• Currently using VMware at work? We want to hear from you.

    Thinking of making a switch from VMware? We'd love to hear your thoughts and feedback about which hypervisor you have been researching or already using. Click here to vote and share your thoughts! You can vote HERE!

Automatically-Generated SSL Certificate Can't be replaced

Status
Not open for further replies.

djoole

Contributor
Joined
Oct 3, 2011
Messages
158
Hi,
I would really like to install my own SSL certificate (being fed up having to confirm security warnings in my browser, and i want the nice green https logo :) )

Is there a workaround ?

Thanks
 

djoole

Contributor
Joined
Oct 3, 2011
Messages
158
I found where is the SSL certificate info on the system :
/etc/ssl/freenas/httpd.pem (contains certificate and RSA key)
/etc/ssl/freenas/CA/cacert.pem (contains certificate)
/etc/ssl/freenas/CA/private/cakey.pem (contains RSA key)

I've tried to mount -uw /, modify the 3 files, mount -ur /, reboot, but the files after the reboot are back to original.

I don't understand where does the original RSA info come from....

EDIT : i'm sure of the cert and key validity, i use them with Sabnzbd and it's ok.
 

djoole

Contributor
Joined
Oct 3, 2011
Messages
158
Doesn't anybody have a clue on permanently writing to the /etc/ssl/freenas/ files?

I can't be the only one wanting to have a SSL certificate on FreeNAS :confused:
 

netweazel

Cadet
Joined
Nov 3, 2011
Messages
1
hack,....

Can't claim to have a clue, but here is a hack of a workaround,...

You must run the following before you can change files,...
mount -uw /

Create a directory to store your cert,...
mkdir /conf/base/etc/ssl/certs

Next, through vi, create a PEM file to store your private/public key pair. Copy paste the RSA Private/Public key,....
vi /conf/base/etc/ssl/certs/yourcerthere.pem

Next, through vi, modify /conf/base/etc/rc.freenas to point the SSL certificiate to your file by modifying the HTTPDCERT variable...
vi /conf/base/etc/rc.freenas

Modify the HTTPDCERT variable value to point to your certificate...
: ${HTTPDCERT:="/conf/base/etc/ssl/certs/yourcerthere.pem"}

Next, comment out the line in /conf/base/etc/rc.d/ix-ssl that will try to generate the default certificate and overwrite yours on boot...
vi /conf/base/etc/rc.d/ix-ssl
Find the call to generate_certificate, and comment out
#generate_certificate

Finally, reboot and connect via https.,...
shutdown -r now

I wish I had the time to find out the real fix,.....but this worked for me.

FYI,...I'm running FreeBSD 8.2-RELEASE-p3 (FREENAS.amd64)
 

marcusmarcus

Explorer
Joined
May 27, 2011
Messages
89
Supposedly this is fixed per http://support.freenas.org/ticket/564 but when I try to replace the auto generated certificates and save and then reload the webpage, the auto generated certificates are back and mine are gone. I haven't done the hack as I want to make sure it works through the GUI the way it is supposed to.
 

dscott

Dabbler
Joined
Dec 24, 2011
Messages
15
I've just upgraded to 8.0.4-RELEASE and this bug is still not fixed in the GUI :-(

I keep applying the workaround detailed above but it's a pain having to do this after each new release.

Please can anyone say when this bug fix (which I believe has actually been fixed on trunk) will be available in one of the releases? Thanks.
 

freenasSYS

Cadet
Joined
Jul 4, 2012
Messages
2
My solution: copy our certificate every reboot
The 'database' part is a issue. However I like the way NAS4Free has implemented this:
Store the certificate in a backup config file

Mount the filesystem as read / write (mount -uw / )
Move the certificate and key to a directory (ex. /certs) (cacert.pem and cakey.pem)

Backup and edit this file:
cd /conf/base/etc/rc.d/ && cp ix-ssl ix-ssl.orig && ee ix-ssl

Completely remove these functions
create_CA() create_CSR() sign_CSR() verify_CA() verify_CSR() verify_signature()

Add/Change these functions

keep_CA()
{
cp /certs/cakey.pem ${SSLCAKEY}
cp /certs/cacert.pem ${SSLCACERT}
}

do_openssl_config()
{
generate_openssl_conf
keep_CA
#Added to the database
generate_certificate
}
 

dscott

Dabbler
Joined
Dec 24, 2011
Messages
15
After upgrading to 8.2.0-RELEASE-p1-x64 recently I thought I'd give this a try again... and I've managed to lock myself out of the GUI by using an incorrect key :( The GUI is configured to use SSL and it's no longer accessible. I try using http instead and it reverts (understandably) to https during the login process.

I found the cert and key files in /etc/ssl/freenas/nginx and edited them with the correct contents for my SSL cert, but they got overwritten again on reboot (I assume from the details stored in the config DB?)

Other than restoring the config from a previously saved backup, is there an easy way to either allow me to manually enter the correct key file contents or configure the GUI to be served over http rather than https?

Thanks in advance,
Darren
 
Status
Not open for further replies.
Top