Lets Encrypt jail

Setup for a letsencrypt service jail with iocage.

On FreeNAS

Create jail:

Datasets

On FreeNAS create user and group acme, GID/UID 169.

In the web UI, create the datasets to mount:

  • letsencrypt

    • letsencrypt Data

      • mountpoint: /var/db/acme/

        • /mnt/tank/data/database/letsencrypt/acme

    • certs

      • mountpoints: /mnt/certs/<cert>

        • couchpotato.ramsden.network

          • /mnt/certs/couchpotato.ramsden.network

          • /mnt/tank/data/database/letsencrypt/certs/couchpotato.ramsden.network

        • emby.ramsden.network

          • /mnt/certs/emby.ramsden.network

          • /mnt/tank/data/database/letsencrypt/certs/emby.ramsden.network

        • lilan.ramsden.network

          • /mnt/certs/lilan.ramsden.network

          • /mnt/tank/data/database/letsencrypt/certs/lilan.ramsden.network

        • sabnzbd.ramsden.network

          • /mnt/certs/sabnzbd.ramsden.network

          • /mnt/tank/data/database/letsencrypt/certs/sabnzbd.ramsden.network

        • sickrage.ramsden.network

          • /mnt/certs/sabnzbd.ramsden.network

          • /mnt/tank/data/database/letsencrypt/certs/sabnzbd.ramsden.network

        • syncthing.ramsden.network

          • /mnt/certs/syncthing.ramsden.network

          • /mnt/tank/data/database/letsencrypt/certs/syncthing.ramsden.network

Have the acme user own the dataset tank/data/database/letsencrypt/acme.

Mount /mnt/tank/data/database/letsencrypt/acme to /var/db/acme/. Mount the certs under /var/db/acme/certs/.

Nullfs mount datasets in jail:

letsencrypt data:

Setup directories for certs:

Mount the directories:

Check fstab:

Start jail and enter.

Jail

In the jail, update all packages and install acme.sh.

Switch to the ‘acme’ user, which renews the certificates from a cron job, and add the configuration.

Issue cert

Add the acme user to the le group in FreeNAS and in the jail.

Recursively chown the certs directory in FreeNAS to acme:le.

Set Install Location

Now, to set the install location for the certificates use the installcert command, for example:

Cert deploy location: /etc/certificates

Various Services

Various services need their certificates installed to different locations, and some of them need some changes. There are a few that I change from the default.

Emby

Emby needs a PKCS #12 file. To convert, the cert, key and CA are needed.
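
One way to do this conversion with the openssl command line, as an added example rather than the command from the original page: it checks that the key belongs to the certificate, builds the bundle, and reads it back before moving it into place. The function names, the `PFX_PASS` variable and the file arguments are assumptions.

```sh
#!/bin/sh
# Added example: bundle certificate, key and CA into a PKCS#12 file.
# Paths are arguments; the passphrase comes from $PFX_PASS (assumed name)
# so it never shows up in the process list.

# key_matches_cert CERT KEY: succeeds only if KEY belongs to CERT
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint PEM: SHA-256 fingerprint of the first certificate in PEM
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# make_pfx CERT KEY CA OUT: write OUT (mode 0600) after verifying it
make_pfx() {
    cert=$1; key=$2; ca=$3; out=$4
    [ -n "${PFX_PASS+set}" ] || { echo "PFX_PASS is not set" >&2; return 1; }
    export PFX_PASS
    key_matches_cert "$cert" "$key" ||
        { echo "key does not match certificate" >&2; return 1; }
    tmp="$out.tmp.$$"
    # Build under a private umask so the bundle is never world-readable.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
          -out "$tmp" -passout env:PFX_PASS ) || { rm -f "$tmp"; return 1; }
    # Read the bundle back and confirm it holds the certificate we put in.
    want=$(cert_fingerprint "$cert")
    got=$(openssl pkcs12 -in "$tmp" -passin env:PFX_PASS -nokeys -clcerts \
              2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "bundle verification failed" >&2
        return 1
    fi
}
```

The key check matters after a renewal: a new certificate paired with a stale key file is rejected before anything is written to the output path.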

Set deploy location

Install directory in jail: /var/db/emby-server/ssl

Cron:

Crontab from freenas:

You probably want renewals to run from a crontab so they get done every month. I use the following script to renew my various services:
