Will this procedure work to get rid of browser warnings for self-signed certificates?

DavidYLau

Dabbler
Joined
Jul 30, 2022
Messages
28
Background: I have no intention of exposing my TrueNAS SCALE box to the public internet. I do want to connect to it with SSL/TLS for the additional security but without the annoying browser security warnings due to the self-signed certificates. Since the box won't be on the internet, can I avoid the cost of purchasing a domain name (seems to be needed for an externally authorized certificate) and still avoid the browser warnings?

The following procedure works for my pfSense firewall:
1) Create internal root CA
2) Create internal intermediate CA (using root CA as authority)
3) Create certificate (using intermediate CA as authority)
4) Export root CA and intermediate CA info as files.
5) Import internal CA info into Windows certificate manager or the browser's certificate manager
6) Use the new certificate for Web_GUI
So I got this working for pfSense with Brave, Firefox, Chrome, Edge browsers.

I seem to be able to replicate steps 1)-5) through the TrueNAS Web-GUI. I haven't done step 6) yet as I wanted people's opinion on whether this would work for SCALE before I take the risk of screwing up access to my SCALE box.

I found this procedure from this webpage:
 

nabsltd

Contributor
Joined
Jul 1, 2022
Messages
133
I haven't done step 6) yet as I wanted people's opinion on whether this would work for SCALE before I take the risk of screwing up access to my SCALE box.
As long as you don't completely disable the GUI on port 80, you can make the change and can always fall back to non-HTTPS.

So, don't re-direct port 80 to 443, and don't disable port 80. I'm not in front of the UI right now, but I think those are the two settings.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
As long as your browser trusts the issuing CA, and the address you're using to access the NAS is included on the certificate, what you're proposing should work and not give any certificate errors.
 

DavidYLau

Dabbler
Joined
Jul 30, 2022
Messages
28
As long as you don't completely disable the GUI on port 80, you can make the change and can always fall back to non-HTTPS.

So, don't re-direct port 80 to 443, and don't disable port 80. I'm not in front of the UI right now, but I think those are the two settings.
Thanks for the info.

On System Settings>General>GUI - I see the HTTP->HTTPS redirect button (currently not enabled).

But I don't see any particular port 80 disable button. I see there are Web Interface IP address fields - I guess you could set these to ::: to say not accessible from any IP address.
 

DavidYLau

Dabbler
Joined
Jul 30, 2022
Messages
28
I finally got the scheme to work but it took some tricks.

When I used the intermediate_CA certificate as created from the TrueNAS-SCALE certificate GUI, the Windows certificate manager complained that it wasn't correctly signed. I created the intermediate_CA on the TrueNAS system several times but no luck each time. I didn't see what I was doing wrong.

So I had to resort to importing the root_CA into my pfSense box and then generated the intermediate_CA on my pfSense box. I then imported this new intermediate_CA back into the TrueNAS-SCALE box. I did the same for the final SSL certificate (as I wasn't trusting the TrueNAS certificate GUI). Now both FQDN and IP address have TLS/SSL working without any browser warnings.
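Added example, not from the thread and not TrueNAS or pfSense code: the root CA, intermediate CA and server certificate from the six-step procedure in the opening post built with the openssl CLI, with both the FQDN and the IP address in the subjectAltName (danb35's condition that the address you browse to must be on the certificate), plus a verify step that checks the chain the way a browser or the Windows certificate manager will, which catches an intermediate that was not issued with CA:TRUE (the symptom in this last post). The hostname, IP address and output directory are placeholders.

```shell
#!/bin/sh
# Builds root CA -> intermediate CA -> server cert and verifies the chain.
# nas.lan.example / 192.168.1.10 are constructed placeholders.
set -eu

# Usage: build_chain <outdir> <fqdn> <ipv4>
build_chain() {
  out=$1; fqdn=$2; ip=$3
  mkdir -p "$out"
  # 1) Root CA: self-signed, CA:TRUE, long lifetime; this is the file you import
  #    into the OS or browser trust store (step 5 of the procedure).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Home Root CA" \
    -keyout "$out/root.key" -out "$out/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$out/root.ext"
  openssl x509 -req -sha256 -days 3650 -signkey "$out/root.key" \
    -extfile "$out/root.ext" -in "$out/root.csr" -out "$out/root.crt" 2>/dev/null
  # 2) Intermediate CA, signed by the root. Without CA:TRUE on the issued cert it is
  #    only a leaf and nothing it signs in step 3 will validate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Home Intermediate CA" \
    -keyout "$out/int.key" -out "$out/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$out/int.ext"
  openssl x509 -req -sha256 -days 1825 -CA "$out/root.crt" -CAkey "$out/root.key" \
    -CAcreateserial -extfile "$out/int.ext" -in "$out/int.csr" -out "$out/int.crt" 2>/dev/null
  # 3) Server cert signed by the intermediate. Browsers ignore the CN and match the
  #    SAN only, so both the DNS name and the IP you type into the URL bar go here;
  #    398 days keeps it under the lifetime cap Chrome and Safari enforce.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\n' "$fqdn" "$ip" > "$out/server.ext"
  openssl x509 -req -sha256 -days 398 -CA "$out/int.crt" -CAkey "$out/int.key" \
    -CAcreateserial -extfile "$out/server.ext" -in "$out/server.csr" -out "$out/server.crt" 2>/dev/null
  # 4) What the NAS should present: leaf first, then the intermediate (never the root).
  cat "$out/server.crt" "$out/int.crt" > "$out/fullchain.pem"
}

# Returns 0 only if the chain validates up to the root AND the name/IP are on the SAN,
# i.e. the same three checks a browser performs before it shows the padlock.
verify_chain() {
  out=$1; fqdn=$2; ip=$3
  openssl verify -CAfile "$out/root.crt" -untrusted "$out/int.crt" "$out/server.crt" >/dev/null &&
  openssl verify -CAfile "$out/root.crt" -untrusted "$out/int.crt" -verify_hostname "$fqdn" "$out/server.crt" >/dev/null &&
  openssl verify -CAfile "$out/root.crt" -untrusted "$out/int.crt" -verify_ip "$ip" "$out/server.crt" >/dev/null
}
```

Run `verify_chain` against the files exported from the TrueNAS GUI (root, intermediate, server cert) before importing anything; if the intermediate step fails here, the certificate manager on the client will reject it too.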
 