GUI certificate issues again

Status
Not open for further replies.

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
I'm trying to understand what I have missed, and how to fix this.

The setup is a clean install of 9.10.2-u1 on a small LAN. There's no DNS or AD server locally (devices are identified by IP/MAC/NetBIOS name). I set up a CA and certificate for the GUI, and it's reliably accessible using https only (worth it even on a LAN, and especially as I eventually plan to expose FTP externally via a public IP). Obviously a self-signed cert can't really validate identity and will throw a warning about website trust, but that's not so much of an issue anyway, since the server is being accessed from one of 3 selected IPs allowed by the firewall via a public IP which is linked to the house, or accessed by a private IP from within the house. I'm not too worried about someone substituting a spoof device with the same IP on the LAN, so for my purposes it seems good enough.

My question is that somehow I'm misconfiguring the CA or certificate, and I don't know how to diagnose or fix it. I can access the GUI from Internet Explorer with a warning, but Firefox flatly refuses to connect and doesn't offer the usual "Advanced->Create exception" option. How can I fix this?
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> I'm trying to understand what I have missed, and how to fix this.
>
> The setup is a clean install of 9.10.2-u1 on a small LAN. There's no DNS or AD server locally (devices are identified by IP/MAC/NetBIOS name). I set up a CA and certificate for the GUI, and it's reliably accessible using https only (worth it even on a LAN, and especially as I eventually plan to expose FTP externally via a public IP). Obviously a self-signed cert can't really validate identity and will throw a warning about website trust, but that's not so much of an issue anyway, since the server is being accessed from one of 3 selected IPs allowed by the firewall via a public IP which is linked to the house, or accessed by a private IP from within the house. I'm not too worried about someone substituting a spoof device with the same IP on the LAN, so for my purposes it seems good enough.
>
> My question is that somehow I'm misconfiguring the CA or certificate, and I don't know how to diagnose or fix it. I can access the GUI from Internet Explorer with a warning, but Firefox flatly refuses to connect and doesn't offer the usual "Advanced->Create exception" option. How can I fix this?
I use self-signed certificates on my FreeNAS 9.10.2-U1 servers... Did you load your CA certificate in System->CAs, using Import CA?

Here are screenshots of my certificate setup:
[screenshot: certs-ca.jpg]

[screenshot: certs-certificate.jpg]
 

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
> I use self-signed certificates on my FreeNAS 9.10.2-U1 servers... Did you load your CA certificate in System->CAs, using Import CA?
I created the CA on-board using "CAs->Create internal CA", then created the certificate using "Certificates->Create internal certificate".

Import didn't seem relevant as, unlike yours (which says "Internal=NO"), mine was generated internally within FreeNAS and automatically recognised in the FreeNAS GUI that way; there's no external referent. (Which can't be the problem, as I also use pfSense, which also generates its own internal CA and doesn't have this problem, but I'm not sure of the difference or what I'm doing wrong in FreeNAS.)

How can I trace and resolve this issue?
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> I created the CA on-board using "CAs->Create internal CA", then created the certificate using "Certificates->Create internal certificate".
>
> Import didn't seem relevant as, unlike yours (which says "Internal=NO"), mine was generated internally within FreeNAS and automatically recognised in the FreeNAS GUI that way; there's no external referent. (Which can't be the problem, as I also use pfSense, which also generates its own internal CA and doesn't have this problem, but I'm not sure of the difference or what I'm doing wrong in FreeNAS.)
>
> How can I trace and resolve this issue?
Hmmm... did you use the default values for key length (2048) and digest algorithm (SHA256) when you created the internal CA?

I fired up my VirtualBox-hosted FreeNAS 9.10 instance just now and created both an internal CA and certificate for the web GUI and it 'just worked' when I opened it with Firefox, i.e., I had to create an exception, but it gave me the opportunity to do so.

I remember that Oracle 11g comes out-of-the-box with a certificate that's unusable with modern browsers, but I can't remember the specific problems. It may have been the key length.
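A quick way to check the two parameters Spearfoot asks about (key length and digest) on the certificate the GUI actually serves, added here as an example and not taken from the thread or from FreeNAS itself. It assumes `openssl` is installed on the client machine; the host 192.168.1.10 in the usage comment is a made-up placeholder.

```shell
#!/bin/sh
# fetch_cert HOST [PORT]: write the PEM certificate the web GUI presents to stdout.
# Usage: fetch_cert 192.168.1.10 > gui.pem && cert_report gui.pem
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# cert_report CERT.pem: print the RSA key size, the signature digest and whether a
# subjectAltName is present, e.g. "bits=2048 sigalg=sha256WithRSAEncryption san=yes".
cert_report() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    # "Public-Key: (2048 bit)" in OpenSSL 3.x, "RSA Public-Key: (2048 bit)" in 1.1.x
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm: \(.*\)$/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then san=yes; else san=no; fi
    printf 'bits=%s sigalg=%s san=%s\n' "$bits" "$sigalg" "$san"
}

# cert_ok CERT.pem: succeed only when the cert matches the FreeNAS defaults the thread
# recommends (key of at least 2048 bits, SHA-2 family signature); fail otherwise.
cert_ok() {
    report=$(cert_report "$1") || return 1
    bits=${report#bits=}; bits=${bits%% *}
    case "$report" in
        *sigalg=sha256*|*sigalg=sha384*|*sigalg=sha512*) ;;
        *) return 1 ;;
    esac
    [ "$bits" -ge 2048 ]
}
```

A certificate that fails `cert_ok` (short key or SHA-1/MD5 signature) is a likely reason for Firefox refusing the connection outright rather than offering an exception.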
 