FreeNAS SSL Certs and Windows 10 browsers

Status
Not open for further replies.

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Hi all, I followed the YouTube video for FreeNAS 9.10 and created a CA and cert, and it works great on my RedHat 7.4 machine running Firefox, but having imported the CA cert into Windows, any browser fails to even connect, with SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA.
I have tried various attempts to connect: clearing the cache, renaming the Hosts file, checking the firewall, all to no avail.

Any idea what I can do to access from Windows 10?

All help greatly appreciated.
FreeNAS Server is on 11.1
Many thanks
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
the Youtube video
There are many youtube videos about FreeNAS. Do you have a link to the Youtube video you watched?

imported the CA cert into Windows
How did you import the cert? The CA cert needs to be added to the "Trusted Root Certification Authorities" store in Windows. Also, Firefox does not trust the Windows certificate store. There are different steps to import the CA into Firefox.

SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA
This is specifically a Firefox error. What errors are you getting in IE or Chrome?

Any idea what I can do to access from Windows 10?
Have you tried using a self-signed cert for FreeNAS, just to verify you can connect?
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Thanks for looking and commenting; here are the details.
I firstly used the following YouTube video - https://www.youtube.com/watch?v=OT1Le5VQIc0
Yes, I have imported the CA cert into the "Trusted Root Certification Authorities" within Windows.
It fails to connect in IE or Chrome or Firefox on Windows; not tried others.
BUT it does work correctly in Firefox on Red Hat 7.4.
I believe the video creates and uses a self-signed cert for FreeNAS.

Thanks again and have a good day.
Rgds
Cygnus
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
It fails to connect in IE or Chrome or Firefox on Windows; not tried others.
Again, the error you provided is specifically a Firefox error. What errors are you getting in IE or Chrome?

I believe the video creates and uses a self-signed cert for FreeNAS.
Can you provide a screenshot of your CA, certificate, and System->General screen?
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Apologies for the delay in response. Here are the screenshots; hopefully they might shed some light. Once again, thanks all for looking. I have tried this on a 3rd Windows 10 machine and that gets an exception but allows me to advance and carry on to connect, even though it states it's unsafe and there is no padlock in the browser! Please see the files in the attached zip file. It includes responses from Firefox and Chrome and the CA, Cert and General screenshots.
 

Attachments

  • Shared Freenas Images.zip
    304.7 KB · Views: 349

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Includes responses from Firefox and Chrome
AGAIN, what errors are you getting in IE?

and the CA, Cert
Can I see the details of your certificate?

A quick Google search of your Chrome error reveals many tips for fixing this error. This is why it's essential that you provide all this troubleshooting info the first time (I shouldn't have to ask three times for these errors!). One of the common solutions to clearing this error is correcting your system time. Because you are having the issue with multiple computers, that could mean an issue with the FreeNAS clock. Can you verify that you have NTP set up and configured on FreeNAS and all your clients? If the hardware in your signature is your FreeNAS server, that hardware is pretty old, and you may have a dying mobo battery (which translates to clock issues).
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Thanks again for looking at this for me. I'm uploading the screenshots as we speak. Hopefully I might get all the details you required. Apologies....
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
In regard to the certificate details - do you mean a screen capture from the View button for the certificate? Should all the laptops trying to access FreeNAS use the same NTP server as FreeNAS is using? Currently it appears the Windows ones are defaulting to time.windows.com.
 

Attachments

  • IE response.jpg
    45.2 KB · Views: 404
  • freenas ntp server.jpg
    67.9 KB · Views: 450

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
In a perfect world, you would have a central NTP server for your network, and all devices on your network would use that NTP server to update their time. That NTP server would update from publicly accessible NTP servers, like time.windows.com or the NTP Pool. However, for the purposes of SSL timing, the errors between using different NTP servers shouldn't be a big deal.

To check NTP, go to the shell, and run ntpq -p and paste the output here (in code tags).

Based on the errors from the three browsers, we can pretty safely assume the issue is with the SSL protocol negotiation. In my experience, this usually translates to a protocol mismatch, but I think that's highly unlikely here, largely because FreeNAS doesn't let you tweak those settings (so unless you made a non-standard change, like forcing an outdated SSL version, everything should be good). If not a protocol mismatch, the usual other reason is some browser issue (clear the cache, and you clear the problem). However, given that this is happening on multiple machines with multiple browsers, that tells me it's something with the server, and time is probably the next most common issue.

Something else just occurred to me: have you configured your default gateway and DNS server(s) in the Network configuration? If you don't have your gateway or DNS servers configured, FreeNAS won't be able to resolve the NTP pool IPs.

EDIT: For the certificate, never mind. I was thinking that viewing the certificate details showed you the parameters used to generate it.
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
In a perfect world, you would have a central NTP server for your network, and all devices on your network would use that NTP server to update their time. That NTP server would update from publicly accessible NTP servers, like time.windows.com or the NTP Pool. However, for the purposes of SSL timing, the errors between using different NTP servers shouldn't be a big deal.

To check NTP, go to the shell, and run ntpq -p and paste the output here (in code tags).
Code:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*eggburt.positiv 85.199.214.100   2 u   28  128  377   28.988    3.424   2.023
+time.rdg.uk.as4 85.199.214.101   2 u    6  128  377   24.699    1.247   4.958
 x.ns.gin.ntt.ne 249.224.99.213   2 u 1010   64    0   31.417    4.201   0.000


Based on the errors from the three browsers, we can pretty safely assume the issue is with the SSL protocol negotiation. In my experience, this usually translates to a protocol mismatch, but I think that's highly unlikely here, largely because FreeNAS doesn't let you tweak those settings (so unless you made a non-standard change, like forcing an outdated SSL version, everything should be good). If not a protocol mismatch, the usual other reason is some browser issue (clear the cache, and you clear the problem). However, given that this is happening on multiple machines with multiple browsers, that tells me it's something with the server, and time is probably the next most common issue.

Response :- Thanks, I have checked the NTP server and I will change the battery as it's an easy option.

Something else just occurred to me: have you configured your default gateway and DNS server(s) in the Network configuration? If you don't have your gateway or DNS servers configured, FreeNAS won't be able to resolve the NTP pool IPs.

Response :- The default gateway I have as my router IP address, and nameservers as 8.8.8.8 and second as 8.8.4.4.

Response :- What I don't get is that I have a RedHat laptop and another Windows 10 laptop that can access without issue!??!

EDIT: For the certificate, never mind. I was thinking that viewing the certificate details showed you the parameters used to generate it.

Response :- Again, not aware of anything specific that I would have changed, as being a noob I would not want to risk it!
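As an added aside that is not part of the original thread: the test Nick2253 describes (is there a "*" system peer, has it answered its recent polls, is the offset small) written as a small Go program that parses the ntpq -p table quoted in this reply. The sample output is embedded from the post so the check runs offline; the one-second tolerance and the verdict wording are choices of this example, not anything from FreeNAS or ntpd.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// sampleNtpq is the "ntpq -p" output posted in this thread, embedded so the check runs offline.
// Columns: remote, refid, st, t, when, poll, reach, delay, offset, jitter.
const sampleNtpq = `     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*eggburt.positiv 85.199.214.100   2 u   28  128  377   28.988    3.424   2.023
+time.rdg.uk.as4 85.199.214.101   2 u    6  128  377   24.699    1.247   4.958
 x.ns.gin.ntt.ne 249.224.99.213   2 u 1010   64    0   31.417    4.201   0.000
`

// Peer is one row of ntpq -p.
type Peer struct {
	Tally    byte    // '*' = system peer the clock follows, '+' = candidate, ' ' = discarded
	Remote   string  // server name as displayed (ntpq truncates it)
	Stratum  int     // st column
	Reach    int     // reach column: an octal shift register of the last eight polls
	OffsetMs float64 // measured offset from that server, in milliseconds
}

// parseNtpq parses the text of "ntpq -p" into peers, skipping the two header lines.
func parseNtpq(out string) ([]Peer, error) {
	var peers []Peer
	for i, line := range strings.Split(out, "\n") {
		if i < 2 || strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Fields(line[1:]) // byte 0 is the tally character
		if len(fields) != 10 {
			return nil, fmt.Errorf("line %d: expected 10 columns, got %d", i+1, len(fields))
		}
		stratum, err := strconv.Atoi(fields[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad stratum %q", i+1, fields[2])
		}
		reach, err := strconv.ParseInt(fields[6], 8, 32) // ntpq prints reach in octal
		if err != nil {
			return nil, fmt.Errorf("line %d: bad reach %q", i+1, fields[6])
		}
		offset, err := strconv.ParseFloat(fields[8], 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad offset %q", i+1, fields[8])
		}
		peers = append(peers, Peer{Tally: line[0], Remote: fields[0], Stratum: stratum,
			Reach: int(reach), OffsetMs: offset})
	}
	return peers, nil
}

// clockVerdict decides whether the host's clock is good enough for certificate validation:
// ntpd must have chosen a system peer ('*'), that peer must have answered all of its last
// eight polls (reach 377) and the offset must be within tolMs. Certificate validity is
// measured in seconds, so a few milliseconds of offset is nothing to worry about.
func clockVerdict(peers []Peer, tolMs float64) (bool, string) {
	for _, p := range peers {
		if p.Tally != '*' {
			continue
		}
		if p.Reach != 0377 {
			return false, fmt.Sprintf("system peer %s is only partly reachable (reach %o)", p.Remote, p.Reach)
		}
		if math.Abs(p.OffsetMs) > tolMs {
			return false, fmt.Sprintf("system peer %s reports %.3f ms offset", p.Remote, p.OffsetMs)
		}
		return true, fmt.Sprintf("synced to %s (stratum %d), offset %.3f ms", p.Remote, p.Stratum, p.OffsetMs)
	}
	return false, "no system peer selected (no '*' row): ntpd has not synchronised yet"
}

func main() {
	peers, err := parseNtpq(sampleNtpq)
	if err != nil {
		panic(err)
	}
	ok, why := clockVerdict(peers, 1000) // tolerate up to one second (assumed tolerance)
	fmt.Println(ok, why)
}
```

On the posted output the verdict is "synced", which is what Nick2253 concludes in the next reply: the asterisk row has reach 377 and an offset of a few milliseconds, so the server clock is not the cause.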
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
It looks like your FreeNAS server is maintaining time properly.

what I don't get is I have RedHat Laptop and another Windows 10 laptop that can access without issue!??!
So, let me make sure I understand this: only this one Windows 10 laptop is having this problem? Your comment above about trying it from a 3rd Windows 10 laptop and still having problems made me think that everything was having this problem. If it's only the one Windows 10 laptop that's having an issue, we can probably narrow down our issues to the client side, and not the server side.

Are you by chance on a domain? It is possible that group policy settings are causing some of our problems. And that would explain why there are consistent issues with Windows machines.

I'd suggest that you do the following on the problematic Windows 10 laptop:
  1. Check the time and timezone, and make sure that it's correct. A spot check against https://www.time.gov/ is sufficient (click the arrows to change your timezone if that helps). If you're within a second or so, you're more than fine.
  2. Create a new user profile on the machine. Log in to this new user profile.
  3. Open a browser, and try connecting to FreeNAS.
If you can connect, this tells us the issue is with your Windows user profile, or your browser profile(s).
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
It looks like your FreeNAS server is maintaining time properly.


So, let me make sure I understand this: only this one Windows 10 laptop is having this problem? Your comment above about trying it from a 3rd Windows 10 laptop and still having problems made me think that everything was having this problem. If it's only the one Windows 10 laptop that's having an issue, we can probably narrow down our issues to the client side, and not the server side.

OK, sorry, wasn't clear on my part: 1 RH laptop (works fine), 1 Win10 laptop connects fine, 2 other Windows 10 laptops fail with the messages above.

Are you by chance on a domain? It is possible that group policy settings are causing some of our problems. And that would explain why there are consistent issues with Windows machines.

I'd suggest that you do the following on the problematic Windows 10 laptop:
  1. Check the time and timezone, and make sure that it's correct. A spot check against https://www.time.gov/ is sufficient (click the arrows to change your timezone if that helps). If you're within a second or so, you're more than fine.
  2. Create a new user profile on the machine. Log in to this new user profile.
  3. Open a browser, and try connecting to FreeNAS.
If you can connect, this tells us the issue is with your Windows user profile, or your browser profile(s).

1. First Windows 10 laptop using my Microsoft account connects OK.
2. Second Windows 10 laptop gives a CA unknown authority error but allows connecting (unsafe, using Chrome) using the same Microsoft account.
3. Third Windows 10 machine gives:
This site can’t provide a secure connection
192.168.0.225 sent an invalid response.

ERR_SSL_PROTOCOL_ERROR
again using the same Microsoft account.
4. RedHat works fine

Not aware of any Domain set other than that of Local in FreeNAS.
Many thanks again
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Also, when you reply, can you please separate out your replies from the quote? You can highlight some text, and a "reply" button will pop up, allowing you to add just that part to your reply. It's very difficult to parse your responses when they are embedded in the quoted post.
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Hi, yes, I have now attempted to connect to FreeNAS using another created user on the failing Windows 10 machine, with the same error as on the original:
This site can’t provide a secure connection
192.168.0.225 sent an invalid response.

ERR_SSL_PROTOCOL_ERROR
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Just to rule out any errors with your certificates, I'm going to suggest that we make a completely new CA and new certificates:

For your CA, use the following settings exactly (with one exception, replace freenas.local.domain with the FQDN of your FreeNAS server):
  • Name: testCA
  • Key length: 4096
  • Digest: SHA256
  • Lifetime: 3650
  • Country: United States
  • Locality: Test City
  • Organization: Test Org
  • Email: test@email.com
  • Common Name: freenas.local.domain
For the certificate, again, use the following settings exactly (with the same exception):
  • Signing Certificate Authority: testCA
  • Name: testCert
  • Key length: 2048
  • Digest: SHA256
  • Lifetime: 1825
  • Country: United States
  • Locality: Test City
  • Organization: Test Org
  • Email: test@email.com
  • Common Name: freenas.local.domain
Now, change the certificate setting in System->General to point at "testCert".
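The recipe above, as an added Go example that is not part of the original post or of FreeNAS: it uses only the standard library to build a CA and a server certificate with the key sizes, digest, lifetimes and subject values listed, then runs the checks a browser applies to that certificate for the situations this thread has been circling: CA not imported into the client's trust store, connecting by IP address instead of the certificate's name (the 192.168.0.225 address quoted earlier), and a client clock that is days off. The placeholder freenas.local.domain stands in for the real FQDN, the country is abbreviated to its ISO code, and one thing this example adds beyond the GUI settings listed is placing the FQDN in the Subject Alternative Name extension, which is what browsers actually match.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fqdn is the placeholder name from the post; a real deployment substitutes its own server name.
const fqdn = "freenas.local.domain"

// subject mirrors the subject fields from the post's test settings.
func subject(cn string) pkix.Name {
	return pkix.Name{Country: []string{"US"}, Locality: []string{"Test City"},
		Organization: []string{"Test Org"}, CommonName: cn}
}

// issue generates an RSA key of the given size and a certificate for tmpl signed by parent
// (self-signed when parent is nil); it returns the parsed certificate and its private key.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds "testCA": SHA-256 signature, 3650-day lifetime (the post uses a 4096-bit key;
// the size is a parameter so a test can use a smaller one).
func newCA(bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject(fqdn), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3650 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SignatureAlgorithm: x509.SHA256WithRSA,
	}, nil, nil, bits)
}

// newServerCert builds "testCert" signed by the CA: SHA-256, 1825-day lifetime (2048-bit key in the post).
// The FQDN goes into the SAN list as well as the CN, because browsers match on the SAN and ignore the CN.
func newServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: subject(fqdn), DNSNames: []string{fqdn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(1825 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, SignatureAlgorithm: x509.SHA256WithRSA,
	}, ca, caKey, bits)
}

// check applies the three tests a browser runs on a server certificate (chain to a trusted root,
// name match against what was typed in the address bar, validity window against the client's clock)
// and maps the outcome onto the symptom the thread has been seeing.
func check(leaf *x509.Certificate, roots *x509.CertPool, serverName string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown-authority" // CA not imported into this client's trust store
	case errors.As(err, &badName):
		return "hostname-mismatch" // the name in the address bar is not in the certificate
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "outside-validity-period" // usually a wrong clock on one side
	}
	return "other: " + err.Error()
}

func main() {
	ca, caKey, err := newCA(4096)
	if err != nil {
		panic(err)
	}
	leaf, _, err := newServerCert(ca, caKey, 2048)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	now := time.Now()
	fmt.Println("CA trusted, correct name:  ", check(leaf, trusted, fqdn, now))
	fmt.Println("CA not imported:           ", check(leaf, x509.NewCertPool(), fqdn, now))
	fmt.Println("browsing by IP address:    ", check(leaf, trusted, "192.168.0.225", now))
	fmt.Println("client clock two days slow:", check(leaf, trusted, fqdn, now.Add(-48*time.Hour)))
}
```

The second and third cases are the "unknown authority" and name-mismatch warnings a browser lets you click through; the clock case is the one NTP and a fresh motherboard battery address. None of them produces ERR_SSL_PROTOCOL_ERROR, which fails before the certificate is ever examined, so on a client where that check passes the problem lies elsewhere.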
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Thanks for the update. I did try this with similar results using those exact settings, but was unable to find my fully qualified domain name as it's on a home network. So I'm trying to add in the domain I use to connect externally into the server, lefrancis.co.uk. So I have set this on the FreeNAS server, General page. But alas, still no joy! For now it's bearable as I can access via 2 machines. So I think I must have something set incorrectly in the FreeNAS too. But for the life of me I cannot think of what it might be!
 

Attachments

  • System Info.jpg
    17.8 KB · Views: 376

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Do you own lefrancis.co.uk? If yes, then you can easily use that for your home "domain". This is a pretty advanced topic, but when you start getting into NASes and providing servers, I believe that it is worthwhile to configure a DNS, and make sure all your machines are set up with a proper host and domain. If you own lefrancis.co.uk, you could use the subdomain "local" for your home stuff, which would make your FQDN nsfnas.local.lefrancis.co.uk. (This is general best practice if you want to segregate your internal devices from your external devices. However, with a small home network, especially if you do not have any If you don't own lefrancis.co.uk, then you should not use a publicly addressable domain. Instead, use something like cygnus.lan, and your FreeNAS FQDN would be nsfnas.cygnus.lan.

In any event, I do not think this is your issue. In fact, I do not think your problem has anything to do with FreeNAS. To rule out any FreeNAS issue, I would recommend that you install FreeNAS on a new thumb drive (your data will not be touched in this process), import the following certificate, enable HTTPS, and attempt to connect. Just exit out of the startup wizard. Do not try to configure anything else whatsoever.

This certificate was generated from http://www.selfsignedcertificate.com/ as a self-signed certificate. DO NOT use this in a production environment.

Certificate
Code:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Key
Code:
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
 

cygnus

Explorer
Joined
Mar 20, 2012
Messages
73
Thanks, I'll certainly give that a go and see how I get on. I do own lefrancis.co.uk so that might be the best option. Thanks again for your patience and updates, it's really appreciated!
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
I do own lefrancis.co.uk so that might be the best option.

Then I would definitely use it (or a subdomain). Best practices for corporate domains recommend using a subdomain of a domain that you own (e.g. local.corp.com or ad.corp.com). Personally, I use my domain directly for my home network, because I find it easier to manage (then I don't have to worry about split horizon DNS and alt subject names for my certificates, etc.)

On the other hand, there is a school of thought out there that says you should use a fake or non-existent TLD for your internal resources (for example, lefrancis.lan or lefrancis.home). The argument as I understand it is basically: internal resources should be internal, and you want clear separation from external resources; furthermore, these are fake, so you don't have to pay anything.

However, here's the problem with that school of thought. First off, there's no guarantee that the domain you've selected will stay fake. For example, many sites recommended .home domains, but ICANN has gone through the bidding process and sold .home to a registrar (however, they have yet to start issuing domains due to the possible conflicts). If you were using .home, and ICANN releases the registrar to start issuing domains, you're going to be in a world of name collisions. Secondly, if you want local stuff to stay local, your pseudo domain provides no real security (just like with NAT). If you want to protect local resources, make sure you have a firewall configured to protect those resources.
 