Automatically-Generated SSL Certificate Can't be replaced

[ProtoSD]

I was just following up on this and checked to see if there was a ticket. I thought is was important to put this in the BUG thread so it didn't get missed. The original thread about this is here:

http://forums.freenas.org/search.php?searchid=34838

 

[djoole]

Hi,
I would really like to install my own SSL certificate (being fed up having to confirm security warnings in my browser, and i want the nice green https logo :) )

Is there a workaround ?

Thanks

 

[djoole]

I found where is the SSL certificate info on the system :
/etc/ssl/freenas/httpd.pem (contains certificate and RSA key)
/etc/ssl/freenas/CA/cacert.pem (contains certificate)
/etc/ssl/freenas/CA/private/cakey.pem (contains RSA key)

I've tried to mount -uw /, modify the 3 files, mount -ur /, reboot, but the files after the reboot are back to original.

I don't understand where does the original RSA info come from....

EDIT : i'm sure of the cert and key validity, i use them with Sabnzbd and it's ok.

 

[djoole]

Doesn't anybody have a clue on permanently writing to the /etc/ssl/freenas/ files?

I can't be the only one wanting to have a SSL certificate on FreeNAS

 

[netweazel]

hack,....

Can't claim to have a clue, but here is a hack of a workaround,...

You must run the following before you can change files,...
mount -uw /

Create a directory to store your cert,...
mkdir /conf/base/etc/ssl/certs

Next, through vi, create a PEM file to store your private/public key pair. Copy paste the RSA Private/Public key,....
vi /conf/base/etc/ssl/certs/yourcerthere.pem

Next, through vi, modify /conf/base/etc/rc.freenas to point the SSL certificiate to your file by modifying the HTTPDCERT variable...
vi /conf/base/etc/rc.freenas

Modify the HTTPDCERT variable value to point to your certificate...
: ${HTTPDCERT:="/conf/base/etc/ssl/certs/yourcerthere.pem"}

Next, comment out the line in /conf/base/etc/rc.d/ix-ssl that will try to generate the default certificate and overwrite yours on boot...
vi /conf/base/etc/rc.d/ix-ssl
Find the call to generate_certificate, and comment out
#generate_certificate

Finally, reboot and connect via https.,...
shutdown -r now

I wish I had the time to find out the real fix,.....but this worked for me.

FYI,...I'm running FreeBSD 8.2-RELEASE-p3 (FREENAS.amd64)

 

[djoole]

Thanks very, very much, this works perfectly :)

 

[marcusmarcus]

Supposedly this is fixed per http://support.freenas.org/ticket/564 but when I try to replace the auto generated certificates and save and then reload the webpage, the auto generated certificates are back and mine are gone. I haven't done the hack as I want to make sure it works through the GUI the way it is supposed to.

 

[dscott]

I've just upgraded to 8.0.4-RELEASE and this bug is still not fixed in the GUI :-(

I keep applying the workaround detailed above but it's a pain having to do this after each new release.

Please can anyone say when this bug fix (which I believe has actually been fixed on trunk) will be available in one of the releases? Thanks.

 

[freenasSYS]

My solution: copy our certificate every reboot
The 'database' part is a issue. However I like the way NAS4Free has implemented this:
Store the certificate in a backup config file

Mount the filesystem as read / write (mount -uw / )
Move the certificate and key to a directory (ex. /certs) (cacert.pem and cakey.pem)

Backup and edit this file:
cd /conf/base/etc/rc.d/ && cp ix-ssl ix-ssl.orig && ee ix-ssl

Completely remove these functions
create_CA() create_CSR() sign_CSR() verify_CA() verify_CSR() verify_signature()

Add/Change these functions

keep_CA()
{
cp /certs/cakey.pem ${SSLCAKEY}
cp /certs/cacert.pem ${SSLCACERT}
}

do_openssl_config()
{
generate_openssl_conf
keep_CA
#Added to the database
generate_certificate
}

 

[djoole]

Happy to see this issue has been solved on 8.2-RC1 ! :)

 

[dscott]

After upgrading to 8.2.0-RELEASE-p1-x64 recently I thought I'd give this a try again... and I've managed to lock myself out of the GUI by using an incorrect key :( The GUI is configured to use SSL and it's no longer accessible. I try using http instead and it reverts (understandably) to https during the login process.

I found the cert and key files in /etc/ssl/freenas/nginx and edited them with the correct contents for my SSL cert, but they got overwritten again on reboot (I assume from the details stored in the config DB?)

Other than restoring the config from a previously saved backup, is there an easy way to either allow me to manually enter the correct key file contents or configure the GUI to be served over http rather than https?

Thanks in advance,
Darren