Make it possible to automate certificate renewal in FreeNAS
I would like to automate renewal of the certificates used in FreeNAS. I will gladly automate it myself, even if FreeNAS does not provide this out of the box, but I need some way to do it or some kind of API. I would like to use the Let's Encrypt CA, which provides valid certificates for free in an automated manner.
At the moment I work by using a jail on FreeNAS with certbot installed. It correctly requests and pulls the certificate for FreeNAS. I then have to manually configure the resulting certificate in the GUI. I would like to eliminate this manual step.
Ideas:
- If I know the place where FreeNAS stores the certificates on the filesystem, I could just overwrite them there.
- Another possibility would be to use a kind of API
- Another possibility would be if FreeNAS supported Let's Encrypt out of the box (via the GUI)
#2 Updated by Florian Pressler about 3 years ago
I actually found a very nice way to achieve the goal. I modified the variable "SSLDIR", which normally points to /etc/certificates. This directory holds the certificates configured through the GUI of FreeNAS. Instead, I point it to another directory (in my case /mnt/DATA/shares/persistent/configs/freenas-certs), which holds the certificates generated by certbot (the Let's Encrypt client, which runs regularly in a jail). This variable can be set via the GUI at "System/Tunables/Add Tunable/" (type = rc.conf). The names have to match exactly the names normally used in the original directory. I achieved this by using symbolic links into the jail-storage-directory.
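The symlink step described in comment #2, as an added example that is not code from the ticket or from FreeNAS: it validates the certbot output, refuses a world-readable private key, and swaps each link with a single rename. The function names, the exit codes and every path or file name passed in are assumptions; the link names have to be copied from the files in the original certificate directory.

```shell
#!/bin/sh
# Added example: link certbot output into the directory that SSLDIR points to.
# All paths and file names are caller-supplied assumptions; the link names must
# be copied from the files FreeNAS wrote to the original certificate directory.

# check_pem FILE MARKER: FILE must be non-empty and contain MARKER.
check_pem() {
    [ -s "$1" ] && grep -q -e "$2" "$1"
}

# swap_link TARGET LINK: replace LINK with one rename(2), so the directory
# never holds a missing or half-updated entry while a service reads it.
swap_link() {
    tmp="$2.tmp.$$"
    ln -s "$1" "$tmp" && mv -f "$tmp" "$2" && return 0
    rm -f "$tmp"
    return 1
}

# link_cert SRC_CERT SRC_KEY DEST_DIR CERT_NAME KEY_NAME
# Returns 0 on success, 1 on bad input, 2 if the key is world-readable.
link_cert() {
    src_cert=$1 src_key=$2 dest_dir=$3 cert_name=$4 key_name=$5
    [ -d "$dest_dir" ] || return 1
    for p in "$src_cert" "$src_key"; do
        # A relative symlink target would resolve against DEST_DIR.
        case "$p" in /*) ;; *) return 1 ;; esac
    done
    # Catches swapped arguments and truncated files before anything changes.
    check_pem "$src_cert" '-----BEGIN CERTIFICATE-----' || return 1
    check_pem "$src_key" 'PRIVATE KEY-----' || return 1
    # Refuse a key other users can read (find -L follows certbot's symlinks).
    [ -z "$(find -L "$src_key" -perm -004 2>/dev/null)" ] || return 2
    swap_link "$src_cert" "$dest_dir/$cert_name" || return 1
    swap_link "$src_key" "$dest_dir/$key_name" || return 1
}
```

Because the directory in comment #2 sits under a shares path, the mode check on the key is worth keeping even when the links are created by hand.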
#4 Updated by Constantin Jacob about 3 years ago
I would also like to see this as a future feature in the FreeNAS web UI.
Let's Encrypt also just announced their ACME v2 API, which is now an IETF standard, so this does not only apply to Let's Encrypt specifically: https://letsencrypt.org/2017/06/14/acme-v2-api.html
Their ACME v1 API spec can be found here: https://tools.ietf.org/html/draft-ietf-acme-acme-07
#14 Updated by Andrew Meyer over 2 years ago
This feature as written is already implemented, right? According to this post, FreeNAS has had an API for updating the Web UI's active cert since v11.1: https://forums.freenas.org/index.php?resources/lets-encrypt-with-freenas-11-1-and-later.82/
That said, the other bug #25355 that got marked as a duplicate of this one is actually not resolved, since that bug is asking for an actual native integration with ACME. I'd love to see that in FreeNAS; it'd be amazing if you could obtain and deploy a publicly trusted cert for the web UI with just a couple clicks.