
Section X: TrueNAS: ACME / Let's Encrypt #35

@coolaj86

Description


Important Overview

  1. The root user and the TrueNAS admin user (truenas_admin) must each have a valid email address (it is registered with the ACME account for ToS acceptance and renewal/expiry notices)
    https://tns1.example.com/ui/credentials/users
  2. Create a permanent dataset for truenas_admin (or another user to act as ACME admin)
    https://tns1.example.com/ui/datasets/tank1
  3. Clone (or download) acme.sh
    mkdir -p /mnt/tank1/truenas_admin/.local/opt/
    cd /mnt/tank1/truenas_admin/.local/opt/
    git clone https://github.com/acmesh-official/acme.sh.git
    (dns providers will be in /mnt/tank1/truenas_admin/.local/opt/acme.sh/dnsapi/dns_*.sh)
  4. Copy (and modify) /mnt/tank1/truenas_admin/bin/custom-acme-sh (below)
  5. Follow https://www.youtube.com/watch?v=TJ5fDiDRcbU
    • Credentials => Certificates
    • Add ACME DNS-Authenticators (authenticator type "shell", with the path to custom-acme-sh)
    • Add Certificate Signing Request
    • 🔧 to Create ACME Certificate
  6. Change the GUI certificate https://tns1.example.com/ui/system/general

Custom ACME Script

acme.sh (cloned in step 3): /mnt/tank1/truenas_admin/.local/opt/acme.sh/acme.sh

/mnt/tank1/truenas_admin/bin/custom-acme-sh (make it executable and owner-only, e.g. chmod 700, because it embeds the DNS API token in plain text):

#!/bin/bash
# DO NOT set -e or set -u: acme.sh is not strict and sourcing it would cause an early exit.
#
# TrueNAS invokes a "shell" DNS authenticator as:
#   custom-acme-sh set   <domain> <validation_name> <validation_content>
#   custom-acme-sh unset <domain> <validation_name> <validation_content>
# so $1 is the action, $3 the TXT record name and $4 the TXT record value.

### CHANGE ME

# DNS API authentication. See the details for your provider: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
export PROVIDER="dns_dnsimple" # Find the provider script in the 'dnsapi' folder
export DNSimple_OAUTH_TOKEN="dnsimple_o_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Generally the same

export ACME_FOLDER="/mnt/tank1/truenas_admin/.local/opt/acme.sh" # Change this path to reflect your environment
export ACME_DNSAPI="${ACME_FOLDER}/dnsapi"

# Logfile (next to this script). umask 077 keeps it, and anything acme.sh writes, owner-only.
umask 077
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
LOGFILE="${SCRIPT_DIR}/acmeShellAuth.log"

### FUNCTIONS
_log_output() {
        echo "$(date "+[%a %b %d %H:%M:%S %Z %Y]") $1" >> "${LOGFILE}"
}

### MAIN
# Create the log before the first write so it exists with mode 0600 (0500 would not be writable by the owner)
if [ ! -f "${LOGFILE}" ]; then
        touch "${LOGFILE}"
        chmod 600 "${LOGFILE}"
fi
_log_output "INFO Script started."

# Folder validation, before sourcing anything from it
if [ ! -d "${ACME_FOLDER}" ]; then
        _log_output "ERROR Invalid acme folder: ${ACME_FOLDER}"
        exit 1 # 'return' only works inside a function or a sourced script; TrueNAS executes this script
fi

# acme.sh provides the _get/_post/_info helpers that every dnsapi module relies on
source "${ACME_FOLDER}/acme.sh" > /dev/null 2>&1
source "${ACME_DNSAPI}/${PROVIDER}.sh" > /dev/null 2>&1

# Main
if [ "${1}" == "set" ]; then
        echo "${PROVIDER}_add ${3} ${4}" >> "${LOGFILE}"
        "${PROVIDER}_add" "${3}" "${4}" >> "${LOGFILE}" 2>&1
elif [ "${1}" == "unset" ]; then
        echo "${PROVIDER}_rm ${3} ${4}" >> "${LOGFILE}"
        "${PROVIDER}_rm" "${3}" "${4}" >> "${LOGFILE}" 2>&1
else
        _log_output "ERROR Unknown action: ${1}"
        exit 2
fi

_log_output "INFO Script finished."

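Before wiring the hook into TrueNAS it is worth exercising the set/unset contract offline. The following is an added example, not code from the page, from TrueNAS or from acme.sh: it builds a throwaway tree with a stand-in acme.sh, a constructed stub provider (dns_stub.sh) that records calls instead of talking to a DNS API, and a hook that mirrors custom-acme-sh but takes ACME_FOLDER, PROVIDER and LOGFILE from the environment (an assumption made so the fixture can live in a temp directory). It then drives the hook the way TrueNAS does and checks that the hook and its log are owner-only, since the real hook embeds the DNS API token.

```shell
#!/bin/sh
# Added example (not from the page, TrueNAS or acme.sh): offline dry run of the
# TrueNAS "shell" DNS-authenticator contract, which calls the hook as
#   hook set   <domain> <validation_name> <validation_content>
#   hook unset <domain> <validation_name> <validation_content>
# Assumptions: stub acme.sh/dns_stub.sh are constructed here; the hook reads
# ACME_FOLDER/PROVIDER/LOGFILE from the environment instead of hardcoding them.

# Build a throwaway tree: stub acme.sh, stub provider, and the hook under test.
make_fixture() {
  work="$(mktemp -d)"
  mkdir -p "$work/acme.sh/dnsapi" "$work/bin"
  # Stand-in for acme.sh: only the helpers the stub provider calls.
  cat >"$work/acme.sh/acme.sh" <<'EOF'
_info() { printf '[info] %s\n' "$*"; }
_err()  { printf '[err] %s\n' "$*" >&2; }
EOF
  # Stub provider with the dns_<name>_add / dns_<name>_rm entry points acme.sh
  # expects; it appends each call to STUB_STATE instead of calling a DNS API.
  cat >"$work/acme.sh/dnsapi/dns_stub.sh" <<'EOF'
dns_stub_add() { _info "add TXT $1"; printf 'add %s %s\n' "$1" "$2" >>"$STUB_STATE"; }
dns_stub_rm()  { _info "rm TXT $1";  printf 'rm %s %s\n'  "$1" "$2" >>"$STUB_STATE"; }
EOF
  # Hook under test: same set/unset dispatch as custom-acme-sh, owner-only log via umask.
  cat >"$work/bin/hook" <<'EOF'
#!/bin/sh
PROVIDER="${PROVIDER:-dns_stub}"
ACME_FOLDER="${ACME_FOLDER:?set ACME_FOLDER}"
LOGFILE="${LOGFILE:-$(dirname "$0")/acmeShellAuth.log}"
umask 077
. "$ACME_FOLDER/acme.sh" >/dev/null 2>&1
. "$ACME_FOLDER/dnsapi/$PROVIDER.sh" >/dev/null 2>&1
case "$1" in
  set)   "${PROVIDER}_add" "$3" "$4" >>"$LOGFILE" 2>&1 ;;
  unset) "${PROVIDER}_rm"  "$3" "$4" >>"$LOGFILE" 2>&1 ;;
  *)     echo "usage: $0 set|unset domain validation_name validation_content" >&2; exit 2 ;;
esac
EOF
  chmod 700 "$work/bin/hook"
  echo "$work"
}

# Drive the hook the way TrueNAS does (set, then unset) and print what the "DNS API" received.
dry_run() {
  work="$1"; dom="$2"; val="$3"
  export STUB_STATE="$work/stub.state" ACME_FOLDER="$work/acme.sh" LOGFILE="$work/hook.log"
  : >"$STUB_STATE"
  "$work/bin/hook" set   "$dom" "_acme-challenge.$dom" "$val" || return 1
  "$work/bin/hook" unset "$dom" "_acme-challenge.$dom" "$val" || return 1
  cat "$STUB_STATE"
}

# The real hook embeds a DNS API token and the log records every validation value,
# so both must be owner-only. Returns 0 when the mode has no group/other bits.
is_owner_only() {
  mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

W="$(make_fixture)"
dry_run "$W" example.com 'ConstructedTxtValue_0123456789'   # constructed sample TXT value
is_owner_only "$W/bin/hook" && is_owner_only "$W/hook.log" && echo "hook and log are owner-only"
cat "$W/hook.log"
rm -rf "$W"
```

To test the real custom-acme-sh instead, point the same set/unset invocations at it with a throwaway name under a zone you control, then confirm the TXT record appears and is removed again; run is_owner_only against the script and its acmeShellAuth.log before handing the path to TrueNAS.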
ENVs (optional acme.sh settings that can be exported from the script):

export LOG_FILE="CHANGE_ME"
export NO_TIMESTAMP=
export OUTPUT_INSECURE=
# ACCOUNT_CONF_PATH must not be exported as an empty value (acme.sh needs a real path): export ACCOUNT_CONF_PATH=

Certificate Process

Add DNS Authenticator


Issue CSR


Issue Cert


Switch GUI Cert

