Enabling HTTPS Login, Any Pitfalls?

Status
Not open for further replies.
Joined
May 2, 2017
Messages
211
Hope you are all enjoying a long weekend...

I've set up a CA, created a certificate, and have configured DHCP to assign the same IP each boot to the FreeNAS box so it does not change. I'd like to change to an HTTPS login, but before I do, I was wondering if there are any pitfalls so I don't get locked out. The setup seemed simple, but like most things, experience counts.

Anybody know of anything I should consider before flipping to HTTPS to avoid issues?

Thanks!
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,995
I wouldn't expect there to be any difference; however, you could start with the HTTP+HTTPS setting so you have both for a period of time. Also, save a copy of your configuration file before the change; that way you could perform an easy recovery if there were some ill effects.
 
Joined
May 2, 2017
Messages
211
Thanks... Enabled the dual support and can login either way. Certificate is working. I'll leave it for a few days and then make the switch to purely HTTPS.

Sorry if I seem overly cautious, but even though this is a home server, I'm learning on what is essentially a "production" machine which currently has all my stuff stored on it. If I've learned anything over my computing years, it's don't &@!*% with it if you don't understand it. ;-)

I have a separate question relating to MAPALL and MAPROOT which I'll start a new thread on. Have a great day!
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,995
Sorry if I seem overly cautious,
Sometimes there is no such thing as being overly cautious and this is one of those cases where it's smarter to just ask the question.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
It's recommended to use the SAN section in an openssl.cnf, adding the loopback IP as one of the SANs for the WebGUI's cert; otherwise, if you ever SSH in and want to use the SSH session to also create a tunnel to the WebGUI, you'll receive certificate errors, as the tunnel's IP to the WebGUI would be 127.0.0.1:port# (say 127.0.0.1:5999), where 5999 is the ssh client's local port number being mapped to the local address and port # of the WebGUI (which will either be 127.0.0.1:443, 127.0.0.1:80, or the IP of the WebGUI, say 192.168.1.2:443 or 192.168.1.2:80 - depends upon web server used as to which IP it would be).
 
Joined
May 2, 2017
Messages
211
That one went above my head, sorry... :smile:
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,995
That one went above my head, sorry... :)
Well it's related to the gravitational forces of the moon and ECC bit flips during a strong solar wind and you get this problem you're having with HTTPS logins. Here is how it goes... As the moon gets closer to the earth, you do know that it does, right? So the moon gets closer and it starts to negate some of the earth's own gravity and the moon pulls on the earth. This is why we have high tide, the moon pulls on the oceans. If you watched closely you will see your toilet water elevation go down as the moon moves away from your toilet. Hey buddy, I didn't say which moon now did I. Back to the story, as the gravitational eddies change and then a massive coronal discharge happens (solar wind) well it could just fry our electrical grid, but in this particular situation we are discussing it will cause Fido to flip his bit and run into the house with his tail between his legs. Fido just doesn't like flipping during a solar wind. Now once you start to get into a safe area such as the IP Tunnel (it's made of some well shielded stuff) then you can reach 127.0.0.1 (Home).

Hope this helps some. :D
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@joeschmuck LOL a bit too much time on your hands?

That one went above my head, sorry... :)
An openssl.cnf, or OpenSSL config, is what one uses to generate a Certificate Authority [CA], Intermediate Certificate Authority [ICA], Client Certificate, and Client Certificate Key with OpenSSL. I have an openssl.cnf in my signature with all commands you'll need at the bottom of the config [4 for CA, 3 for each client cert], along with itemized details explaining what's what. You can download OpenSSL independently; however, I always install OpenVPN, which includes the OpenSSL binaries.
  • If using Windows, add C:\Program Files\OpenVPN\bin to your System Variable Path, allowing you to open any PowerShell/Command terminal and simply type openssl to access the program.
  • SubjectAltName [SAN] profiles are per certificate, allowing one to assign multiple host names/IPs/FQDNs/emails/usernames/OIDs/etc. to the same certificate, allowing the user to choose whatever common name they want, instead of either the IP or FQDN. For example, this would allow the WebGUI cert to have a common name [CN] of "FreeNAS WebGUI", and SANs of "127.0.0.1", "192.168.1.2", "10.10.10.10", and "your.ddns.com".
    • The certificate will appear as valid regardless of which of those 4 you navigate to
  • Now, let's say you want to SSH into your FreeNAS server from WAN for whatever reason. Once you SSH in, you can tell the SSH server to attach a separate tunnel for the connection to the WebGUI's IP & port. In order to access this tunnel, one would use the loopback IP [127.0.0.1] of their PC as the IP for the tunnel and whatever local [PC] port number they assigned to that tunnel, say 5999. To navigate to the WebGUI using the SSH tunnel, one would type into a browser https://127.0.0.1:5999, which would load the WebGUI while still registering the certificate as valid for that IP.
I wrote an in-depth wiki on using my openssl.cnf for OpenVPN on the OpenWrt forum, and if you start at the OpenSSL section and read through the Diffie-Hellman Key section (i.e. read from OpenSSL - Diffie-Hellman Key), you should have a firm grasp by the time you reach the Diffie-Hellman Key.
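
The SAN profile described in the post above, as an added example that is not part of the original posts and is not the poster's own openssl.cnf: it builds a throwaway CA, issues a WebGUI certificate carrying the four SANs named in the post, and checks which addresses the certificate covers, including the 127.0.0.1 a browser sees through an SSH tunnel. The section names, file names, CA name, key size and the 192.168.1.3 counter-example are assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA + WebGUI cert with the SANs named in the post.
# Section names, file names and the CA name are assumptions.
make_webgui_cert() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = FreeNAS WebGUI
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_webgui ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = @alt_webgui
[ alt_webgui ]
IP.1  = 127.0.0.1
IP.2  = 192.168.1.2
IP.3  = 10.10.10.10
DNS.1 = your.ddns.com
EOF
    # Self-signed CA, then key + CSR for the WebGUI, then the CA signs it
    # with the v3_webgui profile so the SANs end up in the certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Example Home CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/webgui.key" -out "$dir/webgui.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/webgui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/openssl.cnf" \
        -extensions v3_webgui -out "$dir/webgui.crt" 2>/dev/null
}

# True when the certificate's SANs cover the given IP / host name.
cert_covers_ip()   { openssl x509 -in "$1" -noout -checkip   "$2" | grep -q 'does match'; }
cert_covers_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

work=$(mktemp -d)
make_webgui_cert "$work" || { echo "certificate generation failed" >&2; exit 1; }
for ip in 127.0.0.1 192.168.1.2 192.168.1.3; do   # .3 is deliberately not a SAN
    if cert_covers_ip "$work/webgui.crt" "$ip"; then echo "$ip: valid"
    else echo "$ip: browser would warn"; fi
done
```

The browser only accepts the result once ca.crt is imported as a trusted authority on the client; the private keys written to the temporary directory are for the demonstration only.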
 
Joined
May 2, 2017
Messages
211
Well it's related to the gravitational forces of the moon and ECC bit flips during a strong solar wind and you get this problem you're having with HTTPS logins. Here is how it goes... As the moon gets closer to the earth, you do know that it does, right? So the moon gets closer and it starts to negate some of the earth's own gravity and the moon pulls on the earth. This is why we have high tide, the moon pulls on the oceans. If you watched closely you will see your toilet water elevation go down as the moon moves away from your toilet. Hey buddy, I didn't say which moon now did I. Back to the story, as the gravitational eddies change and then a massive coronal discharge happens (solar wind) well it could just fry our electrical grid, but in this particular situation we are discussing it will cause Fido to flip his bit and run into the house with his tail between his legs. Fido just doesn't like flipping during a solar wind. Now once you start to get into a safe area such as the IP Tunnel (it's made of some well shielded stuff) then you can reach 127.0.0.1 (Home).

Hope this helps some. :D

That makes things much clearer!! And explains the declining whale population... :smile:
 
Joined
May 2, 2017
Messages
211
Good information... Thanks!

I'll be looking more into the advanced aspects down the road and this will be handy. This is only a home system, and at this point, I have no intention of opening the FreeNAS box to access from the outside world. Any remote access I do at this point will be from inside my own network. This is the kind of thing I can see being really important if I decide to open remote access though, and leads me off to learning more.

This has been a "learn as you go experience", and I want to make decisions carefully. Sometimes, information such as what you provide clues you in to important considerations in setting things up initially, which can be much harder to change down the road. Best to have all considerations and possibilities in your mind, even if what you're setting up is seemingly a simple task.

Thanks for the information!
 
