Impossible to get https

kkstar

Dabbler
Joined
Mar 16, 2018
Messages
17
Hello,

I've tried to install the CA on FreeNAS by following the tutorial so I can use https, but it doesn't work :(. After I've done all the tutorial said, I get a message saying my connection is not secure, so the https doesn't work.
I can override the message on Firefox and the https then works, but it's not a great solution.

I've a 4G connection to my Asus RT-AC68U router, which then distributes it to my NAS and other devices.

Thanks in advance.
 

dlavigne

Guest
Please post the specific URL so others know which specific instructions you tried.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
So after successfully adding the CA to your browser, it still doesn't recognize the certificate?
 

dlavigne

Guest
Hello,

I've tried to install the CA on FreeNAS by following the tutorial so I can use https, but it doesn't work :(. After I've done all the tutorial said, I get a message saying my connection is not secure, so the https doesn't work.
I can override the message on Firefox and the https then works, but it's not a great solution.

I've a 4G connection to my Asus RT-AC68U router, which then distributes it to my NAS and other devices.

Thanks in advance.

It sounds like you're using a self-signed cert. Most browsers will give a warning message when a cert is not signed by a public authority.
 

kkstar

Dabbler
Joined
Mar 16, 2018
Messages
17
Yes it's that but I didn't choose that, so I guess that is by default, because of....?
 

dlavigne

Guest
Yes it's that but I didn't choose that, so I guess that is by default, because of....?

Because the built-in CA is not a public authority :)

If you have purchased a publicly signed certificate, you can import it.
 

kkstar

Dabbler
Joined
Mar 16, 2018
Messages
17
Because the built-in CA is not a public authority :)

If you have purchased a publicly signed certificate, you can import it.

OK, but is the certificate working or not?

And if I absolutely need to purchase, where can I do it?

Thank you
 

ttslt

Cadet
Joined
Jul 20, 2019
Messages
5
OS Version: FreeNAS-11.2-U5 (Build Date: Jun 24, 2019 18:41)
Processor: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (8 cores) RAM: 32 GiB
Asus TS700 8Bay box with two NICs currently on one plugged in with a router/modem static DHCP lease


Okay, this might be the wrong way to start, but it's 2019 and I have found the same YouTube tutorial, FreeNAS® 9.10 - Certificate Authority & SSL Certificates (circa 2016 for FreeNAS 9.1), and cannot work out how to set up the variation between the IP and the localhost name in the CA and the certificate. I get the following error (in various browsers):
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for 10.1.1.71. The certificate is only valid for home.local.
Error code: SEC_ERROR_UNKNOWN_ISSUER

I assume it is to do with the alternative names? But which do I put where and in what order in CA & for the certificate? It is not obvious so...

Is there an updated guide somewheres?

thank you
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I assume it is to do with the alternative names?
No, it has to do with the fact that the cert wasn't issued by a trusted CA--that's what "SEC_ERROR_UNKNOWN_ISSUER" means.

There are a few requirements for your browser to be happy with the TLS connection to some host:
  • The host (i.e., your FreeNAS box) must have a TLS certificate
  • That certificate must belong to the name you're connecting to (so if you have a cert for freenas.yourdomain.com, and you browse to 192.168.100.100, you'll get an error--this could in some circumstances be addressed by the alternative names you mention)
  • The certificate must be issued by a trusted (by your browser) Certificate Authority (CA)
The FreeNAS box doesn't necessarily need to know anything about the CA, if you're using a cert that was issued by someone else. It can act as a CA, you can generate a cert somewhere else using openssl commands, or you can use a cert from a trusted CA like Let's Encrypt. Some brilliant and helpful forum member has written a resource on the latter subject.

Getting a cert from a trusted CA means you don't need to do anything on your client machines (like importing the CA cert), but it's generally going to preclude getting a cert that covers an IP address. Generating your own cert addresses that problem, but you'll need to import the CA cert into any machine you want to use to access that FreeNAS web GUI.
 

ttslt

Cadet
Joined
Jul 20, 2019
Messages
5
Thank you for your reply.

If I wasn't clear, and I wasn't: I have been importing a CA cert into my browsers generated in FreeNAS, but still not getting past this issue. I am not clear in the FreeNAS generation process where to put the IP.

I'll try again.

thanks,
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I am not clear in the FreeNAS generation process where to put the IP.
In the "Subject Alternate Names" field:
[Screenshot: 1563827276569.png]

Edit: Again, though, this has nothing to do with the error message you posted--that's a result of the cert (or the CA that issued it) not being trusted by your browser.
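
The two independent checks described in the replies above (issuer trust and name/IP match), reproduced with openssl as an added example that is not part of the original thread. The CA name "Demo Home CA", the file names and the function names are made up for illustration; home.local and 10.1.1.71 are the values from the post above. It assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA and two server certs,
# checked for issuer trust and for the name/IP being connected to.
# "Demo Home CA" and all file names are hypothetical.
make_ca() {                       # make_ca <dir>
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {                    # issue_cert <dir> <basename> <SAN list>
  printf 'subjectAltName = %s\n' "$3" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=home.local" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# diagnose <cert> <verify_hostname|verify_ip> <name> [imported CA file]
# Without a CA file the system trust store is used, like a client that has
# not imported the CA. Prints ok, unknown-issuer, name-mismatch or other.
diagnose() {
  out=$(openssl verify ${4:+-CAfile "$4"} "-$2" "$3" "$1" 2>&1) && { echo ok; return; }
  case $out in
    *"error 20 "*) echo unknown-issuer ;;                 # issuer not trusted
    *"error 62 "*|*"error 64 "*) echo name-mismatch ;;   # hostname / IP not in SAN
    *) echo other ;;
  esac
}

d=$(mktemp -d) && make_ca "$d" &&
issue_cert "$d" name-only "DNS:home.local" &&
issue_cert "$d" name-and-ip "DNS:home.local, IP:10.1.1.71"
for c in name-only name-and-ip; do
  echo "$c via 10.1.1.71, CA not imported: $(diagnose "$d/$c.crt" verify_ip 10.1.1.71)"
  echo "$c via 10.1.1.71, CA imported:     $(diagnose "$d/$c.crt" verify_ip 10.1.1.71 "$d/ca.crt")"
done
```

Both certificates report the issuer problem until the CA is imported, whatever their alternative names contain; only then does the missing IP entry show up as a separate name mismatch.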
 