ACME Certificate on TrueNas with Digital Ocean DNS Challenge

At the time of writing, TrueNas only supports the Route 53 DNS challenge for ACME certificates.

Go to Network -> Global Configuration, ensure that the Hostname is set to the fully qualified domain name (FQDN) that you wish to use.

I am going to be using the certificate for the S3 service too. Ensure the S3 service is configured to use a hostname and certificate. Go to Services -> S3 -> Edit. Set the certificate to the default one. Set the hostname to the FQDN you wish to use for S3.

Install acme.sh

curl https://get.acme.sh | sh -s email=...

Set up the DNS options; see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for more information. I am using Digital Ocean, so I need to set a DO_API_KEY.

export DO_API_KEY="..."

The scripts below assume your TrueNas is hosted on nas.example.com and the S3 service on s3.example.com. Substitute your own domain names.

Request a certificate from Let’s Encrypt:

.acme.sh/acme.sh --issue --dns dns_dgon -d nas.example.com -d s3.example.com

To enable the certificate to be loaded into TrueNas, generate an API key. Go to Settings Cog -> API Keys -> Add.

Clone the deploy-freenas script from danb35; we will use this to upload the certificate into TrueNas.

cd .acme.sh
git clone https://github.com/danb35/deploy-freenas

Create a deploy_config to configure what the deploy-freenas script does. This requires the TrueNas API Key we generated earlier. My deploy_config is as follows:

[deploy]
api_key = ...
s3_enabled = true

I am setting s3_enabled as I want to use the certificate for the S3 service.

We can now deploy the certificate by adding deploy_freenas as a hook to acme.sh. Use --force to regenerate a certificate even if renewal isn’t required.

.acme.sh/acme.sh --issue --dns dns_dgon -d nas.example.com -d s3.example.com --reloadcmd ".acme.sh/deploy-freenas/deploy_freenas.py" --force

Add a cron job that will renew the cert as required. The script should be:

/root/.acme.sh/acme.sh --cron
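As an added example that is not part of the original post, the script below writes the deploy_config with owner-only permissions (the file holds the TrueNas API key in plaintext) and builds the issue command with absolute paths, so the --reloadcmd hook that acme.sh stores in the domain conf still resolves when acme.sh --cron replays it from an arbitrary working directory. It assumes acme.sh lives under /root/.acme.sh (override with ACME_HOME) and that deploy_config sits in the cloned deploy-freenas directory.

```shell
#!/bin/sh
# Added example, not code from the original post or from deploy-freenas.
# Assumption: acme.sh is installed under $ACME_HOME (default /root/.acme.sh)
# and deploy-freenas was cloned into $ACME_HOME/deploy-freenas.
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"

# write_deploy_config DIR API_KEY [S3_ENABLED]
# Creates DIR/deploy_config readable only by its owner, so the TrueNas API
# key is not exposed to other local users. Prints the path of the file.
write_deploy_config() {
    dir="$1"; api_key="$2"; s3="${3:-true}"
    [ -n "$api_key" ] || { echo "api_key must not be empty" >&2; return 1; }
    mkdir -p "$dir" || return 1
    cfg="$dir/deploy_config"
    # umask 077 in a subshell: the file is created 0600 from the start
    ( umask 077
      printf '[deploy]\napi_key = %s\ns3_enabled = %s\n' "$api_key" "$s3" > "$cfg" ) || return 1
    chmod 600 "$cfg"   # also tighten a pre-existing, wider-permissioned file
    echo "$cfg"
}

# build_issue_cmd DOMAIN...
# Prints the acme.sh invocation for the given domains. Both acme.sh and the
# deploy hook are referenced by absolute path, because acme.sh saves the
# --reloadcmd value and re-runs it on renewal, where the cwd is unknown.
build_issue_cmd() {
    [ "$#" -gt 0 ] || { echo "at least one domain required" >&2; return 1; }
    cmd="$ACME_HOME/acme.sh --issue --dns dns_dgon"
    for d in "$@"; do cmd="$cmd -d $d"; done
    echo "$cmd --reloadcmd \"$ACME_HOME/deploy-freenas/deploy_freenas.py\""
}

# Example usage when run directly (values are placeholders):
#   write_deploy_config "$ACME_HOME/deploy-freenas" "TRUENAS_API_KEY_PLACEHOLDER"
#   build_issue_cmd nas.example.com s3.example.com
```

Run the printed command once with --force appended to deploy immediately; afterwards the existing acme.sh --cron job renews and redeploys without further arguments.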
