HTTPS with DNS

ChrisAnder

Cadet
Joined
Sep 6, 2019
Messages
3
Hello Guys.

I'm new to FreeNAS and to this forum, so first a friendly Hi! :)
If a post about this topic already exists, I'm sorry for that and please link me to it! I couldn't find one.

I'm currently trying to switch my FreeNAS from http to https to make it more secure.
Unfortunately, if I set up a CA and a certificate and change the settings to https, I can't reach my FreeNAS via my DNS.
I think it's coming down to a problem with my Common Name in the CA and certificate, but probably also to some overall network settings.
Hope someone takes the time to help me :)
And just for information, so that u know we don't need to start from the complete beginning:
I'm studying informatics, so I know most of the theory.

Here is what exactly i'm doing and what my settings are:

I've installed FreeNAS and gave it a static IP in my Fritz.box settings.
I have a DNS from no-ip and opened port 80 on my Fritzbox to the static IP of the FreeNAS.
Since then my FreeNAS was reachable from outside my local network just with the DNS.
Additionally I configured some of the options in "Global Configuration" under "Networking".
Hostname is just "freenas", Domain (and here is maybe the first mistake?) is currently "local", and I also set the IPv4 and Nameserver1 to my local gateway (192.168.178.1).
That's it.

Now I have already tried different things.
I created (always only one at a time) CAs and certificates with the following Common Names:

local IP-Address
DNS
hostname.DNS (freenas.*.ddns.net)
freenas.local (because that's the domain currently in the Global Configuration)

So downloading and importing the CA into my Browser (Chrome).
Also, I always set the settings to HTTP+HTTPS to not lose the connection completely if something isn't working with https. But yes, I checked every time I tested that I'm using https.

Unfortunately none of these worked.
I could imagine that there is a mistake in the overall network settings, but I couldn't find out what the problem is.
If u need any further information, just ask.

I'm grateful for every kind of help.
Thanks!

Best regards

Christian
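
An added example (not part of the original post and not FreeNAS code) of the name check a browser applies to a certificate, relevant to the list of Common Names tried above. Chrome has ignored the Common Name since version 58 and matches only subjectAltName entries, with IP addresses required in the IP-type entry. The host names and the IP address below are constructed stand-ins.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Label-by-label comparison; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(url_host, san_dns=(), san_ip=()):
    """True if the host in the address bar is covered by the certificate's
    subjectAltName entries. The Common Name is deliberately not consulted."""
    if is_ip(url_host):
        target = ipaddress.ip_address(url_host)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    return any(dns_name_matches(name, url_host) for name in san_dns)

# Constructed sample values (not taken from the thread).
HOSTS = ["example.ddns.net", "192.168.178.10", "freenas.local"]
CERTS = {
    "CN only, no SAN": {},
    "SAN: freenas.example.ddns.net": {"san_dns": ["freenas.example.ddns.net"]},
    "SAN: IP entered as DNS name": {"san_dns": ["192.168.178.10"]},
    "SAN: all three names": {"san_dns": ["example.ddns.net", "freenas.local"],
                             "san_ip": ["192.168.178.10"]},
}

def coverage(cert):
    """Map each host a user might type to whether this certificate covers it."""
    return {host: cert_covers(host, **cert) for host in HOSTS}

if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(f"{label:32} {coverage(cert)}")
```

Only the last constructed certificate covers every way of reaching the box; a name that differs by one label, or an IP address stored as a DNS name, does not match.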
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
Connecting the FreeNAS server to the internet is not considered a good idea. FreeNAS is intended to be run in a local network only.
If you need to connect from outside to your server, it's best to set up a VPN connection in your Fritz-Box and use that connection to access your home network and thus the FreeNAS server.

https probably does not work as it is not using port 80.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462

ChrisAnder

Cadet
Joined
Sep 6, 2019
Messages
3
Thanks to you both for that quick reply.

I know that opening ports to a device is always a little bit critical.
But if I wanna be able to get an SSH connection, for example, I have to open port 22 anyways, or am I wrong?
Where is the difference then?
There is still the username and password (of course a very strong one) to access FreeNAS over the Internet.

@Fredda that https uses a different port is true and I forgot completely about that. I will look if I can find a solution with that.
VPN is an option. True. But especially on a different computer, like at work or so, it's a mess. And if I have to run an SFTP server on port 22 anyways, where's the difference if I also have access to the FreeNAS over the https port 443?

@danb35 I don't think that the self-signed cert is the issue. It's more the info that I have to use when I create the CA and cert.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
Where is the difference then?
The difference is that ssh is much more secure by design than the FreeNAS web GUI. But even so, I don't like exposing that over the Internet either; a VPN is a much better solution IMO.
There is still the username and password (of course a very strong one) to access FreeNAS over the Internet.
You're assuming that there are no vulnerabilities that could allow an attacker to do anything without authenticating. While I'm not aware of any such vulnerabilities, given that the GUI isn't designed for this, and hasn't been hardened for it, I'm not willing to make that assumption.
 

ChrisAnder

Cadet
Joined
Sep 6, 2019
Messages
3
The difference is that ssh is much more secure by design than the FreeNAS web GUI. But even so, I don't like exposing that over the Internet either; a VPN is a much better solution IMO.

You're assuming that there are no vulnerabilities that could allow an attacker to do anything without authenticating. While I'm not aware of any such vulnerabilities, given that the GUI isn't designed for this, and hasn't been hardened for it, I'm not willing to make that assumption.

Okay, got that. Thanks!
I will think about that and will decide for myself if I wanna do it like that.
But anyways, it would be nice if I can solve the problem :D
With port 443 opened I've got a step further.
But now it looks like the digital signature of the downloaded certificate isn't the same as the one the website is sending. That's strange.
Common Name seems to be correct now.
 