Add an ACME certbot tool
Some of my users have Chromebooks, and getting them to trust the self-signed certificate, or the "unknown CA" certificate, can be challenging. Managing SSL certificates, expiration, revocation, etc., is hard to do well. Updating all the clients when I have to rebuild the SSL certificate gets to be painful.
I would like to see a tool like Let's Encrypt ACME deployed on FreeNAS. I use one on my PFSense system (another FreeBSD-based tool) and it greatly simplified managing my SSL certificates. https://letsencrypt.org/docs/client-options/
#3 Updated by Tim Witteveen about 3 years ago
Running ACME in a jail, or Docker, and having a cron job run once a day to import the certificate from the container storage seems like a small risk considering the risks of poorly managed SSL certs.
PFSense further reduces the risk by running this service on its own port, and only runs the service when the cron job updates the certificate.
Allowing the users to specify the port ACME is listening on will allow them to use port forwarding to further mitigate internet-facing services.
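The daily "import the certificate from the container storage" step described in this comment, as an added example (this is not FreeNAS, pfSense or certbot code, and the jail and host paths are hypothetical). It copies the renewed chain and key out of the jail only when their content actually changed, writes them atomically, keeps the private key owner-only, and reports whether anything changed so the cron job knows whether a service reload is needed:

```python
"""Added example: cron-driven import of a certificate renewed inside a jail.
Not FreeNAS/pfSense/certbot code. Paths below are hypothetical placeholders."""
import hashlib
import os
import tempfile

# Hypothetical paths: where the ACME client inside the jail writes its output,
# and where the host-side web service reads its certificate and key from.
JAIL_LIVE_DIR = "/mnt/tank/jails/acme/root/etc/letsencrypt/live/nas.example.org"
HOST_CERT_DIR = "/usr/local/etc/ssl"


def _sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def import_if_changed(src, dst, mode=0o600):
    """Install src at dst if dst is missing or its content differs.
    Returns True when a new file was installed, False when nothing changed."""
    if os.path.exists(dst) and _sha256_of_file(src) == _sha256_of_file(dst):
        return False
    with open(src, "rb") as f:
        data = f.read()
    dst_dir = os.path.dirname(dst) or "."
    # Write to a temp file in the same directory, fix permissions, then rename:
    # a reader never sees a half-written file and the key is never world-readable.
    fd, tmp = tempfile.mkstemp(dir=dst_dir, prefix=".acme-import-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, dst)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return True


def sync_certificate(src_dir=JAIL_LIVE_DIR, dst_dir=HOST_CERT_DIR):
    """Import fullchain.pem (world-readable) and privkey.pem (owner-only).
    Returns True if either file changed, i.e. the service should be reloaded."""
    changed = False
    for name, mode in (("fullchain.pem", 0o644), ("privkey.pem", 0o600)):
        changed |= import_if_changed(os.path.join(src_dir, name),
                                     os.path.join(dst_dir, name), mode)
    return changed


def demo():
    """Self-contained run on constructed placeholder files in a temp directory.
    Returns (first_run_changed, second_run_changed, after_renewal_changed, key_mode)."""
    with tempfile.TemporaryDirectory() as root:
        src, dst = os.path.join(root, "jail"), os.path.join(root, "host")
        os.makedirs(src)
        os.makedirs(dst)
        for name in ("fullchain.pem", "privkey.pem"):  # constructed, not real PEM
            with open(os.path.join(src, name), "w") as f:
                f.write("-----BEGIN CONSTRUCTED %s-----\nv1\n-----END-----\n" % name)
        first = sync_certificate(src, dst)    # fresh install -> True
        second = sync_certificate(src, dst)   # nothing renewed -> False
        with open(os.path.join(src, "fullchain.pem"), "w") as f:  # simulate a renewal
            f.write("-----BEGIN CONSTRUCTED fullchain.pem-----\nv2\n-----END-----\n")
        third = sync_certificate(src, dst)    # renewed chain -> True
        key_mode = os.stat(os.path.join(dst, "privkey.pem")).st_mode & 0o777
        return first, second, third, key_mode


if __name__ == "__main__":
    print(demo())
```

Run it from the host's daily cron as the user that owns the service's certificate directory; on a True result, reload whichever service consumes the files. The hashing is what keeps the job idle on the days nothing was renewed, which is most of them.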
#4 Updated by Kris Moore about 3 years ago
- Status changed from Unscreened to Screened
- Assignee changed from Kris Moore to Suraj Ravichandran
- Priority changed from No priority to Important
- Target version set to 11.2-BETA1
We need to have some further discussion on the whole way certs are managed now anyway, considering S3 object services very often will be exposed public. Throwing this into the queue for 11.2 and assigning to Suraj. (Suraj, let's discuss this in the next couple days)
#5 Updated by Grzegorz Krzystek almost 3 years ago
Sean Fagan wrote:
That would require the server be accessible on the public internet, which is not recommended for FreeNAS systems.
There are multiple host validation options, like a DNS entry change (e.g. nsupdate) or a standalone ACME server that is started on demand, so it can be done quite securely, without exposing the NAS worldwide.
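The DNS option mentioned above, as an added example (not an ACME client, and not FreeNAS, pfSense or certbot code): the part of the ACME dns-01 challenge that shows why it needs no inbound port. The CA gives the client a random token; the client publishes base64url(SHA-256(token "." thumbprint(account key))) in a TXT record at _acme-challenge.<host> and the CA resolves that record over DNS, so nothing ever connects to the NAS. The account key below is constructed filler, not a real key, and the token is constructed:

```python
"""Added example: computing the dns-01 TXT record value (RFC 8555) from an ACME
account key's JWK thumbprint (RFC 7638). Not an ACME client; key material and
token below are constructed filler."""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint input is the JSON of only the required public
# members of the key, members in lexicographic order, with no whitespace.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk):
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token "." thumbprint: the same string every ACME challenge type binds to."""
    return "%s.%s" % (token, jwk_thumbprint(jwk))


def dns01_txt_value(token, jwk):
    """dns-01 publishes the SHA-256 of the key authorization, base64url-encoded."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(identifier, token, jwk):
    """(owner name, TXT rdata) to add before asking the CA to validate,
    and to remove once the order is finalised."""
    return ("_acme-challenge." + identifier.rstrip("."), dns01_txt_value(token, jwk))


def nsupdate_add_line(identifier, token, jwk, ttl=60):
    """The 'update add' line for an nsupdate script (hypothetical host name)."""
    name, value = dns01_record(identifier, token, jwk)
    return 'update add %s. %d IN TXT "%s"' % (name, ttl, value)


# Constructed EC P-256 public key (filler coordinates, not a real key) and a
# constructed token of the shape the CA returns in a challenge object.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
EXAMPLE_TOKEN = "constructed-token-0123456789abcdefghijklmnop"

if __name__ == "__main__":
    print(nsupdate_add_line("nas.example.org", EXAMPLE_TOKEN, EXAMPLE_JWK))
```

The thumbprint deliberately ignores extra JWK members such as "alg" or "kid", so the same account key always yields the same thumbprint whatever else the client stores alongside it. The TXT value is a hash of the key authorization rather than the key authorization itself, which is why DNS responses leak nothing usable to anyone reading the zone.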