
Feature #36403

Add Let's Encrypt Support for Certs

Added by Waqar Ahmed over 1 year ago. Updated 8 months ago.

Status:
Ready for Testing
Priority:
No priority
Assignee:
Waqar Ahmed
Category:
Middleware
Target version:
Estimated time:
(Total: 0.00 h)
Severity:
Medium
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Description

We are going to introduce native Let's Encrypt integration to the FreeNAS system. This will allow users to use Let's Encrypt as a CA from which they can obtain/renew certs. Implementation-specific details are being considered right now, and this ticket will be updated as they are finalized.

Risk
The risk is breaking the cert section as a whole, and with it other services which use the cert section, such as setting up HTTPS in systems -> general.

Acceptance Criteria
When this is complete, end users should be able to obtain/renew certs from Let's Encrypt, and other services which rely on the cert section should function properly, such as setting up HTTPS in systems -> general or possibly setting up WebDAV over HTTPS.


Subtasks

Feature #38719: Add Python packages needed for ACME integration (Done, William Grzybowski)

Related issues

Related to FreeNAS - Feature #33594: Certificate management is complex for an appliance, add Let's Encrypt feature to get/renew certificate for the web interface. (Closed)
Related to FreeNAS - Feature #24182: make it possible to automate certificate renewal in FreeNAS (Closed)
Related to FreeNAS - Feature #25355: Add an ACME certbot tool (Closed: Duplicate, 2017-07-28)
Related to FreeNAS - Feature #33405: Notify when SSL certificate is about to expire (Closed)
Related to FreeNAS - Feature #55986: Add support for ACME certs in new UI (Closed)
Related to FreeNAS - Bug #64197: iXsystems should host it's own instance of acme-dns (Closed)
Related to FreeNAS - Feature #62655: Add support for ECDSA private keys and parsing certificate attributes (Ready for Testing)

Associated revisions

Revision b46c7a9f (diff)
Added by Waqar Ahmed over 1 year ago

ACME basic Service set up

This commit adds some models for ACME registration and sets up a few basic services which will make ACME work.

Ticket: #36403

Revision f59fff54 (diff)
Added by Waqar Ahmed about 1 year ago

ACME basic Service set up

This commit adds some models for ACME registration and sets up a few basic services which will make ACME work.

Ticket: #36403

Revision 30458424 (diff)
Added by Waqar Ahmed about 1 year ago

ACME basic Service set up

This commit adds some models for ACME registration and sets up a few basic services which will make ACME work.

Ticket: #36403

Revision 38b55eec (diff)
Added by Waqar Ahmed about 1 year ago

ACME basic Service set up

This commit adds some models for ACME registration and sets up a few basic services which will make ACME work.

Ticket: #36403

Revision db2a6add (diff)
Added by Waqar Ahmed about 1 year ago

ACME basic Service set up

This commit adds some models for ACME registration and sets up a few basic services which will make ACME work.

Ticket: #36403

Revision e261c238 (diff)
Added by Waqar Ahmed about 1 year ago

ACME basic Service set up

This commit adds some models for ACME registration and sets up a few basic services which will make ACME work.

Ticket: #36403

Revision 18672649 (diff)
Added by Waqar Ahmed about 1 year ago

ACME native integration in FreeNAS (#1477)

ACME Native Integration

This commit adds a native ACME client which we can use with any ACME server. It uses DNS challenges, and right now only support for the route53 DNS provider has been added.

Ticket: #36403

History

#1 Updated by Waqar Ahmed over 1 year ago

  • Related to Feature #33594: Certificate management is complex for an appliance, add Let's Encrypt feature to get/renew certificate for the web interface. added

#2 Updated by Waqar Ahmed over 1 year ago

  • Related to Feature #24182: make it possible to automate certificate renewal in FreeNAS added

#3 Updated by Waqar Ahmed over 1 year ago

#4 Updated by Waqar Ahmed over 1 year ago

  • Related to Feature #33405: Notify when SSL certificate is about to expire added

#5 Updated by Waqar Ahmed over 1 year ago

  • Status changed from Unscreened to In Progress

#6 Updated by Andrew Meyer over 1 year ago

Since you're considering implementation details now, I'd like to submit a couple extra points for consideration:

1. It'd be nice if this feature would work with any ACME server, not just Let's Encrypt. This would be good for future-proofing in case more CAs start supporting ACME, and it'd allow getting certs from the Let's Encrypt staging instance for testing.

2. The DNS validation method should be modular to allow for interacting with the APIs of many different DNS providers. (For an example, check out how the ACME.sh client handles this: https://github.com/Neilpang/acme.sh/tree/master/dnsapi ) Once this feature is in place, I'd be happy to contribute support for the DNS provider I use.

#8 Updated by Waqar Ahmed about 1 year ago

  • Status changed from In Progress to Ready for Testing
  • Needs Merging changed from Yes to No

#9 Updated by Dru Lavigne about 1 year ago

  • Related to Feature #55986: Add support for ACME certs in new UI added

#10 Updated by Dan Brown 12 months ago

It looks like this is planned to use DNS validation, which I think is a good call--HTTP validation would require that port 80 on the FreeNAS server be open to the Internet, which is generally discouraged. The big problem with DNS validation is API support for the DNS provider--and as a result, the GUI work needed to properly define the fields for all the supported DNS APIs.

If you haven't already considered these, I'd like to suggest two things that would make this much more valuable for the userbase:

1. iXSystems could host its own instance of acme-dns (https://github.com/joohoi/acme-dns). This would allow users with just about any DNS host to still use automated DNS validation--they'd only need to set up one, static CNAME record pointing to your validation domain, and between the client and your acme-dns instance, the rest would be taken care of. Benefit to the users is that, as long as they can set up that CNAME record, they can do this with just about any DNS provider. Benefit to you is that you might be able to get away with only supporting a single DNS API.

2. Since Let's Encrypt only provides certs for public domains, I'd suggest you provide domain names--I'm thinking this would work somewhat like what Synology does, that you'd give subdomains (perhaps user.freenasusers.com or something). To avoid rate limit, cross-site cookie, and other issues, you'd want to add that domain to the Public Suffix List. Combining with the first suggestion, you could create the CNAME record when the user registered for their subdomain.

The obvious downside to both of these is that they require you to host the respective services on an ongoing basis. But without (especially) the first, an awful lot of users won't be able to take advantage of this feature.

#11 Updated by Larry Rosenman 12 months ago

I'd like to see nsupdate support for the DNS validation, as that's how I do all my acme.sh certs on other boxes. I can provide MY nsupdate key in the GUI or whatever, and point it to my authoritative server.

#12 Updated by Waqar Ahmed 11 months ago

  • Related to Bug #64197: iXsystems should host it's own instance of acme-dns added

#13 Updated by Janus Ng 11 months ago

I would like an option to run the DNS validation as a plugin or a service. It avoids exposing the FreeNAS WebUI to the Internet.

As most FreeNAS are running behind a firewall. Otherwise the WebUI is exposed to the internet already. The port for DNS validation can be mapped to just a different IP or port on the NAT.

#14 Updated by Dan Brown 11 months ago

DNS validation would be contacting your domain's DNS servers, not your FreeNAS box, so firewalls shouldn't be an issue.
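Comments #6, #10 and #14 between them describe the dns-01 flow this ticket settles on: a pluggable DNS provider, an acme-dns style CNAME delegation so that the credential held on the NAS can only touch one record, and a CA that queries the domain's DNS rather than the NAS itself. The Python below is an added example, not FreeNAS middleware code and not acme-dns's client; it computes the TXT value the CA looks for (RFC 8555 section 8.4 with the RFC 7638 key thumbprint) and models DNS as an in-memory table so both the client and the CA side can be run offline. The account key, the delegated name d3f1c7e0.auth.acme-dns.example., the domain nas.example.com and the zone records are all constructed, and the DnsProvider and AcmeDnsProvider names are hypothetical.

```python
"""ACME dns-01 validation with a pluggable DNS provider and acme-dns style CNAME delegation.

Added example, not FreeNAS code. All keys, names and DNS records are constructed.
"""
import base64
import hashlib
import json
from typing import Dict, List, Protocol, Tuple

# Everything the validating CA's resolver can see: (owner name, RR type) -> rdata list.
Zone = Dict[Tuple[str, str], List[str]]

# Constructed: the one name the user's acme-dns registration is allowed to write to.
DELEGATED_NAME = "d3f1c7e0.auth.acme-dns.example."

# Constructed placeholder account key; only its thumbprint encoding is exercised here.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-not-a-real-modulus", "alg": "RS256"}


def build_example_dns() -> Zone:
    """Constructed DNS state: the user's zone delegates its challenge name via one static CNAME."""
    return {("_acme-challenge.nas.example.com.", "CNAME"): [DELEGATED_NAME]}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint)) (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def canonical_name(name: str, zone: Zone, max_hops: int = 8) -> str:
    """Follow CNAMEs as a resolver would; the hop bound rejects loops and runaway chains."""
    for _ in range(max_hops):
        targets = zone.get((name, "CNAME"))
        if not targets:
            return name
        name = targets[0]
    raise ValueError("CNAME chain too long or looping")


def lookup_txt(name: str, zone: Zone) -> List[str]:
    """TXT rdata at the canonical name, i.e. what the CA's query returns."""
    return list(zone.get((canonical_name(name, zone), "TXT"), []))


class DnsProvider(Protocol):
    """Pluggable provider interface: one implementation per DNS API (Route53, nsupdate, acme-dns, ...)."""
    def set_txt(self, name: str, value: str) -> None: ...
    def delete_txt(self, name: str, value: str) -> None: ...


class AcmeDnsProvider:
    """acme-dns backed provider: its credential is scoped to a single delegated name, so a
    credential leaked from the NAS cannot alter the rest of the user's zone."""

    def __init__(self, zone: Zone, delegated_name: str) -> None:
        self.zone, self.delegated_name = zone, delegated_name

    def set_txt(self, name: str, value: str) -> None:
        if name != self.delegated_name:
            raise PermissionError(f"acme-dns registration only covers {self.delegated_name}")
        self.zone.setdefault((name, "TXT"), []).append(value)

    def delete_txt(self, name: str, value: str) -> None:
        if name == self.delegated_name and value in self.zone.get((name, "TXT"), []):
            self.zone[(name, "TXT")].remove(value)


def publish(domain: str, token: str, account_jwk: Dict[str, str], provider: DnsProvider, zone: Zone) -> str:
    """Client side: write the TXT value where the challenge name ultimately resolves, and return it."""
    challenge_name = f"_acme-challenge.{domain}."
    value = dns01_txt_value(token, account_jwk)
    provider.set_txt(canonical_name(challenge_name, zone), value)
    return value


def ca_validates(domain: str, token: str, account_jwk: Dict[str, str], zone: Zone) -> bool:
    """CA side: query the domain's DNS (never the NAS itself) and compare against the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in lookup_txt(f"_acme-challenge.{domain}.", zone)


if __name__ == "__main__":
    dns = build_example_dns()
    acme_dns = AcmeDnsProvider(dns, DELEGATED_NAME)
    token = "constructed-challenge-token"
    print("before publish:", ca_validates("nas.example.com", token, ACCOUNT_JWK, dns))
    print("published TXT :", publish("nas.example.com", token, ACCOUNT_JWK, acme_dns, dns))
    print("after publish :", ca_validates("nas.example.com", token, ACCOUNT_JWK, dns))
```

Without a CNAME at _acme-challenge.<domain>, canonical_name() returns the challenge name itself and a provider for the user's own DNS API (such as the route53 one the associated commit mentions) would write there directly; with the CNAME in place the same client code writes only to the delegated acme-dns name, which is the credential-scoping benefit behind the acme-dns suggestion. The CA side only ever reads from the zone table, which is the point made in comment #14: no inbound connection to the NAS is involved.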

#15 Updated by Dru Lavigne 10 months ago

  • Target version changed from 11.3 to 11.3-BETA1

#16 Updated by Dru Lavigne 10 months ago

  • Related to Feature #62655: Add support for ECDSA private keys and parsing certificate attributes added
