Truenas deploy websocket

[Attackwave]

This TrueNAS deployment script is completely redesigned for the use of WebSocket. The script uses the API Client tool midclt. The script is designed to use one certificate for all services. A wildcard certificate is recommended if you want to access the services/apps under certain subdomains.

Replaces the certificates in the following services:

• (CORE/SCALE) WebUI
• (CORE/SCALE) FTP
• (SCALE) ix Apps
• (CORE/SCALE) Type of TrueNAS and version identification

Features in planning:

• (CORE) ix Apps Charts?
• (CORE/SCALE) S3 (Enterprise only?)
• (SCALE) Portainer apps (certificates have to be implemented in own portainer config files)
• (CORE/SCALE) Config file (Blacklisting Services/Apps for certificate replacement)

https://github.com/truenas/api_client
https://www.truenas.com/docs/scale/api/

_**The TrueNAS REST API is deprecated in TrueNAS 25.04 and replaced by the TrueNAS API Client. Full removal of the REST API is planned for a future release.

This new API Client is not the deprecated TrueNAS CLI (midcli). The API Client is integrated in TrueNAS 25.04 onwards. It provides the midclt command-line tool, and the means to easily communicate with middleware using Python to make calls through the websocket API.**_

[Neilpang]

please help remove all the exit. use return instead.

[Attackwave]

Done

[Neilpang]

it's not bash. it's sh

[Attackwave]

Done and tested

`*************************************
**** INSTALLING NEW CERTIFICATES ****

---

[Mon Nov 25 21:22:37 CET 2024] Checking environment variables...
[Mon Nov 25 21:22:37 CET 2024] Environment variables: OK
[Mon Nov 25 21:22:37 CET 2024] Checking TrueNAS health...
[Mon Nov 25 21:22:37 CET 2024] TrueNAS health: OK
[Mon Nov 25 21:22:37 CET 2024] Gather system info...
[Mon Nov 25 21:22:37 CET 2024] TrueNAS system: SCALE
[Mon Nov 25 21:22:37 CET 2024] TrueNAS version: 24.10.0.2
[Mon Nov 25 21:22:37 CET 2024] Gather current WebUI certificate...
[Mon Nov 25 21:22:37 CET 2024] Current WebUI certificate ID: 183
[Mon Nov 25 21:22:37 CET 2024] Current WebUI certificate name: acme_20241125_201715
[Mon Nov 25 21:22:37 CET 2024] Upload new certificate...
[Mon Nov 25 21:22:37 CET 2024] New WebUI certificate name: acme_20241125_202237
[Mon Nov 25 21:22:52 CET 2024] New certificate ID: 184
[Mon Nov 25 21:22:52 CET 2024] Replace FTP certificate...
[Mon Nov 25 21:22:53 CET 2024] Replace app certificates...
[Mon Nov 25 21:22:54 CET 2024] Checking app vaultwarden...
[Mon Nov 25 21:22:54 CET 2024] App has certificate option, setup new certificate...
[Mon Nov 25 21:22:54 CET 2024] App will be redeployed after updating the certificate.
[Mon Nov 25 21:23:07 CET 2024] App certificate replaced.
[Mon Nov 25 21:23:07 CET 2024] Checking app portainer...
[Mon Nov 25 21:23:07 CET 2024] App has certificate option, setup new certificate...
[Mon Nov 25 21:23:07 CET 2024] App will be redeployed after updating the certificate.
[Mon Nov 25 21:23:11 CET 2024] App certificate replaced.
[Mon Nov 25 21:23:11 CET 2024] Replace WebUI certificate...
[Mon Nov 25 21:23:14 CET 2024] WebUI certificate replaced.
[Mon Nov 25 21:23:14 CET 2024] Restarting WebUI...
[Mon Nov 25 21:23:14 CET 2024] Waiting for UI restart...
[Mon Nov 25 21:23:20 CET 2024] Deleting old certificate...
[Mon Nov 25 21:23:23 CET 2024] Have a nice day...bye!
[Mon Nov 25 21:23:23 CET 2024] Success
`

[scyto]

I have been using acme.sh on my Synology (actually neilpangs image), just moved to Scale

genuine question, why would i use this over and above what is already in the UI?
if there is good reason i can move to this and test for you as you request on reddit

[Attackwave]

I have been using acme.sh on my Synology (actually neilpangs image), just moved to Scale

genuine question, why would i use this over and above what is already in the UI? if there is good reason i can move to this and test for you as you request on reddit

TrueNAS supports the following ACME providers via the UI: cloudflare, route53, ovh and self-scripted via shell.

In my case and many others who do not use any of the providers mentioned above, we have to resort to alternative scripts.

My truenas_ws.sh script handles the deployment of a generated certificate into the TrueNAS system. Not only is the certificate for the WebUI exchanged, but also for FTP and the Scale ix Apps. So we go a few steps further here.

As a rule, a wildcard certificate from Letscrypt or ZeroSSL is used. This is then easier to assign to each service in TrueNAS.

Furthermore, my script for using Websocket is written specifically with the TrueNAS tool midclt. The RestAPI is discontinued from version 25.04.

Other features are certainly not implemented by the built-in ACME function in TrueNAS. Something like: exchanging certificates in the Portainer apps, for example. I'm not entirely sure, but the built-in ACME script only exchanges the certificate in the WebUI.

I wrote my own script that creates a ZeroSSL wildcard certificate and then stores it in TrueNAS using the truenas_ws.sh deploy hook. I use the provider Hetzner, which is not listed above among the providers mentioned. Furthermore, I not only want to exchange the WebUI certificate, but also other services.

I also imagine additional features that can be configured via file. But first everything basic has to work.

I hope I understood your question correctly and was able to answer it for you.

Greetings
Attackwave

[scyto]

neat thanks for the clarification, doing other apps on the system (like say portainer) is neat, i have been handling that in my reverse proxy i use internally to put everything https on 443 internally. I will take a look.

[Attackwave]

neat thanks for the clarification, doing other apps on the system (like say portainer) is neat, i have been handling that in my reverse proxy i use internally to put everything https on 443 internally. I will take a look.

The approach is to use the internal mechanisms. But there are also ixApps that only support http, so a reverse proxy is of course an advantage.

I personally only use the external TrueNAS services via Wireguard always on VPN and do not release any TrueNAS ports to the outside world via the firewall.

[Attackwave]

In case anyone needs a sample script. Here Hetzner as provider and a sample to deploy the cert on the UDM Pro.

I simply add an A and AAAA record to Hetzner DNS with the local IP addresses of the UDM Pro.
Ex.
A udm.lan.mydomain.com => 192.168.1.1
AAAA udm.lan.mydomain.com => fe80:beef:beef:0001

#!/bin/bash

# ISSUE AND DEPLOY SCRIPT
# DOMAIN PROVIDER: HETZNER
# DEPLOY SYSTEM: TRUENAS


# Globals
_BASE_DIR=/base-dir/to/my/acme-and-renew-scripts
_ACME_DIR=${_BASE_DIR}/bin/acme.sh
_TOKEN='Place Hetzner Token here'
_DOMAIN_NAME='*.lan.mydomain.com'

_CERT_DIR=${_BASE_DIR}/certs/${_DOMAIN_NAME}
_CERT_FILE=${_CERT_DIR}/domain.cer
_KEY_FILE=${_CERT_DIR}/domain.key
_CA_FILE=${_CERT_DIR}/ca.cer
_FULLCHAIN_FILE=${_CERT_DIR}/fullchain.cer


# Environment used by acme.sh
export HETZNER_Token=${_TOKEN}
export DEPLOY_TRUENAS_APIKEY='Place TrueNAS Token here'
export DEPLOY_TRUENAS_HOSTNAME=Place TrueNAS IP here
export DEPLOY_TRUENAS_SCHEME=https


# Main
export PATH=${PATH}:${_ACME_DIR}:${_BASE_DIR}
chmod +x ${_ACME_DIR}/acme.sh
mkdir -p ${_CERT_DIR}

# Issue certificate
echo "*************************************"
echo "****    ISSUE NEW CERTIFICATE    ****"
echo "*************************************"
echo ""
echo ""
acme.sh --issue -k 4096 -ak 4096 --force --dns dns_hetzner --cert-file "${_CERT_FILE}" --key-file "${_KEY_FILE}" --ca-file "${_CA_FILE}" --fullchain-file "${_FULLCHAIN_FILE}" -d ${_DOMAIN_NAME}

# Deploy certificate
echo "*************************************"
echo "****   DEPLOY NEW CERTIFICATE    ****"
echo "*************************************"
echo ""
echo ""
acme.sh --deploy --force --insecure --deploy-hook truenas_ws -d ${_DOMAIN_NAME}

# Deploy certificate to UDM Pro
#scp -i /home/admin/.ssh/udm_id_rsa ${_CERT_FILE} [email protected]:/tmp/udm.cert
#scp -i /home/admin/.ssh/udm_id_rsa ${_KEY_FILE} [email protected]:/tmp/udm.key
#scp -i /home/admin/.ssh/udm_id_rsa ${_CA_FILE} [email protected]:/tmp/udm.ca
#scp -i /home/admin/.ssh/udm_id_rsa ${_FULLCHAIN_FILE} [email protected]:/tmp/udm.chain
#curl -o $_BASE_DIR/unifi-easy-encrypt.sh -sO https://get.glennr.nl/unifi/extra/unifi-easy-encrypt.sh
#scp -i /home/admin/.ssh/udm_id_rsa $_BASE_DIR/unifi-easy-encrypt.sh [email protected]:/root/
#ssh -i /home/admin/.ssh/udm_id_rsa -t [email protected] 'sudo bash /root/unifi-easy-encrypt.sh -skip --own-certificate --private-key /tmp/udm.key --signed-certificate /tmp/udm.cert --chain-certificate /tmp/udm.chain --intermediate-certificate /tmp/udm.ca'