Need help with x509: certificate signed by unknown authority

kakachen001

Cadet
Joined
Jan 19, 2021
Messages
1
I am trying to add a cloud credential for a MinIO server with SSL signed by Sectigo, but I am getting "x509: certificate signed by unknown authority". Does anyone know how to fix this error?
 

nostromo007

Cadet
Joined
Apr 23, 2021
Messages
3
Hi, I am having exactly the same problem. I have been searching for a solution in the forum and on the internet but couldn't find anything that I understand deeply enough. So I hope it is OK if I follow the existing thread. Otherwise, please tell me and I will open a new one.

In my case, I want to access another NAS I have no control over (a DSM one). I have access to it through WebDAV, and I want to keep a backup in my TrueNAS-12.0-U7. I can access it from my PC using a web browser or RaiDrive, but I would like to use a Cloud Sync task so TrueNAS can periodically do a cloud sync.
I am using Cloud Sync tasks with different providers such as Google or Dropbox, but when I try to do the same with this I get the error "x509: certificate signed by unknown authority" both while verifying the credential and when running the task.

I don't know how this should be solved. The owner of the DSM NAS sent me the certificate (from TrustCor), and I also got a copy of it through the web browser on my PC. I added it in the section System --> CAs --> Add --> Import CA. I have no private key, but I don't know if I should have one. So I just copied the certificate content and left the private key empty:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I am really lost on this issue. I have read a lot about CSRs and importing certificates and keys without understanding what I should do. Should I add it in System --> Certificates (a private key is required there)? Should I add a CSR (also requiring keys)? Similarly, I couldn't find a solution in the official documentation. Any help would be great.

I also understand that it probably has to do with my lack of knowledge about how certificates work, so any specific documentation that can guide me would be much appreciated.

Thanks in advance!
 

nostromo007

Cadet
Joined
Apr 23, 2021
Messages
3
Hi again, I have been trying some ideas found out there but without success.

- First I got a .cer certificate from the web browser and converted it to .crt
Code:
openssl x509 -inform PEM -in certificate.cer -out certificate.crt

- Followed this guide to install it in a FreeBSD system:
Guide to install a CA in FreeBSD

Unfortunately, although the process was ok, I could not solve the issue. Still could not connect successfully through verify cloud credential nor using
Code:
openssl s_client -connect website.local.url.com:port


Not sure if the certificate I got directly from my browser is the problem or this is not the right way.
 

nostromo007

Cadet
Joined
Apr 23, 2021
Messages
3
Finally solved! I found a solution that worked on TrueNAS, although I am not sure if it is the right one. But it works :)

The clue was in finding the right place for certificate info for a FreeBSD-based system, as TrueNAS is:

"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/ssl/cert.pem", // OpenBSD
"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/certs/ca-certificates.crt", // Solaris 11.2+

(got it from https://stackoverflow.com/questions...wn-authority-both-with-docker-and-with-github)

First uploaded the certificate to the NAS using this command:
Code:
scp filename username@ip_address:/home/username

(from this guide https://linuxhandbook.com/transfer-files-ssh/)

Then, as my certificate was not .crt, I converted it with the same command I used before
Code:
openssl x509 -inform PEM -in certificate.cer -out certificate.crt

(some info about here and here)

And then installed it following this:
Code:
openssl x509 -in startssl.crt -text >> /etc/ssl/cert.pem

(reference in https://forums.freebsd.org/threads/adding-certificate-to-ca_root_nss.51945/)

What is not making me feel right is that the process adds the certificate to that file, but it seems a kind of copy-paste at the end instead of the original file that seemed generated by the system.

My only concern now is whether the solution will survive a system reboot, as what I tried in the previous message disappeared after rebooting. Anyway, it works and could easily be done again afterward.

Hope this can be useful for others!
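
The error text in this thread is the message Go's crypto/x509 package returns when it cannot build a chain from the server certificate to a root in its trust bundle. The following added example (not part of the original posts; the certificates and the names ca.example.test and nas.example.test are constructed) reproduces the failure with an empty bundle and shows that appending the issuing CA's PEM block resolves it, even when an `openssl x509 -text` style dump precedes the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a constructed test certificate; a nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca,
		BasicConstraintsValid: true, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c, key
}

// Check verifies leaf for host against a PEM bundle; nil means the chain is trusted.
func Check(leaf *x509.Certificate, host string, bundlePEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // text outside BEGIN/END blocks is skipped
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("ca.example.test", true, nil, nil) // constructed CA
	leaf, _ := issue("nas.example.test", false, ca, caKey) // constructed server cert
	dump := append([]byte("Certificate:\n    Data: ...\n"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})...)
	fmt.Println(Check(leaf, "nas.example.test", nil), "|", Check(leaf, "nas.example.test", dump))
}
```

Only the issuing CA's certificate goes into the client's bundle; the client needs no private key to verify the server.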
 