Feature #25355

Add an ACME certbot tool

Added by Tim Witteveen about 3 years ago. Updated almost 3 years ago.

Status: Closed: Duplicate
Priority: Important
Assignee: William Grzybowski
Category: Forums/Websites
Target version:
Estimated time:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:

Description

Some of my users have Chromebooks, and getting them to trust the Self-Signed certificate, or the "unknown CA certificate", can be challenging. Managing SSL certificates, expiration, revocation, etc., is hard to do well. Updating all the clients when I have to rebuild the SSL certificate gets to be painful.

I would like to see a tool like Let's Encrypt ACME deployed on FreeNAS. I use one on my PFSense system (another FreeBSD-based tool) and it greatly simplified managing my SSL certificates. https://letsencrypt.org/docs/client-options/


Related issues

Related to FreeNAS - Feature #36403: Add Let's Encrypt Support for Certs (Ready for Testing)
Has duplicate FreeNAS - Feature #24182: make it possible to automate certificate renewal in FreeNAS (Closed)

History

#1 Updated by Sean Fagan about 3 years ago

That would require the server be accessible on the public internet, which is not recommended for FreeNAS systems.

#2 Updated by Dru Lavigne about 3 years ago

  • Assignee changed from Release Council to Kris Moore

Over to Kris for consideration.

#3 Updated by Tim Witteveen about 3 years ago

Running ACME in a jail, or Docker, and having a cron job run once a day to import the certificate from the container storage seems like a small risk considering the risks of poorly managing SSL certs.

PFSense further reduces the risk by running this service on its own port, and only runs the service when the cronjob updates the certificate.

Allowing the users to specify the port ACME is listening on will allow them to use port forwarding to further mitigate internet facing services.

Thanks.

#4 Updated by Kris Moore about 3 years ago

  • Status changed from Unscreened to Screened
  • Assignee changed from Kris Moore to Suraj Ravichandran
  • Priority changed from No priority to Important
  • Target version set to 11.2-BETA1

We need to have some further discussion on the whole way certs are managed now anyway, considering S3 object services very often will be exposed publicly. Throwing this into the queue for 11.2 and assigning to Suraj. (Suraj, let's discuss this in the next couple days)

#5 Updated by Grzegorz Krzystek almost 3 years ago

Sean Fagan wrote:

That would require the server be accessible on the public internet, which is not recommended for FreeNAS systems.

Not exactly,
there are multiple host validation options like DNS entry change (e.g. nsupdate) or a standalone ACME server that is started on demand, so it can be done quite securely, without exposing the NAS worldwide.

#6 Updated by Dru Lavigne almost 3 years ago

  • Assignee changed from Suraj Ravichandran to William Grzybowski

William: please load balance between Vladimir and Nikola.

#7 Updated by William Grzybowski almost 3 years ago

  • Status changed from Screened to Closed: Duplicate

#8 Updated by William Grzybowski almost 3 years ago

  • Has duplicate Feature #24182: make it possible to automate certificate renewal in FreeNAS added

#9 Updated by Dru Lavigne almost 3 years ago

  • Target version changed from 11.2-BETA1 to N/A

#10 Updated by Waqar Ahmed about 2 years ago

  • Related to Feature #36403: Add Let's Encrypt Support for Certs added
