Enabling an internal certificate makes freenas.local route to one of my jails (11.2)

Beer (Dabbler, joined May 21, 2016, 38 messages):
I'm not sure what's going on here.

I have FreeNAS running on 192.168.1.201. I can access my server via IP or from freenas.local over HTTP. My goal was simply to enable HTTPS on the lan, and things got weird.

I created a CA, added a CSR, signed it.

Then I went to System > General and configured like so (http+https temporarily until I verify everything is working):

Then things went haywire...


[Screenshot: certificate not loading]

HTTP now routes freenas.local to one of my jails, 192.168.1.219.

I don't understand this...

[Screenshot]

The problem resolves itself when I disable HTTPS from the above screen. Freenas.local returns to 192.168.1.201 as usual.


And that's where I'm at now. I don't know what to do; this doesn't make any damn sense. When I set up my CA, I used freenas.local as the FQDN, but I also used freenas.local as the FQDN when adding my CSR. Is that correct?


I'm puzzled. Any help appreciated.

Thanks
 

Apollo (Wizard, joined Jun 13, 2013, 1,458 messages):
Try keeping HTTPS, but reboot freenas.
That might fix it, as I suspect the issue is with IP binding.
 

Beer:
I've tried that multiple times. I've recreated the CA and CSR from scratch too. I've also tried rebooting with my jails turned off, at which point freenas.local gives me a blank page with a shark, or it's simply unreachable.


Apollo:
Do you have 443 mapped from the router/firewall proxy directly to the Plex IP address?
 

Apollo:
Do you have HTTP=>HTTPS redirection enabled?
Try https://192.168.1.201
 

Beer:
Yeah, I have redirection set up. If that's the cause, how can I work around this? This seems to be a relatively straightforward setup.

EDIT: Wait, maybe it's just a matter of listening internally on different ports and forwarding to the standard 80/443 externally... off to test.
 

Beer:
OK, so I don't think that's the problem now. I reconfigured nginx and remapped my ports so locally everything is running on 8080/8443, and configured my router. I disabled/re-enabled HTTPS in Freenas and rebooted the entire box.

[Screenshot: router port forwarding]

Now neither of them works.


Apollo:
With specific ports, you need to be specific as well when you define your IP address.
Try:
http://192.168.1.201:8080
and
https://192.168.1.201:8443
With Nginx as a reverse proxy server, you want to be able to look for a FQDN and be able to forward the proper instance to the proper IP address rather than passing everything from 443 to a single IP address.
 

Beer:
I'm not sure I totally follow what you're suggesting. Let me clarify my current configuration with a simple example. First, Freenas (.201) is still running on 80; I haven't changed that, so http://192.168.1.201:8080 will fail to connect for sure. For the rest of this post I'll just focus on https, to keep it short.

My nginx reverse proxy jail (192.168.1.222) has 443 opened externally pointing to 8443 internally and the configuration looks something like this (highly simplified):

Code:
server { # server1
    listen 8443;
    server_name mydomain.com;
    # ... (TLS and other settings omitted here)
    location / {
        proxy_pass http://192.168.1.123;
    }
}

server { # server2
    listen 8443;
    server_name subdomain.mydomain.com;
    # ... (TLS and other settings omitted here)
    location / {
        proxy_pass http://192.168.1.124;
    }
}


Then my router is configured like:

Code:
Forward 192.168.1.222 (Nginx jail) internal port 8443 => external 443.


That way Server1 and Server2 can both be listening on 443 publicly from my domain. This is how public services are currently being exposed to the outside world:

Code:
mydomain.com:443 <=forwarded<= nginx:8443 <=proxied<= http://192.168.1.123
subdomain.mydomain.com:443 <=forwarded<= nginx:8443 <=proxied<= http://192.168.1.124


In this example, mydomain.com and subdomain.mydomain.com are services that would each be listening on 443. I can only forward one IP in my router to external 443, so in order to run both of these web services, the nginx jail (.222) needs to be the one forwarded in my router, which it currently is.

I see no other way to accomplish this. Let me know if I'm misunderstanding what you're saying.
 

Apollo:
I think I better understand.
I thought you had Freenas mapped to ports 8080 and 8443.

However, because your Nginx is intercepting 443 communications, it also intercepts Freenas communication.
If you set Freenas to use a different port, you will not have those issues.
You don't want to expose Freenas to the world without proper layers of security, and as a result you do not want to include a Freenas mapping served by Nginx, unless you set Nginx to not allow remote access to Freenas externally.
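Apollo's point about nginx picking up 443 connections that were never meant for it, together with the two server blocks Beer posted, as an added example (not code from either poster or from nginx): a Python model of how nginx chooses a server block when several share one listen port, plus a constructed catch-all default_server that drops unmatched hostnames instead of proxying them to the first block. It assumes nginx's documented selection order (exact name, leading wildcard, trailing wildcard, then the default server, which is the first block on that port unless one is flagged); Beer later notes nginx was off, so this shows the mechanism Apollo describes, not the thread's confirmed cause.

```python
"""Model of how nginx picks a server block on a shared listen port (added example)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Server:
    names: List[str]              # server_name values
    upstream: Optional[str]       # proxy_pass target; None models "return 444"
    default_server: bool = False  # default_server flag on the listen directive

def _wildcard_match(pattern: str, host: str) -> bool:
    # nginx allows one wildcard, at the start (*.example.com) or end (www.example.*)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern.endswith(".*") and host.startswith(pattern[:-1])

def select_server(servers: List[Server], host: str) -> Server:
    """nginx order: exact name, longest leading wildcard, longest trailing
    wildcard, otherwise the default server (first block unless one is flagged)."""
    host = host.lower().split(":")[0].rstrip(".")
    for s in servers:
        if host in [n.lower() for n in s.names]:
            return s
    for leading in (True, False):
        hits = [(len(n), -i) for i, s in enumerate(servers) for n in s.names
                if n.startswith("*.") == leading and _wildcard_match(n, host)]
        if hits:
            return servers[-max(hits)[1]]   # longest match wins, earliest on ties
    return next((s for s in servers if s.default_server), servers[0])

def route(servers: List[Server], host: str) -> Optional[str]:
    """Upstream a request with Host: <host> is proxied to (None = dropped)."""
    return select_server(servers, host).upstream

# Beer's two blocks, both on listen 8443: any other name falls through to the first.
AS_POSTED = [
    Server(["mydomain.com"], "http://192.168.1.123"),
    Server(["subdomain.mydomain.com"], "http://192.168.1.124"),
]
# Constructed hardening: an explicit default_server with no proxy_pass (return 444),
# so an unexpected Host such as freenas.local or a bare IP is dropped, not forwarded.
HARDENED = [Server(["_"], None, default_server=True)] + AS_POSTED
```

With AS_POSTED, a request for freenas.local that reaches nginx:8443 is proxied to 192.168.1.123 because server1 is the implicit default; with HARDENED it goes nowhere.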
 

Beer:
I'm not exposing Freenas to the outside world. My thread was about creating an internal certificate for Freenas on my lan so I can access it via https. The Freenas admin UI is sealed up from the outside world. Nginx isn't intercepting anything... that's why I'm so confused; this is happening even if I shut nginx off and reboot the server.

One of my other jails (Synclounge, from my screenshots above) runs on 80, and freenas.local is getting routed to it for whatever reason. But even if I change 80 to 82 on my Synclounge service, freenas.local still tries to route to that jail's IP address... it will just fail to connect because I changed the port.
 