Bug #6067

Upgrading to FreeNAS 9.2.1.7 causes bad SSL cert creation

Added by Daniel Spisak about 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Nice to have
Assignee: Suraj Ravichandran
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

Earlier this week we upgraded our farm of 15 FreeNAS servers running 9.2.1.2 to 9.2.1.7. After this upgrade it would appear that all of the SSL certs for our servers are now invalid.

Sample SSL certs from our server run through openssl:

[root@prdbackuphn109] /mnt/tank/home/backup/.ssh# openssl x509 -noout -in /etc/ssl/freenas/CA/cacert.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d7:fc:f9:30:46:82:dd:ba
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=AppDynamics, OU=Operations/emailAddress=, L=San Francisco, ST=CA, C=US, CN=prdbackuphn109.ord.app.dy
        Validity
            Not Before: Sep 8 18:38:59 2014 GMT
            Not After : Oct 8 18:38:59 2014 GMT
        Subject: O=AppDynamics, OU=Operations/emailAddress=, L=San Francisco, ST=CA, C=US, CN=prdbackuphn109.ord.app.dy

[root@prdbackuphs109] ~# openssl x509 -noout -in /etc/ssl/freenas/CA/cacert.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            83:f4:6f:9e:a5:df:52:9e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=iXsystems, Inc., OU=Systems/emailAddress=root@localhost, L=San Jose, ST=California, C=US, CN=localhost
        Validity
            Not Before: Sep 8 17:47:38 2014 GMT
            Not After : Oct 8 17:47:38 2014 GMT
        Subject: O=iXsystems, Inc., OU=Systems/emailAddress=root@localhost, L=San Jose, ST=California, C=US, CN=localhost

[root@prdbackupid109] ~# openssl x509 -noout -in /etc/ssl/freenas/CA/cacert.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            a0:83:e3:86:b9:fa:34:a1
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=iXsystems, Inc., OU=Systems/emailAddress=root@localhost, L=San Jose, ST=California, C=US, CN=localhost
        Validity
            Not Before: Sep 8 18:06:24 2014 GMT
            Not After : Oct 8 18:06:24 2014 GMT
        Subject: O=iXsystems, Inc., OU=Systems/emailAddress=root@localhost, L=San Jose, ST=California, C=US, CN=localhost

As you can see, in all three cases it's creating a certificate that is only valid for 1 month from the date the system was upgraded on. On top of that, even though these certificates should be valid right now, the systems all think they are invalid. What is causing this?
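A quick way to confirm what the report above shows from a pasted "openssl x509 -text" header: the following is an added example (not FreeNAS code) that parses the issuer, subject and validity lines, then reports whether the certificate is currently valid and whether its lifetime is shorter than a minimum (one year, the lifetime the 9.2.1.8 fix later adopted). The sample input is constructed from the first certificate in the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the first certificate header from the report above.
# Real openssl output pads single-digit days with a second space ("Sep  8");
# the parser below accepts either spacing.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d7:fc:f9:30:46:82:dd:ba
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=AppDynamics, OU=Operations/emailAddress=, L=San Francisco, ST=CA, C=US, CN=prdbackuphn109.ord.app.dy
        Validity
            Not Before: Sep  8 18:38:59 2014 GMT
            Not After : Oct  8 18:38:59 2014 GMT
        Subject: O=AppDynamics, OU=Operations/emailAddress=, L=San Francisco, ST=CA, C=US, CN=prdbackuphn109.ord.app.dy
"""

def _field(text, label):
    # Match "<label>:" or "<label> :" at the start of a line and return its value.
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError("missing field: " + label)
    return m.group(1)

def _when(text, label):
    # openssl prints e.g. "Sep  8 18:38:59 2014 GMT"; normalise spacing, parse as UTC.
    raw = re.sub(r"\s+", " ", _field(text, label)).replace(" GMT", "")
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y")

def parse_x509_text(text):
    """Pull issuer, subject and the validity window out of openssl -text output."""
    return {"issuer": _field(text, "Issuer"), "subject": _field(text, "Subject"),
            "not_before": _when(text, "Not Before"),
            "not_after": _when(text, "Not After")}

def check_validity(cert, now_iso, min_days=365):
    """Is the cert valid at now_iso (ISO 8601, UTC), and is its lifetime shorter
    than min_days? A self-signed CA cert is flagged via issuer == subject."""
    now = datetime.fromisoformat(now_iso)
    lifetime = cert["not_after"] - cert["not_before"]
    return {
        "self_signed": cert["issuer"] == cert["subject"],
        "lifetime_days": lifetime.days,
        "currently_valid": cert["not_before"] <= now <= cert["not_after"],
        "too_short": lifetime < timedelta(days=min_days),
    }
```

Feed it the output of `openssl x509 -noout -in /etc/ssl/freenas/CA/cacert.crt -text` from each server to spot the 30-day certificates before they expire.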

Associated revisions

Revision 8731cf38 (diff)
Added by Suraj Ravichandran about 6 years ago

The final piece for fixing bad ssl cert creation in 9.2.1-BRANCH (hopefully). This should also subsume the ticket below (although that one is waiting for feedback). Ticket: #6067

History

#1 Updated by Jordan Hubbard about 6 years ago

  • Assignee set to John Hixson
  • Target version set to 9.2.1.8-RELEASE

Over to the cert-meister for analysis and triage.

#2 Updated by John Hixson about 6 years ago

  • Status changed from Unscreened to Screened

#3 Updated by Jordan Hubbard about 6 years ago

  • Assignee changed from John Hixson to Suraj Ravichandran
  • Priority changed from Important to Nice to have

#4 Updated by Suraj Ravichandran about 6 years ago

  • Status changed from Screened to 15

There was something strange going on with the SSL backend, which is why we have completely revamped it for our future 9.3 version, which has a much cleaner and more versatile SSL cert creation UI as well as backend.

However, there are still some problems with the old one that must be fixed, and I am currently working on patching it.

In the meantime, if you want a temp fix (without any upgrades), then I suggest that you delete the SSL certs and keys from /etc/ssl/freenas/CA/cacert.crt and /etc/ssl/freenas/CA/private/cakey.key.

And then go to the Web GUI --> Settings --> SSL --> and just delete the entire field of the SSL cert and key, and if you're entering your own key and cert, then delete and re-enter them.

If you could get back to me with whether that worked or not, it will help me narrow down the cause of the problem at your end.

#5 Updated by Suraj Ravichandran about 6 years ago

Should be fixed by this commit: 8731cf382858a0aae9bf72ed9846819bc44630c9.

Still, feedback would be nice and would let us know if more issues exist, so I'm waiting some more time before closing this.

#6 Updated by Daniel Spisak about 6 years ago

I will give this a try on my 9.2.1.7 box tonight and report back.

#7 Updated by Daniel Spisak about 6 years ago

Deleting the cert and key and then deleting the contents via the WebGUI did not fix this issue. Tried re-deleting them and then flipping WebGUI to HTTP only mode, making sure the SSL cert field was empty, re-deleting the cert and key and then back to HTTP+HTTPS mode.

If I do that, I can connect to the HTTPS successfully.

However, the WebGUI still shows an alert about the SSL cert.

Also, the SSL cert created still is only valid from now till one month from today. So....partial success? :/

I guess upgrade to 9.3 is the real fix.

#8 Updated by Suraj Ravichandran about 6 years ago

Yes, those problems did exist and I found them as I went along fixing the initial issue.

You may also find that, now, if you reboot, there may be no HTTPS cert (which has also been fixed in the upcoming 9.2.1.8).

I have fixed the above issues in 9.2.1.8 (well, except for the month duration validity); you could always make a new one if need be after a month, but I will add that too (good that you pointed it out; it honestly had slipped me).

But if you want internal CA creation control, and multiple ones at that, multiple certs, as well as a cert and CA manager, then you should probably go for 9.3, as that is the real deal.

Note: can you specify more about that alert? If you are creating an internal cert, then that alert is bound to happen. If it is happening on a cert that you purchased from a reputed CA, then please inform back.

#9 Updated by Daniel Spisak about 6 years ago

I should have clarified, these are all auto-generated self-signed certs made by FreeNAS, none of my cert errors are related to purchased SSL certs.

#10 Updated by Jordan Hubbard about 6 years ago

What do you mean by "the web GUI shows an alert?" You mean in the actual alert system, or your browser alerts (properly) about a self-signed cert being untrusted?

#11 Updated by Suraj Ravichandran about 6 years ago

  • Status changed from 15 to Resolved

The SSL certs have been fixed to last for at least 1 year, and thus this should give you more room.

Here is the commit: 584b1ec73ee6697257043a2481a8a5d5d94fd318

I am marking this as resolved, and unless you are facing any further issues, I will close it within 2 days.

#12 Updated by Daniel Spisak about 6 years ago

The FreeNAS WebGUI alerts; Chrome does its usual complaining about self-signed certificates, which is expected and normal.