SOLVED TrueNAS Core behind Cisco Umbrella cert

VulcanRidr

Explorer
Joined
Jan 5, 2015
Messages
59
I'm posting this in the Core forum because that is what I'm running; however, it likely applies to Scale as well. I have multiple TrueNAS systems at work, and sometime since the release of 13.0u5.3, I am no longer able to get to update-master.ixsystems.com, either in the GUI or on the command line. According to the command line, it is because of our Cisco Umbrella setup. When I try to wget the trains.txt file from update-master, I get

Code:
ERROR: cannot verify update-master.ixsystems.com's certificate, issued by ‘CN=Cisco Umbrella Secondary SubCA nyc-SG,O=Cisco’:
  Unable to locally verify the issuer's authority.
To connect to update-master.ixsystems.com insecurely, use `--no-check-certificate'.


I uploaded a copy of the Umbrella certificate to System -> CAs, but I am still unable to reach the site from the GUI or wget. Is there some other place that this cert needs to be uploaded? I wanted to ask, since I remember the adage about not "doing things on the command line behind the GUI's back"...
 

VulcanRidr

Turns out that the security team had to not only allow update-master.ixsystems.com, but also add a CNAME record (in Umbrella?) for link.storjshare.io to allow our NASes to be able to update.
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
I view Cisco's Umbrella product as corporate spyware. It does a man-in-the-middle attack on all https connections originating from within the company's network. It can decrypt and read any connections that it allows. It most likely logs them as well.
If your company uses Cisco Umbrella, never connect with saved credentials or log in to anything personal from work.


I find it more than creepy, knowing what it can do and how it does it by deliberately compromising the SSL certificate trust chain. The reason your TrueNAS installation had a problem with it is because the Umbrella system can't use a Windows Group Policy to install the rogue certificate on it to intercept its connections.
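
The chain-of-trust failure behind the wget error in the first post, and why it disappears only for clients that have been given the proxy's CA, reproduced offline as an added example (not part of the thread). It assumes the `openssl` command-line tool is installed; the CA name and temporary files are constructed stand-ins, not Umbrella's real certificate.

```shell
#!/bin/sh
# Constructed demo: every name, key and file below is generated here.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_chain() {
    # Stand-in for the inspection proxy's CA (not Cisco's real certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Proxy/CN=Example Inspection CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null
    # Certificate the proxy would present in place of the site's real one.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=update-master.ixsystems.com" \
        -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/leaf.csr" -days 1 \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/leaf.pem" 2>/dev/null
}

issuer_of_leaf() {
    # The field wget quotes in its "issued by" message.
    openssl x509 -noout -issuer -in "$demo_dir/leaf.pem"
}

verify_with_system_store() {
    # A client that was never given the proxy CA: default trust store only.
    openssl verify "$demo_dir/leaf.pem" >/dev/null 2>&1
}

verify_with_proxy_ca() {
    # The same certificate once the proxy CA is explicitly trusted.
    openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/leaf.pem" >/dev/null 2>&1
}

make_chain
issuer_of_leaf
if verify_with_system_store; then echo "default store: trusted"
else echo "default store: issuer unknown, verification fails"; fi
if verify_with_proxy_ca; then echo "with proxy CA: trusted"
else echo "with proxy CA: verification fails"; fi
```

GNU wget takes the same explicit trust anchor through `--ca-certificate=FILE`. Whether the TrueNAS updater honours CAs uploaded under System -> CAs is not settled in this thread.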
 

VulcanRidr

> I view Cisco's Umbrella product as corporate spyware. It does a man-in-the-middle attack on all https connections originating from within the company's network. It can decrypt and read any connections that it allows. It most likely logs them as well.
> If your company uses Cisco Umbrella, never connect with saved credentials or log in to anything personal from work.
>
> I find it more than creepy, knowing what it can do and how it does it by deliberately compromising the SSL certificate trust chain. The reason your TrueNAS installation had a problem with it is because the Umbrella system can't use a Windows Group Policy to install the rogue certificate on it to intercept its connections.

I completely concur with all of your points. Which is why, as a remote worker, I do all of my searches, log into my email, or other sites, on my personal desktop machine. As I recall, wasn't the Opera mobile web browser caught doing something similar back in the day?
 

unseen

> I completely concur with all of your points. Which is why, as a remote worker, I do all of my searches, log into my email, or other sites, on my personal desktop machine. As I recall, wasn't the Opera mobile web browser caught doing something similar back in the day?

My memory fails me on Opera doing something like that, but I don't doubt you. Very naughty of them.
Another good reason to stick with Firefox! :)
 

VulcanRidr

> My memory fails me on Opera doing something like that, but I don't doubt you. Very naughty of them.
> Another good reason to stick with Firefox! :)

As I recall, it was found out in the mid-noughties, about the time I got my Nokia N900. I stopped using it immediately. I also agree with only using Firefox. It has its blemishes, but it is still the best game in town. Especially since I found the TabStash addon, which allowed me to cut down from my ridiculous number of tabs and tab groups to be able to keep my open tabs pruned down to about at any given time. :D
 