Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command : sudo certbot certonly --webroot
It produced this output : Input the webroot for ravendellnas.zapto.org: (Enter 'c' to cancel): /var/www/ravendellnas.zapto.org/web
Waiting for verification...
Challenge failed for domain ravendellnas.zapto.org
http-01 challenge for ravendellnas.zapto.org
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version) :
The operating system my web server runs on is (include version): truenas 12.2
My hosting provider, if applicable, is: no-ip
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.3.0
I think you’re right, and this is probably the right way to go. I have already spent a few hours trying to get that script to work, as I saw it somewhere else earlier, but the instructions were a bit above me and I most likely didn’t have it set up right, causing a similar error, I believe.
I've seen people say this a few times, and I really don't understand where the idea comes from that "my" script (only mine in that I initially hacked it together; most of the code comes from others) is in any way official--it's a user-contributed script. The only thing that's "official" is the built-in support for DNS validation using a very limited set of DNS hosts (I believe only one).
Also, my script really doesn't have anything to do with obtaining certs, only installing them--though the rest of the resource does address obtaining them.
No, there is no such setting in TrueNAS; it simply isn't designed or intended to be used in this way.
NEVER, UNDER ANY CIRCUMSTANCES, EXPOSE THE FREENAS/TRUENAS GUI TO THE INTERNET. It isn't designed for that, it isn't secured for that, and you're just asking for your server to be compromised. If you need to access the GUI from outside your LAN, use a VPN.
...but without actually asking any questions in the place where that script is discussed. Why?
Now, in-depth discussion or troubleshooting on the use of the script would probably be better done in the discussion thread for that script. And I don't even know how you got certbot installed in the base TrueNAS system; you shouldn't be able to install any software there. But for a few basics--since your DNS provider doesn't have a supported API, you'll need to:
1. Create a jail.
2. In that jail, install socat and bash (pkg install bash socat nano), acme.sh (as described in the resource linked above), and my script (also as described in that resource). Yes, if you really want to use certbot instead of acme.sh you can, but I can't imagine why you'd want to.
3. On your router, forward port 80 to the IP address of that jail, rather than to your TrueNAS box.
4. In the jail, configure the script with the correct IP address for your TrueNAS box, and other relevant parameters.
5. In the jail, run acme.sh --issue -d fqdn_of_freenas_box --standalone --reloadcmd "/path/to/deploy_freenas.py"
Follow up in that thread if you have further questions.
It's the top search result in Google and hosted on the official TrueNAS website as a resource. Seemed official enough to me. You most likely have worlds more experience with this product than anyone else here regularly.
It really isn't; the TrueNAS forums would be much better. But in short, you create a jail with a static IP address--that should be all that matters. Release doesn't really matter, though I'd think you'd want to use the latest (12.2). The only real requirement for the jail is that it be there so you can install other software and have something other than the GUI listening on port 80.
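A pre-flight check for the http-01 webroot attempt at the top of this thread, added here as an example; it is not part of any post above or of the script discussed. It writes a probe file under the webroot's /.well-known/acme-challenge/ directory (the path http-01 validation requests) and confirms that the server answering at a given URL returns that file. The name probe_webroot and its arguments are assumptions made for this example.

```python
import os
import secrets
import urllib.error
import urllib.request

# Directory that http-01 validation requests, relative to the webroot.
ACME_DIR = os.path.join(".well-known", "acme-challenge")


def probe_webroot(webroot, base_url, timeout=5):
    """Return (ok, detail): does base_url serve files written under webroot?"""
    name = "probe-" + secrets.token_hex(8)   # random name, cannot collide with a real token
    body = secrets.token_hex(16)             # random content, so a stale file cannot match
    challenge_dir = os.path.join(webroot, ACME_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, name)
    with open(path, "w") as fh:
        fh.write(body)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    # Go direct, ignoring proxy environment variables, so the target host answers.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            served = resp.read(4096).decode("utf-8", "replace").strip()
        if served == body:
            return True, "webroot is served at " + base_url
        return False, "port answered, but not with the file from this webroot"
    except urllib.error.HTTPError as exc:
        # An error status here means a different server or document root answered.
        return False, "HTTP %d from %s" % (exc.code, url)
    except (urllib.error.URLError, OSError) as exc:
        return False, "no HTTP answer: %s" % exc
    finally:
        os.remove(path)  # never leave the probe file behind


if __name__ == "__main__":
    import sys
    # Usage: python3 probe.py <webroot> <base_url>
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it on the machine that holds the webroot, passing the webroot path and the http:// URL of the host that port 80 is forwarded to. A FAIL with an HTTP status means something other than that directory is answering on port 80.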