Lets Encrypt jail
Setup for a Let's Encrypt service jail with iocage.
On FreeNAS
Create jail:
Datasets
On FreeNAS, create the user and group acme, with GID/UID 169.
In the web UI, create the datasets to mount:
letsencrypt
  letsencrypt Data
    mountpoint:
      /var/db/acme/
      /mnt/tank/data/database/letsencrypt/acme
  certs
    mountpoints:
      /mnt/certs/<cert>
      couchpotato.ramsden.network
        /mnt/certs/couchpotato.ramsden.network
        /mnt/tank/data/database/letsencrypt/certs/couchpotato.ramsden.network
      emby.ramsden.network
        /mnt/certs/emby.ramsden.network
        /mnt/tank/data/database/letsencrypt/certs/emby.ramsden.network
      lilan.ramsden.network
        /mnt/certs/lilan.ramsden.network
        /mnt/tank/data/database/letsencrypt/certs/lilan.ramsden.network
      sabnzbd.ramsden.network
        /mnt/certs/sabnzbd.ramsden.network
        /mnt/tank/data/database/letsencrypt/certs/sabnzbd.ramsden.network
      sickrage.ramsden.network
        /mnt/certs/sabnzbd.ramsden.network
        /mnt/tank/data/database/letsencrypt/certs/sabnzbd.ramsden.network
      syncthing.ramsden.network
        /mnt/certs/syncthing.ramsden.network
        /mnt/tank/data/database/letsencrypt/certs/syncthing.ramsden.network
Have the acme user own the dataset tank/data/database/letsencrypt/acme.
Mount /mnt/tank/data/database/letsencrypt/acme to /var/db/acme/.
Mount the certs under /var/db/acme/certs/
Nullfs mount datasets in jail:
letsencrypt data:
Setup directories for certs:
Mount the directories:
Check fstab:
Start jail and enter.
Jail
In the jail, update all packages and install acme.sh.
Switch to the 'acme' user, which renews the certificates on a cron job, and add configuration.
Issue cert
Add the acme user to the le group in FreeNAS and in the jail.
Recursively chown the certs directory in FreeNAS to acme:le.
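A check to run on the FreeNAS host after the recursive chown, as an added example that is not part of the original page: it reports anything under the certs dataset that is not owned by acme:le, is accessible to other users, or is a private key the group can modify. The function name audit_certs and the *.key file naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page).
# Assumptions: owner and group default to acme and le as used on this page;
# private keys are assumed to be installed with a .key suffix.

# audit_certs ROOT [OWNER] [GROUP]
# Prints one "REASON path" line per finding.
# Returns 0 if clean, 1 if findings were printed, 2 if ROOT is missing.
audit_certs() {
    root=$1 owner=${2:-acme} group=${3:-le}
    [ -d "$root" ] || { echo "MISSING $root"; return 2; }

    findings=$(
        # Anything not owned by the expected user or group.
        # find exits non-zero on an unknown user or group name; report that
        # instead of silently treating the tree as clean.
        find "$root" ! -user "$owner" -exec echo "OWNER" {} \; \
            || echo "ERROR cannot check owner $owner"
        find "$root" ! -group "$group" -exec echo "GROUP" {} \; \
            || echo "ERROR cannot check group $group"
        # Files or directories with any read, write or execute bit for "other".
        # Symlinks are skipped because their own mode bits are not enforced.
        find "$root" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo "WORLD" {} \;
        # Private keys that members of the group could overwrite.
        find "$root" -type f -name '*.key' -perm -020 \
            -exec echo "KEYWRITE" {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage on the host, with the certs dataset path from this page:
#   audit_certs /mnt/tank/data/database/letsencrypt/certs
```

A clean tree prints nothing; directories at mode 750 and files at 640 pass, since only acme and members of le can then read the keys.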
Set Install Location
Now, to set the install location for the certificates use the installcert command, for example:
Cert deploy location: /etc/certificates
Various Services
Various services need their certificates installed to different locations, and some of them need some changes. There are a few that I change from the default.
Emby
Emby needs a PKCS #12 file. To convert, the certificate key, the certificate and the CA certificate are needed.
Set deploy location
Install directory in jail: /var/db/emby-server/ssl
Cron:
Crontab from FreeNAS:
You probably want renewals to start from a crontab so they get done every month. I use the following script to renew my various services: