Greetings friends, the other day I showed you how to deploy FreeNAS 11.x on a vSphere environment, which can be perfectly reproduced in Hyper-V, or in any other Hypervisor or physical, or in Cloud.
One of the most important things in this type of cases, is to have security when we activate space sharing services, whether FTP, Object Storage, etc.. That’s why today, we’re going to see how to deploy a Let’s Encrypt SSL Certificate over FreeNAS 11.x.
SSH connection to our FreeNAS 11.x
The first step will be to be able to access our FreeNAS via SSH, for this we will go to the services part, and in SSH, we will click on Actions to edit the options:Several options here, the most important in my case is to allow root login, since I have no more users: Once we have the configuration as we want, we will enable the service and also tell it to start automatically, if we want to access often by SSH, not really recommended:
Installing Let’s Encrypt packages and requesting our SSL certificate
Once we are connected by SSH, we will download the acme package, which allows us to automate calls to Let’s Encrypt:
curl https://get.acme.sh | sh
In addition, we will download the following GitHub repository that contains the script that allows us to do this automatically, thanks to Danb35:
git clone https://github.com/danb35/deploy-freenas
Once downloaded everything, we will have to edit the file called deploy_config.example and rename it to deploy_config, to the document we will have to add our password, and that will be the only change we will make.
cp /root/deploy-freenas/deploy_config.example /root/deploy-freenas/deploy_config nano /root/deploy-freenas/deploy_config
Now that we have almost everything ready, we will return to the main root folder and launch the following commands, in my case I am using CloudFlare for my domain, so we can obtain an SSL certificate very easily using DNS authentication, which this script does automatically, we must know our FQDN for our FreeNAS, in my case freenas.jorgedelacruz.es:
cd /root bash export CF_Key="NUESTRAKEYDECLOUDFLARE" export CF_Email="[email protected]" # The email address we use in CloudFlare .acme.sh/acme.sh --issue -d ELFQDNDETUFREENAS --dns dns_cf --reloadcmd "/root/deploy-freenas/deploy_freenas.py"
Once we launch this command well, we can see a result similar to this one:
[Sat Aug 3 09:44:15 PDT 2019] Create account key ok. [Sat Aug 3 09:44:15 PDT 2019] Registering account [Sat Aug 3 09:44:16 PDT 2019] Registered [Sat Aug 3 09:44:17 PDT 2019] ACCOUNT_THUMBPRINT='uYM' [Sat Aug 3 09:44:17 PDT 2019] Creating domain key [Sat Aug 3 09:44:17 PDT 2019] The domain key is here: /root/.acme.sh/freenas.jorgedelacruz.es/freenas.jorgedelacruz.es.key [Sat Aug 3 09:44:17 PDT 2019] Single domain='freenas.jorgedelacruz.es' [Sat Aug 3 09:44:17 PDT 2019] Getting domain auth token for each domain [Sat Aug 3 09:44:17 PDT 2019] Getting webroot for domain='freenas.jorgedelacruz.es' [Sat Aug 3 09:44:18 PDT 2019] Adding txt value: gr-ctRr for domain: _acme-challenge.freenas.jorgedelacruz.es [Sat Aug 3 09:44:19 PDT 2019] Adding record [Sat Aug 3 09:44:20 PDT 2019] Added, OK [Sat Aug 3 09:44:20 PDT 2019] The txt record is added: Success. [Sat Aug 3 09:44:20 PDT 2019] Let's check each dns records now. Sleep 20 seconds first. [1;31;32m0[0m [Sat Aug 3 09:44:42 PDT 2019] Checking freenas.jorgedelacruz.es for _acme-challenge.freenas.jorgedelacruz.es [Sat Aug 3 09:44:42 PDT 2019] Domain freenas.jorgedelacruz.es '_acme-challenge.freenas.jorgedelacruz.es' success. [Sat Aug 3 09:44:42 PDT 2019] All success, let's return [Sat Aug 3 09:44:42 PDT 2019] Verifying: freenas.jorgedelacruz.es [Sat Aug 3 09:44:45 PDT 2019] [1;31;32mSuccess[0m [Sat Aug 3 09:44:45 PDT 2019] Removing DNS records. [Sat Aug 3 09:44:45 PDT 2019] Removing txt: gr-ctRr for domain: _acme-challenge.freenas.jorgedelacruz.es [Sat Aug 3 09:44:46 PDT 2019] Removed: Success [Sat Aug 3 09:44:46 PDT 2019] Verify finished, start to sign. [Sat Aug 3 09:44:46 PDT 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/6270/8308 [Sat Aug 3 09:44:48 PDT 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0311 [Sat Aug 3 09:44:49 PDT 2019] [1;31;32mCert success.[0m -----BEGIN CERTIFICATE----- MIIFaDCCBFCgAwIBAgISAxHnDytpXEcvMstuUfbEFWbEMA0GCSqGSIb3DQEBCwUA ME... qzyM8YsqdEMSRMkUsPc1WH9gGzyWb1y8L8hzPajy9KZtKe9GwyFWtvpWwUo= -----END CERTIFICATE----- [Sat Aug 3 09:44:49 PDT 2019] Your cert is in /root/.acme.sh/freenas.jorgedelacruz.es/freenas.jorgedelacruz.es.cer [Sat Aug 3 09:44:49 PDT 2019] Your cert key is in /root/.acme.sh/freenas.jorgedelacruz.es/freenas.jorgedelacruz.es.key [Sat Aug 3 09:44:49 PDT 2019] The intermediate CA cert is in /root/.acme.sh/freenas.jorgedelacruz.es/ca.cer [Sat Aug 3 09:44:49 PDT 2019] And the full chain certs is there: /root/.acme.sh/freenas.jorgedelacruz.es/fullchain.cer [Sat Aug 3 09:44:49 PDT 2019] Run reload cmd: /root/deploy-freenas/deploy_freenas.py Certificate import successful Certificate list successful Setting active certificate successful [Sat Aug 3 09:44:51 PDT 2019] [1;31;32m Reload success
We see how the script has taken care of everything, from creating the DNS entry, to making the request to Let’s Encrypt, downloading the SSL, and including it in the paths for FreeNAS to see.
Change the interface of FreeNAS 11.x to be accessible only from HTTPS
We will go through HTTP and FQDN or IP to our FreeNAS, up to System – General, and change the interface to HTTPS and select Let’s Encrypt SSL Certificate:Once we have saved the changes, access by HTTPS://TUNOMBREDEFREENAS.TUDOMINIO.COM and we can see the long-awaited green padlock, if we explore we can see that is a valid SSL certificate:If we want to see the details, here we can see the FQDN that I use with my valid SSL.Congratulations! We have everything ready and securely to start offering NAS services securely, I hope you like the article.
I leave you the whole menu with the entries on FreeNAS:
- FreeNAS: Initial installation and configuration of FreeNAS 11.x as VM within vSphere
- FreeNAS: Enable and configure Object Storage in FreeNAS 11.x compatible with S3 APIs – Based on MinIO
- FreeNAS: How to Deploy a Let’s Encrypt SSL Certificate in FreeNAS 11.x and HTTPS Configuration
- FreeNAS: Configure Veeam Backup Repository Object Storage connected to FreeNAS (MinIO) and launch Capacity Tier