Last week my LetsEncrypt certificate expired on FreeNAS which effectively locked me out of my FreeNAS UI when using Chrome (my default browser). Thinking perhaps that I had forgotten something during my upgrade to FreeNAS 11.2 I set out to figure out what the problem was, only to realize two things: one, I hadn't setup a cronjob to renew and two, I didn't blog about it.
Usually I write blogs primarily for my benefit on these things so that I can go back and look at some of the things I've done. So this is an attempt to repair that and record information for future-me, although perhaps it will be helpful for some of you as well.
To start with, I use CloudFlare for DNS for the domain I use for home. For the moment lets assume I use
annvix.com for home and we'll also assume that the hostname for my FreeNAS server is
freenas.annvix.com (neither are obviously true).
The first step is to install the acme.sh client on the FreeNAS server. You could go through a bunch of hoops by installing it in a dedicated jail, etc. but I opted not to. Instead I have it installed as the root user on my FreeNAS server and it ends up in
/root/.acme.sh/. Second, install the deploy-freenas python script; it ends up as
/root/deploy_freenas.py. Create the config file as described, mine lives in
The instructions for using acme.sh with CloudFlare are pretty simple; I'm not going to repeat them here. I chose to use CloudFlare because it's free and has an API which makes this all very simple and very transparent.
The end result is you should have a config file in
/root/.acme.sh/freenas.annvix.com/freenas.annvix.com.conf and the only thing really to point out is that you want it to contain this:
Le_ReloadCmd='/root/deploy_freenas.py --config /root/.deploy_config'
That reload command will automatically update the FreeNAS web UI with the new certificate. Note that it doesn't remove certificates, so you might want to manually prune them every once in a while in the FreeNAS web UI.
Finally, and the big part that I missed, is you want to enable a cronjob to run this every day. This should be done via the web UI. In the web UI navigate to Tasks then Cron Jobs. Add a new daily task that runs:
/root/.acme.sh/acme.sh --cron --home /root/.acme.sh
I'll know in March whether or not it works, but I'm pretty sure it will. You should be able to see the certificate listed in the web UI in System then Certificates. This is also where you'll want to prune any old certificates.
Next I'm going to look at how to use LetsEncrypt with Plex since I hate seeing the "Not Secure" label whenever I go to the Plex UI. This time I'll be sure to blog about it.