Cannot Access WebGUI after Enabling HTTPS

Status
Not open for further replies.

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
I've just set up my FreeNAS server and wanted to make it more secure by using HTTPS for the WebGUI. I created the CA and self-signed certificate and then enabled HTTPS after selecting the self-signed certificate I had just created. Now when I try to access the WebGUI I get an error for a "Malformed certificate". I still have access to the console, so if anybody could please guide me towards a way to turn the WebGUI back to HTTP that would be splendid! As of right now the only way to administer the server is through the console and there are very limited options.

After thinking about this, for the CA and the self-signed certificate I used the hostname not the FQDN for the Common Name...could this have been what dorked the certificate?

I hope there's an easy fix via console I'm just unsure of what configuration file to look at and change. Luckily I already had all my CIFS shares and permissions set.

FreeNAS-9.3-STABLE w/ all updates on Dell PowerEdge 2900
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
You could always reset, via the console, back to factory fresh. That would not harm your pool. Then, you could import the pool, and get everything configured again.

I would like to know what the cause of the problem was. Shouldn't have anything to do with the Common Name. There was a bug at one point where, if you chose <1024 bits on the RSA, Firefox would refuse to accept it. But, those <1024 options should have been removed...
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
I'll give the factory reset a go tomorrow. I'd like to get the HTTPS working for the WebGUI. The basic steps I followed were to create an internal CA. Then I created a self-signed certificate. Then I select HTTPS and select the self-signed certificate in the dropdown. After clicking save I should be able to access just as before with the exception of it now being https. I hope it works this time.
 

tropic

Dabbler
Joined
Jul 6, 2011
Messages
43
Shot in the dark, but do you have a hyphen or other non-alphanumeric character in your ca or cert name? If so, try using freenasCA and freenasCERT or somesuch next time you're troubleshooting. FreeNAS had a bit of fun with me when I first switched to the 9.3 train.

Edit: You might also want to select HTTP+HTTPS until you've got it working correctly... it'll save you a lot of headaches
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
I do have a space in the cert name, which I will not do next time. Also, after reading further, I have a dual-NIC box set up with DHCP reservations which I've now discovered is not fully supported. When I redo it this time, I'll leave the reservations in the router but give the box static IPs.
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
I did the reset to factory defaults and imported my pools again and then set both NICs to static IPs. I created the internal CA and the internal certificate (without spaces this time) and then enabled HTTP+HTTPS. I could not access HTTPS. I still get a certificate error. I've tried changing the WebGUI IPv4 to each NIC as well as 0.0.0.0, still no go. I tried all the major browsers (IE, Chrome, FF). I'm at a loss as to what to try next. I do not like administering the box in the clear. I've had this same hardware setup with CentOS serving Samba shares and administered with HTTPS via Webmin.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
What sort of certificate error? Browsers are going to point out that your CA isn't in their list of approved ones, and put various obstructions in the way of using it unless you import the certificate authority.
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
Chrome gives the most information and says that it is a malformed certificate. I can try importing the CA but I do not think that will do it. I am aware of how to get around the browser stranger danger screen.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Well I tried to create a second internal certificate to see if it would work but I got some kind of exception saying the serial number (which is not one of the fields the user can control) was incorrect. So my attempt to help didn't get far. But my original internal certificate did work. (I am using one from cacert.org for my domain now because it is easier.) Did you fill in every field of the dialogue? I think it needs all of them even if some of them are not really applicable. If you accept a browser's offer to let you look at the certificate is there any obvious anomaly in what is presented?
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
Yes, all fields were filled in as per the manual. Unfortunately the browser will not allow me to view the certificate (probably due to it being malformed). Perhaps I'll try to create one in a VM and test there and then import and use it that way.
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
I used the export certificate and then looked at the properties and under certificate status on my Windows 7 machine it says "This certificate has an invalid digital signature."
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Beginning to sound like a bug. It did work before though ...
 

NodakBarnes

Dabbler
Joined
Apr 23, 2015
Messages
18
Created Bug #9431 - Self-signed certificates have invalid digital signature
Possibly related: Bug #9207 - self signed CA certificates
 

cstanley

Cadet
Joined
Apr 24, 2016
Messages
8
Not to grave dig here - I too am experiencing this issue with the malformed cert. I responded to the bug request as well.

FreeNAS 9.10-Stable
 

bibigon

Cadet
Joined
Mar 20, 2014
Messages
2
Hello, I confirm this bug on my newly established system with 9.10-STABLE.
My workaround is to ssh into the FreeNAS box and issue a self-signed cert, as described here: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

Then I ran cat key.pem and cat cert.pem and copied the output to the corresponding fields in the web GUI. See System -> Certificates -> Import Certificate.
Finally I deleted these 2 newly created files.

I ended up going to http://www.selfsignedcertificate.com/ and creating a self-signed certificate there. I imported it and it worked a treat. Appears to be a bug.

It feels a little bit insecure for me to use an external certificate generator. And furthermore, it doesn't support https itself, only http :(
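
The workaround described in the post above (generate the certificate locally with openssl, then import it) can be paired with a check for the "invalid digital signature" symptom reported earlier in the thread, so a bad certificate is caught before HTTPS is enabled. This is an added example, not part of any post in the thread; the Common Name, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. CN and paths are constructed placeholders.

make_selfsigned() {   # $1 = output dir, $2 = Common Name
    ( umask 077       # keep key.pem readable by the owner only
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
          -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null )
}

sig_ok() {            # $1 = cert; a self-signed cert is its own trust anchor
    # grep for OK instead of relying on the exit status of older openssl builds
    openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

key_matches() {       # $1 = cert, $2 = key; both must carry the same public key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

check_pair() {        # $1 = cert, $2 = key; returns 0 only if safe to import
    sig_ok "$1" || { echo "FAIL: invalid digital signature"; return 1; }
    key_matches "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    # Print details to compare with what the browser shows after import
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Demo run in a throwaway directory that is removed on exit
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_selfsigned "$work" "freenas.example.lan" &&
    check_pair "$work/cert.pem" "$work/key.pem"
```

The same `check_pair` call can be pointed at a certificate exported from the GUI to confirm whether it carries a valid signature.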
 