Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Invalid Certificate

afc_rich

Newbie
Joined
Jun 6, 2020
Messages
2
Hi everyone, I am a new User to FreeNAS and have been pulling my hair out with the following certificate issue.

My environment has a Windows 2019 PKI (Offline Root, Enterprise Subordinate).

I have followed the below steps:

  • Generated a CSR request via the FreeNAS web GUI (11.3-RELEASE-p7).
  • Issued a Web certificate using the advanced certificate request
  • Created a text file containing full chain of certificates (From top to bottom, Web cert, Sub CA, Root CA)
  • Imported Certificate to FreeNAS
  • Updated GUI SSL certificate to the New Cert
When I now connect to the web gui from a workstation (Has CAs in store) I receive the "Your connection to this website is insecure" "Invalid Certificate" message.

The strange thing is that when you look at the cert via Chrome, all certs in the chain report as "OK".

From the FreeNAS shell I have run the command "openssl s_client -showcerts -connect <myserver>:<ssl_port>" which gives me the error: "Verify return code: 19 (self signed certificate in certificate chain)"

Some reading tells me this is the case because a RootCA is always self signed. I therefore added the RootCA to the local store by running the following command "openssl x509 -in <Crt File> -text >> /etc/ssl/cert.pem"

Now when I run the command "openssl s_client -showcerts -connect <myserver>:<ssl_port>" there are no errors. However I am still receiving the original error within Chrome.

I feel as though I am very close to cracking it. Any thoughts?

Thanks,

Rich
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
1,308
A couple of things to check:
  1. Did you import the offline root CA into your workstation as a trusted root CA?
  2. Did you import the subordinate root CA into your workstation as a trusted intermediate CA?
  3. Does the FreeNAS cert have a Subject Alternate Name (SAN) that matches the Canonical Name (CN)? Entries in the SAN are lines with DNS Name=domain.name. This is new requirement for certificate validity.
 
Last edited:

afc_rich

Newbie
Joined
Jun 6, 2020
Messages
2
  1. Did you import the offline root CA into your workstation as a trusted root CA? YES
  2. Did you import the subordinate root CA into your workstation as a trusted intermediate CA? YES
  3. Does the FreeNAS cert have a Subject Alternate Name (SAN) that matches the Canonical Name (CN)? Entries in the SAN are lines with DNS Name=domain.name. This is new requirement for certificate validity. NO

I did not add the FQDN to the SAN entries! All fixed now, knew it would be something simple.

Thank you for your help.
 
Top