Hello, my first post -- I coincidentally started building my first FreeNAS server about the same time as Chrome 58 was released. I've been banging my head against the Chrome SSL problem for a few days now, and I finally came up with a workaround that should tide people over until the bug fix is released.
The following instructions assume that you're running (or want to run) the FreeNAS server with your own CA certificate and server certificate. The instructions should be run on the command line on a Unix system with openssl installed, except for the parts that require modification of the server through the FreeNAS web UI. Myself, I did all this on the FreeNAS host.
- Create a work directory where you'll generate the SAN (subjectAltName, Subject Alternative Name) certificate, then change to it:
Code:
mkdir ~/sslwk
export WKDIR=~/sslwk # if in the bash shell
cd $WKDIR
- Create an openssl.cnf file with the subjectAltName extension:
Code:
cat > subjAltName_openssl.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
# Edit these to match your data
C=US
ST=YourState
L=YourTown
O=FreeNASCSR
emailAddress=youraddress@yourdomain.com
# Primary IP of your FreeNAS server
CN = 192.168.1.233
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# The first entry should be your primary Common Name (CN),
# the same as configured in your CA certificate
IP.1 = 192.168.1.233
DNS.1 = freenas.local
DNS.2 = www.yourotherdomain.com
EOF
- Create a CA in the FreeNAS web UI (or use an existing CA)
If you create a CA certificate, make sure to export it, then add it to your browser or system's Trusted Root Authority Certificate database.
- Export the CA certificate and key in the FreeNAS web UI, then copy them to your work directory
If you're working on the FreeNAS host, you can also directly copy them:
Code:
sudo cp /etc/certificates/CA/freenas_CA.crt /etc/certificates/CA/freenas_CA.key $WKDIR
- Generate a certificate key:
Code:
openssl genrsa -out freenas_CRT.key 2048
- Generate a CSR with the certificate key, and the subjAltNames included:
Code:
openssl req -new -sha256 -nodes -out freenas_CSR.csr -key freenas_CRT.key -config subjAltName_openssl.cnf
- Verify the CSR:
Code:
openssl req -text -noout -in freenas_CSR.csr
You should see lines like this, with your alternate names:
Code:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.1.233, DNS:freenas.local, DNS:www.yourotherdomain.com
- Create the certificate, using the CSR as input, including the CA and the subjAltNames:
Code:
openssl x509 -req -in freenas_CSR.csr \
-CA freenas_CA.crt \
-CAkey freenas_CA.key \
-CAcreateserial \
-out freenas_CRT.crt \
-days 500 \
-sha256 \
-extfile subjAltName_openssl.cnf \
-extensions req_ext
- Verify the certificate:
Code:
openssl x509 -text -noout -in freenas_CRT.crt
You should see lines like this, with your alternate names:
Code:
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.1.233, DNS:freenas.local, DNS:www.yourotherdomain.com
- Copy and paste the certificate and key into the FreeNAS web UI (System/Certificates -> Import certificate):
Code:
cat freenas_CRT.crt
cat freenas_CRT.key
- Select this new certificate in the FreeNAS web UI System/General tab, and save the updated config.
- Test with openssl at the command line:
Code:
openssl s_client -showcerts -connect 192.168.1.233:443 -CAfile freenas_CA.crt
You should see lines like this:
Code:
CONNECTED(00000004)
depth=1 C = US, ST = YourState, L = YourTown, O = FreeNAS CA, CN = 192.168.1.233, emailAddress = youraddress@yourdomain.com
verify return:1
depth=0 C = US, ST = YourState, L = YourTown, O = FreeNASCSR, emailAddress = youraddress@yourdomain.com, CN = 192.168.1.233
verify return:1
[...]
Verify return code: 0 (ok)
HTTPS should now work in Chrome 58+, and you should be able to access the secure site from any of your domain name aliases.
- Once you have verified that everything is working as it should, remove your SSL work files:
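The whole procedure above, condensed into one script as an added example (this is not code from the original post and does not touch a FreeNAS box). It assumes only the openssl CLI and a throwaway directory: the CA is generated locally with openssl instead of being exported from the FreeNAS UI, the DN and SAN values are constructed placeholders, and the script deliberately issues a second certificate without -extfile so you can see the CN-only certificate that Chrome 58+ rejects sitting next to the good one. The has_san function is the check worth keeping: run it against whatever certificate you are about to import.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the SAN certificate
# procedure with openssl alone and checks that the extension Chrome 58+ needs
# is really present. All files land in a throwaway directory.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK="${SAN_DEMO_DIR:-$(mktemp -d)}"

# Request config with the subjectAltName entries (constructed placeholder values).
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = YourState
L = YourTown
O = FreeNASCSR
CN = 192.168.1.233
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.1.233
DNS.1 = freenas.local
DNS.2 = www.yourotherdomain.com
EOF
}

# Throwaway CA; assumption: stands in for the CA you would export from FreeNAS.
make_ca() {
    openssl req -x509 -new -nodes -sha256 -days 30 -newkey rsa:2048 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=US/O=Demo CA/CN=Demo Root" 2>/dev/null
}

# Issue a server certificate from a fresh key and CSR.
# $1 = base file name, $2 = "san" or "nosan".
# The "nosan" branch omits -extfile/-extensions, which is exactly how you end
# up with a CN-only certificate that Chrome 58+ refuses.
issue_cert() {
    name="$1"; mode="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$name.key" -config "$WORK/san.cnf" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ "$mode" = san ]; then
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 30 -sha256 \
            -extfile "$WORK/san.cnf" -extensions req_ext \
            -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 30 -sha256 \
            -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# Succeeds (exit 0) only if $1 carries a Subject Alternative Name containing $2,
# e.g. "DNS:freenas.local" or "IP Address:192.168.1.233".
has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -q "$2"
}

# Succeeds only if $1 chains to the demo CA (same idea as s_client -CAfile).
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Build both variants so the difference is visible side by side.
setup_demo() {
    write_config
    make_ca
    issue_cert good san
    issue_cert bad nosan
}

setup_demo
if has_san "$WORK/good.crt" "DNS:freenas.local"; then echo "good.crt: SAN present, chain ok: $(chain_ok "$WORK/good.crt" && echo yes || echo no)"; fi
if ! has_san "$WORK/bad.crt" "DNS:freenas.local"; then echo "bad.crt: no SAN, Chrome 58+ would reject it"; fi
echo "files are in $WORK"
```

Point has_san at the freenas_CRT.crt you generated with the post's steps (has_san freenas_CRT.crt DNS:freenas.local) before pasting it into the web UI; if it fails, the signing step was run without -extfile and -extensions req_ext.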