[Sticky] How to generate Let's encrypt Certificate with AMCE Shell Script (amce.sh) on TrueNAS SCALE
I was exiting to see that TrueNAS SCALE included ACME DNS-Authenticator. However, iXsystems chose to only include Cloudflare and route53 (aka AWS) DNS API was some what a disappointment. Cloudflare and route53 are not really a popular domain providers for personal use. Although Cloudfare is more affordable compare to AWS, it's still more expensive than most domain provider. I don't see any reason not to include all the DNS API already supported by ACME shell script. Even pfSense included all DNS API in pfSense + (pfSense paid product). For full list of DNS API supported by AMCE shell script, please visit amce.sh official page: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
You can watch the tutorial on YouTube for more detailed instruction:
The first step is to update your network setting. Under Network > Global Configuration. You can change your Hostname and Domain from here. By default, domain name is set as local. You will need to change it to a Fully Qualified Domain Name (FQDN) as shown below:
You would need to restart your system for the Hostname change and domain name change to take effect. Once your TrueNAS restarted, the next step is to install the acme.sh shell script using the below command:
curl https://get.acme.sh | sh -s firstname.lastname@example.org
Use the ACME DNS API wiki to determine what the correct syntax for your Domain service provider:
The syntax below is for ClouDNS API
# Use this for a sub auth ID export CLOUDNS_SUB_AUTH_ID="XXXXX" # Use this for a regular auth ID export CLOUDNS_AUTH_ID="XXXXX" export CLOUDNS_AUTH_PASSWORD="YYYYYYYYY"
Make sure to put the credential in the quotation mark " "
The next step is to request a certificate from Let's Encrypt server by using the below command:
acme.sh --issue --dns dns_your --keylength 4096 -d truenasscale.sysadmin102.tech
Replace dns_your with your DNS API listed on the ACME Wiki. You can skipped the --keylength 4096 if you wish toy use the default setting
If everything runs smoothly, you screen should have something similar to the screenshot below:
Next, you will need to generate a API Key on TrueNAS to deploy the certificate.
After you generate the API Key, copy it, we will need it to deploy the certs on TrueNAS
You will need the python script written by a user named danb35@TrueNAS to deploy the certificate. You will clone his certificate to your TrueNAS using the command below:
git clone https://github.com/danb35/deploy-freenas
Once you've downloaded the script, you'll need to create a configuration file called deploy_config. The git repo has an example (deploy_config.example) which you can copy and modify, or you can write your own from scratch.
Open the deploy_config.example and save as deploy_config using nano text editor.
Remove the # in front of api_key and add the API key that you generated earlier
Add # in front of password = YourSuperSecurePassword#@#$* to disable the password option.
Next, you will deploy the certificate using the below command:
acme.sh --install-cert -d truenasscale102.tech --reloadcmd "~/deploy-freenas/deploy_freenas.py"
Once the command is successfully ran, you will get the message "Certificate import successfully." Your Web Service will restart.
Log in after the system restarted. Then, navigate to System Settings > GUI > Settings and enable Web Interface HTTP -> HTTPS Redirect.
The system will restart Web Service, once it restarted, you will no longer see the red line over the lock icon because your certificate is signed by ZeroSSL.
Lastly, you need to create a Cron Job to renew the certificate automatically. Navigate to the System Settings > Advanced > Add. Disregard the Warning message by selecting "Close."
Under the description box: enter whatever describe the job. Under the command enter the below command:
Congratulation, you have successfully deployed Let's encrypt Certificate on your TrueNAS.
Official ACME Github: https://github.com/acmesh-official/acme.sh
Official ACME DNS API Wiki: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Credit to danb35@TrueNAS. Link to the original post: https://www.truenas.com/community/resources/lets-encrypt-with-freenas-11-1-and-later.82/