Damien Plenard

Dad 👶 Neurodivergent 🧠 Site Reliability Engineer at @Mollie 💻 Twitch Affiliate 🎥 Pokémon trainer 👾 Octoling worker at Grizzco Industries 🐙 Also French 🇫🇷

1 minute read

At home, my trusty HP N54L serves as my NAS, powered by TrueNAS Core 13. However, one lingering concern was the lack of encryption for its web UI. Eager to enhance security, I sought a solution and discovered the effectiveness of Let’s Encrypt certificates, specifically through the use of acme.sh.

Requirements

Before diving into the configuration process, ensure you have a TrueNAS Core server, an existing DNS zone on Cloudflare, and a designated sub-domain for your NAS.

Installing acme.sh

To begin, access the shell on your TrueNAS server either through the web UI or SSH with the root user. While it’s generally discouraged to pipe curl into a shell, the most straightforward method to install acme.sh on your TrueNAS is to use the following command:

curl https://get.acme.sh | sh -s email=[email protected]

Creating Your First Certificate

As my NAS is not exposed to the internet, I opted for DNS verification. For Cloudflare users, an API Token needs to be created on your account: dash.cloudflare.com/profile/api-tokens. The token must have the following permissions on your zone: DNS:Read and DNS:Edit.

Once the token is generated, use the following command to create your certificate. Retrieve your Account & Zone ID from your Cloudflare zone overview:

setenv CF_Account_ID <Cloudflare Account ID>
setenv CF_Zone_ID <Cloudflare Zone ID>
setenv CF_Token <Cloudflare API Token>
/root/.acme.sh/acme.sh --issue -d <nas sub-domain> --dns dns_cf

acme.sh will store your token and IDs on disk for future renewals.

Deploying Your Certificate on TrueNAS

The final step involves deploying your certificate to TrueNAS using its API. Start by creating an API Key from your web UI. Subsequently, deploy your certificate with the following commands:

setenv DEPLOY_TRUENAS_APIKEY <TrueNAS API key>
/root/.acme.sh/acme.sh --insecure --deploy -d <nas sub-domain> --deploy-hook truenas

By following these steps, you can bolster the security of your TrueNAS server by configuring a Let’s Encrypt certificate, ensuring encrypted communication for your NAS web interface.

You May Also Enjoy

Install OpenBSD on a remote server

less than 1 minute read

This week-end, I was upgrading my secondary dns server from OpenBSD 6.0 to OpenBSD 6.1 on a Digi ONE server from Digicube, a french hosting provider.