Add Let's Encrypt Support for Certs
We are going to introduce native Let's Encrypt integration to the FreeNAS system. This will allow users to use Let's Encrypt as a CA from which they can obtain/renew certs. Implementation-specific details are being considered right now and this ticket will be updated as they are finalized.
The risk is breaking the cert section as a whole and other services which use the cert section, like setting up HTTPS in System->General.
When this is complete, end users should be able to obtain/renew certs from Let's Encrypt, and other services which rely on the cert section should function properly, like setting up HTTPS in System->General or maybe setting up WebDAV over HTTPS.
#6 Updated by Andrew Meyer over 1 year ago
Since you're considering implementation details now, I'd like to submit a couple extra points for consideration:
1. It'd be nice if this feature would work with any ACME server, not just Let's Encrypt. This would be good for future-proofing in case more CAs start supporting ACME, and it'd allow getting certs from the Let's Encrypt staging instance for testing.
2. The DNS validation method should be modular to allow for interacting with the APIs of many different DNS providers. (For an example, check out how the ACME.sh client handles this: https://github.com/Neilpang/acme.sh/tree/master/dnsapi ) Once this feature is in place, I'd be happy to contribute support for the DNS provider I use.
It looks like this is planned to use DNS validation, which I think is a good call--HTTP validation would require that port 80 on the FreeNAS server be open to the Internet, which is generally discouraged. The big problem with DNS validation is API support for the DNS provider--and as a result, the GUI work needed to properly define the fields for all the supported DNS APIs.
If you haven't already considered these, I'd like to suggest two things that would make this much more valuable for the userbase:
1. iXSystems could host its own instance of acme-dns (https://github.com/joohoi/acme-dns). This would allow users with just about any DNS host to still use automated DNS validation--they'd only need to set up one, static CNAME record pointing to your validation domain, and between the client and your acme-dns instance, the rest would be taken care of. Benefit to the users is that, as long as they can set up that CNAME record, they can do this with just about any DNS provider. Benefit to you is that you might be able to get away with only supporting a single DNS API.
2. Since Let's Encrypt only provides certs for public domains, I'd suggest you provide domain names--I'm thinking this would work somewhat like what Synology does, that you'd give subdomains (perhaps user.freenasusers.com or something). To avoid rate limit, cross-site cookie, and other issues, you'd want to add that domain to the Public Suffix List. Combining with the first suggestion, you could create the CNAME record when the user registered for their subdomain.
The obvious downside to both of these is that they require you to host the respective services on an ongoing basis. But without (especially) the first, an awful lot of users won't be able to take advantage of this feature.
I would like an option to run the DNS validation as a plugin or a service. It avoids exposing the FreeNAS WebUI to the Internet, as most FreeNAS systems are running behind a firewall. Otherwise the WebUI is exposed to the internet already. The port for DNS validation can be mapped to just a different IP or port on the NAT.
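The dns-01 mechanics the thread is discussing, as an added example (this is not FreeNAS or iXsystems code): the TXT record value an ACME client has to publish for a challenge token (RFC 8555 section 8.4, built on the RFC 7638 account-key thumbprint), and how a validator's resolver reaches that record when the user's `_acme-challenge` name is a single static CNAME pointing at an acme-dns style host. The account key, token, domain and acme-dns hostname below are constructed placeholders, and the "zone" is a plain dictionary standing in for real DNS.

```python
"""
RFC 8555 dns-01: compute the TXT value to publish, then check it the way a
validator would, following a CNAME from _acme-challenge.<domain> to an
acme-dns record.  Added example; all key material and names are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members of the key type, keys in
    lexicographic order, compact JSON, SHA-256, base64url.  Extra members such
    as 'alg' or 'use' must not change the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT content for _acme-challenge.<domain>:
    base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Return the TXT strings at `name`, following CNAMEs like a resolver.
    `zone` maps owner name -> {"CNAME": target} or {"TXT": [strings]}."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = zone.get(name, {})
        if "TXT" in rrset:
            return list(rrset["TXT"])
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return []          # NXDOMAIN / no data: challenge cannot be satisfied
    raise ValueError("too many CNAME hops")


def challenge_satisfied(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA checks: the expected value is present among the TXT records
    reached from _acme-challenge.<domain>."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in resolve_txt(zone, f"_acme-challenge.{domain}")


# --- constructed sample data (not from the ticket, not a real key) ---
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "cGxhY2Vob2xkZXIteC1jb29yZGluYXRlLW5vdC1hLXJlYWwta2V5",  # placeholder
    "y": "cGxhY2Vob2xkZXIteS1jb29yZGluYXRlLW5vdC1hLXJlYWwta2V5",  # placeholder
    "alg": "ES256", "use": "sig",  # ignored by the thumbprint on purpose
}
TOKEN = "constructed-token-0123456789abcdefABCDEF_-"          # placeholder
DOMAIN = "nas.example.com"                                    # placeholder
ACME_DNS_NAME = "0000-constructed-0000.auth.acme-dns.example" # placeholder


def build_zone(txt_values) -> dict:
    """The one-time static CNAME lives at the user's DNS host; only the acme-dns
    record changes at each renewal, via the acme-dns API."""
    return {
        f"_acme-challenge.{DOMAIN}": {"CNAME": ACME_DNS_NAME},
        ACME_DNS_NAME: {"TXT": list(txt_values)},
    }


if __name__ == "__main__":
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f"publish TXT at {ACME_DNS_NAME}: {value}")
    print("fresh record validates:", challenge_satisfied(build_zone([value]), DOMAIN, TOKEN, ACCOUNT_JWK))
    print("stale record validates:", challenge_satisfied(build_zone(["old-value"]), DOMAIN, TOKEN, ACCOUNT_JWK))
```

The CNAME hop is what makes the acme-dns approach provider-agnostic: the user's DNS provider only ever holds the static CNAME, so the client needs one API (acme-dns) instead of one per provider. The stale-record case is the common renewal failure; a client should publish, wait for the new TXT to be visible from an outside resolver, and only then tell the CA to validate.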