Bad Certificate, can't access WebUI


my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
So, I've been trying to get Chrome to accept the certificate for my server, but it just keeps refusing. In my searches I have found that it might be because the certificate is for localhost and the URL I'm using is my ddns.net one. Anyway, I was attempting to create a new cert using the ddns.net url but I couldn't figure it out. I created a certificate request (I think...) and switched the UI to use that one. Now when I attempt to log in, I get a 403 with this message: CSRF verification failed. Request aborted.

Is that the server kicking the connection, or Chrome? If it's Chrome, I can try to launch it with the ignore certificate flag.

Any input would be greatly appreciated.
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
Just tried with the ignore certificate flag and I get this:

This web page is not available


ERR_CONNECTION_REFUSED
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
if you are on the local network, and trying to access your NAS by a public hostname, you are trying to do what is called HAIRPIN NAT, where you go OUT to the internet, and come back IN through your router. If your network is not configured properly, this will not be possible. (having port 443 forwarded to your NAS for instance, and assuming your router can handle the hairpin nat)

having said that, why on earth would you expose your NAS web GUI to the internet??
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
if you are on the local network, and trying to access your NAS by a public hostname, you are trying to do what is called HAIRPIN NAT, where you go OUT to the internet, and come back IN through your router. If your network is not configured properly, this will not be possible. (having port 443 forwarded to your NAS for instance, and assuming your router can handle the hairpin nat)

having said that, why on earth would you expose your NAS web GUI to the internet??
Yeah, I know. I've had it set up this way for quite some time. And now I cannot even access the WebGUI via the local IP.

But, I have it opened to the internet because there are many times when I'm not home and need to access it. Also, I run a server at my mom's house, which I need to access from my house. I've never had any luck setting up OpenVPN, otherwise I would do that, lol.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Personally, I wouldn't trust the security of your server at this point. Time to SSH in and check the logs.
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
Personally, I wouldn't trust the security of your server at this point. Time to SSH in and check the logs.
I don't follow why you wouldn't trust the security of the server... I personally changed the certificate and now I cannot access it to change it back. Also, I'm looking at the monitor attached to the server and it's not outputting anything special.

What logs would you advise?
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
why wouldn't I trust the security??

because you expose it directly to the internet...

you can SSH or console in and check out the logs located in /var/log

It appears to me that your server is not listening for requests at all, or your router is misconfigured
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
based on what I know right now from a quick scan, you have a Sophos firewall, but port 443 is not open and forwarded

Uptime guess: 7.096 days (since Sat Jul 18 12:03:13 2015)
53/tcp closed domain
110/tcp open pop3-proxy Astaro firewall pop3 proxy

Looks like port 8080 is open too
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
why wouldn't I trust the security??

because you expose it directly to the internet...

you can SSH or console in and check out the logs located in /var/log

It appears to me that your server is not listening for requests at all, or your router is misconfigured

I trust the strength of my password, lol.

But, like I said, the local IP doesn't work either. So it has to be something on the server, right? Nothing else changed on the network.

I'm just going to boot into a previous boot snapshot and then upgrade again. See what happens.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I trust the strength of my password, lol.

But, like I said, the local IP doesn't work either. So it has to be something on the server, right? Nothing else changed on the network.

I'm just going to boot into a previous boot snapshot and then upgrade again. See what happens.
right, if local IP doesn't work, it sounds like NGINX has failed to restart.
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
right, if local IP doesn't work, it sounds like NGINX has failed to restart.
Well, son of a gun. Just rebooted the server and it works again. So apparently NGINX hadn't fully restarted or something. Because, I could get it to show me the login screen, but after that I'd get the 403.

Anyway, this thread can be removed now, lol. I should have tried to reboot. (Have you tried turning it off and back on? -____- )
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Do you indeed run a Sophos/Astaro UTM?

You can run OpenVPN directly on it without the need to set up FreeNAS for ANYTHING. Setting up VPN on Sophos is simple. VPN is the appropriate way of accessing your server across the internet.
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
Do you indeed run a Sophos/Astaro UTM?

You can run OpenVPN directly on it without the need to set up FreeNAS for ANYTHING. Setting up VPN on Sophos is simple. VPN is the appropriate way of accessing your server across the internet.
Not sure, lol. I run DDWRT on my WNDR3700. I've attempted to get OpenVPN to run on it, to no avail.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
a Sophos UTM acts as a firewall/router. you would know if you have one installed, since it's a server/hardware device.
 

my95z34

Explorer
Joined
Oct 25, 2014
Messages
51
a Sophos UTM acts as a firewall/router. you would know if you have one installed, since it's a server/hardware device.
Just googled it, no I do not have that. I was toying with PFSense last week, not sure if maybe you're seeing cached info or something.
 

JDCynical

Contributor
Joined
Aug 18, 2014
Messages
141
There are also programs like TeamViewer. It's not open source, but it's free for personal use and is cross platform (Windows, Mac, Linux, Android)
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I've been trying to get Chrome to accept the certificate for my server, but it just keeps refusing. In my searches I have found that it might be because the certificate is for localhost and the URL I'm using is my ddns.net one. Anyway, I was attempting to create a new cert using the ddns.net url but I couldn't figure it out. I created a certificate request (I think...) and switched the UI to use that one. Now when I attempt to log in, I get a 403 with this message: CSRF verification failed. Request aborted.

Here's a nice tutorial on how to create SSL certs that are trusted by your browser, with a pre-built openssl.cnf below
  • Due to wanting better security, I slightly modified the commands in the tutorial:
    • openssl genrsa -aes256 -out server.key 2048
      • There's a negligible performance hit between 2048 and 1024, thus 2048 should be utilized
    • openssl req -sha256 -new -key server.key -out server.csr
    • openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out server.crt
  • Save the openssl.cnf in the directory you'll be working in
    • For example, /etc/ssl/certs/
    • Under Establish Certificate Defaults add your information to the right of the "= "
  • Chrome is finicky when it comes to self-signed SSL certs
    • For example, the SSL cert I built for my FreeNAS and the OwnCloud jail both register without error in Chrome [Edge Browser still registers them as invalid however], yet the SSL cert I created for OpenWRT still registers an error even though I've imported the CA into Trusted Root in Certificate Manager (certmgr.msc)
      • Sometimes Chrome fails to recognize CAs imported into Trusted Root, at which point manually adding them via the chrome://settings/ HTTPS/SSL manager has sometimes fixed the issue
    • Remember the Common Name must always be set to the full path of the IP or FQDN (wildcards for FQDNs are acceptable, i.e. *.yoursite.com)
      • I think this may be the issue with my OpenWRT cert, as I'm thinking "/cgi-bin/luci" may need to be added to the IP common name
openssl.cnf
Code:
#-------------------------------------------#
##---------- OpenSSL Config File ----------##
#-------------------------------------------#


##----- Establish working directory -----##

dir                       = .


##----- Establish CA Profile and Policy -----##

[ ca ]
default_ca                = CA_default

[ CA_default ]
serial                    = $dir/serial
database                  = $dir/certindex.txt
new_certs_dir             = $dir/certs
certificate               = $dir/cacert.pem
private_key               = $dir/private/cakey.pem
default_days              = 3650
default_md                = sha256
preserve                  = no
email_in_dn               = no
# Display options used when "openssl ca" asks for confirmation; the config keys are
# name_opt/cert_opt (nameopt/certopt are the command-line flags and are ignored here)
name_opt                  = ca_default
cert_opt                  = ca_default
policy                    = policy_match

[ policy_match ]
countryName               = match
stateOrProvinceName       = match
organizationName          = match
organizationalUnitName    = optional
commonName                = supplied
emailAddress              = optional


##----- Establish Certificate Options -----##

[ req ]
default_bits              = 2048
default_keyfile           = key.pem
default_md                = sha256
string_mask               = nombstr
distinguished_name        = req_distinguished_name
req_extensions            = v3_req

[ req_distinguished_name ]

0.organizationName        = Organization Name (company)
organizationalUnitName    = Organizational Unit Name (department, division)
emailAddress              = Email Address
emailAddress_max          = 40
localityName              = Locality Name (city, district)
stateOrProvinceName       = State or Province Name (full name)
countryName               = Country Name (2 letter code)
countryName_min           = 2
countryName_max           = 2
commonName                = Common Name (hostname, IP, or your name)
commonName_max            = 64


##----- Establish Additional Certificate Profiles -----##

[ v3_ca ]
basicConstraints          = CA:TRUE
subjectKeyIdentifier      = hash
authorityKeyIdentifier    = keyid:always,issuer:always

[ v3_req ]
basicConstraints          = CA:FALSE
subjectKeyIdentifier      = hash


##----- Establish Certificate Defaults -----##
   
0.organizationName_default         =
localityName_default               =
stateOrProvinceName_default        =
countryName_default                =
# Key must match the field name in [ req_distinguished_name ] for the default to apply
organizationalUnitName_default     =
 
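The following script is an added example for this thread; it is not the tutorial's code and not from any poster. It reproduces the situation in the opening post (a certificate whose only name is "localhost" being reached through a DDNS hostname) beside a certificate that carries the hostname in a Subject Alternative Name, and a wildcard variant as mentioned in the bullet about "*.yoursite.com", then asks openssl which hostnames each certificate is valid for. It assumes an openssl binary (1.0.2 or newer) on PATH; "myserver.ddns.net" is a made-up placeholder for the poster's unnamed DDNS name.

```shell
#!/bin/sh
# Added example, not from the thread: build self-signed certs with openssl and
# check which hostnames they are valid for, the way a browser does.
# Assumes: openssl (1.0.2+) on PATH; "myserver.ddns.net" is a placeholder.
set -eu

WORK=$(mktemp -d)

# make_cert NAME CN [DNS_SAN]
# Writes $WORK/NAME.key and $WORK/NAME.crt (self-signed, RSA-2048, SHA-256, 10 years).
# The key is written unencrypted (-nodes) so the script runs non-interactively;
# the thread's "genrsa -aes256" variant would instead prompt for a passphrase.
make_cert() {
    name=$1
    cn=$2
    san=${3:-}
    cfg="$WORK/$name.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        # Only attach an extension section when a DNS SAN was requested.
        if [ -n "$san" ]; then
            printf 'x509_extensions = ext\n'
        fi
        printf '[dn]\nCN = %s\n' "$cn"
        if [ -n "$san" ]; then
            printf '[ext]\nsubjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$san"
        fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cfg" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null \
        || { echo "openssl req failed for $name" >&2; return 1; }
}

# cert_matches_host CRT HOST -> exit 0 if CRT is valid for HOST, 1 otherwise.
# openssl's -checkhost applies the usual rules: SAN dNSName entries first,
# wildcard only in the leftmost label, CN consulted only when the cert has no SAN.
# Its report line reads "Hostname X does match certificate" or "... does NOT match ...".
cert_matches_host() {
    openssl x509 -in "$1" -checkhost "$2" | grep -q ' does match '
}

# 1. The opening post's situation: a cert whose only name is "localhost".
make_cert local localhost
# 2. A cert that carries the DDNS hostname in a SAN (what the browser checks).
make_cert ddns myserver.ddns.net myserver.ddns.net
# 3. A wildcard SAN, as in the "*.yoursite.com" bullet above.
make_cert wild '*.ddns.net' '*.ddns.net'

# report NAME HOST: human-readable verdict for one cert/hostname pair.
report() {
    if cert_matches_host "$WORK/$1.crt" "$2"; then
        printf '%-6s cert vs %-20s OK\n' "$1" "$2"
    else
        printf '%-6s cert vs %-20s MISMATCH (browser will refuse)\n' "$1" "$2"
    fi
}
report local myserver.ddns.net
report ddns  myserver.ddns.net
report wild  myserver.ddns.net
report wild  ddns.net            # a wildcard never covers the bare parent domain
echo "Certificates left in $WORK for inspection (openssl x509 -text -in ...)"
```

Two points the output makes concrete. First, the name the browser types into the address bar has to appear in the certificate; a certificate for "localhost" is a mismatch for a DDNS name no matter how it is imported, and only hostnames (or IP addresses) are matched, never URL paths. Second, openssl still falls back to the Common Name when a certificate has no SAN at all, but Chrome has matched only against Subject Alternative Names since version 58, so a certificate produced with a CN alone will keep drawing the error; putting the hostname in a SAN as above is what resolves it. Separately, a passphrase-protected server key has to be unlocked every time the web server restarts, which is worth keeping in mind on a headless box.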