
Trouble Adding Certificate


joeschultz

I am trying to import a certificate from LetsEncrypt, but I keep receiving the error shown below. I am giving the Certificate a name, selecting "Import Certificate", NOT selecting "CSR exists on this system" (and leaving Signing CA blank by doing so), pasting the contents of cert.pem and privkey.pem, and there is no passphrase. Is there a known issue or am I missing something? Not sure which field is throwing an error saying "null not allowed".

Code:
Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 378, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 414, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 998, in nf
    args, kwargs = clean_and_validate_args(args, kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 992, in clean_and_validate_args
    raise verrors
middlewared.service_exception.ValidationErrors: [EINVAL] certificate_create: null not allowed


Thank you.
 

Samuel Tai

The null could be in any field. For the PEM cut-n-pastes, are you adding a blank line after the ending ----? For the cert name, are you using spaces in the name?
 

joeschultz

> The null could be in any field. For the PEM cut-n-pastes, are you adding a blank line after the ending ----? For the cert name, are you using spaces in the name?
No spaces in the certificate name. I am not adding a blank line after the "ending" (-----END PRIVATE KEY-----), and I've tried with and without including the BEGIN and END private key statements with no luck.
 

Samuel Tai

You'll need the BEGIN and END statements in both the private key and certificate fields.
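
The BEGIN/END requirement above can be checked before pasting into the import form. The following is an added example, not part of the original thread or of TrueNAS: `check_pem_field`, the label sets and the tiny sample block are assumptions made for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed placeholder: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"


def check_pem_field(text, allowed_labels):
    """Return a list of problems found in one pasted PEM form field."""
    if text is None or not text.strip():
        return ["field is empty"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no BEGIN/END lines found"]
    problems = []
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        if begin not in allowed_labels:
            problems.append(f"unexpected block type: {begin}")
        try:
            # Strict decode: stray characters from a bad paste raise an error.
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{begin}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append(f"{begin}: decoded body is not a DER SEQUENCE")
    if PEM_BLOCK.sub("", text).strip():
        problems.append("extra text outside the BEGIN/END lines")
    return problems


if __name__ == "__main__":
    print(check_pem_field(SAMPLE_CERT, CERT_LABELS))   # certificate field
    print(check_pem_field("MAMCAQA=", KEY_LABELS))     # key pasted without armor
```

An empty list means the field is structurally sound; it does not prove that the certificate and key belong together.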
 

GldnDuck

I am having the same issue on my latest attempt at 21.02 Scale. I have a CSR and the signed reply from a local Microsoft CA.
 

Samuel Tai

The only cert field that can't be NULL is the country. Do your certs have a country code applied?
 

ornias

Anyone created the Jira ticket or do I need to do it?

Yes I can confirm importing is broken.
(while working on implementing the new k8s certificate integration, so that is kinda annoying)


Code seems to indicate that this PR is the cause of this:
 

norjms

It is also affecting me. Using the same wildcard assigned to another system (TrueNAS-12.0-U2.1) and working fine.
 

ornias

After some talk, it seems IX is currently aware of the multitude of bugs/issues with the certificate system.
They are actively working on both expanding the system and fixing the issues, and are clearly aware this needs work.
 

kinvaris

Hi,

I've had this issue also on my test setup. I've been investigating what the exact issue is. First I thought it was located in the middleware which validates the input before executing the import.
But I saw that the frontend is sending null data through the websocket to the middleware, and then the middleware obviously flips off the frontend.

In the first image, you will see that the frontend is sending null data to the middleware when executing the method certificate.create
truenas_issue.png

In the second image, I captured the parameters of the creation of a user, which are correctly being pushed to the middleware.
truenas_issue2.png
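
The check described in the post above (looking at what the frontend actually sends for certificate.create) can be done on a frame copied from the browser's websocket inspector. This is an added example, not part of the original post: the frame below is constructed, and its field names and values are assumptions rather than a transcription of the screenshots.

```python
import json

# Constructed sample frame for certificate.create; field names and values are
# assumptions for illustration, not copied from the screenshots in the post.
CAPTURED_FRAME = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "msg": "method",
    "method": "certificate.create",
    "params": [{
        "name": "letsencrypt_import",
        "create_type": "CERTIFICATE_CREATE_IMPORTED",
        "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
        "privatekey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
        "passphrase": None,
        "cert_extensions": {"BasicConstraints": {"path_length": None}},
    }],
})


def find_nulls(value, path="params"):
    """Yield the path of every JSON null nested anywhere under value."""
    if value is None:
        yield path
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from find_nulls(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from find_nulls(item, f"{path}[{index}]")


def null_fields(frame_text, method="certificate.create"):
    """Return sorted null paths in a frame's params, or [] for other methods."""
    frame = json.loads(frame_text)
    if frame.get("msg") != "method" or frame.get("method") != method:
        return []
    return sorted(find_nulls(frame.get("params")))


if __name__ == "__main__":
    for path in null_fields(CAPTURED_FRAME):
        print("null sent at", path)
```

Listing the paths narrows down which field the backend's "null not allowed" refers to, which the validation error itself does not name.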
 

ornias

> In the first image, you will see that the frontend is sending null data to the middleware when executing the method certificate.create
> In the second image, I captured the parameters of the creation of a user, which are correctly being pushed to the middleware.
There were a multitude of these similar issues with the certificate UI, all of them are kinda the same grade of issue (null or wrong var type sent to middleware or from middleware to UI). 3 that I know of:
- Cloudflare not showing
- CSR not processing SAN correctly
- Can't add or import certificate (yours)

2 out of these 3 were fixed the last week-and-a-half... It just takes some time ;-)
When you have a whole bag of these "minimal effort bugs", it still takes a lot of time to go over all of them ;-)
 

ornias

I am just running in to the same issue, obviously now update yet.
Issues with letsencrypt are mostly solved in Nightly/master about 2 weeks ago.

It will take time to make it into release. First release with the fixes would be SCALE 21.04ALPHA
 

silverback

> Issues with letsencrypt are mostly solved in Nightly/master about 2 weeks ago.
>
> It will take time to make it into release. First release with the fixes would be SCALE 21.04ALPHA
Thank you for the certificate creation write-up on the Truecharts web site.

I believe I complied with the requirements.

I am using the latest nightly

I am unable to obtain a certificate for my domain with the following error:

return f(*args, **kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/crypto.py", line 1639, in __create_acme_certificate
final_order = self.middleware.call_sync('acme.issue_certificate', job, 25, data, csr_data)
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1266, in call_sync
return methodobj(*prepared_call.args)
File "/usr/lib/python3/dist-packages/middlewared/plugins/acme_protocol_/issue_cert.py", line 117, in issue_certificate
raise CallError(f'Certificate request for final order failed: {msg}')
middlewared.service_exception.CallError: [EFAULT] Certificate request for final order failed:
Authorization for identifier Identifier(typ=IdentifierType(dns), value='blabla.xyz') failed.
Here are the challenges that were not fulfilled:
Challenge Type: dns-01

Error information:
- Type: urn:ietf:params:acme:error:unauthorized
- Details: No TXT record found at _acme-challenge.blabla.xyz

I am able to create a certificate in the Traefik app with no TXT record.

Am I missing something with configuration in the Scale Certificate menu?

Thanks
 

ornias

> I am able to create a certificate in the Traefik app with no TXT record.
Our 21.04 and nightly versions of TrueCharts do have the option to generate certificates.
You should NOT be mixing the older versions of TrueCharts with the new method of generating certificates!

> I am able to create a certificate in the Traefik app with no TXT record.
>
> Am I missing something with configuration in the Scale Certificate menu?
>
> Thanks
Are you SURE your ACME DNS-Authenticator settings are correct?


It could be very likely you are creating conflicts by running a deprecated version of TrueCharts (for 21.02) with nightly, instead of a version of TrueCharts that is suited for 21.04.
 