deploy-freenas.py is a Python script to deploy TLS certificates to a FreeNAS/TrueNAS (Core) server using the FreeNAS/TrueNAS API. This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate. Its original intent was to be called from a Let's Encrypt client like acme.sh after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated. However, it can be used with certificates from any source, whether a different ACME-based certificate authority or otherwise.
This fork of danb35/deploy-freenas is packaged to be deployed as a Docker container.
Run a single execution of the script:
docker run -it --rm --name deploy-freenas -v deploy-freenas:/deploy-freenas dcroper/deploy-freenas:latest
Run as a daemon:
docker run -it --rm --name deploy-freenas -v deploy-freenas:/deploy-freenas dcroper/deploy-freenas:latest deamon
Within the daemon container you can execute deploy_freenas to run the script, as the Docker image adds the script to the default $PATH.
The relevant configuration takes place in the /deploy-freenas/deploy_config file. The Docker image will create a deploy_config file based on deploy_config.example if none exists in the config volume. Its format is as follows:
[deploy]
password = YourReallySecureRootPassword
cert_fqdn = foo.bar.baz
connect_host = baz.bar.foo
verify = false
privkey_path = /some/other/path
fullchain_path = /some/other/other/path
protocol = https://
port = 443
ftp_enabled = false
webdav_enabled = false
cert_base_name = letsencrypt
Everything but password (or api_key) is optional, and the defaults are documented in deploy_config.example.
On TrueNAS (Core) 12.0 and up you should use API key authentication instead of password authentication.
Generate a new API token in the UI first, then add it as api_key to the config, which replaces the password field:
api_key = 1-DXcZ19sZoZFdGATIidJ8vMP6dxk3nHWz3XX876oxS7FospAGMQjkOft0h4itJDSP
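An added example, not part of the original README or the project's code: a pre-flight check that parses a deploy_config in the format above and reports settings that expose the NAS credential. The function names, the sample values, and the reading of verify as TLS certificate verification are assumptions.

```python
import configparser
import os
import stat

# Constructed sample in the page's format (values are placeholders).
SAMPLE = """\
[deploy]
password = YourReallySecureRootPassword
connect_host = baz.bar.foo
verify = false
protocol = https://
"""

def audit_deploy_config(text, file_mode=None):
    """Return a list of findings for the [deploy] section in `text`.

    Only keys that are explicitly set are judged; defaults are documented
    in deploy_config.example and are not assumed here.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # '%' is legal in secrets
    cfg.read_string(text)
    if not cfg.has_section("deploy"):
        return ["missing [deploy] section"]
    d = cfg["deploy"]
    findings = []
    has_pw = bool(d.get("password", "").strip())
    has_key = bool(d.get("api_key", "").strip())
    if not (has_pw or has_key):
        findings.append("no credential: set api_key or password")
    elif has_pw and not has_key:
        findings.append("root password in use: prefer api_key on TrueNAS 12.0+")
    if d.get("protocol", "").strip().lower() == "http://":
        findings.append("protocol is http://: credential sent in cleartext")
    # Assumption: verify toggles TLS certificate verification of the server.
    if d.get("verify", "").strip().lower() in ("false", "no", "off", "0"):
        findings.append("verify is off: server certificate is not checked")
    if file_mode is not None and (has_pw or has_key) and file_mode & 0o077:
        findings.append("config holding a secret is readable by group/other")
    return findings

def audit_file(path):
    """Audit a deploy_config on disk, including its permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return audit_deploy_config(fh.read(), mode)

if __name__ == "__main__":
    for finding in audit_deploy_config(SAMPLE, file_mode=0o644):
        print("WARN:", finding)
```

Call audit_file("/deploy-freenas/deploy_config") inside the container, or against the mounted volume on the host, before wiring the script into your ACME client.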
Once you've prepared deploy_config, you can run deploy_freenas.py. The intended use is that it would be called by your ACME client after issuing a certificate. With acme.sh, for example, you'd add --reloadcmd "/path/to/deploy_freenas.py" to your command.
There is an optional parameter, -c or --config, that lets you specify the path to your configuration file. By default the script will try to use deploy_config in the script's working directory:
/path/to/deploy_freenas.py --config /somewhere/else/deploy_config