Python script to automate deploying TLS certificates to FreeNAS servers
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
danb35 846c33e303
Merge pull request #60 from fnichol/ui_certificate_enabled
2 months ago
.gitignore Set executable bit 4 years ago
LICENSE Create LICENSE 2 years ago Add `ui_certificate_enabled` to optionally disable updating UI 3 months ago
deploy_config.example Add `ui_certificate_enabled` to optionally disable updating UI 3 months ago Merge pull request #60 from fnichol/ui_certificate_enabled 2 months ago

deploy-freenas is a Python script to deploy TLS certificates to a FreeNAS/TrueNAS (Core) server using the FreeNAS/TrueNAS API. This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate. Its original intent was to be called from a Let's Encrypt client like after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated. However, it can be used with certificates from any source, whether a different ACME-based certificate authority or otherwise.


This script can run on any machine running Python 3 that has network access to your FreeNAS/TrueNAS server, but in most cases it's best to run it directly on the FreeNAS/TrueNAS box. Change to a convenient directory and run git clone


The relevant configuration takes place in the deploy_config file. You can create this file either by copying deploy_config.example from this repository, or directly using your preferred text editor. Its format is as follows:

password = YourReallySecureRootPassword
cert_fqdn =
connect_host =
verify = false
privkey_path = /some/other/path
fullchain_path = /some/other/other/path
protocol = https://
port = 443
ui_certificate_enabled = false
s3_enabled = false
ftp_enabled = false
webdav_enabled = false
cert_base_name = letsencrypt

Everything but password (or api_key) is optional, and the defaults are documented in deploy_config.example.

On TrueNAS (Core) 12.0 and up you should use API key authentication instead of password authentication. Generate a new API token in the UI first, then add it as api_key to the config, which replaces the password field:

api_key = 1-DXcZ19sZoZFdGATIidJ8vMP6dxk3nHWz3XX876oxS7FospAGMQjkOft0h4itJDSP

Once you've prepared deploy_config, you can run The intended use is that it would be called by your ACME client after issuing a certificate. With, for example, you'd add --reloadcmd "/path/to/" to your command.

There is an optional paramter, -c or --config, that lets you specify the path to your configuration file. By default the script will try to use deploy_config in the script working directoy:

/path/to/ --config /somewhere/else/deploy_config