updates

danb35 · danb35 · commit 16fd9e971c22 · 2025-03-08T12:59:36.000-05:00
diff --git a/README.md b/README.md
@@ -10,6 +10,20 @@ This version of this script is a work in progress, and has had minimal testing.
 # Known issues
 Connections to the Websocket API will fail if you have a HTTP -> HTTPS redirect enabled, either in TrueNAS itself or in some other system (e.g., Traefik) in front of TrueNAS.  This results from an [issue](https://github.com/truenas/api_client/issues/13) in the upstream API client.
 
+# Status
+* TrueNAS SCALE 25.04-BETA1 - Works locally (running on the TrueNAS host) and remotely (so long as all dependencies are installed), but see notes below.
+* TrueNAS SCALE 24.10 - Works locally and remotely.
+* TrueNAS SCALE 24.04 - Works remotely only--the TrueNAS API client isn't installed in this version of TrueNAS.  Will not update certificates for apps on this or earlier versions of TrueNAS SCALE.
+* TrueNAS SCALE 23.10 - Same as 24.04.
+
+## Notes for 25.04
+Security measures in TrueNAS SCALE 25.04 require that the API keys be passed over a secure channel.  In order to use this script with 25.04:
+* You must have already deployed a trusted cert to your NAS
+* That cert must not be expired
+* You must have configured the UI to use that cert
+* The address you're using to connect to the NAS (`connect_host` in `deploy_config`) must be named in that cert
+* You must set `protocol = wss` in `deploy_config`.
+
 # Installation
 This script can run on any machine running Python 3 that has network access to your TrueNAS server, but in most cases it's best to run it directly on the TrueNAS box.  Change to a convenient directory and run `git clone https://github.com/danb35/deploy-freenas`.  If you're installing this on your TrueNAS server, it cannot be in your home directory; place it in a convenient place on a storage pool instead.
 
@@ -30,6 +44,7 @@ ui_certificate_enabled = true
 ftp_enabled = false
 apps_enabled = false
 cert_base_name = letsencrypt
+protocol = ws
 ```
 
 Everything but `api_key` and paths to the cert and key are optional, and the defaults are documented in `deploy_config.example`.
diff --git a/deploy_config.example b/deploy_config.example
@@ -17,10 +17,9 @@ api_key = YourNewlyGeneratedAPIKey#@#$*
 # Default is localhost (assuming the script is running on your FreeNAS box)
 # connect_host = baz.bar.foo
 
-# verify sets whether the script will attempt to verify the server's certificate with a HTTPS
-# connection.  Set to true if you're using a HTTPS connection to a remote host.  If connect_host
-# is set to localhost (or is unset), set to false.  Default is false.
-# verify = false
+# protocol specifies the protocol used to connect to the API.  Default is ws.
+# Set to wss for TrueNAS 25.04 and later
+# protocol = wss
 
 # set ui_certificate_enabled to false if you want to skip using the new cerificate for the UI. Default is true.
 # ui_certificate_enabled = false
diff --git a/deploy_freenas.py b/deploy_freenas.py
@@ -25,6 +25,8 @@
 import socket
 from datetime import datetime, timedelta
 from truenas_api_client import Client
+from OpenSSL import crypto
+import re
 
 parser = argparse.ArgumentParser(description='Import and activate a SSL/TLS certificate into TrueNAS.')
 parser.add_argument('-c', '--config', default=(os.path.join(os.path.dirname(os.path.realpath(__file__)),
@@ -40,8 +42,9 @@
     exit(1)
 
 API_KEY = deploy.get('api_key')
+PROTOCOL = deploy.get('protocol', "ws")
 CONNECT_HOST = deploy.get('connect_host',"localhost")
-CONNECT_URI = "ws://" + CONNECT_HOST + "/websocket"
+CONNECT_URI = PROTOCOL + "://" + CONNECT_HOST + "/websocket"
 
 PRIVATEKEY_PATH = deploy.get('privkey_path')
 if os.path.isfile(PRIVATEKEY_PATH)==False:
@@ -67,8 +70,41 @@
 with open(FULLCHAIN_PATH, 'r') as file:
     full_chain = file.read()
 
+def extract_leaf_certificate(fullchain_pem):
+    """Extract the first certificate (leaf) from a full chain PEM file."""
+    certs = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", 
+                       fullchain_pem, re.DOTALL)
+    if not certs:
+        raise ValueError("No valid certificate found in the provided PEM data.")
+    return certs[0]  # Return the first certificate (leaf)
+
+def validate_cert_key_pair(cert_pem, key_pem):
+    """Validate that the certificate's public key matches the private key."""
+    leaf_cert_pem = extract_leaf_certificate(cert_pem)
+
+    # Load the extracted leaf certificate and key
+    cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, leaf_cert_pem)
+    key_obj = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
+
+    # Verify that the certificate's public key matches the private key
+    try:
+        return cert_obj.get_pubkey().to_cryptography_key().public_numbers() == \
+               key_obj.to_cryptography_key().public_key().public_numbers()
+    except Exception as e:
+        print(f"Validation error: {e}")
+        return False
+
+if validate_cert_key_pair(full_chain, priv_key):
+    print("✅ Certificate and private key match.")
+else:
+    print("❌ Certificate and private key do not match.")
+    exit(1)
+
 with Client(CONNECT_URI) as c:
-    c.call("auth.login_with_api_key", API_KEY)
+    result=c.call("auth.login_with_api_key", API_KEY)
+    if result==False:
+        print("Failed to authenticate!")
+        exit(1)
     # Import the certificate
     args = {"name": cert_name, "certificate": full_chain, "privatekey": priv_key, "create_type": "CERTIFICATE_CREATE_IMPORTED"}
     cert = c.call("certificate.create", args, job=True)
