@SamEureka
Last active February 26, 2024 12:58
Install Let's Encrypt certs on TrueNAS Core or SCALE using ACME.sh deploy hooks


This information was spread out on several forum posts, blogs, wikis... etc. This gist is intended to collect all that information in one place so I don't have to dig it all up again. If you find it useful please leave a comment.

pre reqs

  • You need to have a working install of TrueNAS Core or SCALE. (I prefer SCALE... it is just better)
  • All of the following commands are performed in the shell on the NAS. (zsh is my preferred shell, these will work in bash)
  • You need an API key from your DNS provider (my example is Digital Ocean) and an API key for your NAS. See the official documentation for instructions on generating them. (not in the scope of this gist)
  • Your own domain

Install ACME.sh (one of the best scripts ever written)

acme.sh on Github Wiki Install instructions

TL;DR

Using curl: curl https://get.acme.sh | sh -s email=my@example.com

Using wget: wget -O - https://get.acme.sh | sh -s email=my@example.com

Create your certificates

In this step you will generate a cert for your server. Stick to Let's Encrypt. ACME.sh defaults to ZeroSSL but the certs it creates did not work for me.

Presto generato!

Create an environment variable for your DNS provider API key (example is Digital Ocean)

export DO_API_KEY=yourDO-API-KEYhere

Make Let's Encrypt your default CA

acme.sh --set-default-ca --server letsencrypt

Issue the certificate

acme.sh --issue -d your.domain.here --dns dns_dgon

Deploy the cert on TrueNAS Core/SCALE Server

When I did this on the Core server there were additional steps to select the certificate for use in the gui. SCALE just did it and it worked right away. SCALE for the win!

Push it, push it real good

Create some env variables

export DEPLOY_TRUENAS_APIKEY=theAPI_KEYyouGENERATED_IN_THE_WEB_UI

The following two variables are optional and will default to the example values if you don't create them. (I always create them anyway. I have trust issues)

export DEPLOY_TRUENAS_HOSTNAME=localhost

(Optional, defaults to localhost)

export DEPLOY_TRUENAS_SCHEME=http

(Optional, defaults to http, set alternatively to https)

acme.sh --insecure --deploy -d your.domain.here --deploy-hook truenas

(I think if you change the SCHEME variable to https you can leave off the --insecure flag. But I am not 100% on that and I did not test it)
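A preflight check for the variables above, as an added example that is not part of the original gist or of acme.sh: it refuses to run the deploy command when the API key is missing, the scheme is not http or https, or plain http would carry the key to a host other than the NAS itself. The function names and return codes are this example's own, and the defaults are the ones stated above.

```shell
# Preflight for the DEPLOY_TRUENAS_* variables (added example, not from acme.sh).

# is_loopback HOST: succeed only for names that stay on this machine.
is_loopback() {
  case "$1" in
    localhost|127.0.0.1|::1|"[::1]") return 0 ;;
    *) return 1 ;;
  esac
}

# truenas_preflight: validate the variables before calling the deploy hook.
# Return codes are this example's own convention:
#   0 ok, 1 API key missing, 2 unknown scheme, 3 plain http to a remote host
truenas_preflight() {
  host="${DEPLOY_TRUENAS_HOSTNAME:-localhost}"  # default stated in the gist
  scheme="${DEPLOY_TRUENAS_SCHEME:-http}"       # default stated in the gist

  if [ -z "${DEPLOY_TRUENAS_APIKEY:-}" ]; then
    echo "DEPLOY_TRUENAS_APIKEY is not set" >&2
    return 1
  fi
  case "$scheme" in
    http|https) ;;
    *)
      echo "DEPLOY_TRUENAS_SCHEME must be http or https, got '$scheme'" >&2
      return 2
      ;;
  esac
  # Over plain http the API key is only protected while it stays on loopback.
  if [ "$scheme" = "http" ] && ! is_loopback "$host"; then
    echo "refusing http to '$host': set DEPLOY_TRUENAS_SCHEME=https" >&2
    return 3
  fi
  return 0
}

# deploy_truenas DOMAIN: run the gist's deploy command only after the checks pass.
deploy_truenas() {
  truenas_preflight || return $?
  acme.sh --insecure --deploy -d "$1" --deploy-hook truenas
}

# Usage: deploy_truenas your.domain.here
```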

Conclusions and refs

If you did this on TrueNAS SCALE... you can now type in your fqdn (assuming you have taken steps for it to resolve correctly) and shit just works. I do not remember where the settings were in Core to get the Let's Encrypt cert installed as the GUI cert. I think it was in somewhere... maybe.

Enjoy life! You now have https goodness!

Refs (Notice there are not any TrueNAS refs... they only officially support CloudFlare and Route53)


momon commented Feb 26, 2024

Thank you for this. I've been looking for a simpler way to manage SSL on my TrueNAS and this looks promising. I'm carving out some time this weekend to test it out. Appreciate it!
