Let’s Encrypt certificate with DNS challenge on TrueNAS VM

If your TrueNAS CORE or SCALE box sits on a local network behind a router and possibly a firewall, getting a publicly trusted certificate usually means combining dynamic DNS with port forwarding, which is not complicated but is not exactly easy either. In this article we set up a Let's Encrypt certificate using the DNS challenge on a TrueNAS VM or jail. The DNS challenge proves control of the domain through a TXT record, so the certificate validation itself needs no inbound port open; the port forwarding below is only there so the site is reachable from the internet afterwards.

Why a VM rather than a jail? No particular reason: everything in this article works in a jail too, and the jail-specific commands are given wherever they differ.

Why no-ip? Because most ISPs hand out a dynamic public IP. If you have a static IP you don't need no-ip's dynamic DNS updates, only a DNS provider where you can create TXT records for your domain.

Tools

  • Ubuntu 22.04 (Jammy Jellyfish) VM or a FreeBSD jail
  • Apache
  • No-ip service with custom domain
  • Custom domain app.my-domain.com

Port forwarding and no-ip setup

In your router/firewall, in the port forwarding (NAT) section, forward ports 80 and 443 to your VM/jail's IP address on the same ports. This only makes the web server reachable from the internet; the DNS challenge does not use these ports. The router's DDNS (Dynamic DNS) section is where the no-ip update client is configured, which is the next step.

I have used a dummy IP in the table below.

IP            Internal port   External port
192.168.1.50  80              80
192.168.1.50  443             443

Now open the noip.com website and log in to your account or create one. Using no-ip's managed DNS for a custom domain requires the paid monthly package.

If you created a new account, follow no-ip's step-by-step setup guide to configure the dynamic DNS update client on your router.

To use your custom domain, add it in the Managed DNS section; this is where the TXT record for the challenge will be created later.

Once all set, head over to your TrueNAS.

Apache virtualhost

This is optional, but if you haven't installed Apache and created a vhost file yet, do that first. The 443 virtual host section is added once the certificate exists.

Certbot installation

If you are on Ubuntu VM install certbot with:

snap install certbot --classic

Inside a jail:

pkg install certbot

SSL certificate and update no-ip

We are going to get a wildcard certificate, for example *.my-domain.com, so that a future sub domain does not require going through the DNS TXT challenge again. Note that a wildcard covers app.my-domain.com and any other single-label sub domain, but not the bare my-domain.com; add a second `-d my-domain.com` to the command if you need that as well (it gets its own TXT value at the same _acme-challenge name).

certbot certonly --manual --preferred-challenges dns -d "*.my-domain.com"

When asked for an email address, enter a real one (expiry notices are sent there) and answer the remaining prompts.

Certbot then prints the TXT record you have to create: the name, _acme-challenge.my-domain.com, and a validation value (a random token).

Don’t press Enter yet.

Go back to no-ip and create a TXT record with that name and value in the TXT record section for your domain. Wait a few minutes for propagation and check from the terminal with `dig TXT _acme-challenge.my-domain.com`. The value shown must match what certbot printed exactly; the token is different every time you run certbot, so a stale record from an earlier attempt will fail validation.
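Rather than re-running dig by hand, the helper below (an added example, not part of the original post) computes the `_acme-challenge` name for a plain or wildcard domain, parses the `dig +short TXT` output, and polls a public resolver until the value certbot printed is actually visible, so you only press Enter once the record has propagated. It assumes `dig` is installed (`dnsutils` on Ubuntu, `bind-tools` in a FreeBSD jail); the domain, token and resolver in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: wait until the _acme-challenge TXT record certbot asked for
# is visible on a public resolver. Not part of the original article.

# Build the challenge record name. A wildcard "*.my-domain.com" is validated at
# _acme-challenge.my-domain.com (the leading "*." is dropped), the same name
# the bare domain uses.
challenge_name() {
    d="$1"
    d=${d#"*."}
    printf '_acme-challenge.%s\n' "$d"
}

# Return 0 if the expected token appears among the TXT values read from stdin.
# `dig +short TXT` prints each record as one line of double-quoted strings; a
# long value may be split into several quoted chunks on one line, so quotes
# and the separating spaces are removed to rejoin the chunks before comparing.
# Unquoted lines (CNAME targets, error text) never match.
txt_contains() {
    expected="$1"
    while IFS= read -r line; do
        case "$line" in
            \"*) value=$(printf '%s' "$line" | sed 's/"//g; s/ //g') ;;
            *)   continue ;;
        esac
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# Poll a resolver (default 1.1.1.1, assumed reachable) until the record is
# live or the retry budget is spent. 30 tries x 20 s = 10 minutes.
wait_for_txt() {
    name=$(challenge_name "$1")
    expected="$2"
    resolver="${3:-1.1.1.1}"
    tries="${4:-30}"
    while [ "$tries" -gt 0 ]; do
        if dig +short TXT "$name" "@$resolver" | txt_contains "$expected"; then
            echo "TXT $name carries the expected value; press Enter in certbot"
            return 0
        fi
        tries=$((tries - 1))
        sleep 20
    done
    echo "gave up waiting for TXT $name" >&2
    return 1
}

# Usage (placeholders): wait_for_txt '*.my-domain.com' 'token-from-certbot'
# Certbot exports the same two pieces of information to a --manual-auth-hook
# as CERTBOT_DOMAIN and CERTBOT_VALIDATION, so the helper can be reused there.
```

Run it in a second terminal while certbot is waiting at the "Press Enter" prompt. Querying a public resolver rather than `localhost` matters: your router or TrueNAS may cache a negative answer for the name, and Let's Encrypt validates from the outside.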

Once the record is confirmed, press Enter in the VM/jail. If the record was correct, the certificate is issued and stored under /etc/letsencrypt/live/ on the Ubuntu VM or /usr/local/etc/letsencrypt/live/ in a FreeBSD jail; `certbot certificates` lists the exact paths. Then add a 443 virtual host section to the Apache vhost file and reload Apache.
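The vhost below is an added example, not the original page's configuration. It assumes the Ubuntu VM layout, that certbot stored the lineage under /etc/letsencrypt/live/my-domain.com (certbot drops the `*.` from a wildcard name when naming the directory; confirm with `certbot certificates`, and use /usr/local/etc/letsencrypt in a jail), that the site lives in /var/www/app, and that `mod_ssl` and `mod_headers` are enabled (`a2enmod ssl headers`).

```apache
# Added example (not from the original article): app.my-domain.com served with
# the wildcard certificate. Paths are assumptions, see the note above.

<VirtualHost *:80>
    ServerName app.my-domain.com
    # Serve nothing over plain HTTP; send every request to HTTPS.
    Redirect permanent / https://app.my-domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.my-domain.com
    DocumentRoot /var/www/app

    SSLEngine on
    # fullchain.pem includes the intermediate; chain.pem alone is not enough.
    SSLCertificateFile    /etc/letsencrypt/live/my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain.com/privkey.pem

    # Legacy protocol versions off; TLS 1.2 and 1.3 only.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Tell browsers to stick to HTTPS for this host for a year.
    Header always set Strict-Transport-Security "max-age=31536000"

    # APACHE_LOG_DIR comes from Debian/Ubuntu's envvars; use an absolute
    # path such as /var/log/httpd-app-error.log in a FreeBSD jail.
    ErrorLog  ${APACHE_LOG_DIR}/app-error.log
    CustomLog ${APACHE_LOG_DIR}/app-access.log combined
</VirtualHost>
```

Check the file with `apachectl configtest` before reloading. Because the files under `live/` are symlinks that certbot repoints at each renewal, Apache only picks up a renewed certificate after a reload, which is why the renewal jobs below should trigger one.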

Auto renew certificate

I will show you two methods; use either of them. One caveat first: a certificate obtained with --manual and no hook script cannot be renewed unattended. Every renewal needs a fresh TXT value, and `certbot renew` refuses to run the manual plugin non-interactively unless --manual-auth-hook is given. So either re-run the certonly command by hand before the 90-day expiry, or supply --manual-auth-hook (and --manual-cleanup-hook) with a script that creates the record through your DNS provider's API. The scheduled jobs below are still worth having: they attempt the renewal and log the failure if the hook is missing.

1- Custom cronjob

crontab -e

Paste the following to attempt renewal at 4:30 AM every day. Minute and hour are separate fields, so the value is `30 4`, not `30/4` (which would run every four minutes from :30 to :58). Cron runs with a minimal PATH, so use the full path to certbot: /snap/bin/certbot on the Ubuntu VM, /usr/local/bin/certbot in a jail (where the reload command is `service apache24 reload`). On Ubuntu the certbot snap already installs a systemd timer, snap.certbot.renew.timer, that runs `certbot renew` twice a day, so this cron job is redundant there.

30 4 * * * /snap/bin/certbot renew --quiet --deploy-hook "systemctl reload apache2"

2- System cron (FreeBSD jail)

The certbot package installs a weekly periodic script. Enable it by adding the following line to /etc/periodic.conf. Apache still has to be reloaded after a successful renewal (`service apache24 reload`) to pick up the new files.

weekly_certbot_enable="YES"