How to renew TrueNAS certificate?

Durandal (Explorer, joined Nov 18, 2013, 54 messages)
Hi,

Been having some strange problems with my TrueNAS. In the alerts, I get the "Certificate 'freenas_default' has expired." error. When I check the certificates, I see that the current certificate is from 2013 and lasts to 2015. I have no clue as to why the certificate is a couple of years old. Is there any easy way of renewing or replacing it?



Running TrueNAS-12.0-U6.1.

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
Well, you could always generate a new cert through the UI, which would probably be the easiest way to go. My answer for some time had been to get certs from Let's Encrypt and use a script to install them (see https://www.truenas.com/community/resources/lets-encrypt-with-freenas-11-1-and-later.82/), and more recently I've been using an internal CA to issue more short-lived certs (more on that here: https://www.truenas.com/community/r...from-a-local-certificate-authority.170/), but both of those methods are going to be a bit more work to set up.

Durandal (Explorer, joined Nov 18, 2013, 54 messages)
Thanks for the info! Let's Encrypt is on the way, but that is for another day. The second link you posted does not work. I've also read through the documentation on the certificates, but I cannot find anything about generating a new internal certificate?

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
> I cannot find anything about generating a new internal certificate?
First go to System -> CAs -> Add. Type defaults to Internal CA; fill out the remaining fields as desired.

Then go to System -> Certificates -> Add, set the Type to Internal Certificate. Set the Signing Certificate Authority to the one you just created. Fill out the other fields as desired.

You can now select that new cert for whatever you had been using the default cert for, then delete the default cert.

Durandal (Explorer, joined Nov 18, 2013, 54 messages)
That's the exact info I needed, big thanks! A new certificate is created, but it seems hard to get rid of the old one. Some services on the machine are dependent on it. Getting the following error message:

Error: Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 367, in run
await self.future
File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 405, in __run_body
rv = await self.middleware.run_in_thread(self.method, *([self] + args))
File "/usr/local/lib/python3.9/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 52, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 979, in nf
return f(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/crypto.py", line 2063, in do_delete
self.middleware.call_sync('certificate.check_dependencies', id)
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1272, in call_sync
return self.run_coroutine(methodobj(*prepared_call.args))
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1312, in run_coroutine
return fut.result()
File "/usr/local/lib/python3.9/concurrent/futures/_base.py", line 438, in result
return self.__get_result()
File "/usr/local/lib/python3.9/concurrent/futures/_base.py", line 390, in __get_result
raise self._exception
File "/usr/local/lib/python3.9/site-packages/middlewared/service.py", line 598, in check_dependencies
raise CallError('This object is being used by other objects', errno.EBUSY,
middlewared.service_exception.CallError: [EBUSY] This object is being used by other objects

Sorry, I don't want you to hold my hand here, but how would I remove the old one the easiest way, do you think?

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
I'd say it's worth a bug report in any event, as a "normal" or expected error shouldn't raise a traceback; it should rather raise a nice GUI-fied error message (that really should tell you which service(s) is/are still using that cert). Failing that, you'll have to go digging; find whatever service is using the freenas-default cert and change it to use your new cert. The most likely candidate is the GUI itself; you can change that in System -> General. Other than that, FTP can use a cert. So can OpenVPN (client and server). So can S3 and WebDAV. I think that's it, but I'm not sure.
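An added check, not from the thread or from TrueNAS itself, that a defender can run on a schedule to catch an expiring or still-self-signed UI certificate before the alert fires. It uses only the Python standard library; the sample cert dicts are constructed to mirror the expired default cert described above, and the host name, CA file and certificate names are assumptions.

```python
import socket
import ssl

# Constructed sample modelled on the expired, self-signed 'freenas_default'
# cert from the thread (2013 to 2015); values are illustrative, not real.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("organizationName", "iXsystems"),), (("commonName", "freenas_default"),)),
    "issuer": ((("organizationName", "iXsystems"),), (("commonName", "freenas_default"),)),
    "notBefore": "Nov 18 12:00:00 2013 GMT",
    "notAfter": "Nov 18 12:00:00 2015 GMT",
}
# Constructed sample of a cert issued by an internal CA (hypothetical names).
SAMPLE_INTERNAL_CERT = {
    "subject": ((("commonName", "truenas.example.lan"),),),
    "issuer": ((("commonName", "home-internal-ca"),),),
    "notBefore": "Dec  8 00:00:00 2021 GMT",
    "notAfter": "Dec  8 00:00:00 2022 GMT",
}

def _name_field(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def cert_status(cert, now_ts, warn_days=30):
    """Summarise a getpeercert() dict at epoch time now_ts: expired, expiring
    within warn_days, and self-signed (subject == issuer, as the shipped default is)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now_ts) // 86400)
    return {
        "common_name": _name_field(cert["subject"], "commonName"),
        "issuer": _name_field(cert["issuer"], "commonName"),
        "self_signed": cert["subject"] == cert["issuer"],
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left < warn_days,
        "days_left": days_left,
    }

def fetch_cert(host, port=443, ca_file=None):
    """Fetch the live cert dict, verifying against ca_file (the internal CA's PEM,
    exported from System -> CAs) instead of the system store. A cert the CA did not
    issue, or one already expired, raises ssl.SSLCertVerificationError: the signal to act."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Feed `fetch_cert("truenas.example.lan", ca_file="internal-ca.pem")` into `cert_status` with `time.time()` and alert on `expired`, `renew_soon` or `self_signed`.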

Durandal (Explorer, joined Nov 18, 2013, 54 messages)

It worked just by changing the certificate the web interface was using. Thanks a lot for all the help, all related problems are now gone!

Ludensen (Cadet, joined Mar 12, 2016, 6 messages)
Consider it done, and thank you for your posts!

BSD-wishes
Tom Ludensen

PS.
Report made through the TrueNAS interface. Jira is HEAVY! During bug searching it crashed the browser tab several times...
Hopefully I still "played by the rules"...