How to manage CA trust store to blacklist expired cert

Status
Not open for further replies.

griest

Cadet
Joined
Oct 6, 2021
Messages
5
Due to a bug in OpenSSL 1.0.x and the fact that the update servers rely on an expired cert, I am not able to connect to the update servers or create jails. The problem is explained here. The workaround I wish to use is as follows:
Just remove the expired root certificate (DST Root CA X3) from the trust store used by the OpenSSL 1.0.2 TLS client to verify the identity of TLS servers. If the new ISRG Root X1 self-signed certificate isn’t already in the trust store, add it.

I have tried removing the expired cert from /etc/ssl/cert.pem, /etc/ssl/truenas_cacerts.pem, and /usr/local/etc/ssl/cert.pem, but it is re-added to those files when I reboot the system. What is the correct way to remove expired certs from the CA trust store?

Before you suggest upgrading to TrueNAS Core 12.x (which would fix the problem), I can't, I only have 8GB of RAM.
 
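As an added example (not code from this thread, from TrueNAS, or from FreeBSD's ca_root_nss port), here is a stdlib-only Python script that audits a PEM bundle such as /etc/ssl/cert.pem, reports each certificate's SHA-256 fingerprint and notAfter date, and produces a copy with expired roots removed. It parses only enough DER to reach the validity field and performs no signature checks. The sample bundle it ships with is constructed from unsigned stub certificates with illustrative dates, so it runs offline; the fingerprints it prints for kept certificates can be compared against the CA's published value to confirm that ISRG Root X1 is present. Run it against a copy of the bundle; because the files named above are regenerated at boot, the change only sticks if applied to whatever regenerates them.

```python
"""Audit a PEM CA bundle and drop expired roots (stdlib only; no signature checks)."""
import base64
import hashlib
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)           # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)         # serialNumber
    _, _, end = _tlv(der, end)             # signature AlgorithmIdentifier
    _, _, end = _tlv(der, end)             # issuer Name
    _, pos, _ = _tlv(der, end)             # validity SEQUENCE
    _, _, end = _tlv(der, pos)             # notBefore
    tag, start, end = _tlv(der, end)       # notAfter
    return _parse_time(tag, der[start:end])

def audit_bundle(text, now=None):
    """One dict per certificate: SHA-256 fingerprint of the DER, notAfter, expired flag."""
    now = now or datetime.now(timezone.utc)
    report = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode(m.group(1))  # b64decode drops the embedded newlines
        expiry = not_after(der)
        report.append({"sha256": hashlib.sha256(der).hexdigest(),
                       "not_after": expiry.isoformat(),
                       "expired": expiry < now,
                       "pem": m.group(0)})
    return report

def prune_expired(text, now=None):
    """Return (new_bundle_text, number_dropped) with expired certificates removed."""
    entries = audit_bundle(text, now)
    kept = [e["pem"] for e in entries if not e["expired"]]
    return "\n".join(kept) + ("\n" if kept else ""), len(entries) - len(kept)

def _der(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def stub_cert_pem(not_before, not_after_utc):
    """Constructed, UNSIGNED stub with a real TBS layout up to validity; sample data only."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                    # [0] version v3
               + _der(0x02, b"\x01")                              # serialNumber
               + _der(0x30, b"") + _der(0x30, b"")                # signature alg, issuer (empty)
               + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after_utc))  # validity
               + _der(0x30, b"") + _der(0x30, b""))               # subject, SPKI (empty)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # empty sig alg + BIT STRING
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body

# Constructed sample bundle: one root that expired on 2021-09-30 (the day DST Root CA X3
# expired) and one valid until 2035. Both are stubs; the dates are illustrative.
SAMPLE_BUNDLE = (stub_cert_pem(b"000930000000Z", b"210930140115Z") + "\n"
                 + stub_cert_pem(b"150604110438Z", b"350604110438Z") + "\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for e in audit_bundle(text):
        print("%s  notAfter=%s  %s" % (e["sha256"], e["not_after"], "EXPIRED" if e["expired"] else "ok"))
    new_text, n = prune_expired(text)
    print("dropped %d expired certificate(s); %d remain" % (n, len(PEM_RE.findall(new_text))))
```

Usage: `python3 prune_bundle.py /path/to/copy-of-cert.pem` prints the audit and a summary; without an argument it runs on the built-in sample. The DER walk follows the fixed field order of TBSCertificate (version, serialNumber, signature, issuer, validity), which is why it can stop parsing once it reaches notAfter; anything that reorders or truncates those fields will raise rather than silently pass.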

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
Before you suggest upgrading to TrueNAS Core 12.x (which would fix the problem), I can't, I only have 8GB of RAM.
That meets the minimum requirement for 12.0 (it hasn't changed since 9.3, at least).
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,466
Wow. Literally everything in that table is incorrect, if it's stated (as it is) as "absolute minimum required." It's a pretty good summary of "recommended," but that's not the same thing. Bug ticket here: https://jira.ixsystems.com/browse/NAS-112708

The RAM requirements for 12.x aren't appreciably different from 11.x, or even from 9.x. More RAM is better (for all of them), but 8 GB is safe so long as you aren't running much in the way of jails or VMs. But this really is orthogonal to your question.
 

griest

Cadet
Joined
Oct 6, 2021
Messages
5
More RAM is better (for all of them), but 8 GB is safe so long as you aren't running much in the way of jails or VMs. But this really is orthogonal to your question.

I'll be running 3 or 4 jails/plugins most likely. I thought TrueNAS Core would straight up refuse to install on 8GB, so I didn't even try. "Absolute minimum requirements" is fairly unambiguous. I guess I'll give it a try.

The blog post said to upgrade to TrueNAS Core without upgrading zpool feature flags. Is this an option that will be presented to me during an upgrade in the web GUI?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
"Absolute minimum requirements" is fairly unambiguous.
You'd be surprised how many people see the 8GB requirement and say to themselves (and us) "I bet I could do some serious file sharing, transcode in two jails at once and still fit in a VM with 4GB of RAM!".
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
Due to a bug in OpenSSL 1.0.x and the fact that the update servers rely on an expired cert, I am not able to connect to the update servers or create jails. The problem is explained here. The workaround I wish to use is as follows:

This is being discussed over at https://www.truenas.com/community/threads/system-update-not-working.95703/ and includes both a description of how to patch your ca-root-nss file and a download link to the latest version with DST Root X3 removed.

That meets the minimum requirement for 12.0 (it hasn't changed since 9.3, at least).

I'm the person who bumped the minimum RAM for ZFS up to 8GB years ago, and this was done in response to active panic and pool corruption events. Basically a combination of ARC stress, swapping of the middleware, etc., created an untenable situation for people trying to run the system on 4GB RAM, and people who were wish-figuring their systems for minimal RAM were getting spanked for it in the most awful way -- pool corruption/loss.

I have not been seeing such problems with 8GB systems reported here on the forums, and I am somewhat sensitive to these things. I can assure you that 8GB is probably uncomfortably tight for a minimal TrueNAS system, and you can be certain it won't run particularly well. I don't know that I'd advise jails or plugins. However, unless you do something that really tanks it like trying to put dozens of TBs in your pool, I wouldn't expect catastrophic failures, merely "this is very painful" type annoyance. You really cannot do things like VMs, though, since these eat real RAM and do not share nicely with ZFS.

The blog post said to upgrade to TrueNAS Core without upgrading zpool feature flags. Is this an option that will be presented to me during an upgrade in the web GUI?

No. FreeNAS/TrueNAS will never upgrade your feature flags on its own. You have to manually command this to happen. This is an admonition against doing so (perhaps to clear the alert that FreeNAS/TrueNAS *will* give you) until you are absolutely certain that you WILL not revert. The experienced among us suggest that you wait months, possibly a year or two.
 

griest

Cadet
Joined
Oct 6, 2021
Messages
5
This is being discussed over at https://www.truenas.com/community/threads/system-update-not-working.95703/ and includes both a description of how to patch your ca-root-nss file and a download link to the latest version with DST Root X3 removed.

Ah nice, I'll refer to that then; sorry to make a duplicate thread. I did do a cursory search but didn't find that thread...

I can assure you that 8GB is probably uncomfortably tight for a minimal TrueNAS system, and you can be certain it won't run particularly well. I don't know that I'd advise jails or plugins. However, unless you do something that really tanks it like trying to put dozens of TBs in your pool, I wouldn't expect catastrophic failures, merely "this is very painful" type annoyance.

Yeah... it's a recycled 2012 gaming build... I can upgrade to 32GB once Zen 4 is released and I build a new workstation. I have a 30TB-ish pool right now, which I know is on the limit.

Does TrueNAS Core 12 have noticeably higher memory usage than FreeNAS 11? If I'm on the limit I might have to avoid upgrading until I can get better hardware.
 

griest

Cadet
Joined
Oct 6, 2021
Messages
5
Does TrueNAS Core 12 have noticeably higher memory usage than FreeNAS 11? If I'm on the limit I might have to avoid upgrading until I can get better hardware.

Actually, nvm, that was already answered. You can consider this thread closed.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
Ah nice, I'll refer to that then; sorry to make a duplicate thread. I did do a cursory search but didn't find that thread...

No worries. The searching here is a bit of a mess, which is one of the reasons I'm trying to gently nudge things towards a single thread. I figure lots of us discussing it in one place is a LOT more useful than half a dozen different threads.

Does TrueNAS Core 12 have noticeably higher memory usage than FreeNAS 11? If I'm on the limit I might have to avoid upgrading until I can get better hardware.

I think the overall trend is that the middleware and OS are somewhat larger than they used to be. I still see running an 8GB system with a modest amount of disk as being (probably) quite feasible, and if you were running lightweight jails, that's probably okay, but getting into bigger RAM-hoggy things like large jails, VMs, or having lots of disk (which increases the ARC stress) is probably not wise.

I am sure that there's been lots of people who have misinterpreted "8GB" to mean "yes you can run big jails and some 2GB VMs and many terabytes of disk on 8GB!" and who have complained upstream to iX. I am totally on board with the idea of 16GB as a recommended minimum, and there's a lot to be said for that, but you can make the same dumb mistakes at 16GB that you can make at 8GB -- so if you can listen to what I'm saying, I'm giving you the pain points and what to watch for, and there's a good chance you can have success at 8GB if you play the game the way I'm suggesting.

Of course, on the other hand, I'm just some random green guy out on the Internet. I'm not an iX employee, and your recourse against me if things blow up is limited to a cash refund of the amount you paid for this advice.

Actually, nvm, that was already answered. You can consider this thread closed.

I'm going to close it just for the sake of encouraging the SSL discussion to move, if that's okay. If you need anything else, message me and it can be reopened.
 