Making FreeNAS 11.3 a secure connection with HTTPS

Markeyse

Dabbler
Joined
Feb 17, 2020
Messages
14
Hello everyone! I just installed my new FreeNAS box, and I was following the video to add in the certificates so my browser will route it to HTTPS, and followed this video right here to get the CA and Certificates set. I think because everything is new that I am not getting it to work, and it is saying the connection isn't secure. Anyone please tell me what I am doing wrong. Thank you! I'm using the New Microsoft Edge and Chrome.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> it is saying the connection isn't secure.
Assuming that video is using the built-in CA, you're still going to have certificate errors with any of your client computers unless you download and trust that CA's cert on all of your client computers. If you're using a self-signed cert, you're always going to have certificate errors.

If you own a domain, the best thing to do is to get a real, trusted cert from a real CA. If you have a supported DNS provider, you can get that following these instructions:

FreeNAS 11.3 includes a little bit of this capability built-in, but only for one DNS host, IIRC.
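
The trust relationship described in the reply above, as an added example that is not part of the original thread: a throwaway CA signs a certificate for the NAS web UI, and `openssl verify` plays the browser with and without that CA imported. The hostname `nas.example.lan`, the CA name and all file names are assumptions made up for the demo.

```shell
#!/bin/sh
# Constructed demo: a private CA (standing in for the NAS's built-in CA) signs
# a certificate for the web UI. nas.example.lan and all file names are made up.
WORK=$(mktemp -d)
HOST=nas.example.lan
trap 'rm -rf "$WORK"' EXIT

make_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_leaf() {
    # Browsers match the hostname against subjectAltName, so set it explicitly.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# $1 = CA file the client has imported ("" = none), $2 = hostname typed in the browser
trusted_by() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" "$WORK/leaf.crt" >/dev/null 2>&1
    fi
}

report() {
    if trusted_by "$1" "$2"; then echo "$3: OK"; else echo "$3: certificate error"; fi
}

make_ca && make_leaf || exit 1
report ""             "$HOST"           "client without the CA imported"
report "$WORK/ca.crt" "$HOST"           "client that trusts ca.crt"
report "$WORK/ca.crt" other.example.lan "trusted CA, wrong hostname"
```

Only the second case verifies; importing the CA certificate into each client's trust store is the step that `-CAfile` stands in for here.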
 

Markeyse

Dabbler
Joined
Feb 17, 2020
Messages
14
> Assuming that video is using the built-in CA, you're still going to have certificate errors with any of your client computers unless you download and trust that CA's cert on all of your client computers. If you're using a self-signed cert, you're always going to have certificate errors.
>
> If you own a domain, the best thing to do is to get a real, trusted cert from a real CA. If you have a supported DNS provider, you can get that following these instructions:
>
> FreeNAS 11.3 includes a little bit of this capability built-in, but only for one DNS host, IIRC.

OK, thank you. I guess they didn't say that a self signing one wouldn't still work in the video. Thank you.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I guess they didn't say that a self signing one wouldn't still work in the video.
That depends what you mean by "work". It will still encrypt your communications, but in the four years since that video was made, browsers have become less willing to trust self-signed certs. So the cert will still work, but it's very hard to avoid certificate errors.
 
Joined
Jan 27, 2020
Messages
577
What would be the benefit of that when accessing FreeNAS from local networks? I've read here to never expose a FN-box to the internet.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> What would be the benefit of that when accessing FreeNAS from local networks?
Browsers have gotten more, shall we say, vocal in their warnings about HTTP forms and untrusted certs, to the point where it's pretty much impossible to trust a self-signed cert and have the browser show that everything's OK. Is a cert from a trusted CA needed for secure communications on your LAN? No, but it makes matters a lot easier with the browsers.
 

Markeyse

Dabbler
Joined
Feb 17, 2020
Messages
14
> That depends what you mean by "work". It will still encrypt your communications, but in the four years since that video was made, browsers have become less willing to trust self-signed certs. So the cert will still work, but it's very hard to avoid certificate errors.

Got ya!
 

Markeyse

Dabbler
Joined
Feb 17, 2020
Messages
14
> What would be the benefit of that when accessing FreeNAS from local networks? I've read here to never expose a FN-box to the internet.

For setup and stuff. My rig runs headless. Besides it is still technically local. I don't need to be connected to the net to still access it.

> Browsers have gotten more, shall we say, vocal in their warnings about HTTP forms and untrusted certs, to the point where it's pretty much impossible to trust a self-signed cert and have the browser show that everything's OK. Is a cert from a trusted CA needed for secure communications on your LAN? No, but it makes matters a lot easier with the browsers.

Yeah, because I was like maybe I can run it and force it to go HTTPS and it will be "green" on the browser, but yet it says it isn't trusted and I have to click the link to say it is ok it isn't untrusted.
 

SHAWN MOLLOY

Cadet
Joined
Mar 27, 2023
Messages
1
> If you own a domain, the best thing to do is to get a real, trusted cert from a real CA.

Sorry I'm so late to the party but may I ask, danb35, are you saying we can re-use the CERT from an existing domain for our local TrueNAS instance? I.e., an SSL cert for MyDomain.com can be used with truenas.local just because it is trusted from a CA like NOIP? And I assume that wouldn't endanger compromise or invalidate the real domain's trust in any way...

Thank you!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> are you saying we can re-use the CERT from an existing domain for our local TrueNAS instance
No, I'm saying you can make a new cert for your TrueNAS instance, using your domain name (e.g., call it truenas.domain.com). The link I gave above is still valid information for a way to do that, though acme.sh can now deploy the cert to TrueNAS directly.
 