surfrock66
I am using TrueNAS Core 12. I have tried and failed to get an SSL certificate to install from my separate certificate authority and am seeking some guidance.
Background: I have easy-rsa installed on an Ubuntu server, acting as my CA. The root certificate has been installed on my client machines, and separately registered in Chrome. I have validated that Chrome recognizes the certificates issued by this CA via other services and Apache sites.
I do NOT want TrueNAS acting as my CA, which I know it can do. That being said, I have followed steps which would result in that, and still it has not worked.
No process I have tried in TrueNAS' GUI has allowed for successful import or installation of a certificate. First, I imported the root CA cert, separately I have imported the root cert AND Private Key (which would enable TrueNAS to be the CA, which I don't want). Neither of these mattered down the line.
First, I tried generating a CSR in the TrueNAS GUI. Once I did that, I exported it and imported it into my CA. I signed it, then took the resulting certificate and imported it in the TrueNAS Certificates GUI. I tried this several times, sometimes acknowledging that the CSR was on the host with "CSR exists on this system" and sometimes not. When not, I included the private key. If I did this, selected the new cert in the "General" tab, then restarted the web UI, the cert failed to validate. One curious thing: I could not get the entry for the original CSR to ever register as signed, even when a new import of a cert with the same key and CSR was also in the list.
Then, I tried generating a whole separate CSR on the CA (which is my preferred situation). I generated a private key in OpenSSL and a CSR, imported the CSR in TrueNAS, and imported the resulting cert. After switching to it, same thing. It says "common name invalid" though the cert shows the correct common name.
I do not believe, when importing the cert, it is correctly linking with the CA cert, thus the chain is not validating properly. I do not see in the GUI how to do this for an imported CSR/cert. I have validated that the cert and key validate each other in OpenSSL, and sites using certs from the same CA (in Apache and other services) validate fine in Chrome, but something about this isn't working. Is this a thing where rather than inputting the root certificate separately, I should concatenate them into a chain file?
In the Apache site with the working cert from my CA, if I do "openssl s_client -CApath /etc/ssl/certs/ -connect testsite.subdomain.domain.com:443" I get a chain like this in the output:
Certificate chain
 0 s:C = US, ST = California, L = City, O = OrgName, OU = domain, CN = testsite.subdomain.domain.com, emailAddress = sysnotice@domain.com
   i:CN = subdomain.domain.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 18:06:07 2022 GMT; NotAfter: Nov 25 18:06:07 2024 GMT
 1 s:CN = subdomain.domain.com
   i:CN = subdomain.domain.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 22 22:23:14 2022 GMT; NotAfter: Aug 19 22:23:14 2032 GMT
But if I do the same for the NAS, I get this, with no CA cert in the chain:
Certificate chain
 0 s:C = US, ST = California, L = City, O = OrgName, OU = domain Homelab, CN = nas-2.subdomain.domain.com
   i:CN = subdomain.domain.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:59:36 2022 GMT; NotAfter: Nov 25 22:59:36 2024 GMT
Ultimately, I have a CSR, key, cert and root cert issued from my root CA. Is there any advice for how to get those pieces into TrueNAS?
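The checks behind the question above (does the key pair with the cert, does the cert chain to the CA, does the hostname match, and what a leaf-plus-CA bundle looks like), as an added example that is not from the post or from TrueNAS. It assumes the openssl CLI is installed; the CA, key and hostname nas.example.test are throwaway values constructed in a temp directory.

```shell
# Added example: offline checks to run on a CA-issued cert before importing it.
# A throwaway CA stands in for the easy-rsa CA; nas.example.test is a placeholder.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA (constructed; plays the role of the Ubuntu easy-rsa CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ca.example.test" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# Key and CSR generated outside TrueNAS, then signed by the CA. The SAN matters:
# browsers ignore the CN, so a cert carrying only a CN fails hostname checks.
openssl req -newkey rsa:2048 -nodes -subj "/CN=nas.example.test" \
  -keyout nas.key -out nas.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:nas.example.test\n' > san.ext
openssl x509 -req -in nas.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
  -extfile san.ext -out nas.crt >/dev/null 2>&1

# Check 1: the private key pairs with the cert (compare public-key digests).
key_matches_cert() {  # $1=cert  $2=key
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Check 2: the cert chains to the CA you expect.
chain_validates() {  # $1=cert  $2=CA cert
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: the name clients connect to matches the cert's SAN.
hostname_matches() {  # $1=cert  $2=CA cert  $3=hostname
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# The bundle a server presents: leaf first, then the issuing CA. This is the
# difference between the one-entry chain seen from the NAS and the two-entry
# chain seen from Apache in the s_client output above.
build_chain() {  # $1=cert  $2=CA cert  $3=output; prints the cert count in the bundle
  cat "$1" "$2" > "$3"
  grep -c 'BEGIN CERTIFICATE' "$3"
}

key_matches_cert nas.crt nas.key && echo "key/cert pair: ok"
chain_validates nas.crt ca.crt && echo "chain to CA: ok"
hostname_matches nas.crt ca.crt nas.example.test && echo "hostname: ok"
echo "certs in bundle: $(build_chain nas.crt ca.crt nas-chain.pem)"
```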