9.3 -> 9.10 Upgrade thrashed SSL, causes certificate errors

Status
Not open for further replies.

Luna

Cadet
Joined
Dec 28, 2015
Messages
8
After upgrading last night, I found myself unable to connect to HTTPS.

Firefox says:
Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

Chrome tells a somewhat different story:
This certificate has an invalid digital signature.

Either way, I'm locked out, as no browser will allow me to even temporarily ignore the issue.

I haven't been able to find what I need as to how to manually regenerate the certificate, if it's even possible.

I also considered a few workarounds, such as disabling HTTPS and using HTTP to fix the issue, or using the prior system snapshot to disable SSL, update again, and generate a new cert. However, while I know how to do it in the web client, I'm completely in the dark on how to do it in SSH.

Anyone able to offer a solution / workaround / method to execute my workaround idea?
 

Luna

Cadet
Joined
Dec 28, 2015
Messages
8
That's good to know. I can stand to be without the web client for a few days, but I'm going to need to know how to update FreeNAS in SSH in this case.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You can switch back to http by doing the following from the CLI:

Back up your config file:
# cp /data/freenas-v1.db /data/freenas-v1.backup

Run this command:
# sqlite3 /data/freenas-v1.db "update system_settings set stg_guiprotocol = 'http';"

Reboot. ;)
 

Simon Mackenzie

Dabbler
Joined
Aug 9, 2013
Messages
43
Thanks cyberjock. Did the trick nicely.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Sigh.. I just upgraded one of my test systems.. I had to do this myself. :/
 

Grewterd

Dabbler
Joined
Nov 30, 2015
Messages
31
Would this work to update from CLI also?

freenas-update check
freenas-update update
 

Grewterd

Dabbler
Joined
Nov 30, 2015
Messages
31
You can switch back to http by doing the following from the CLI:

Back up your config file:
# cp /data/freenas-v1.db /data/freenas-v1.backup

Run this command:
# sqlite3 /data/freenas-v1.db "update system_settings set stg_guiprotocol = 'http';"

Reboot. ;)

After issuing your command, how do I get https back?
 

j_r0dd

Contributor
Joined
Jan 26, 2015
Messages
134
I just created a new CA and certificate and https is working again. Simple enough.
 

Suraj Ravichandran

Guest
For a rebootless http workaround please do the following:

1. SSH into your system

2. Make a backup of your system database (for safety):
cp /data/freenas-v1.db /data/freenas-v1.db.bak


3. Manually set the GUI's protocol to 'http' in the database:
sqlite3 /data/freenas-v1.db "UPDATE system_settings SET stg_guiprotocol = 'http';"

4. Ensure that the above step went through successfully by printing the value of stg_guiprotocol from the database:
sqlite3 /data/freenas-v1.db "select stg_guiprotocol from system_settings;"

5. Regenerate nginx config file and then restart nginx and django:
service ix-nginx onestart && service nginx restart && service django restart

Also, please read the 9.3 -> 9.10 FAQ and prompt people that you see facing such an issue to do the same:
https://forums.freenas.org/index.php?threads/faq-upgrading-from-9-3-to-9-10.42964/

Specifically this point:

Q: I upgraded and my self-signed SSL certificates that I created earlier (on FreeNAS) no longer work?
  • A: See comments in https://bugs.freenas.org/issues/14977 - easiest to just re-issue the certs in 9.10 due to the fact that 9.3 had some bugs in its cert generation logic (non-security compromising ones, but the tightened cert checks in 9.10 catch them nonetheless).
 

Richard Durso

Explorer
Joined
Jan 30, 2014
Messages
70
Suraj - thank you for the steps above. Just upgraded from 9.3 to 9.10 and hit this problem. Steps worked great for getting back into the GUI.
 

geeklord

Cadet
Joined
Jul 8, 2016
Messages
3
This is a roundabout method, but without seeing this thread this is how I resolved it in a nutshell:

SSH into Box
Create new .crt and .key files
Copy new .crt and .key files to the working files
rename the old ones for backup purposes
rename the new ones with the same name as the old
restart nginx
 

Biornius

Cadet
Joined
Oct 26, 2015
Messages
6
This is still an issue - I ran into this after upgrading today. I wish I had known about this problem before upgrading. I would have enabled ssh or disabled https before upgrading. Since I don't have ssh enabled, I'm guessing that my only option now is to physically connect a screen and keyboard to the FreeNAS computer. If anyone knows of any other option that is less hassle, please say!
 

Biornius

Cadet
Joined
Oct 26, 2015
Messages
6
And I found a workaround: use Chrome on Android. It allows you to bypass the broken certificate and access the FreeNAS web UI.
 
Joined
Mar 15, 2016
Messages
6
This is still an issue - I ran into this after upgrading today. Firefox and Chrome both rejected access.

Comment #14 from Suraj above got it working again.

I'd just add one comment to Suraj's comment which is to delete and re-create SSL CA and Certificates after you regain access if you are using self-signed certificates.

Note for search engines: /var/log/nginx-error.log messages were:
[crit] SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking
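
Firefox raises the SEC_ERROR_REUSED_ISSUER_AND_SERIAL error quoted in the first post when two different certificates carry the same issuer name and serial number. The shell check below is an added example (not from the thread or from FreeNAS) for comparing the old and re-issued certificates after re-creating the CA; it assumes `openssl` is on the PATH and that the PEM files are passed as arguments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag PEM certificates that share issuer + serial number
# but are not the same certificate (what Firefox reports as
# SEC_ERROR_REUSED_ISSUER_AND_SERIAL).

# Print "issuer<TAB>serial<TAB>sha256-fingerprint<TAB>file" for one PEM cert.
cert_identity() {
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 1
    serial=$(openssl x509 -in "$1" -noout -serial) || return 1
    fprint=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\t%s\t%s\t%s\n' \
        "${issuer#issuer=}" "${serial#serial=}" "${fprint#*=}" "$1"
}

# Report every issuer+serial pair that appears on more than one distinct
# certificate. Returns 1 if a collision is found, 0 otherwise.
find_reused_serials() {
    for pem in "$@"; do
        cert_identity "$pem" || echo "skipped unreadable cert: $pem" >&2
    done | awk -F'\t' '
        {
            key = $1 FS $2
            if (!(key in fp)) {          # first time this pair is seen
                fp[key] = $3; iss[key] = $1; ser[key] = $2; files[key] = $4
                next
            }
            if ($3 != fp[key]) clash[key] = 1   # same pair, different cert
            files[key] = files[key] " " $4
        }
        END {
            for (k in clash) {
                print "REUSED serial=" ser[k] " issuer=" iss[k] " files=" files[k]
                bad = 1
            }
            exit bad + 0
        }'
}

# Stand-alone use: pass the certificate files to compare as arguments.
if [ "$#" -gt 0 ]; then
    find_reused_serials "$@"
fi
```

An identical copy of one certificate is not reported, because the SHA-256 fingerprints match; only distinct certificates with the same issuer and serial are flagged.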
 