Problems enabling HTTPS with CA generated cert

Status
Not open for further replies.

errmatt

Dabbler
Joined
Jun 3, 2014
Messages
16
So I'm trying to set up HTTPS on my 9.10 FreeNAS box. I have an MS AD integrated CA with an offline root and an online issuing CA that I am using to issue a certificate. I loaded the Certificates section and generated a CSR. I used the text of the CSR to request a new certificate from the CA, utilizing a "general web server" template I already have configured. I went and approved that certificate request on the issuing CA, and then downloaded the certificate chain file (p7b) from the issuing CA. Next, I opened the p7b file in Windows cert manager, and exported out the individual certs for the CA, Intermediate/Issuing, and the FreeNAS certificate into Base 64 encoded .cer files.

Next, I opened up the FreeNAS certificate and copied/pasted the contents of the issued certificate (just the one cert, not the Issuing or CA cert) into the waiting "Certificate" spot in the CSR in the web GUI and saved it. It is now listed as a proper certificate in the Certificates section, with the Issuer type "external" and all the correct identifying information. If I view it, I can see the private key section filled out and the Certificate section filled out. However, when I move to the "General" page and drop down the Certificates menu, it is not in the list. If I try to enable "HTTP + HTTPS" it complains that I have not selected a certificate. I can't, because despite it being listed in the "Certificates" section, it is not in the drop down on the general page.

Things I have tried/verified:
1. I restarted nginx and django with "service restart nginx" and "service restart django" from the shell
2. I rebooted the whole FreeNAS system, just because
3. I verified that my certificate, key and CSR are all in /etc/certificates with the name (I chose WebHTTPS for an identifier/name, so they are named "WebHTTPS.crt", "WebHTTPS.key" and "WebHTTPS.csr").
4. I used OpenSSL to verify the MD5 of the .crt against the .key; they are the same.
5. I tried creating a chain, by pasting first the host's Base 64 certificate text, then the Intermediate/Issuing base64 certificate text, then the Root CA base64 certificate text in when populating the "Certificate" section. This creates a certificate just fine, but still does not make it appear in the dropdown list to select for HTTPS (or HTTP + HTTPS) in the General tab.

What am I missing here? I'm certainly open to the idea that my certificate template is not generating a cert that FreeNAS likes, but how can I tell? Are there other steps I'm not aware of to get the certificate to show up in the drop down? Help!
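The checks from items 4 and 5 of the post above (the certificate pairs with its key, and the host certificate chains through the issuing CA to the root), as an added shell example that is not part of the original thread. The function names and the throwaway sample chain are constructed for illustration, and the `openssl` command-line tool is assumed to be on the PATH; the checks confirm the files are consistent and do not diagnose the drop-down behaviour itself.

```shell
#!/bin/sh
# Added example: consistency checks for a CA-issued certificate before import.

# True when certificate $1 and private key $2 contain the same public key.
# Compares the public keys directly, so it works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when leaf $3 chains through issuing CA $2 to root $1 and is acceptable
# as a TLS server certificate (key usage / extended key usage are checked).
chain_verifies() {
    openssl verify -purpose sslserver -CAfile "$1" -untrusted "$2" "$3" 2>&1 |
        grep -q ': OK$'
}

# Helper: new key + CSR named $2 with common name $3 in directory $1.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build a throwaway root -> issuing -> leaf chain in directory $1 (constructed
# sample data standing in for the offline root / issuing CA in the post).
make_sample_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -extensions v3_ca -subj '/CN=Sample Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d" issuing 'Sample Issuing CA' &&
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/ca.cnf" \
        -extensions v3_ca -out "$d/issuing.pem" 2>/dev/null &&
    new_csr "$d" leaf 'nas.example.test' &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" \
        -CAkey "$d/issuing.key" -CAcreateserial -days 2 \
        -out "$d/leaf.pem" 2>/dev/null
}
```

Against the files named in the post, the first check would be called as `cert_matches_key /etc/certificates/WebHTTPS.crt /etc/certificates/WebHTTPS.key`.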
 

dlavigne

Guest
Which build version of FreeNAS (from System -> Information)?
 

dlavigne

Guest
Please create a bug report at bugs.freenas.org and post the issue number here.
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
Did you try importing your CA certificate into the FreeNAS server in System->CAs->Import CA?

I use self-signed certificates on my two FreeNAS boxes. I import the CA certificate and then import the certificate with System->Certificates->Import Certificate. I realize you have a bona fide CA instead of a roll-your-own like mine, but the situations may be analogous.

 
Joined
Jun 1, 2016
Messages
2
I'm having a similar issue. I generated a CSR in System->Certificates->Create certificate signing request. I then signed my certificate with an external CA and edited the CSR in FreeNAS. I entered both the certificate (chained) and the private key.

The certificate is correctly showing at the System->Certificates tab with all information correct. Similar to another FreeNAS instance I'm running. However, the list of certificates to choose from at the General tab (for https) is not populated and is only showing '------'. A reboot of my machine did not make a difference.

Perhaps a bug indeed?
 
Joined
Jun 1, 2016
Messages
2
The assigned bug for this issue is https://bugs.freenas.org/issues/21395. Unfortunately, it does not have a high priority while I'm unable to get to my FreeNAS web interface over https (it's insecure right now).

Does anybody know where I can find the query which is used to ask the SQLite database for the list of certificates? I want to know how this bug happens :).
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
(it's insecure right now).
Why do you care if it's on your LAN? If it's a big enterprise network, it should probably only be accessible from a restricted management VLAN, anyway.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Ericloewe Even if a device is on a LAN, regardless if it's a router or a server, it should always be accessed via HTTPS if a password is required anywhere, otherwise passwords are sent via plain text.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Hence the management VLAN. Sure, best practices and all, but security is only useful if you can get things done.
In other words, don't let a less than optimal solution paralyze you.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677