Bug #7124

Certificates in 9.3 are a major headache

Added by Aaron C de Bruyn almost 6 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
Suraj Ravichandran
Category:
Middleware
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

In 9.2.x, a dummy SSL cert was automatically generated for you and used when you access the UI via HTTPS.

In 9.3 there is no dummy cert. You have to create an internal CA, fill out a City, State, Org, E-Mail address, and the common name.
Once that's done, you have to go create the actual certificate based off that CA and fill out a bunch of the same information all over again, then switch to HTTPS.

The API doesn't appear to support uploading certs. I haven't tried it yet, but the API differs from the UI. It doesn't require a certificate authority, but it also doesn't allow you to upload a key.

I have about 50 FreeNAS boxen that can't be upgraded because they will all hit Bug #7049, and once I edit the DB and restart Django to gain HTTP access to the web interface, a bunch of tools that use the API will be broken until I go through a time consuming CA and cert creation process.

I'm not doing certs because I need to validate the endpoint, I need certs to keep credentials encrypted while calling the API from a management host over the internet.

Any way to generate a self-signed dummy cert on upgrade?

History

#1 Updated by Aaron C de Bruyn almost 6 years ago

In addition to this, I just went through the process to create a certification on my test NAS. I created the internal CA, then the internal cert based on that CA. I switched the GUI to use HTTPS and the newly selected cert. I hit save, received the message about Django restarting, then I was redirected to Chrome saying 'NET::ERR_CERT_INVALID'.

I changed 'stg_guiprotocol' back to 'http' in the database and restarted Django. It keeps redirecting me to use HTTPS (cleared cache, tried incognito mode, etc...) which gives me the error about an invalid cert.

#2 Updated by Aaron C de Bruyn almost 6 years ago

I guess I don't know how to trigger a re-write of the nginx.conf file with the new settings.

#3 Updated by Josh Paetzel almost 6 years ago

  • Status changed from Unscreened to Screened
  • Assignee set to Josh Paetzel

Try service ix-nginx start && service nginx restart

It's a CLI hack to get you running, not what should happen.

I'll reach out to you tomorrow to see what we can do to make your migration reasonable.

#4 Updated by Aaron C de Bruyn almost 6 years ago

I cheated. Nginx was referring to certificates on the disk, so I used openssl to generate a self-signed certificate and overwrote crt and key files as a workaround. ;)
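
The workaround above, written out as an added example (not the reporter's own commands or FreeNAS project code): a small POSIX shell script that generates a self-signed certificate and key with openssl, confirms the key matches the certificate, and prints the SHA-256 fingerprint so a management host can pin it. The output file names, the CN and the validity period are assumptions; point them at whatever paths the generated nginx.conf references.

```shell
#!/bin/sh
# Added example: self-signed cert/key generation with openssl, plus checks.
# File names (freenas.crt / freenas.key), CN and validity are assumptions.
set -eu

# gen_selfsigned OUTDIR CN [DAYS]
# Writes OUTDIR/freenas.key and OUTDIR/freenas.crt in one step.
gen_selfsigned() {
    outdir=$1; cn=$2; days=${3:-365}
    mkdir -p "$outdir"
    # -nodes: unencrypted key, so nginx can start without a passphrase prompt
    # -subj:  fills in the subject non-interactively (only a CN is needed)
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -days "$days" -subj "/CN=$cn" \
        -keyout "$outdir/freenas.key" -out "$outdir/freenas.crt" 2>/dev/null
    # The private key must not be world-readable
    chmod 600 "$outdir/freenas.key"
}

# cert_matches_key DIR -> exit 0 when the cert's public key equals the
# public half of the private key (catches a crt/key mix-up before restarting nginx)
cert_matches_key() {
    c=$(openssl x509 -in "$1/freenas.crt" -noout -pubkey)
    k=$(openssl pkey -in "$1/freenas.key" -pubout 2>/dev/null)
    [ "$c" = "$k" ]
}

# cert_cn DIR -> prints the subject CN of the certificate
cert_cn() {
    openssl x509 -in "$1/freenas.crt" -noout -subject | sed 's/.*CN *= *//'
}

# cert_fingerprint DIR -> prints the SHA-256 fingerprint; record this value on
# the management host so API clients can pin the cert instead of trusting any cert
cert_fingerprint() {
    openssl x509 -in "$1/freenas.crt" -noout -fingerprint -sha256
}

# Usage (paths are assumptions): gen_selfsigned /tmp/ssl nas.example.test 365
#   && cert_matches_key /tmp/ssl && cert_fingerprint /tmp/ssl
```

After copying the two files over the ones nginx references, restart nginx as in comment #3 and compare the fingerprint shown by the management host's client with the one printed here; a self-signed cert gives the encryption the reporter wants, and pinning the fingerprint is what turns that into actual endpoint validation.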

#5 Updated by Jordan Hubbard almost 6 years ago

  • Category set to 118

#6 Updated by sven ollino over 5 years ago

Running 9.3-release, everything up to date and there is still an issue with the Cert or CA when using WebDAV over HTTPS:
Chrome says NET::ERR_CERT_INVALID which can't be bypassed.

FYI: First install was 9.3-beta. I made an internal CA and a cert which didn't work (as described), updated to release, deleted the CA and the cert and created new ones: no change, still NET::ERR_CERT_INVALID.

Wrote the same under:
https://bugs.freenas.org/issues/6864

#7 Updated by Jordan Hubbard over 5 years ago

  • Assignee changed from Josh Paetzel to Suraj Ravichandran
  • Target version set to Unspecified

#8 Updated by Suraj Ravichandran over 5 years ago

#7049 is resolved with today's update.

Can you please try it out and get back.

Thanks!

#9 Updated by Suraj Ravichandran over 5 years ago

  • Status changed from Screened to Resolved

I am closing this bug since #7049 is resolved and should solve your certs being retained on import issue.

Please comment and/or reopen if you are still facing any kinds of problems.

Thanks.

#10 Updated by Aaron C de Bruyn over 5 years ago

I haven't performed a fresh install since this bug was closed. Will a fresh install automatically create a self-signed cert? I was trying to avoid both the hassle of not retaining the original cert, and having to go through the process of creating a self-signed CA and then a self-signed cert.

#11 Updated by Jordan Hubbard over 5 years ago

No. The default for FreeNAS is HTTP. If you want a cert, either buy one or create one.

#12 Updated by sven ollino over 5 years ago

Suraj, I sent you a sample FreeNAS 9.3-stable cert and key that I cannot use with Chrome.

#13 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A