Cannot complete CSR request by importing certificate from certificate authority

hansch (Explorer, joined Jan 8, 2019, 52 messages):
I cannot paste a certificate that has been signed by a certificate authority into the appropriate part of the website. I simply cannot enter text there.

(Using a Let's Encrypt cert is not an easy option now because it involves creating that ACME DNS account, which involves making an Amazon user, and a key pair or whatever; way too complicated because this is a testing machine that I upgraded from v. 12 to v. 13.) Seems like the certificate signing system is broken because of that.

I already have a signed certificate!

In version 12 11.3 I could simply paste the certificate into that field.
 

Attachment: Clipboard02.jpg (screenshot)

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages):
Using a Let's encrypt cert is not an easy option now bc it involves creating that ACME DNS account, which involves making an Amazon user
No, it doesn't, unless you insist on using the built-in, and extremely limited, LE support. You were already shown in your earlier thread that there are other ways to handle that. And the script I linked you to in that thread will work with any cert, whether it comes from LE or someone else.

But be that as it may, why are you trying to enter a private key, a CSR, and a cert? If you're wanting to import a cert, and you already have the cert, there's no reason to enter the CSR as well.
 

hansch (Explorer, joined Jan 8, 2019, 52 messages):
You seem not to give me any choice.

My choice is to use the web interface.

Do you even know the web interface? What I showed is the part that is meant for exactly that: signing a CSR, by pasting the resulting certificate into the field that is read-only in version 13. Your question

But be that as it may, why are you trying to enter a private key, a CSR, and a cert? If you're wanting to import a cert, and you already have the cert, there's no reason to enter the CSR as well.

... shows that you don't understand or don't know the web interface.

There is no other way to sign the CSR (in the WEB INTERFACE, that is) than this form. Which happens to be read-only now.

Maybe I am not seeing something, and that's why I ask this question here.
I don't ask that question here to get my face slapped by you.

I CAN use the command line but I prefer to use the web interface. Why else would we have that?
I find the instructions needlessly complicated if the web interface - if it works! - is much simpler.

Maybe for you the command line is easier, but not for me.

Clicking a website and pasting a bunch of characters I got from a certificate authority is easier than entering like 25 commands. You disagree? That's your choice.
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages):
There is no other way to sign the CSR (in the WEB INTERFACE that is) than this form
If you have a certificate, the CSR is already signed, and not by you.
Maybe for you the command line is easier, but not for me.
Not the point. You said--incorrectly--that you need to do a bunch of things in order to use a Let's Encrypt cert. That's true only if you want to obtain a Let's Encrypt cert through the UI, which I personally discourage due to how limited iX have made that feature in CORE (it's a little better in SCALE). There are other ways to obtain and use a Let's Encrypt cert--that don't require you to use Route53 DNS--that have worked well for a number of users for several years. But fine, you want to use a cert from somewhere else, go for it.

If you have a cert from a commercial CA that you want to import, in the UI, you go to System -> Certificates and click the Add button. That brings up this screen:
[screenshot: System -> Certificates -> Add]

You set Type to Import Certificate, whereupon the screen changes to look like this:
[screenshot: Add form with Type set to Import Certificate]

Type in a name, paste in the cert and the private key, and click Submit. Done. I have no idea what page your posted screen shot is from.
 

hansch (Explorer, joined Jan 8, 2019, 52 messages):
For one, I have already paid for that cert, it is a reissue.

Where I got that interface? I got that here:
[screenshot: certificate list]


When clicking View I get this:

[screenshot: CSR View dialog with read-only Certificate field]


And there is the problem. Again, in version 12 I could just paste the cert in there and have it working.

It is perfectly normal to want to sign a CSR with a cert attained from an external authority.
Installing a Let's Encrypt cert using the command line involves A LOT more steps.

This is only a temporary test system (I use it to test if the update from 12 to 13 does not break anything that I am using).
So far, it does break something, namely... signing the CSR!
If it had worked like it should, I would have been ready FAR faster than using the Let's Encrypt way.
Still would be, because that page you refer to only suggests "a way".
I am not ready to troubleshoot for ages (I know how this goes in Linux/FreeBSD... something is not exactly the same as in the howto... then I have to google, tinker, and find out for myself).
I just want things to work. Easy. And usually FreeNAS does this. The GUI.

Of course there are command line ways to do it, but if something has worked in the past, why look for a different way?
I may be getting old, but why use a different way if the GUI works? I could not have known that it is broken in 13.
I just figured out how that works (see last thread lol).

Thank you for your efforts in helping me out, but the tone could be a bit friendlier. You constantly make me feel like I'm stupid and should have done things entirely different. Is it too much to ask that the GUI just works how it should?

BTW my boot disk was bricked so I will have to reinstall and load a config backup. Will start with 12 and load the cert there.
Problem solved. Let's encrypt is for a different round.

[Stupid not to use a RAID1 boot disk... yep, you got me there. It is a test system. SSDs breaking down? It happens.]
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages):
When clicking View I get this:
...and view is, well, view. It isn't "Edit", or "Modify," or anything else that should have made you think you could change it in any way. The Certificate field is read-only under 13.0-U3, 12.0-U8.1, and 12.0-U1 (in FreeNAS 11.3-U2.1, the field doesn't appear at all when you view a CSR).
It is perfectly normal to want to sign a CSR with a cert attained from an external authority.
"sign a CSR with a cert attained from an external authority" is word salad--it's a nonsensical, meaningless assortment of words. What I think you mean by that is to use an external authority to sign a CSR created on the NAS, and import the resulting cert to the NAS--and that is indeed perfectly normal.
in version 12 I could just paste the cert in there and have it working.
No, you couldn't. I just tried. Under CORE 12.0-U8.1 (and 12.0-U1), you can view the CSR (looks just like the screen shot you posted), but you can't paste or enter anything in the Certificate field--exactly like what you're reporting under 13. To do this, you'd follow these steps:
  • Create the CSR on your NAS
  • Take whatever steps you need in order to have your CA sign that CSR, which will give you a cert
  • Back on the NAS, go to System -> Certificates, and click Add.
  • In the drop-down for Type, select Import Certificate, and check the box for CSR exists on this system. Then enter a cert name and paste in the cert contents, like this:
    [screenshot: Import Certificate form with "CSR exists on this system" checked]
  • Click Submit. You'll see it listed among the certificates:
    [screenshot: imported certificate in the certificate list]
I think what's had me confused is that you keep mentioning "signing a CSR" (or "signing a CSR request", which is redundant), when that just isn't what you're doing. The Certificate Authority signs the CSR, and in so doing creates the cert. You now want TrueNAS to use that cert. Well and good--the way to do that is to import the certificate; it has nothing to do with you signing a CSR.

So, you want to add a cert to TrueNAS through the UI. There are two ways to do it:
  • Go to System -> Certificates, click Add.
  • Enter a name/identifier, set Type to Import Certificate, paste in the cert and private key, and click Save
Or
  • Go to System -> Certificates, click Add.
  • Enter a name/identifier, set Type to Certificate Signing Request, fill in the relevant fields, click Save
  • View the CSR and copy its contents
  • Do whatever you need to do to get it signed by your CA--this step has nothing to do with Free/TrueNAS
  • Having obtained a cert from the CA, go back to the NAS UI, System -> Certificates, Add
  • Enter a name/identifier and set Type to Import Certificate. Check CSR exists on this system and select your CSR from the "Signing Certificate Authority" drop-down (which I'd argue is mis-labeled, but that's a separate issue)
  • Paste in the cert contents and click Save
Neither of these workflows has changed since (at least) 11.3.
 

hansch (Explorer, joined Jan 8, 2019, 52 messages):
Seems like I skipped a version, I seem to still have 11.3 on the other system. There, it is NOT read-only. And that is the way I signed the certificate (Sorry, imported? pasted? added? the certificate) last time.
It is very puzzling that this function has been removed like that.

Still, to me it seems logical that if there is an unsigned CSR certificate one can complete that workflow from the same interface (as it is, in version 11).

There should be a third item besides VIEW and DELETE called SIGN or "complete signing" or whatever you want to call it.

It is the same on a Windows system. Haha I will get a ton of shit over me because of this.
Yes.... MS does some things right. Like enabling you to complete the signing from the same interface, instead of "adding a cert" using a "CSR that is already on the system". WHY NOT COMPLETE THE THING FROM THE PLACE WHERE IT SAYS: External - Signature Pending????
(I must say that that interface in Windows often replies that it has failed, and then it has not.)

Like that:
[screenshot: Windows certificate console]


See? Simple, right?
Only kidding lol.
(The rest is semantics, but you are of course absolutely right about the signing thing. Thanks for taking the trouble.)
 

PIC_1996 (Cadet, joined Aug 17, 2022, 8 messages):
Hi all. I've read the back/forth regarding issuing CSR, signing it, and loading the subsequently signed cert into TrueNAS Core in a way that eliminates/closes the signature pending status of the original CSR.

I issued a TrueNAS CSR and signed it using my OpenSSL subordinate CA. I loaded the signed cert successfully using the steps that were outlined by danb35 to hansch back in 2022. I selected my newly installed cert as the "GUI SSL Certificate," saved it, and was able to get a secure HTTPS connection to the web UI using either of my SAN (FQDN or IP). Great! So far so good. I achieved the objective of eliminating the Chrome webpage warning.

However, why is the TrueNAS CSR still showing "external - signature pending"? The chain is complete: CSR > signed by OpenSSL intermediate CA > PEM certificate issued > TrueNAS CSR identified as subject CSR that is "located on the system" > PEM and intermediate CA PK loaded.

Thanks for your help.
 
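The CSR workflow danb35 lays out above (create the CSR on the NAS, have the CA sign it, import the cert with "CSR exists on this system" checked) and PIC_1996's question about the CSR still reading "signature pending" both come down to one thing: the certificate you import has to carry the same public key as the CSR, which is the NAS's own private key. The script below is an added example, not code from the thread or from TrueNAS. It reproduces the whole exchange with openssl in a scratch directory (a constructed stand-in CA plays the role of the external authority; every subject, name and path is made up for the demo), then runs the checks worth doing before pasting anything into the Import Certificate form: key matches CSR, CSR matches cert, cert chains to the CA. It goes one step beyond the thread by also showing the failure mode, a cert that belongs to a different key, which is the usual reason an import does not resolve the pending CSR.

```shell
#!/bin/sh
# Added example (not code from the thread or from TrueNAS): reproduce the
# CSR -> external CA -> import workflow with openssl in a scratch directory,
# then run the checks worth doing before pasting the cert into
# System -> Certificates -> Add -> Import Certificate. All names, subjects
# and file paths are constructed for the demo.
set -eu

WORK="$(mktemp -d)"

# Stand-in for the external CA (constructed; in practice this is your
# commercial or internal CA and you never see its key).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Constructed Test CA" >/dev/null 2>&1
}

# NAS side: key plus CSR. This is what "Type: Certificate Signing Request"
# does; the private key stays on the NAS, only nas.csr goes to the CA.
make_csr() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/nas.key" -out "$WORK/nas.csr" \
        -subj "/CN=nas.example.test" >/dev/null 2>&1
}

# CA side: sign the CSR. Extensions such as the SAN are decided by the CA,
# not copied from the CSR, which is why they live in an -extfile here.
sign_csr() {
    printf 'subjectAltName=DNS:nas.example.test\n' >"$WORK/san.ext"
    openssl x509 -req -in "$WORK/nas.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -extfile "$WORK/san.ext" -out "$WORK/nas.crt" >/dev/null 2>&1
}

# A second key that was never submitted to the CA, used to show a mismatch.
make_stray_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/stray.key" >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo of a key, CSR or certificate, so
# the three can be compared with a plain string equality.
pubkey_fp() {
    kind="$1"; file="$2"
    {
        case "$kind" in
            key)  openssl pkey -in "$file" -pubout -outform DER ;;
            csr)  openssl req -in "$file" -pubkey -noout | openssl pkey -pubin -outform DER ;;
            cert) openssl x509 -in "$file" -pubkey -noout | openssl pkey -pubin -outform DER ;;
            *)    echo "unknown kind: $kind" >&2; exit 1 ;;
        esac
    } | openssl dgst -sha256 | sed 's/^.*= //'
}

# same_pubkey KIND1 FILE1 KIND2 FILE2 -> exit 0 if both carry the same public key
same_pubkey() {
    [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]
}

# Does the cert validate against the CA that clients will be told to trust?
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The pre-import check: the cert must carry the CSR's (hence the NAS key's)
# public key and chain to the CA. A cert issued for a different key is what
# leaves the CSR entry sitting at "signature pending" after an import.
check_before_import() {
    key="$1"; csr="$2"; cert="$3"; ca="$4"
    same_pubkey key "$key" csr "$csr"   || { echo "CSR was not made with this key"; return 1; }
    same_pubkey csr "$csr" cert "$cert" || { echo "cert does not match the CSR's key"; return 1; }
    cert_chains_to_ca "$cert" "$ca"     || { echo "cert does not chain to the CA"; return 1; }
    echo "cert matches CSR and key, and chains to CA: safe to import"
}

make_test_ca
make_csr
sign_csr
make_stray_key
check_before_import "$WORK/nas.key" "$WORK/nas.csr" "$WORK/nas.crt" "$WORK/ca.crt"
# Running the same check with the stray key shows the failure mode.
check_before_import "$WORK/stray.key" "$WORK/nas.csr" "$WORK/nas.crt" "$WORK/ca.crt" || true
```

On a real NAS the key and CSR are the ones the UI generated (the CSR can be copied from the View dialog), the cert is what the CA returned, and the CA file is the CA's certificate or chain; if `check_before_import` reports a mismatch, the cert was issued for some other key and importing it will create a separate entry rather than completing the pending CSR.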