Domain Certificates for FreeNAS jail apps

Hi,

I’m brand new to certificate management so please forgive me if my issues and questions make me sound ignorant.

I have set up a personal home server using FreeNAS which is a port of FreeBSD, I believe. The build is FreeNAS-9.3-STABLE-201412090314.

I currently have 7 application jails successfully running. One of these has https set up already, but I’ll be honest and say that I just followed some “cookbook” instructions to set up the openssl in the jail. The jail app with SSL is ownCloud – my family’s personal cloud storage solution. The ownCloud install was done using NGINX, PHP-FPM, and MySQL per this walkthrough: https://forums.freenas.org/index.php?threads/how-to-owncloud-using-nginx-php-fpm-and-mysql.17786/

I currently pay DynDNS.org for a domain that is always synced to my router’s IP. Let’s call it “CostonDomain.net” (for example).

Currently I can go to https: //CostonDomain.net:12808 to access my FreeNAS server’s web GUI, and I can go to https: //CostonDomain.net/owncloud to access my ownCloud server. This works because I configured my router to forward port 443 to the ownCloud server’s IP on my home network and I have port 12808 being forwarded to the FreeNAS WebGUI IP with FreeNAS configured to “listen” for https traffic on that same port.

What I’d like to do is to install the same domain verification certificate from Let’sEncrypt on both of these so whenever I try to access either the FreeNAS GUI or my ownCloud server from outside my home network using https: //CostonDomain.net… I won’t get the browser’s domain not valid error screen.

Is this possible? If so, how do I go about obtaining the certificate? I’m hoping someone reading this is familiar with FreeNAS systems and jails.

I’ve already tried multiple times to follow the tutorials at Let’sEncrypt, but I am doing something wrong.

Again, please forgive my ignorance.

SDC

Yes, perfectly possible although it has a good few steps in it - and I'm not aware of a good "cookbook" set of instructions to help you with this.

Since there are only a very limited number of people involved (I'm assuming just close family accessing your owncloud legitimately), why not just tell your browser that you want to trust the existing certificate, and you shouldn't get asked again (on that browser)?

@serverco,

Thank you for your reply. We use owncloud somewhat like Google drive and occasionally send one time links to folders or files to various people or entities, so it would be nice for them not to have to see and deal with the warning screen and “push through it.” And I don’t want to give each and every one of them instructions to trust my cert.

Also, I’ve tried what you recommended, and it doesn’t seem to always work depending on what platform and what browser is being used. Sometimes, also, adding the certificate in the trusted works, but only for a short time and then something reverts.

If I can figure out how to use Let’sEncrypt, it would be preferable.

I’ll keep on looking into it, and push back here when I’ve figured it out.

Thanks, Sean

Hi Sean,

The easiest may be to use one of the alternative clients - particularly one of the web based ones, to obtain an SSL certificate, then just place that on the NAS replacing the existing self signed cert. That would need manually updating every couple of months, but would at least get you started. It would also enable you to go through the stages of finding out where on the NAS to upload the cert to etc.

Did you ever get this to work? I am currently in the process of building a FreeNAS Server with the Owncloud plugin and I am almost at the point of needing to get my SSL installed. Any help would be very useful.

For future visitors, here’s the official documentation for configuring LetsEncrypt on FreeNAS 11+

As the author of the work cited, thanks, but it isn't "official documentation"--just a user-generated guide. Further, I don't know that it directly addresses the question being raised here, which is how to obtain a cert for applications running in jails--my guide addresses automated deployment of the cert into the FreeNAS web UI itself.

The conceptually simplest way to put certs into jails is to assign them unique hostnames on a domain you own, and use DNS validation to get the cert. You'd have one cert for freenas.yourdomain.tld (for the FreeNAS UI), one for nextcloud.yourdomain.tld (for Nextcloud, of course), and so forth for any other jailed apps you wanted. Deployment of the certs would depend on the application; you could use my script to deploy the cert to FreeNAS itself, a simple webserver restart (in the jail) for Nextcloud, and whatever else is indicated for any other applications.

The other option would be to put everything behind a reverse proxy, put the cert on that, and direct traffic based on the path. I don't have any experience with that, though, so wouldn't be able to help further.
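Added example (not part of the post above or of the guide it mentions): with one cert per hostname, a post-deployment check inside each jail can confirm that the PEM file actually covers the name that jail serves and is not close to expiry. The function names, the 90-day sample lifetime and the throwaway self-signed cert are assumptions constructed for the demo; it needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Check a deployed PEM certificate against the hostname a jail serves.

# Constructed sample input: a throwaway self-signed cert for one hostname.
make_sample_cert() {   # usage: make_sample_cert <hostname> <days> <out.pem>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3.key" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -days "$2" -out "$3" 2>/dev/null
    rm -f "$3.key"     # the private key is not needed for these checks
}

# Prints one of: ok | name-mismatch | expiring | unreadable
check_cert() {         # usage: check_cert <cert.pem> <hostname> <min_days_left>
    pem=$1 host=$2 min_days=$3
    # Reject files that are missing or do not parse as a certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    # -checkhost reports whether the cert's names cover the hostname.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null \
            | grep -q "does match certificate"; then
        echo name-mismatch; return 1
    fi
    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# Demo on the constructed cert, using the placeholder hostnames from the post.
demo_dir=$(mktemp -d)
make_sample_cert nextcloud.yourdomain.tld 90 "$demo_dir/nextcloud.pem"
check_cert "$demo_dir/nextcloud.pem" nextcloud.yourdomain.tld 30
check_cert "$demo_dir/nextcloud.pem" freenas.yourdomain.tld 30
rm -rf "$demo_dir"
```

Run from cron in each jail with the real certificate path, the non-zero exit status flags a cert that was copied to the wrong jail or that a renewal failed to replace.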

Thanks danb35, I didn’t realize it wasn’t official but I see now upon review. I found this post searching for putting a cert on the FreeNAS UI from within a jail… Hopefully it can still help some wayward websearchers.