Can't delete a certificate - Error: [EBUSY] This object is being used by other objects

Diox

Diox

Cadet
Joined
Dec 17, 2021
Messages
1
Hello everyone !
I'm a new user to truenas scale. The last few days i was experimenting some stuff with openVPN.
I want to delete the OpenVPN server certificate i created, but when i'm trying to i got an error "[EBUSY] This object is being used by other objects".
The openVPN service is disabled and i have no clue what could cause this error. I didn't apply the certificate anywhere else

I'm sorry if i missed something important, i just want to understand how i can fix that.

Thanks !
 
W

Wong KY

Dabbler
Joined
Jun 9, 2013
Messages
18
Same here. No Service using the Expired Cert.
The New Let's Encrypted Cert been selected properly but still not allowing me to remove.

The problem lasted for a few versions. Since 12.0.U7... still now 12.0.U8.1
 
tinsukE

tinsukE

Cadet
Joined
Jul 15, 2016
Messages
5
Hey all, I was affected by the same issue after testing the OpenVPN Server service and I figured a way to solve it. Skip to bottom if you want just the solution.

I searched TrueNAS issues to see if I could find this problem reported and follow the ticket. I found this:

[NAS-107856] - iXsystems TrueNAS Jira

ixsystems.atlassian.net ixsystems.atlassian.net

It states our problem and says it is fixed. I thought the bugfix could be coming in a future release, but the ticket says it was fixed since 12.0-U1 and SCALE-20.10-ALPHA.

I scratched my head and went to check the linked 12.0 code changes:
github.com

NAS-107856 / 12.0 / Allow resetting openvpn server/client certs (by sonicaj) by bugclerk · Pull Request #5860 · truenas/middleware

This commit introduces changes to allow user to set openvpn certs to null in case he/she does not want to use the service and wants to delete the related certs which would not be possible if they a...
github.com github.com

I'm not familiar with TrueNAS' codebase, but the changes seemed to happen on the back-end of things; which suggests that the issue we're facing (not being able to clear/unset certificates in OpenVPN services) is a front-end only one.

So I thought about trying to make the changes via TrueNAS' API, documented in https://www.truenas.com/docs/core/api/.

Solution

In short, create an API Key (Web GUI -> Settings -> API Keys), copy its value and choose your way to access the API. I went with REST via Postman.

A simple GET request to http://YOUR_SERVER_IP/api/v2.0/openvpn/server will return your current configuration. Save the output.

Then perform a PUT request to http://YOUR_SERVER_IP/api/v2.0/openvpn/server with the body being the previous command's output, but without the field id, and modifying the fields server_certificate and root_ca to null.

Check the Service configuration in the Web GUI, the certificates are unset and now you can delete them!

(don't forget to delete the API Key if you don't plan to keep using them)
 
awasb

awasb

Patron
Joined
Jan 11, 2021
Messages
415
Will this work with "normal" CAs/certificates as well?
 
tinsukE

tinsukE

Cadet
Joined
Jul 15, 2016
Messages
5
awasb said:
Will this work with "normal" CAs/certificates as well?
Click to expand...
I don't understand you mean by "normal", but the aforementioned method works around an issue with the OpenVPN Server/Client Services configuration via Web GUI, that doesn't allow you to unset previously configured CAs/Certificates, and if you try to delete those CAs/Certificates while they're "in use", you'd get the error the OP posted.

I believe it'll work for any certificate that is "blocked" from deleting because it is used in OpenVPN Server/Client Services configuration.
 
awasb

awasb

Patron
Joined
Jan 11, 2021
Messages
415
OK. My bad. Didn't describe it well.

I deleted all default certificates on installation and generated new ones. (Not just OpenVPN but ssl/CAs as well.) While I could delete retired OpenVPN certs, my old ssl certs can't be deleted. The error message is the above mentioned. That's why I thought ... but I'll just try. I guess it's in the API docs.

Edit: Read this

kaanlabs.com

Remove TrueNAS OpenVPN Client: Resolving the Deadlock - kaanlabs

This guide will show to you, how to solve the problem of unremovable OpenVPN Client configurations in your TrueNAS server.
kaanlabs.com kaanlabs.com

searched for the cert-name string within freenas db file with SQLiteBrowser and found the certificate selected for the disabled (!) WebDAV-config. Problem solved.

Reminded me a bit of those NT4.0 regedit days ...
 
Last edited:
You must log in or register to reply here.

Important Announcement for the TrueNAS Community.

The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums.

Related topics on forums.truenas.com for thread: "Can't delete a certificate - Error: [EBUSY] This object is being used by other objects"

Similar threads

G
pfsense certificate and firefox problem
Replies
0
Views
972
gwaitsi
G
mholin
SOLVED cannot delete expired certificate
Replies
5
Views
5K
profwalken
profwalken
M
Certificate 'freenas_default' is expiring within 9 days
Replies
3
Views
493
Macaroni323
M
metri
Help with VPN setup (OpenVPN Client) so all NAS outgoing traffic uses the VPN connection
Replies
0
Views
3K
metri
metri
E
Best practices for routing through a VPN
Replies
1
Views
5K
electricsquid
E
Top