Help on GUI SSL Certificate - Made my own CA and Certificate and can't delete them

jnew

I'm new to networking and NAS, and have been wrestling with TrueNAS for weeks on end now. I got a critical error related to the GUI SSL Certificate (something about not having a self signed key or something), so I went looking for a solution. There are a lot of posts relative to this subject in general, but so many are with old versions of FreeNAS and many were way too technical for me to follow. I found one where someone made their own dummy CA and Certificate to get rid of the error so I tried doing that, but now I can't get HTTPS to work and the system won't let me delete the dummy CA and Certificate I made.
I'm just trying to run a home network storage server to give me some storage space for my M1 MacBook Air that only has a 512 GB drive in it. I'm pretty worried about my NAS being secure now and would really appreciate it if someone would be willing to help talk me through getting myself out of the mess I've created and get my HTTPS working again. I'll attach some screenshots that might help understanding my mess.
I'm not a programmer, but I've been a computer user since the Commodore 64 came out and building my own desktop PCs since then. When it comes to networking, I have a lot to learn and I'm trying. Just need a helping hand so I can get my home NAS secure again. I really don't understand how certificates work and what they do. I've been looking on the internet, but not finding much on it. Looking at "Let's Encrypt" certificates as I've seen some threads on it just to learn, but I don't think it relates to my problem right now.
 

Attachments

  • System Certificates - Copy.jpg
  • System General Screen - Copy.jpg
  • System CAs Screen - Copy.jpg

sretalla

EDIT/Warning: contains incorrect information... read further in the thread for corrections.

OK, first a little discussion about what is secure...

If you're creating a self-signed certificate, you're at best just creating the perception (but more-or-less an incorrect one) that there's security there (since the key exchange must be done on the same network as the traffic it will be used to encrypt).

I would bring that back to why would you even want to encrypt in the first place...

Do you mistrust your own network? (maybe you're in some kind of shared space where the network is not only yours)

Do you have a firewall and have you configured it to protect your network from outside? (maybe you're not in control of that either)

If you feel that traffic between your PC and the TrueNAS server is at risk from snooping eyes (having answered yes and no respectively above), then I would strongly advise to use a letsencrypt certificate, which does a public/private key pair and therefore creates real security.

You may need to remove that certificate from the TrueNAS settings (System | General ... the first item on the page, set to ------) before you can delete it.
 

danb35

> you're at best just creating the perception (but more-or-less an incorrect one) that there's security there (since the key exchange must be done on the same network as the traffic it will be used to encrypt).

Huh? With TLS, key exchange is always done over an insecure network. That's one of the design principles of the system, that you can securely exchange keys over an insecure network. And a self-signed cert can, assuming limited use (e.g., only by you, the system's administrator) be more secure than one issued by a CA like Let's Encrypt (or others)--verify that it's the right cert, set the exception in the browser, and you're good to go. Only your system can ever present that cert.

> use a letsencrypt certificate, which does a public/private key pair and therefore creates real security.

You sound very confused. Every cert, by definition, uses a public/private key pair, commercial certs no more than self-signed (or local-CA-signed) ones. Every cert is used to encrypt traffic in exactly the same way (with irrelevant differences between RSA and ECC keys, etc., noted but ignored). The difference comes in how the end-user verifies that the cert belongs to the right entity. A self-signed cert says, "I'm $foo, take my word for it." A cert issued by, e.g., Let's Encrypt, has the CA saying, "that's $foo, I guarantee it." With lots of users, the latter is clearly preferable. But with a small userbase, the user can verify for himself that the cert coming over the wire is the same cert the NAS is using (e.g., he can compare cert fingerprints), and thereby confirm the identity for himself.
 

sretalla

Visit a website with a self-signed cert... get a prompt saying untrusted CA... select to trust it or ignore or whatever your browser allows... all of the things needed to use that cert just went over your network before you were using the public/private key pair.

Anyway, maybe I'm wrong.

I guess what I was trying to point out is that letsencrypt uses PKI for the public key exchange, so the private key isn't compromised.

OK, so apparently I've been drunk on the Kool-Aid... https://www.networkworld.com/articl...sl-certificates-as-insecure-as-they-say-.html
 

Patrick M. Hausen

> get a prompt saying untrusted CA... select to trust it or ignore or whatever your browser allows... all of the things needed to use that cert just went over your network before you were using the public/private key pair.

None of this goes over the network. Browser is presented a cert by the server and either accepts it or prompts the user, because it does not know the CA. No network interaction apart from the initial transmission of the cert. Which is exactly the same no matter what CA.
 

sretalla

I guess what I was thinking about was something like the item "DANGER #1" in this article https://revocent.com/resources/what-is-a-self-signed-certificate-and-how-does-it-work/

Where if you don't trust all devices (or their operators) on the network you're sharing, you're potentially vulnerable at the point of setup.

Anyway, we can all agree I was wrong in communicating what actually happens (and I updated my post to reflect that).
 

Patrick M. Hausen

And if you trust all "official" certification authorities you are facing the dilemma of Honest Achmed:



@jnew You can only remove a certificate after you deconfigured it from every place where it is used. The UI insists on always having SOME certificate present, even if you don't force the redirection from HTTP to HTTPS. So start fresh, create a new CA and cert, assign this, then you can delete the old one. Or create a self-signed certificate with openssl on the command line and import cert and key. Whatever suits you.
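
The openssl route mentioned in this post, combined with the fingerprint comparison suggested earlier in the thread, as an added example that is not part of any post here. The hostname `nas.home.lan` and the file names are assumptions; the script goes one step beyond the posts by also creating a second certificate with the same name, to show that only the fingerprint tells the two apart.

```bash
#!/usr/bin/env bash
# Added example. nas.home.lan and the file names are assumptions, not from the thread.
set -eu

# Create a self-signed certificate and unencrypted key for <hostname>.
make_self_signed() {   # usage: make_self_signed <hostname> <key-out> <cert-out>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate file (colon-separated hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Common Name the certificate claims for itself.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Fingerprint of whatever certificate <host>:<port> presents over the wire.
presented_fingerprint() {   # usage: presented_fingerprint <host> [port]
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True only when both files hold the very same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

demo() {
    dir=$(mktemp -d)
    make_self_signed nas.home.lan "$dir/nas.key" "$dir/nas.crt"      # the cert you import
    make_self_signed nas.home.lan "$dir/other.key" "$dir/other.crt"  # a different cert, same name
    echo "NAS cert:   CN=$(cert_subject_cn "$dir/nas.crt") $(cert_fingerprint "$dir/nas.crt")"
    echo "Other cert: CN=$(cert_subject_cn "$dir/other.crt") $(cert_fingerprint "$dir/other.crt")"
    if same_cert "$dir/nas.crt" "$dir/other.crt"; then
        echo "fingerprints match"
    else
        echo "same name, different fingerprint: do not accept"
    fi
    rm -rf "$dir"
}
demo
```

Against a running NAS, compare the output of `presented_fingerprint <host>` with `cert_fingerprint` run on the certificate file you imported before setting the browser exception.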
 

jnew

> EDIT/Warning: contains incorrect information... read further in the thread for corrections.
>
> OK, first a little discussion about what is secure...
>
> If you're creating a self-signed certificate, you're at best just creating the perception (but more-or-less an incorrect one) that there's security there (since the key exchange must be done on the same network as the traffic it will be used to encrypt).
>
> I would bring that back to why would you even want to encrypt in the first place...
>
> Do you mistrust your own network? (maybe you're in some kind of shared space where the network is not only yours)
>
> Do you have a firewall and have you configured it to protect your network from outside? (maybe you're not in control of that either)
>
> If you feel that traffic between your PC and the TrueNAS server is at risk from snooping eyes (having answered yes and no respectively above), then I would strongly advise to use a letsencrypt certificate, which does a public/private key pair and therefore creates real security.
>
> You may need to remove that certificate from the TrueNAS settings (System | General ... the first item on the page, set to ------) before you can delete it.

Thanks for the reply. Like I said, I'm just starting to learn about networking. I do trust that everything is secure within my home network, but I'm not nearly as confident about what gets in and out of my gateway/router. I do have a firewall in the gateway, and on all my computers EXCEPT the one I've dedicated to TrueNAS. I loaded and ran "Syncthing" for a short time, but removed it after I discovered that it was communicating with servers outside my home network. Obviously, I don't know how to look for that or to stop it but after I dug more into Syncthing docs I found that it did that. Had I known, I would never have loaded it. The other thing is the HTTPS redirect isn't working and never has for me. The GUI keeps connecting through HTTP and the browser gives me the warning that it isn't secure. So is it secure, or not? If it is, why does the browser tell me it's not? As I learn more through "doing" with the help of others on this forum I hope to learn more and more. I obviously need to seek out more knowledge on configuring firewalls. Again, hope that helps you understand where I'm coming from. Appreciate your comments.
 

jnew

From the threads so far, it sounds as though I maybe need to clarify what I am really concerned about. First, until I learn more about networking and security from the internet in general ... I would prefer for my NAS to only communicate within my home network. The very next thing I am going to try and do is develop an understanding of what is different between HTTP and HTTPS. Right now, I assume HTTPS helps protect against someone from the internet getting into my home NAS server and changing anything or getting into what's stored. Based on that, I would like to see my GUI connection use HTTPS which it never has.
Based on what I'm reading here, it sounds like I don't need to worry about it and I'm fine with HTTP connection to the GUI. It also sounds like I can't delete the self signed CA or Certificate, so I need to either reset the server or wipe the drive and reload everything fresh again.
I once had a boss that used to tell me that he was just asking what time it was, not how the watch worked. I guess that's kind of what I am asking here because the discussions about public/private key pairs and TLS are going over my head with my current level of knowledge and understanding.
Thanks in advance, I really do appreciate your input and advice ... if you could maybe just dumb it down a little bit for me?
 

Patrick M. Hausen

You should never expose TrueNAS to the Internet, not even over HTTPS. Always run it in your local LAN environment and only access via LAN. Don't open up any ports on your router to access your NAS.

When you feel comfortable with the basic settings and you decide you do need remote access over the Internet, there are various VPN options, that we can help you explore.

Now for that certificate: when you install TrueNAS, a self signed certificate is automatically generated and configured. If you want to delete the one you generated and the CA you created before that, you need to set the UI certificate back to the default one. You cannot have "no certificate at all" on TrueNAS. Even if you just use HTTP there will always be a HTTPS service configured that references a certificate. And you cannot delete certificates that are in use.

If you don't use any SSL enabled service, no HTTPS, no OpenVPN, there is absolutely no harm in having a CA and a cert lying around that you don't use. Just ignore it and you are fine as long as you keep all access to your LAN.
 

Patrick M. Hausen

Second, and possibly why you want to use HTTPS over HTTP, even on your LAN ... HTTPS is encrypted, HTTP is not. So when you login to your UI someone in the same LAN or Wifi can possibly read your admin password. If you use HTTPS that password is secure. Unless something more severe is going on, but at least it is not transmitted in clear text over your wires or Wifi.
 

sretalla

> The other thing, is the HTTPS redirect isn't working and never has for me. The GUI keeps connecting through HTTP and the browser gives me the warning that it isn't secure. So is it secure, or not?

The problem with self-signed certificates (which causes the browser to mark a site using HTTPS as "not secure") is that with DNS cache poisoning or other nefarious methods, it is possible to have some computers on the Internet pointed at different servers for a domain than the owners of that domain intend...

So if you're using your Service Provider's DNS and they did a bad job of securing it and someone who wanted to gain passwords for a company like "widgets.com" was able to use DNS poisoning to alter the DNS records that you are served to point at their server instead of the "real" widgets.com server... you show up with your browser to that fake server and see a website that to you looks just like the real one... and it even has a (self-signed) certificate that says it's from widgets.com (because anyone can create one of those)... hence your browser is telling you not to necessarily trust it because there's no way of knowing that your DNS wasn't poisoned...

Sounds convoluted, I know.

In the other version of the scenario, you visit the real website and see that it shows up as secure because the certificate isn't self-signed, it's signed by verisign or one of the other certification authorities... meaning the authority has confirmed (with some set of processes and rules) that the site really belongs to widgets.com and so issues the certificate with their stamp of authority on it.

As mentioned earlier in the thread, that doesn't mean that the traffic isn't encrypted in both cases... if you're connected to the wrong server with a self-signed certificate, you're still sending your password to that server in an encrypted conversation... problem is that the owners of the "wrong server" are able to see the entire conversation as they have the decryption key (since you're using their certificate).

If you want your browser to see the certificate you're using as valid, you have 2 choices...

1. Add the Certificate Authority record for the CA that generated your certificate to your computer or the browser itself... then the certificate isn't seen as self-signed, because the Certifying Authority can be confirmed

2. Create the certificate with something like letsencrypt (which has a publicly recognized CA), meaning it will not be a self-signed certificate, rather one signed by letsencrypt.
 

jnew

Gosh, wish I had been more patient and waited for these later posts. I thought I would try reloading TrueNAS, but this time with Windows 10 and a Docker container so that I could have maybe a bit more security. Unfortunately, I blew away my motherboard drivers apparently when I originally loaded TrueNAS. That could have been some of my problem, as the old pc had major issues with ethernet right off the bat when windows came up. Unfortunately, it is an old Intel board that they no longer support and instead of just leaving the drivers available for download they pulled them all. I can't find the CD that came with motherboard, and didn't have any luck finding them when searching the internet except for a bunch of raunchy websites that load junk software and want money to supposedly get your drivers for you. So I'm giving up on TrueNAS for awhile. I just bought a Synology DS220+ as a more cost effective way for me to get some experience with networking versus new motherboard, cpu, and memory. If I can ever find the drivers for my intel mb, then maybe I can give TrueNAS a shot again. Thanks to everyone that tried to help me!!!
 

Patrick M. Hausen

You cannot install TrueNAS on top of Windows 10 or as a Docker container. TrueNAS is a complete operating system running on bare hardware or in a type 1 hypervisor like ESXi. And in which way do you think this would add "security", anyway? What "security" do you feel is missing from TrueNAS?

Just reinstall. Then you can create a Windows 10 VM on top of TrueNAS!
 

danb35

> So I'm giving up on TrueNAS for awhile.

I'm sorry, but none of this makes any sense to me. Intel doesn't provide Windows drivers for your motherboard any more, so you're giving up on TrueNAS? And this somehow has something to do with the TLS certificate?
 