Enabling https with a trusted cert

Status
Not open for further replies.

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
Hey everyone. Firstly, I apologize if this was posted somewhere already. I paid for a trusted certificate for my server so I can enable https without getting the error or having to add the custom signed certificate. When I try to go and import the certificate, it asks for a private key. Where would I get this from? I initially did a CSR and they signed it.. https worked on certain platforms, but on Android it would say the certificate was invalid. The company I went through said I needed to follow their instructions, which was to call "cat" on two of their files, a cert and a bundle file, and then upload it to where nginx is. I know we aren't supposed to do anything via CLI and are encouraged to do it through the browser.

Any help is appreciated. I'm on 9.10.1
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
When you created the csr, you used a private key. That's what goes in the private key field. For the certificate, many CAs require that you serve an intermediate cert from the CA as well as your own server cert. nginx (which is what FreeNAS uses as a web server) expects those to be together in a single file. Unfortunately, a bug in FreeNAS doesn't save those sorts of chained certificates properly, which is probably why you're seeing errors. That bug is supposed to be fixed in the next update, which is supposed to be due out on Monday.
 

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
Thank you so much for the detailed response. I managed to get this to work.. not sure if I did it right though, ha. I took the private key I used in the CSR, imported the certificate by opening the file and copying the contents and pasting it in the certificate field. Then I put in the private key from the CSR. The certificate had a series of "BEGIN CERTIFICATE", "END CERTIFICATE" lines. About 6 of them. I can now access via https from all OSes.
 

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
I spoke too soon... getting the error again on android phones..
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
I have just updated. The issue is still there on Android. I have tried multiple browsers.
 

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
On your FreeNAS machine, what's the output of openssl s_client -connect localhost:443? In code tags, please.

Code:
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
CONNECTED(00000004)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = adhdservers.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = adhdservers.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=adhdservers.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=adhdservers.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2040 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C5B4E36E8C882403530FF1A7BEDC1FC824364E532164211D4D3F98784338D328
    Session-ID-ctx:
    Master-Key: C0CDD42940FEC8931B4996AA5BC05985F0F49198C4A399A8E2ACD636EB83A0168CAF4BCAB7B788487FB7747AC8988ABB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 37 f9 49 ae 6e be a8 8c-c0 e0 cf 0a 31 57 f8 7f   7.I.n.......1W..
    0010 - 5d 5d f1 1e 56 96 ca 4b-bb 93 2b 30 8c 34 35 f8   ]]..V..K..+0.45.
    0020 - 30 4f 15 20 19 0c 89 e2-30 42 6d 96 8a 59 7e fb   0O. ....0Bm..Y~.
    0030 - ea 17 79 dc 4f ec 35 7d-60 d4 20 1a 4a f9 26 59   ..y.O.5}`. .J.&Y
    0040 - 42 23 88 f7 15 73 44 83-69 a4 01 9f 9f c0 81 a4   B#...sD.i.......
    0050 - 99 fe 24 3a 59 66 3a 78-21 b4 de 7d 61 d9 98 fe   ..$:Yf:x!..}a...
    0060 - 55 9f d9 42 98 5a 34 7f-9a 67 b7 06 a3 c8 c8 e4   U..B.Z4..g......
    0070 - ec 37 0c b5 d1 49 44 3c-bf df 5f 85 22 42 f2 33   .7...ID<.._."B.3
    0080 - 11 38 70 c6 f8 4f ed 51-78 f3 b7 de be ce 79 fe   .8p..O.Qx.....y.
    0090 - 00 d6 04 1a ec 20 cb 53-f5 37 2f 51 da 1d a9 4a   ..... .S.7/Q...J
    00a0 - 2d 3a 85 52 f7 d1 33 eb-f9 b7 0a b6 54 19 45 2c   -:.R..3.....T.E,

    Start Time: 1474989321
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Hmmm, looks like it still isn't sending the intermediate certificate. When you look at the certificate in the web GUI, do you see at least two BEGIN CERTIFICATE/END CERTIFICATE blocks? Bug 9879 addressed this issue, and was reported fixed in yesterday's update. I haven't installed that update yet myself to confirm.
 

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
Yes sir. I see four total. When you say intermediate certificate, could you clarify? From my previous posts, does it sound like I installed it correctly?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
when you say intermediate certificate could you clarify?
OK, but it's going to be long. You have been warned. (-:

SSL/TLS certificates are intended to accomplish two things: (1) they provide a public key for you to use in encrypting communications with the site; and (2) they validate, to a degree, that the site you're communicating with is who you think it is. To do the latter, they're signed by a certificate authority (CA). In the old days, when the dew of creation was fresh upon the web, SSL certificates were very expensive, and they were issued directly by trusted CAs. There were a handful of trusted CAs, and their root certificates were directly installed in your web browser, so your browser would know to trust them.

As Internet traffic grew, that quickly became impractical for a number of reasons. CAs have changed to the model we see today, where nearly all TLS certs are issued by intermediate CAs. There are a few dozen trusted root CAs, whose certificates are hard-coded into your browsers and operating systems. Those rarely, if ever, sign individual server certificates. Instead, they sign other CA certificates ("intermediate certificates"). Those certificates, in turn, are what are used to sign individual server certificates. To show that your individual server certificate is trusted, your browser needs to see a chain of trust back to a root certificate it trusts.

In your case, your certificate for adhdservers.com was signed by one of Comodo's intermediate CA certificates, Comodo RSA Domain Validation Secure Server CA. That certificate was signed by another of Comodo's intermediate CA certificates, COMODO RSA Certification Authority. That certificate, in turn, was signed by a completely different root CA, AddTrustExternalCARoot, which is presumably (hopefully) trusted by your browser.

When you browse to https://adhdservers.com, your FreeNAS box presents a certificate saying, in effect, "Comodo RSA Domain Validation Secure Server CA says I'm legitimate." The error message you're seeing is saying, "great, but who's Comodo RSA Domain Validation Secure Server CA?" To correct that error, you need to serve the cert for Comodo RSA Domain Validation Secure Server CA, as well as the cert for COMODO RSA Certification Authority.

The way you do that with nginx (the web server software used by FreeNAS) is to put all the (three, in your case) certificates together. If you have four, the fourth is probably the root, which isn't needed, but isn't likely to hurt anything. If all the certs are together in the cert file given to nginx, it will serve them properly, and things will be good. The problem is that FreeNAS got a little too clever parsing the input in the web GUI, and took only the first certificate pasted into that field, discarding anything else. They say they've fixed the bug, but what you're seeing suggests they may not have.
 
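As an added example (not code from the thread or from FreeNAS), a stdlib-only Python checker for the kind of nginx bundle danb35 describes: it splits the PEM blocks, reads each certificate's issuer and subject straight out of the DER, and reports whether the file is leaf-first with every certificate issued by the one after it. The sample certificates at the bottom are constructed stubs that only mimic the real field layout (the names are taken from the thread); point `chain_problems` at a real .crt file to check an actual bundle.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate; return raw DER of the issuer and subject Names."""
    _, p, _ = der_tlv(der, 0)                           # Certificate SEQUENCE
    _, p, _ = der_tlv(der, p)                           # tbsCertificate SEQUENCE
    tag, _, nxt = der_tlv(der, p)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        p = nxt
    for _ in range(2):                                  # skip serialNumber, signature AlgorithmIdentifier
        _, _, p = der_tlv(der, p)
    _, _, q = der_tlv(der, p); issuer, p = der[p:q], q  # issuer Name (raw DER bytes)
    _, _, p = der_tlv(der, p)                           # validity
    _, _, q = der_tlv(der, p)                           # subject Name (raw DER bytes)
    return issuer, der[p:q]
def chain_problems(pem_text):
    """Problems with a leaf-first nginx bundle; an empty list means the chain links up."""
    certs = [issuer_and_subject(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]
    problems = []
    if len(certs) < 2:
        problems.append("only %d certificate block(s); intermediates missing" % len(certs))
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:              # issuer of cert i must equal subject of cert i+1
            problems.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return problems
# Constructed sample: stub certs with the real TBS field order (not real Comodo certificates).
def _der(tag, body):                                    # DER TLV with minimal short/long-form length
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + body
def _name(cn):                                          # Name = SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))
def stub_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
LEAF = stub_cert("adhdservers.com", "COMODO RSA Domain Validation Secure Server CA")
INTER1 = stub_cert("COMODO RSA Domain Validation Secure Server CA", "COMODO RSA Certification Authority")
INTER2 = stub_cert("COMODO RSA Certification Authority", "AddTrust External CA Root")
FULL_BUNDLE = to_pem(LEAF) + to_pem(INTER1) + to_pem(INTER2)   # leaf first, then intermediates: what nginx needs
```

Run `chain_problems(open("/etc/certificates/<name>.crt").read())` on the box; a leaf-only file (what the GUI bug leaves behind) reports the missing intermediates, and a bundle pasted in the wrong order reports which link breaks.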

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
That was a fantastic explanation!! That made a lot of sense.

So as I know, we are not supposed to change things via CLI if they can be done in the GUI, correct? But what if I manually create the certificate file via the CLI?

Also, should I try creating a new certificate?

Edit: why does it work sometimes? Or when I first make a certificate?
 

toyebox

Explorer
Joined
Aug 20, 2016
Messages
87
So, question.. why is it highly advised to not expose my FreeNAS machine to the Internet?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
In short, because it isn't designed for it. Some services (like the web GUI) could be hardened to the point where they'd be reasonably safe to expose, but haven't been, because that just isn't one of the design goals of the system. Some services (like SSH) are already pretty robust. Still others simply have no hope of being secure.
 

snaptec

Guru
Joined
Nov 30, 2015
Messages
502
To give a solution, SSH is the way to connect from the Internet. Just tunnel the web interface to a local port, if you ever need the web GUI remotely.


Sent from iPhone with Tapatalk
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
SSH is the way to connect from the Internet.
I wouldn't agree that it's the way, but it's definitely a secure way, when it's set up properly. The other secure way is through a VPN. I favor the VPN, but both are good options.
 

snaptec

Guru
Joined
Nov 30, 2015
Messages
502
Let's say most common way for a single server. If there are a couple of servers you're right, VPN is the way to go.


Sent from iPhone with Tapatalk
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
@toyebox, on your FreeNAS machine, take a look in /etc/certificates at the .crt file. Does it have all the BEGIN CERTIFICATE/END CERTIFICATE blocks that you entered in the web GUI?
 