Certificate signed by FreeNAS CA does not have a valid cert chain

consulvation

Cadet
Joined
Aug 28, 2020
Messages
2
Ever since FreeNAS-11.3-U4.1, we are no longer able to issue valid certificates signed by the server. We had no issues doing this prior to the upgrade. We can issue a new cert and it seems to get signed by our own intermediary CA and then we export the cert. It includes the full cert chain in PEM format and it appears to be in the correct order. It has 3 certs: target, then intermediary and then root. Wherever we install the cert, the browser comes back with an invalid CA error. If we try to open the cert in Windows, it cannot find the intermediary or root certs and marks it invalid.

We tried creating new CAs after the upgrade and signing new certs using the new CAs with the same results. It seems like something in the stored cert or export is failing to link the signers together with the cert being issued.

There are no CSRs involved, this is an "Internal Certificate".

The original CA certs are distributed to all the client devices and this has been working for years.

I am including some screenshots from what Windows sees.

Thanks for any assistance.

Attachments

  • 000132.png (18 KB)
  • 000133.png (11.6 KB)

consulvation

Cadet
Joined
Aug 28, 2020
Messages
2
Cool. So not a single bite after 3 business days. I did forget to mention that we see this on two different FreeNAS servers, each installed at different times but on the same version. Anyway, since this is a business and it has to function, we decided to stop using the FreeNAS CA and implemented a different solution that works. Hopefully, someone will find this bug in the future and fix it for others who may have to use the FreeNAS version. If not, try the CA in pfSense. Works like a charm.

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Cool. So not a single bite after 3 business days. I did forget to mention that we see this on two different FreeNAS servers, each installed at different times but on the same version. Anyway, since this is a business and it has to function, we decided to stop using the FreeNAS CA and implemented a different solution that works. Hopefully, someone will find this bug in the future and fix it for others who may have to use the FreeNAS version. If not, try the CA in pfSense. Works like a charm.

The number of people on the forum doing anything complicated with certificate authorities of any sort is probably on the order of a handful.

Interestingly, I just (as within the last hour) finished a weeklong project setting up two OpenSSL based enterprise CAs, one for RSA and one for EC, with offline root, and about a dozen intermediate subauthorities for each, along with all the modern extensions including things like nameConstraints, along with custom scripting to manage all of this and allow it to integrate within an automatic provisioning framework.

This totals about 5000 lines of shell code and openssl configuration, and it is complicated. Basically everything to do with SSL has ways that it can turn suddenly into a rabbit hole. I suspect this occasionally catches up with developers for things like FreeNAS, who may not be aware of all the subtleties.

So my point is this:

While I'm sorry you had trouble with FreeNAS, it is possible that it isn't particularly wise to rely on a certificate authority built into some product whose primary purpose is not actually being a CA. There's no guarantee that the pfSense CA won't turn into a quagmire at some point as well.

If you have business critical requirements for a CA, strongly consider using a project like EasyRSA if you do not have the talent or desire in-house to build your own CA.

If you need support of relatively arcane functionality, be aware that the vast majority of forum users are hobbyists and home users who are probably happy with LetsEncrypt. Those of us doing this professionally are probably not doing certificate authorities on FreeNAS, so I have no idea what you've run into or why it went sideways. Your best bet would have been to file a bug report and see if a developer could have looked at what might have changed. I still encourage you to do that.

ianrm

Dabbler
Joined
Aug 22, 2020
Messages
27
Hi,
just to add a little bit more to the fire, how do you create a CA that meets Apple's pinning requirements and add it to the FreeNAS? The current FreeNAS CAs do not and are not recognised by Safari as being valid.

Ian

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Hi,
just to add a little bit more to the fire, how do you create a CA that meets Apple's pinning requirements and add it to the FreeNAS? The current FreeNAS CAs do not and are not recognised by Safari as being valid.

Ian

I have no idea, offhand. Apple appears to be going off into idiot-land, apparently someone there drank too deeply of the LetsEncrypt drug, which is great where you have a system on the Internet that can have its certificates easily updated, but that's useless for stuff like where you have ILO/IPMI/BMC web interfaces or networking gear web interfaces that aren't even connected to the Internet, and where you want to restrict functionality for SSL communications to certificates issued by a particular subauthority.

ianrm

Dabbler
Joined
Aug 22, 2020
Messages
27
I tried to access the plugins this morning and received this error.

Cmd('git') failed due to: exit code(128) cmdline: git clone -v https://github.com/freenas/iocage-ix-plugins.git /mnt/MACdata/iocage/.plugins/github_com_freenas_iocage-ix-plugins_git stderr: 'Cloning into '/mnt/MACdata/iocage/.plugins/github_com_freenas_iocage-ix-plugins_git'... fatal: unable to access 'https://github.com/freenas/iocage-ix-plugins.git/': SSL certificate problem: self signed certificate in certificate chain '
That is an abridged version.
Ian

djromberg

Cadet
Joined
Dec 19, 2020
Messages
2
I just had the same problem with TrueNAS 12-U1 and stumbled upon this thread. I have a root CA which publishes intermediate certificates. I don't want to import the root CA into TrueNAS (as a CA) as it wants me to enter its private key. When I import an externally created client certificate (for my TrueNAS domain), browsers seem to accept it when I add both the root CA and the intermediate CA into the certificate stores of the operating system. Ideally, I would only want to "manually trust" the root CA and let the web services expose the certificate chain. However, when I create a new certificate using the TrueNAS UI and set the signing authority to my imported intermediate certificate, browsers did not accept it (unknown issuer). There must be something wrong. I used the following tutorial for my manually created certificates: https://jamielinux.com/docs/openssl-certificate-authority/index.html

It is not very important (as this is intranet only with a handful of clients) but I tried to learn and understand these certificate things and wanted to do it like it should be done.

djromberg

Cadet
Joined
Dec 19, 2020
Messages
2
I think I solved the issue: In my externally created certificate chain, I didn't specify any "Subject Alternative Name" but only "Common Name". The certificates issued by the TrueNAS system require this field and I just set it to something stupid. Now I read that browsers actually validate that field as the primary source if present. When I set the "Subject Alternative Name" to the same FQDN that I specified for "Common Name", it is accepted without any warning. And I only had to trust my own certificate authority root (and not the intermediate certificate). The TrueNAS server sent the correct certificate chain.
I now validated this with the new TrueNAS SCALE 20.12 but I guess that it will also work with TrueNAS Core 12.0 U1, but I haven't tested this.
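Added example, not code from any post in this thread: a throwaway root, intermediate and server certificate built with openssl, exported in the order the first post describes (server, intermediate, root), then checked for the two failure modes discussed above: a bundle that does not actually chain to the root, and a server cert with no Subject Alternative Name. The hostname nas.example.test and all keys are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread): build root -> intermediate -> server with openssl,
# bundle them server-first, then check that the bundle chains to the root and that the
# server cert carries a SAN (the two things that tripped people up in this thread).
set -e
WORK="$(mktemp -d)"
FQDN="nas.example.test"   # constructed hostname standing in for the real server name

# Root CA (self-signed; the default openssl.cnf v3_ca section marks it CA:TRUE)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, signed by the root, with CA:TRUE and pathlen:0
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Server certificate signed by the intermediate (398 days). $2 carries optional extra
# extension lines such as the SAN, so the same routine issues a cert with and without it.
issue_server() {  # $1 = output file, $2 = extra extension lines or ""
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$FQDN" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n%s\n' "$2" > "$WORK/srv.ext"
  openssl x509 -req -sha256 -days 398 -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/srv.ext" -out "$1" 2>/dev/null
}

# Split a bundle into leaf + rest, verify the leaf against the trusted root using the rest
# as untrusted intermediates, then look for a SAN. Prints "ok", "chain" or "no-san".
check_bundle() {  # $1 = bundle.pem (server cert first), $2 = trusted root.pem
  awk '/BEGIN CERT/{n++} n==1' "$1" > "$WORK/leaf.pem"
  awk '/BEGIN CERT/{n++} n>1'  "$1" > "$WORK/rest.pem"
  openssl verify -CAfile "$2" -untrusted "$WORK/rest.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    || { echo chain; return 0; }
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -q 'Subject Alternative Name' \
    || { echo no-san; return 0; }
  echo ok
}

issue_server "$WORK/srv_nosan.pem" ""
issue_server "$WORK/srv_san.pem" "subjectAltName=DNS:$FQDN"
cat "$WORK/srv_san.pem"   "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain_good.pem"
cat "$WORK/srv_nosan.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain_nosan.pem"
cat "$WORK/srv_san.pem"   "$WORK/root.pem"                 > "$WORK/chain_broken.pem"  # intermediate missing
check_bundle "$WORK/chain_good.pem"   "$WORK/root.pem"   # ok
check_bundle "$WORK/chain_nosan.pem"  "$WORK/root.pem"   # no-san
check_bundle "$WORK/chain_broken.pem" "$WORK/root.pem"   # chain
```

Running check_bundle against the bundle a NAS actually exports, with the CA you distributed to clients as the trusted root, separates "the chain does not link" from "the cert lacks a SAN" before you touch any browser.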

mururoa

Dabbler
Joined
May 31, 2016
Messages
22
Okay the Certificate part of Truenas is broken.
And it's broken since several releases.
At least the default setup is broken and maybe it is now needed to specify some options that are not defaults.
I tried hard today issuing a certificate for an internal lab server but no way to get it working. Certificate is always stated as invalid for browsers (firefox and chrome on linux, windows and android).
So I gave a try on pfsense certificate authority and it worked like a charm. Same server, same CN, same SAN. Of course I had to set lifetime of 398 days since Apple forced the rest of the world to use that limit but I had it set on both pfsense and Truenas so that's not the point.
Very easy to reproduce: create a CA, create certificate, export CA, certificate and key. Import CA on browser/OS. Configure server with issued certificate and try to access it. Truenas certificate: invalid, Pfsense: ok.
So now I have a Pfsense CA certificate on the Truenas server. What else?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I see a number of complaints of problems on this thread, but no indication of bug reports--have any of those posting problems filed a bug? That's the only way the devs are likely to see the issue.

I don't use Free/TrueNAS as a CA and never thought to; until some months ago I used Let's Encrypt for pretty much everything. More recently, I've started using one of these:

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Okay the Certificate part of Truenas is broken.
And it's broken since several releases.
At least the default setup is broken and maybe it is now needed to specify some options that are not defaults.
I tried hard today issuing a certificate for an internal lab server but no way to get it working. Certificate is always stated as invalid for browsers (firefox and chrome on linux, windows and android).
So I gave a try on pfsense certificate authority and it worked like a charm. Same server, same CN, same SAN. Of course I had to set lifetime of 398 days since Apple forced the rest of the world to use that limit but I had it set on both pfsense and Truenas so that's not the point.
Very easy to reproduce: create a CA, create certificate, export CA, certificate and key. Import CA on browser/OS. Configure server with issued certificate and try to access it. Truenas certificate: invalid, Pfsense: ok.
So now I have a Pfsense CA certificate on the Truenas server. What else?
Dude, this is the Legacy forum about FreeNAS, not even the TrueNAS forum part.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Dude, this is the Legacy forum about FreeNAS, not even the TrueNAS forum part.
...which was a nonsensical division in the first place, and (by observation) has been largely ignored by the users.

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
...which was a nonsensical division in the first place, and (by observation) has been largely ignored by the users.
Except almost all code portions, one of which is certificate, have been completely overhauled in the meantime.
The dude necro'ed an 8(!)-month-old thread on a legacy forum, about a product that is completely overhauled in the meantime. That's quite relevant in my book.

mururoa

Dabbler
Joined
May 31, 2016
Messages
22
Okay I may have posted in the wrong section of the forum. I was indeed talking of latest TrueNas release.
You may trust me or not but I was unable to post any new thread. I was accepting the conditions for posting in a loop. New thread --> accept condition --> accept conditions --> ... So I was unable to post but able to reply to the closest thread about certificate problems. This appears to be working now.
But where is the bug? The generated server certificate is unusable; that is the bug.

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Please open a new thread, describing the problem again - sorry - I don't have the time to wade through a necroed thread and all this off-topic discussion. I promise I will look into it. I am experienced with CAs and everything around them, so I am confident I can confirm it's a bug or tell you "you are holding it wrong", or something different altogether.

HarryE

Cadet
Joined
May 27, 2011
Messages
6
Assuming the certificates are externally generated:
In order to ensure the correct chain of certificates, after importing the root CA, intermediate CA and server certificate with some corresponding private keys, one has to manually enforce the chain in the database.
Use SSH and
Code:
root@freenas[~]# cd /data/
root@freenas[/data]# sqlite3 freenas-v1.db

sqlite> .headers on
sqlite> select * from system_certificateauthority ;

You get the list of imported CA certificates. Identify their IDs and use
Code:
sqlite> update system_certificateauthority set cert_type=4,cert_signedby_id=<Root_CA id> where id=<Intermediate CA ID>;

Now you link the server certificate to the intermediate CA cert.
Code:
sqlite> select * from system_certificate ;
Identify server certificate ID. Then use
Code:
sqlite> update system_certificate set cert_type=16,cert_signedby_id=<Intermediate CA ID> where id=<Server certificate ID>;

<Root_CA id>, <Intermediate CA ID>, <Server certificate ID> are the primary keys from the tables (integers).
Code:
sqlite> select * from system_certificate ;
then
sqlite> .q

Select the certificate again in the Web Server's HTTPS config section and save the option. This will trigger generation of the correct CA chain.
If the Root CA exists in the OS/Browser's Trusted root vault, next time you restart the browser you will get a valid SSL connection.