FreeNAS WebGUI through SSL causing getty repeating too quickly

Status
Not open for further replies.

XTREEMMAK

Dabbler
Joined
Feb 8, 2016
Messages
31
I previously installed SSL on an ownCloud install and that's working fine. So since my registered domain is going through the same IP, I wanted to use the purchased certificate with my FreeNAS WebGUI as well so I have https access to it away from home. I added the certificate and enabled the port on my router and finally switched in preferences from HTTP to HTTP+HTTPS access (for safety). Everything worked out great when trying to access the GUI through my registered domain name and I was accessing through a secured https connection (indicated by green lock).
The problem comes AFTER I restarted the server. I just added a NIC card today and just realized that after I added SSL, I never tried restarting the server! So after I did, I wasn't able to get in at all! And yes, I narrowed down the problem by removing the NIC just to be sure it wasn't causing any conflicts; same results.
Basically after FreeNAS does its initial checks and comes to the menu when you're about to be given your IP and can make choices from 1-14, the system will loop and then finally give out:
getty repeating too quickly, sleep for 30 seconds
And this will continue indefinitely. I'm unable to access shell at this point. So in order to get my system back to normal, I had to roll back to a previous install, and clone a boot from the default. From there, after testing, I narrowed the problem down to my SSL settings.
Not sure what I'm doing wrong... Like I said, I had SSL connection working until I restarted the server. I only created a certificate (if that's any help in information)
I'm using the latest stable version of FreeNAS updated to latest build.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Eeek! Do not expose any part of the FreeNAS GUI to the Internet. I'm not saying it's inherently insecure, but exposing the management portion to the Internet is just a bad idea in itself.

As for the SSL certificate, did you install both the public and private keys, including the CA and any chain certificates too?
 

XTREEMMAK

Dabbler
Joined
Feb 8, 2016
Messages
31
Well, I initially just installed the public and private keys. I did not add anything in the CA tab and still managed to get SSL to work fine...until I restarted. But as you said, if it's more of a malpractice to expose the WebGUI backend in a public environment regardless of whether I'm using SSL or not, then I see it best for me just not to do so. No matter, I have RDP/TeamViewer setup on a system within the network and can easily access the WebGUI that way. This was strictly for convenience :/
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Don't put your FreeNAS GUI on the wide open internet. That is just bad and scary.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> No matter, I have RDP/TeamViewer setup on a system within the network and can easily access the WebGUI that way. This was strictly for convenience :/

Yeah, just have a decent firewall and VPN setup (pfSense with OpenVPN?). Then you are better off VPN'ing in and accessing the internal network that way.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
As has been echoed by most members, FreeNAS is only meant to be run behind a firewall, with no direct access from WAN -> FreeNAS. You can accomplish remote access either via VPN or SSH. SSH is great if you're only needing to get into the web management GUI, and can be done via an SSH Multi-Hop (there's a tutorial in my signature).

As to certs, while a purchased ICA/client cert is, mostly, necessary if you have a website that will see decent traffic, for FreeNAS and anything else on a home network, it's better to create your own CA and ICAs (Intermediate CAs) using OpenSSL. If you're interested in that, there's a link to a prebuilt openssl.cnf in my sig, and towards the bottom of it will be a listing of the commands you'll need to execute.
  • If your website is only for personal use, such as a blog, or a site for your friends/family, you can use your own CA/ICA to issue a cert for the site, provided you supply a link to download your CA for installation onto your friends'/family's PC. If you issue the website cert using an ICA, ensure you concatenate the ICA and CA into a single pem cert.
  • When you purchase a cert from a trusted centralized CA or ICA, what you're paying for is the management of the CRL, not the cert itself. A website's SSL cert is only there to guarantee the connection between host and client is a trusted connection that hasn't been tampered with, so it's necessary for a site that will have sensitive info, such as usernames/passwords/finance transactions/etc, passing through it to be trusted by a central certificate authority whose trust has been verified and is accepted the world over.
    • This isn't the case for personal websites that will be utilized mostly by oneself, friends, and family, as the openssl generated CA can simply be provided to them to install into their keystore or cert manager as a Trusted Root Certificate. This will ensure one receives the green https tab, and does not receive the warning error that would occur without the CA's certificate being installed as a Root CA.
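
The CA, ICA and server-certificate layout described in the post above, together with the earlier question about installing the full chain, as an added example that is not part of the original thread and not the openssl.cnf linked in the poster's signature: it builds a throwaway chain with OpenSSL, concatenates ICA and CA into one PEM, and checks both the chain and the key/certificate pairing. The subject names, `freenas.home.example`, the file names and the helper functions are all constructed for illustration.

```shell
#!/bin/sh
# Added example. CN values, freenas.home.example and file names are constructed.
build_chain() (                       # subshell body: cd stays local
    cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ica]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:freenas.home.example
EOF
    new_csr() {                       # $1 = file prefix, $2 = subject
        openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
            -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {                          # $1 = subject prefix, $2 = issuer prefix, $3 = ext section
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
            -CAcreateserial -days 825 -extfile ext.cnf -extensions "$3" \
            -out "$1.crt" 2>/dev/null
    }
    # Self-signed root, then ICA signed by the root, then server signed by the ICA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ext.cnf \
        -extensions v3_ca -subj "/CN=Home Root CA" \
        -keyout ca.key -out ca.crt 2>/dev/null &&
    new_csr ica "/CN=Home Intermediate CA" && sign ica ca v3_ica &&
    new_csr server "/CN=freenas.home.example" && sign server ica v3_srv &&
    cat ica.crt ca.crt > ca-chain.pem  # ICA and root CA in a single PEM
)
# Server cert checked against the concatenated ICA + CA file.
verify_chain()       { openssl verify -CAfile "$1/ca-chain.pem" "$1/server.crt" >/dev/null 2>&1; }
# Same check with only the root available: the ICA link is missing.
verify_without_ica() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }
key_matches_cert() {                  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
demo=$(mktemp -d) && build_chain "$demo" && verify_chain "$demo" &&
    echo "chain verifies; files in $demo"
```

`verify_without_ica` fails by design: a server certificate issued by an ICA does not validate against the root alone, which is why the ICA has to be shipped alongside it.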
 