SSL Certificate Chains not saving

Status
Not open for further replies.

Wardy118
Cadet
Joined: Apr 27, 2016 | Messages: 6
Hello,

Apologies if this is in the wrong place.

But I've been trying for days now to get my head around certificate chains, and I've finally cracked it. However, I now have a new issue that FreeNAS is deciding to revert all my changes whenever I reboot...

Basically I have the combined .crt chain that is correct and the corresponding private key and when I upload it (paste it) into the WebUI, all is good and everything works fine (mobiles are my main concern here). However, when I reboot and view the certificate it appears as though FreeNAS has removed the second certificate from the chain. (And the mobile no longer works)

So I tried uploading them through scp into /etc/certificates and using 'cat' - that worked too. I changed the crt filename in the nginx conf to match the new key and that seemed to work too. But then the same thing happens every time I reboot.

Initially, I had been using a different name for the certificate in the webUI from what I actually named the key file. So I changed it so that they would match, thinking it was doing something weird. But when I rebooted just now for the 100th time, the name's the same in the webUI - nginx is pointing to the right key, but the certificate itself (nano /etc/certificates/combined.crt) only has one certificate, not the chain.

Is this a bug, or am I missing something here?

Many thanks

[EDIT]: I've just noticed that upon reboot - the key in the webUI is the correct chain (and has two certs), but the key that nginx is using only has one certificate in the 'chain' (in /etc/certificates)

danb35
Hall of Famer
Joined: Aug 16, 2011 | Messages: 15,504
Interesting. I hadn't noticed an issue with this, probably because my browser is caching the intermediate cert, but my system is doing the same thing. Nginx is only serving the "leaf" cert, and that's the only cert in /etc/certificates, even though the full chain (intermediate and leaf) is entered in the web GUI. Here's what's entered in there, which is what nginx requires to serve the certificate properly:
Code:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


...but the contents of /etc/certificates/FreeNAS Server 2 Mar.crt are only this:
Code:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


...and when connecting using openssl as a client, only the leaf cert is served:
Code:
dan@dan-MacBookPro:~/.ssh$ openssl s_client -connect freenas2.familybrown.org:443
CONNECTED(00000003)
depth=0 CN = freenas2.familybrown.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = freenas2.familybrown.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=freenas2.familybrown.org
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=freenas2.familybrown.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2491 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol  : TLSv1.2
  Cipher  : ECDHE-RSA-AES256-GCM-SHA384
  Session-ID: 7235EA17267A52F3FEF41568D93B57425C815FB87D8F61E4E860E4DF0E721DF2
  Session-ID-ctx:
  Master-Key: D7B1F7B4B9F28AF5820C8F5A39B87980655B754B5ABCBE66E03223DEE1071BAAFE24006C8CA1673A818E657A49898C57
  Key-Arg  : None
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket lifetime hint: 7200 (seconds)
  TLS session ticket:
  0000 - 22 f8 23 90 bb f8 7c 5e-2a b7 ae 0b da 4e 50 36  ".#...|^*....NP6
  0010 - 9e 68 47 81 7e 4c e1 70-13 1c fd c7 61 01 2b 29  .hG.~L.p....a.+)
  0020 - a2 44 16 34 52 ec 94 e4-cf 55 3f 0a bc 82 de 38  .D.4R....U?....8
  0030 - a4 70 86 17 87 f7 68 11-3f a7 a8 31 7c 36 4f a2  .p....h.?..1|6O.
  0040 - e6 77 dd 59 a2 81 5d 8f-02 73 38 0c 57 dc 95 ef  .w.Y..]..s8.W...
  0050 - 30 77 ba 8e 8a 60 1b 04-fb 18 b3 da 5c 6c 6d fc  0w...`......\lm.
  0060 - 5e 84 c0 35 ea 19 d7 59-5a dc 51 58 95 b0 ff 92  ^..5...YZ.QX....
  0070 - f5 7e 06 94 e0 11 6a 07-dd 1c 59 c2 20 40 e1 de  .~....j...Y. @..
  0080 - 00 34 da f6 16 d9 c4 44-73 ae be df 9e ea 34 0e  .4.....Ds.....4.
  0090 - 58 58 2f cb ff c2 ea 0c-9d 2a 43 89 e4 39 e9 cf  XX/......*C..9..
  00a0 - 24 be eb 4f 6b 0e 8a 6a-09 fe e6 89 ed 80 9d 84  $..Ok..j........

  Start Time: 1461976265
  Timeout  : 300 (sec)
  Verify return code: 21 (unable to verify the first certificate)
---

^C
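An added check, mine rather than anything from this thread or from FreeNAS, that does mechanically what danb35 did by eye above: it splits a PEM bundle into its certificates, pulls issuer and subject out of each one with a minimal DER walk, and reports how many certificates the file holds and whether each is followed by the certificate that issued it. The sample certificates are constructed stubs (unsigned, only the names set); `fake_cert_pem` and the root name `Example Root CA` are my inventions, the other names come from the thread.

```python
import base64
import re

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem_bundle(text):
    """DER bytes of every certificate in a PEM bundle, in file order (key blocks are ignored)."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_CERT.findall(text)]

def _tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der):
    """(issuer, subject) as raw DER Name bytes; byte equality is enough to link a cert to its signer."""
    fields = _children(_children(_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] version comes first
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...

def check_chain(text):
    """Return (certificate count, indexes i where cert[i] was not issued by cert[i+1])."""
    names = [issuer_and_subject(der) for der in split_pem_bundle(text)]
    broken = [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    return len(names), broken

# Constructed sample data: minimal unsigned DER with only issuer/subject set, NOT real certificates.
def _enc(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only; enough for these small samples

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _name(issuer) + _enc(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_enc(0x30, _enc(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

LEAF = fake_cert_pem("freenas2.familybrown.org", "Let's Encrypt Authority X1")  # names from the thread
INTERMEDIATE = fake_cert_pem("Let's Encrypt Authority X1", "Example Root CA")  # root name is made up
```

`check_chain(LEAF + INTERMEDIATE)` is what the web GUI holds (2 certificates, correctly ordered); `check_chain(LEAF)` is what /etc/certificates contained after reboot (1 certificate), which is exactly the gap the openssl output above shows.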

dlavigne

Guest
Please create a bug report at bugs.freenas.org (that includes the build version) and post the issue number here.