Looking for dedicated, slightly masochistic BETA testers!

[reqlez]

Nope, can't reproduce that at all. Did you try to upload your own certificate, perhaps? If the cert you tried to use was malformed or in some way invalid, that would account for this too. If you did this at some point in the distant past, it would also be getting pulled forward with your upgrades. I would check!

nope brand new installs, i was actually thinking that maybe there is a new procedure to enable HTTPS in freenas because i could not get it to work, but it seems like i'm doing something during my set-ups that other people are not doing... I'll try to recreate and once i do ill consult whether i should file a ticket or not

 

[reqlez]

Nope, can't reproduce that at all. Did you try to upload your own certificate, perhaps? If the cert you tried to use was malformed or in some way invalid, that would account for this too. If you did this at some point in the distant past, it would also be getting pulled forward with your upgrades. I would check!

Okay VERY easy to reproduce, just follow my instructions here:

1. Install fresh Latest BETA ( june 3rd 2014 build ) from ISO.
2. First boot, on the console screen configure static IP, DNS and default gateway ( set DNS to ABC.local ) add DNS server 8.8.8.8 and 4.2.2.2
3. Without rebooting, go into the freenas UI, set a password when asked. rename the freenas box to fs1.ABC.local ( it will show as freenas.ABC.local ) click okay. set up a mirror Zpool.
4. Click under settings and now click on HTTP + HTTPS for the web UI option. Click save and reboot freenas.
5. When freenas boots, log into HTTP and look in the top right corner, the alert will turn yellow saying it reverted back to HTTP because there is a problem with certificate.

And let me know if i should create a ticket about this when done testing...

BONUS: Think that changing the hostname of freenas back to fs1.local instead of fs1.ABC.local and restarting will fix the issue ? Not so fast ... even if you clear and save the certificate under the SSL tab and reboot, SSL still doesn't work ... for all intents and purposes your freenas box is now bricked as far as SSL WEB UI goes ...

Scenario 2: Install fresh freenas from ISO, don't change any settings and just log in to address on DHCP, create a password when freenas asks and go directly to the HTTP + HTTPS option under settings, click save... after reboot ... STILL BROKEN !

So if nobody can recreate what i just tried, there are 4 possibilities:

A. I break everything I touch.

B. I have the ability to modify RAM contents with my mind during SSL cert creation without ECC ram noticing.

C. I live in the Matrix and this is all a dream.

D. There is a certain procedure that you have to do to enable SSL that was not required in previous freenas versions that I am not aware of.

 

[jkh]

Okay VERY easy to reproduce, just follow my instructions here:

OK, I followed your steps exactly with only one small exception, which is that I made sure that the WebGUI IPv4 address was set to the actual IPv4 address, since leaving it set to 0.0.0.0 would obviously be stupid, before hitting save in Settings->General and the box works just fine with http://IPADDR and https://IPADDR.

Obviously I can't use your exact DNS name since no machine I own (or anyone else owns, for that matter, since .local is reserved) is going to resolve fns1.ABC.local, but I did verify that the box responds to its IPv4 address over both HTTP and HTTPS. Sorry, I just can't reproduce this one!

 

[reqlez]

well ... thats the difference, i did not set the IP to the IP address, i left it at 0.0.0.0 because that means listen on all addresses ! ( and i guess now it makes sense, an SSL cert has to be bound to an IP address ... isn't it ? )

wait what do you mean .local is reserved ? it will resolve inside a local network ... if you have a DNS server set-up responding to ABC.local queries that is ...

 

[reqlez]

OK, I followed your steps exactly with only one small exception, which is that I made sure that the WebGUI IPv4 address was set to the actual IPv4 address, since leaving it set to 0.0.0.0 would obviously be stupid, before hitting save in Settings->General and the box works just fine with http://IPADDR and https://IPADDR.

Obviously I can't use your exact DNS name since no machine I own (or anyone else owns, for that matter, since .local is reserved) is going to resolve fns1.ABC.local, but I did verify that the box responds to its IPv4 address over both HTTP and HTTPS. Sorry, I just can't reproduce this one!

Okay ... so i just tried setting the WebIP4 to the IP address from DHCP instead of 0.0.0.0 and selecting the HTTP + HTTPS option... and guess what ... still get the error ... Do you want to see for yourself ? "HTTP SSL certificate is not valid, falling back to HTTP" thats logging in after a reboot.

Also just tried installing a fresh copy again, went to the options and set the WebIP4 address to the IP address of the NIC instead of 0.0.0.0, then clicked save. Then went and clicked on HTTP + HTTPS, clicked save ... no problem so far... then REBOOTED THE NAS... when logging in after reboot i see the dam warning message saying falling back to HTTP

Come over with team viewer when you have time, and i will show you that i'm not crazy ...

 

[jkh]

well ... thats the difference, i did not set the IP to the IP address, i left it at 0.0.0.0 because that means listen on all addresses ! ( and i guess now it makes sense, an SSL cert has to be bound to an IP address ... isn't it ? )

Yes.

wait what do you mean .local is reserved ? it will resolve inside a local network

FreeNAS uses mDNSResponder (Zeroconf) which reserves the .local namespace for its own use, same as for any Mac shop and indeed a lot of Windows networks. The .local domain is "magic" now and should not be used explicitly - see http://en.wikipedia.org/wiki/.local - specifically the section that says using .local, erm, locally has fallen into disfavor (and now violates RFC6762). Knock that off! :)

 

[reqlez]

Yes.


FreeNAS uses mDNSResponder (Zeroconf) which reserves the .local namespace for its own use, same as for any Mac shop and indeed a lot of Windows networks. The .local domain is "magic" now and should not be used explicitly - see http://en.wikipedia.org/wiki/.local - specifically the section that says using .local, erm, locally has fallen into disfavor (and now violates RFC6762). Knock that off! :)

well crap, i didn't know using .local was a bad idea, but then again i'm not setting up huge networks ( yet ). Please see the post I made above about restarting the NAS and checking if the SSL still works ;-)

 

[jkh]

Restarting my NAS with SSL enabled works totally fine. To be perfectly honest, I think we're into diminishing returns territory here. You have some weird practices that break SSL on FreeNAS, and that list of weird practices is only growing with each exchange such that I honestly don't want to know any more of the details. It's like going to one of those clubs in Amsterdam where you think you'll just see some standard, normal, run-of-the-mill perversions but as the show gets weirder and weirder, at some point you just have to cover your eyes and wait for the show to end because you just don't want to see any more. This thread is getting to the eye-covering stage. :)

 

[reqlez]

Restarting my NAS with SSL enabled works totally fine. To be perfectly honest, I think we're into diminishing returns territory here. You have some weird practices that break SSL on FreeNAS, and that list of weird practices is only growing with each exchange such that I honestly don't want to know any more of the details. It's like going to one of those clubs in Amsterdam where you think you'll just see some standard, normal, run-of-the-mill perversions but as the show gets weirder and weirder, at some point you just have to cover your eyes and wait for the show to end because you just don't want to see any more. This thread is getting to the eye-covering stage. :)

hahahaha... okay if you say so ... i'm going to try very hard to make SSL on freenas work ... how about this ... i want somebody to give me a step-by-step procedure and say "hey ... if you follow this, and restart your NAS... your SSL will work" cmon man my practices can't be that bad lol

 

[reqlez]

okay ... so ... can anybody besides Jordan try this ( he thinks i'm crazy ):

Install freenas beta build from June 3rd 2014 from ISO ( fresh version ).
When you arrive to freenas for first time, set the password and go in an add an interface and set a static IP for the NAS. Log in to the new static IP address ( don't reboot yet ).
Go to Settings, under WebIPv4 choose the static IP that you selected when you created the interface. Now choose "HTTP + HTTPS" for the protocol and click SAVE.
Check HTTPS://IP ... IT WILL WORK FINE.
Now reboot freenas and try going to HTTPS again ...

 

[Middling]

okay ... so ... can anybody besides Jordan try this ( he thinks i'm crazy ):

You're not crazy, but your process is unnecessarily complicated to reproduce the problem.

I've just checked the ISO (64bit) in virtualbox.

Steps to reproduce:

1). Install from ISO.
2). Connect to web gui (http).
3). Change root password as required on initial login.
4). In Settings/General/Protocol choose "HTTP + HTTPS" from drop down.
5). Click "Save" button.
6). Reboot.

Attempts to connect via HTTPS will fail. Login via HTTP will succeed and show the flashing "Alert" button (with the message "WARNING: HTTP SSL certificate is not valid, failling back to HTTP").

 

[reqlez]

You're not crazy, but your process is unnecessarily complicated to reproduce the problem.

I've just checked the ISO (64bit) in virtualbox.

Steps to reproduce:

1). Install from ISO.
2). Connect to web gui (http).
3). Change root password as required on initial login.
4). In Settings/General/Protocol choose "HTTP + HTTPS" from drop down.
5). Click "Save" button.
6). Reboot.

Attempts to connect via HTTPS will fail. Login via HTTP will succeed and show the flashing "Alert" button (with the message "WARNING: HTTP SSL certificate is not valid, failling back to HTTP").

OMG ! THANK YOUUUU... Anybody else care to try SSL on freenas ?

 

[Milkwerm]

My experience with the latest suggested good Beta has been entirely positive. https is working just fine. apart from some anoying "api_rpcTNP: \svcctl: SVCCTL_GETSERVICEKEYNAMEW failed" message in the console i havent been able to fault it.

as a side note... i may have behaved a bit Labrador puppy wee'd a little in excitement when i saw this.. http://download.freenas.org/nightlies/10.0.0/ALPHA/20140604/x64/

yay 10.0.0!!!!

 

[jkh]

Another good build to test: http://download.freenas.org/nightlies/9.2.1.6/BETA/20140607/

This build features some key improvements over the last "semi-official nightly" we asked everyone to test:

• Samba updated to 4.1.8, ldv to version 1.1.17, and tdb to version 1.3.0
• Netatalk updated to 3.1.2
• Added extra safety belts and sane ACL behavior for CIFS sharing.
  • Now when a ZFS dataset is created with the type set to Windows, or a Windows share is created on an existing dataset with "Apply Default Permissions" checked (a new GUI option in the CIFS sharing dialog), FreeNAS will make sure that the ACLs / ownerships are set properly for Windows and it will also make sure that the behavior of chmod(2) is set in ZFS such that it does not also destroy the Inherit, Delete or Delete Child ACLs whenever it's used.
• The ISO installation image can, in addition to being used as CD install media, can also be written to a USB device and booted directly now. To facilitate this, the installer now uses the GRUB boot manager.
• The .system dataset code has been completely refactored, hopefully addressing some of the reporting graph issues people have been seeing.

As always, a principle goal of 9.2.1.6 is to make CIFS more useable, and more bullet-proof, than in previous releases. Any emphasis on testing CIFS and AFP would therefore be appreciated!

Thanks!

The FreeNAS Development Team

 

[joeschmuck]

Good news, it's time for me to check out another nightly, been a few weeks since the last one I downloaded.

 

[reqlez]

kool will start testing... regarding the ACLs ... i deployed a CIFS shares for windows and mac pcs and used unix permissions and then went in and used setfacl to set the ACLs from shell since clients don't need to change permissions. Is that a shady way of doing it ? is this new option with the latest beta the way to go for a mixed windows/mac environment ? Or is this strictly for windows sharing only ?

 

[jkh]

kool will start testing... regarding the ACLs ... i deployed a CIFS shares for windows and mac pcs and used unix permissions and then went in and used setfacl to set the ACLs from shell since clients don't need to change permissions. Is that a shady way of doing it ? is this new option with the latest beta the way to go for a mixed windows/mac environment ? Or is this strictly for windows sharing only ?

Yes, that was shady. :) Also, it doesn't protect you from going back in with chmod and nuking the ACLs. The only good way of supporting mixed Windows / Mac environments now is either to create the dataset as a Windows (or Apple) dataset or, if it's already created, to select the "Apple Default Permissions" checkbox when you create a CIFS share for that dataset.

 

[andyclimb]

So going back to the beta ... nobody commented on my post regarding new versions of freenas ( don't know when that started ) not being able to enable HTTPS, every time i get warning that there is problem with certificate and it reverts back to HTTP. Maybe this should be addressed in the next release version ? or am i doing something wrong ? ( i basically make a new install, change the hostname, set-up IPs and then go and enable HTTP and HTTPS and then restart freenas, after boot ... you get the warning that it reverted back to HTTP

I've been getting this with versions : FreeNAS-9.2.1.5-RELEASE-x64 (80c1d35) and the one before.
I made a post about it here: http://forums.freenas.org/index.php...alid-failling-back-to-http.20712/#post-124294

I'm wondering if it is something to do with changing the hostname.

This error appears after a reboot, and as I can HTTPS to work by disabling it, and reenabling it, it is not something i keep wanting to do to my server to test, as every reboot requires a bunch of jail configurations... etc...

I'm going to try an run it in a virtual box to test. But you are definitely not alone! my web GUI address is bound to the right IP too, so its not that. I should say that its done it on a fresh install and from upgrades..

 

[jkh]

Another good build: http://download.freenas.org/nightlies/9.2.1.6/BETA/20140609/

We’re getting down to our last handful of bugs for 9.2.1.6-BETA (and very close to an “official BETA” release at this point). Nonetheless, the 20140609 build is a really good one and fixes a number of AD problems that crept in due to an incomplete merge from the master branch and also imports OpenSSL 0.9.8za, which fixes a number of security vulnerabilities.
See https://bugs.freenas.org/projects/freenas/issues?query_id=78 for a complete list of all bugs closed in 9.2.1.6 so far, 9 being closed today in this build alone (Hmm, 9 on 6/09 - nice symmetry!).

Thanks, as always, for your testing efforts - they’re all helping to make 9.2.1.6 a very good release!

 

[RoboKaren]

Yay on fixing the OpenSSL bug!