Joining Core in Truenas not possible because of "x509: unsupported elliptic curve"

hjboven

Cadet
Seem to be unable to connect a Core system to TrueCommand. The 2 other Scale systems connect fine however.
Searching the forum & Google did not get me anywhere and a fresh Core system delivered the same problem.

Has anyone encountered and hopefully solved this?

Error is:
System offline: failed to WebSocket dial: failed to send handshake request: Get "https://xx.xx.xx.xx:443/websocket": tls: failed to parse certificate from server: x509: unsupported elliptic curve

Core system: TrueNAS-13.0-U3.1
Scale system: TrueNAS-SCALE-22.12.2
TrueCommand Cloud from IX Systems

Regards
Henk
 

idzgen

Cadet
Hi

It may already be too late.
This is how I resolved a similar error when adding scale to command.

Simply put, add it on port 80, with "do not require SSL" and "set root password".

Specifically,
・Uncheck [Administration]-[SSL Options]-[Require SSL for all connections] in TrueCommand.
・On the scale to be added, in [Credentials]-[Local Users], turn off [Disable Password] in the root edit and set the root password.
In this state, select [NEW SYSTEM] in TrueCommand and enter the root password with port "80" to add.

*Please note that this is not a security measure of any kind.

I hope this is helpful....
 

Ericloewe

Server Wrangler
Moderator
That sounds like taking a sledgehammer to a problem that needs a screwdriver. Surely updating both TrueCommand and TrueNAS would make both endpoints happy?
 

danb35

Hall of Famer
> Surely updating both TrueCommand and TrueNAS
...but TrueCommand isn't under OP's control; it's the Cloud version from iX. And OP is reporting a pretty current version of CORE.
 

ZWelch

iXsystems
I believe this is due to Go not supporting Brainpool EC curves. I don't know why that is, given OpenSSL3 does, which is what TC and TrueNAS use. Despite adding custom definitions for the curves to the TLS library, the issue still persists from the NAS HTTP server. It appears TLS v1.3 does not support Brainpool curves at all, as explicitly providing the full output of `openssl ecparam -list_curves` to NGINX and forcing client and server side usage of TLS v1.2 enabled a successful TLS handshake. There's a TrueNAS ticket about this here.

Unfortunately, this seems to come about as both CORE and SCALE have brainpool available for building a certificate, and I believe SCALE has it as a default option. I'd just use SECP curves from here on out, or you can connect via port `80` as a previous commenter suggested. This error came about by defaulting to TLS on TC in the first place.
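
Added example, not part of the thread and not TrueCommand or TrueNAS code: a Go check that reads the named curve from a DER certificate with `encoding/asn1` alone, so it still works on the Brainpool certificates that `crypto/x509` refuses with "x509: unsupported elliptic curve". `CurveOf`, `SampleCert` and the struct types are hypothetical names, and the sample certificates are constructed, unsigned skeletons rather than certificates from a real NAS.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var goCurves = map[string]string{"1.3.132.0.33": "secp224r1", "1.2.840.10045.3.1.7": "prime256v1",
	"1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"} // the four curves Go's crypto/x509 parses
var brainpool = map[string]string{"1.3.36.3.3.2.8.1.1.7": "brainpoolP256r1",
	"1.3.36.3.3.2.8.1.1.11": "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.13": "brainpoolP512r1"} // RFC 5639
type spki struct{ Alg pkix.AlgorithmIdentifier; Key asn1.BitString }
type tbs struct { // leading TBSCertificate fields; encoding/asn1 tolerates the trailing extensions
	Version                                   int `asn1:"optional,explicit,default:0,tag:0"`
	Serial, SigAlg, Issuer, Validity, Subject asn1.RawValue
	SPKI                                      spki
}
type cert struct{ TBS tbs; SigAlg asn1.RawValue; Sig asn1.BitString }

// CurveOf reports the key's named curve and whether Go's crypto/x509 would parse it.
func CurveOf(der []byte) (string, bool, error) {
	var c cert
	var curve asn1.ObjectIdentifier
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return "", false, fmt.Errorf("not a DER certificate: %w", err)
	}
	if _, err := asn1.Unmarshal(c.TBS.SPKI.Alg.Parameters.FullBytes, &curve); err != nil {
		return "", false, fmt.Errorf("key type %v has no EC named curve", c.TBS.SPKI.Alg.Algorithm)
	}
	if n, ok := goCurves[curve.String()]; ok {
		return n, true, nil
	}
	if n, ok := brainpool[curve.String()]; ok {
		return n, false, nil
	}
	return curve.String(), false, nil // unknown curve: report the raw OID
}

// SampleCert builds a constructed, unsigned skeleton certificate whose EC key names curve oid.
func SampleCert(oid asn1.ObjectIdentifier) []byte {
	p, _ := asn1.Marshal(oid)
	n, ecKey := asn1.NullRawValue, asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} // NULL placeholder, id-ecPublicKey
	alg := pkix.AlgorithmIdentifier{Algorithm: ecKey, Parameters: asn1.RawValue{FullBytes: p}}
	der, _ := asn1.Marshal(cert{tbs{2, n, n, n, n, n, spki{alg, asn1.BitString{}}}, n, asn1.BitString{}})
	return der
}

func main() {
	fmt.Println(CurveOf(SampleCert(asn1.ObjectIdentifier{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}))) // brainpoolP256r1 false <nil>
}
```

For a certificate exported from the NAS as PEM, decode it with `encoding/pem` first and pass the block's bytes to `CurveOf`; a `false` result means the certificate should be reissued on a SECP curve before the system is added over TLS.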
 