Certificate About To Expire

[cgcmgr]

Hello everyone,

I'm on TrueNAS 12.0-U8.1 and it looks like my certificate is about to expire in 6 days. I don't know much about certificates and have no idea where to even start. I did read a few posts on this forum regarding replacing the expired certificate, but unfortunately, they do not make sense to me. Here is one post that I was going to follow, but as I said, I'm not too familiar with certificates, so I don't know if there is more too it. https://www.truenas.com/community/threads/how-to-renew-truenas-certificate.97268/
Do I check the enable boxes? Do I check all of them? What does fill out remaining fields as desired mean? I'm sure I can't just arbitrarily fill out the fields. There must be something more to it. In the second image in the post, the user shows the subject alternate name with a value of Freenas.yourdomain. I don't have a domain.

What will happen if the certificate expires? Will I still be able to access my TrueNAS? Is the certificate only for remote access of TrueNAS or local as well? I've been reading a lot of posts about renewing or replacing certificates, but I'm really not understanding them. Does anyone know of any straight forward tutorial or Youtube video that will explain how to do this? Do I actually have to buy a domain name to keep my TrueNAS going?

Thanks in advance for any replies and assistance,
Chris

 

[danb35]

What exactly is the error you're seeing?

 

[cgcmgr]

Hey danb35, thanks for answering. I'm not seeing any errors as I haven't set it up yet. I'm just not sure how to proceed. I was looking at your post and wasn't really sure how to proceed. In your attached pictures, you don't show any of the enabled boxes checked and in the "Subject Alternate Names" field, you show freenas.yourdomain. Am I actually typing "freenas.yourdomain" or do I need to enter an actual domain here? If so, I don't own a domain so I can't enter anything here.

Am I supposed to just leave everything exactly as you have in your pictures, just filling in the stared fields?

Chris

 

[danb35]

You don't need to check any of the checkboxes. The "subject" fields do need to be filled in, but it doesn't matter what you enter. For the subject alt names field, if you're using a domain (even a home domain, like .lan or .home), go ahead and put the name you're using there (likely something like truenas.lan). If you aren't going to be using the cert (e.g., you aren't accessing the web UI via HTTPS), it doesn't really much matter what you enter for any of these fields. If you are, it's good if they reflect reality.

 

[Mr_Flibble]

I don't know anything about your setup, and how you are using certificates, or even *IF* you are using certificates in your setup, so I cannot advise your direction.

However, I can highly recommend reading this article:

Everything you should know about certificates and PKI but are too afraid to ask

Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who''ve avoided this particular rabbit hole. Eventually, I was forced to learn this stuff because of what it enables: PKI lets you define a system cryptographically. It''s universal and...

smallstep.com

It will cover what certificates are, why you do (or do not) need them, and where you may or may not use them. Its very good knowledge to have to hand in the IT world.

 

[cgcmgr]

Understood. Here is where my lack of knowledge shows, I'm not using any type of domain that I'm aware of. I just access my TrueNAS locally by typing the IP address in the browser's address bar and then make any changes I need to via the GUI. My Emby server is running on my TrueNAS and I access that locally as well, but if I need to access Emby it remotely, I just connect to my VPN at the remote site and connect to it that way. I don't think I'm going to be accessing the web UI via HTTPS, so I'm guessing I'm fine with entering anything in the fields.

 

[danb35]

I'm guessing I'm fine with entering anything in the fields.

Pretty much. If Emby does TLS (I'm not sure if it does; Plex does), it manages it itself; it doesn't rely on the server's cert. If you're just using the server's IP address to access it, try entering that in the subject alt name field.

 

[cgcmgr]

Thanks, I'll give that a try a little later today. Appreciate the assistance.