 11.3 (at least)

#12 Updated by Kris Moore over 2 years ago

  • Status changed from Screened to Not Started

#13 Updated by Ben Gadd over 2 years ago

  • Target version changed from 11.3 to Backlog

#14 Updated by Andrew Meyer over 2 years ago

This feature as written is already implemented, right? According to this post, FreeNAS has had an API for updating the Web UI's active cert since v11.1: https://forums.freenas.org/index.php?resources/lets-encrypt-with-freenas-11-1-and-later.82/

That said, the other bug #25355 that got marked as a duplicate of this one is actually not resolved, since that bug is asking for an actual native integration with ACME. I'd love to see that in FreeNAS; it'd be amazing if you could obtain and deploy a publicly trusted cert for the web UI with just a couple clicks.

#15 Updated by Vladimir Vinogradenko over 2 years ago

  • Severity set to Medium

#16 Updated by William Grzybowski about 2 years ago

  • Assignee changed from Vladimir Vinogradenko to Waqar Ahmed

#17 Updated by Waqar Ahmed about 2 years ago

  • Status changed from Not Started to Closed
  • Reason for Closing set to Duplicate Issue

#18 Updated by Waqar Ahmed about 2 years ago

  • Related to Feature #36403: Add Let's Encrypt Support for Certs added

#19 Updated by Dru Lavigne about 2 years ago

  • Target version changed from Backlog to N/A
