OPNSense – Deploy Let’s Encrypt certificate to TrueNAS CORE or TrueNAS SCALE using Acme webhook

Introduction

This document details the process for deploying an SSL certificate to TrueNAS CORE and TrueNAS SCALE using the deploy hook under the OPNSense Automation Acme plugin. The steps outlined are intended to provide a comprehensive guide for individuals seeking to implement a secure SSL certificate solution for their TrueNAS systems. The procedure is precise and straightforward, ensuring the desired outcome is achieved without complications. By following the instructions outlined in this document, users can successfully deploy SSL certificates to their TrueNAS CORE and TrueNAS SCALE systems, providing an added layer of security to their network infrastructure.

Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:

Ways to support my channel

If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or using the affiliated links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 NextDNS: https://nextdns.io/?from=btsm4vsx 
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ

Step 1: Create a Wildcard Let’s Encrypt or ZeroSSL certificate

You can skip this step if the Let’s Encrypt or ZeroSSL certificate was issued with the wildcard certificate. Otherwise, follow this tutorial to complete step 1: https://sysadmin102.com/2023/05/create-lets-encrypt-wildcard-certificates-on-opnsense-with-acme-client/

** Note: You must have a wildcard certificate if you want your browser to recognize the SSL certificate as valid on the TrueNAS hostname.
For instance, a certificate issued for opnsense.sysadmin102.org is valid only for that subdomain. A wildcard certificate (*.sysadmin102.org) is valid for all subdomains under the sysadmin102.org domain.

Step 2: Obtain TrueNAS API Key

Follow this tutorial to generate a TrueNAS API Key: https://sysadmin102.com/2023/05/how-to-generate-api-keys-on-truenas/

Step 3: Configure the Automation Deploy Hook

3.1. Add a new Automation under Services ‣ ACME Client ‣ Automations.

3.2. Configure the new Automation.
3.2.a. Select Enabled.
3.2.b. Enter a Name for your new automation.
3.2.c. Enter a Description for your new automation.
3.2.d. Select Upload certificate to TrueNAS Core Server under Run Command.
3.2.e. Enter the TrueNAS API key from Step 2.
3.2.f. Under TrueNAS scheme, select HTTPS instead of the default.
3.2.g. Save.
3.2.h. Repeat Step 3.2.a – Step 3.2.g for TrueNAS SCALE.

Step 4: Add Automation to the selected certificate

4.1. Navigate to Services ‣ ACME Client ‣ Certificates.
4.2. Select Edit Certificate.

4.3. Select Deploy to TrueNAS under Automations (the name may vary depending on what you named it in Step 3).
4.4. Save.

Step 5: Enable Web Interface HTTP -> HTTPS Redirect on TrueNAS

TrueNAS CORE

  • Select System ‣ General.
  • Select Web Interface HTTP -> HTTPS Redirect.
  • Select Save.
  • Confirm to Restart Web Service.

TrueNAS SCALE

  • Select System Settings ‣ General ‣ Settings.
  • Select Web Interface HTTP -> HTTPS Redirect.
  • Select Save.

Step 6: Run Automation to deploy certificates to TrueNAS

  • Navigate to Services ‣ ACME Client ‣ Certificates.
  • Select the Run automation icon.
  • Monitor for errors under Services ‣ ACME Client ‣ Log Files.

Step 7: Select Let’s Encrypt certificate and Restart WebUI

TrueNAS CORE

  • Navigate to System ‣ General.
  • Select the Let’s Encrypt certificate (you only need to do this the first time).
  • Select Save.
  • Confirm to Restart Web Service.

TrueNAS SCALE

  • Navigate to System Settings ‣ General ‣ Settings.
  • Select the Let’s Encrypt certificate (you only need to do this the first time).
  • Select Save.
  • Confirm to Restart Web Service.
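Once the WebUI has restarted, the deployment can be confirmed from any machine that trusts the public CA chain. The script below is an added example, not part of this tutorial or of the OPNsense ACME plugin: it connects to the TrueNAS web UI, retrieves the presented certificate with full verification, and checks that its SANs actually cover the TrueNAS hostname (the wildcard rule from the note in Step 1), that the issuer is Let’s Encrypt or ZeroSSL, and how many days remain before expiry. The hostname truenas.sysadmin102.org and the sample certificate dictionary are assumptions constructed for the example.

```python
"""Post-deploy check for the certificate the OPNsense ACME hook pushed to TrueNAS."""
import socket
import ssl
import time

def san_covers(host, san_names):
    """True if a dNSName SAN entry covers host. A wildcard matches exactly one label:
    *.sysadmin102.org covers truenas.sysadmin102.org, not truenas.lab.sysadmin102.org."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name.startswith("*."):
            suffix = name[1:]  # ".sysadmin102.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False

def check_certificate(cert, host, now_ts=None):
    """Evaluate a getpeercert()-style dict: hostname coverage, issuer, expiry."""
    now_ts = time.time() if now_ts is None else now_ts
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)
    return {
        "hostname_covered": san_covers(host, sans),
        "issuer_ok": issuer.get("organizationName") in ("Let's Encrypt", "ZeroSSL"),
        "days_left": days_left,
        "renewal_due": days_left < 30,  # the ACME client should have renewed by now
    }

def fetch_peer_cert(host, port=443):
    """Connect to the TrueNAS web UI with chain and hostname verification; raises on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

SAMPLE_CERT = {  # constructed sample in getpeercert() layout, not a real certificate
    "subjectAltName": (("DNS", "*.sysadmin102.org"), ("DNS", "sysadmin102.org")),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Aug 30 12:00:00 2023 GMT",
}

if __name__ == "__main__":
    import sys  # usage: python check_truenas_cert.py truenas.sysadmin102.org
    target = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(target) if target else SAMPLE_CERT
    print(check_certificate(cert, target or "truenas.sysadmin102.org"))
```

A failed chain or hostname verification in fetch_peer_cert means the automation did not deploy the certificate, or the old self-signed one is still selected in Step 7.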
