Help Need a SSL Certificate

Not dumb proof enough! I tried Nginx a while back but couldn't get it to work. I was wanting to configure the reverse proxy suggested to me in another thread, so I didn't need to add a port number to the end of the URL for each specific web app, but it broke something, causing the certificate to fail when enabled. I deleted Nginx and everything worked again. I am wary about trying it again in case I brick TrueNAS. Now that I have everything working, I am at the point of not updating TrueNAS in case the settings do not transfer properly to an updated version. Probably not the best approach, but I would struggle to set everything up from scratch again.
 
True, it did not let me break anything permanently, but I came to this problem without knowing anything about certificates and the rest of the networking security jargon from scratch. I just wanted to self host Vaultwarden and it snowballed from there :-)
 
One thing to look into that might help in future is using a reverse proxy for browsing your internal stuff. It gives you a single point of ingress into your 'hosted' stuff and you can have the proxy host the certificate with LetsEncrypt, and just do whatever you need on the back end.

Nginx proxy manager as mentioned above is one, if you're using Opnsense you should be able to use HAProxy quite easily too (have done this before).
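As an added illustration of that single-ingress setup (example config written for this thread, not taken from Nginx Proxy Manager or TrueNAS), a plain nginx server block that terminates TLS with a Let's Encrypt certificate and forwards a port-less hostname to a container's port; the hostname, certificate paths and backend port are assumed values.

```nginx
# Assumptions (constructed for this example):
#  - Unbound override points vault.home.example at this proxy host
#  - certbot on this host renews the one certificate the proxy serves
#  - Vaultwarden listens on the Docker host at 127.0.0.1:8080 (plain HTTP)

# Send plain HTTP to HTTPS so the port-less URL always lands on TLS.
server {
    listen 80;
    server_name vault.home.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vault.home.example;

    # Only the proxy needs the certificate; backend containers stay internal.
    ssl_certificate     /etc/letsencrypt/live/vault.home.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.home.example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to keep using HTTPS for this name.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass WebSocket upgrades through (Vaultwarden uses them for
        # live notifications on its main port in current releases).
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Each further app gets its own `server` block with a different `server_name` and `proxy_pass` port, so users never type a port number and every name shares the one certificate renewal.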
 
Does Nginx or HAProxy replace my use case for Unbound DNS overrides?

Can I leave the management of the Let's Encrypt certificate to TrueNAS since it works as is?

I am reluctant to add more modules to OPNsense in case I brick it (losing internet capability would be a pain, although temporary), but TrueNAS has a Docker container for Nginx available that I tried to use before, and I think I could not get the Web GUI to work before abandoning it. I might give it another shot now that I am running TrueNAS Fangtooth.
 
The reverse proxy won't handle your DNS, you'd still need to point to something. When I used to run it on Pfsense I just ran it on a dummy loopback interface and pointed my subdomains to that. If TrueNAS is running LE, then it's downloading the certificates to that, so there's not an easy way to mount them remotely (without doing some network share shenanigans), but ideally you'd only have CertBot running in one place, along with the proxying and DNS. Then you don't have multi-stage dependencies. But it is going a bit poweruser if it's not entirely needed.
 
So my configuration is not optimal. Think I will leave my setup as is, or until something breaks. I run 2 Docker containers within TrueNAS and only one needs a WebGUI requiring a port number. I might revisit this if I start adding more containers in the future. Thanks for your responses. :-)
 