Hi everyone, I am a new user of FreeNAS and have been pulling my hair out with the following certificate issue.
My environment has a Windows 2019 PKI (Offline Root, Enterprise Subordinate).
I have followed the below steps:
- Generated a CSR request via the FreeNAS web GUI (11.3-RELEASE-p7).
- Issued a Web certificate using the advanced certificate request
- Created a text file containing full chain of certificates (From top to bottom, Web cert, Sub CA, Root CA)
- Imported Certificate to FreeNAS
- Updated GUI SSL certificate to the New Cert
The strange thing is that when you look at the cert via Chrome, all certs in the chain report as "OK".
From the FreeNAS shell I have run the command "openssl s_client -showcerts -connect <myserver>:<ssl_port>" which gives me the error: "Verify return code: 19 (self signed certificate in certificate chain)"
Some reading tells me this is the case because a RootCA is always self signed. I therefore added the RootCA to the local store by running the following command "openssl x509 -in <Crt File> -text >> /etc/ssl/cert.pem"
Now when I run the command "openssl s_client -showcerts -connect <myserver>:<ssl_port>" there are no errors. However I am still receiving the original error within Chrome.
I feel as though I am very close to cracking it. Any thoughts?
Thanks,
Rich
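
The verification behaviour described in the post, reproduced offline as an added example (not part of the original post): a bundle in web cert, Sub CA, Root CA order fails with error 19 while the client does not trust the root, and verifies once the root is supplied as a trust anchor. The demo PKI, the `demo-*` names, the file names and the function names are all constructed for illustration; an `openssl` CLI of version 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Constructed demo PKI (root -> sub CA -> web cert); every name here is made up.
make_demo_chain() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root sub web; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root; the root signs the sub CA; the sub CA signs the web cert.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/web.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
    -CAcreateserial -days 2 -out "$d/web.crt" 2>/dev/null || return 1
  # Same order as in the post: web cert, Sub CA, Root CA.
  cat "$d/web.crt" "$d/sub.crt" "$d/root.crt" > "$d/fullchain.pem"
}

# Split a PEM bundle and check that each certificate is issued by the next one.
chain_order_ok() {  # $1 = bundle, $2 = empty scratch directory
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/part" n ".pem")}' "$1"
  i=1
  while [ -f "$2/part$((i + 1)).pem" ]; do
    iss=$(openssl x509 -noout -issuer_hash -in "$2/part$i.pem") || return 1
    sub=$(openssl x509 -noout -subject_hash -in "$2/part$((i + 1)).pem") || return 1
    [ "$iss" = "$sub" ] || return 1
    i=$((i + 1))
  done
}

# Verify the web cert as a TLS client would: the bundle the server sends is
# untrusted input, and the root counts only when the client already trusts it.
verify_web() {  # $1 = working directory, $2 = "trusted" or anything else
  if [ "$2" = trusted ]; then
    openssl verify -no-CApath -CAfile "$1/root.crt" \
      -untrusted "$1/fullchain.pem" "$1/web.crt" 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
      -untrusted "$1/fullchain.pem" "$1/web.crt" 2>&1
  fi
}

if [ "${1:-}" = demo ]; then  # run as: sh chain_demo.sh demo
  t=$(mktemp -d) && make_demo_chain "$t" && mkdir "$t/parts" || exit 1
  chain_order_ok "$t/fullchain.pem" "$t/parts" && echo "bundle order OK"
  verify_web "$t" untrusted || true   # expect error 19
  verify_web "$t" trusted             # expect OK
fi
```

`chain_order_ok` can also be pointed at a real bundle file, given an empty scratch directory as its second argument.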