Web GUI inaccessible after configuring incorrect SSL key

Status
Not open for further replies.

dscott

Dabbler
Joined
Dec 24, 2011
Messages
15
After upgrading to 8.2.0-RELEASE-p1-x64 recently I thought I'd try configuring my own SSL cert using the web GUI again after reading that the previous issues with this feature had been resolved. Unfortunately I've managed to lock myself out of the GUI by using an incorrect key! The GUI is configured to use SSL and it's no longer accessible. I try using HTTP instead and it reverts (understandably) to HTTPS during the login process.

I found the cert and key files in /etc/ssl/freenas/nginx and edited them with the correct contents for my SSL cert, but they got overwritten again on reboot (I assume from the details stored in the config DB?)

Other than restoring the config from a previously saved backup, is there an easy way to either allow me to manually enter the correct key file contents or configure the GUI to be served over HTTP rather than HTTPS?

Thanks in advance for your help.
 

dscott

Dabbler
Joined
Dec 24, 2011
Messages
15
Is anyone able to help with this please?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Hahah, no one wants to break you worse.

I don't have an 8.2 system here; did they switch to nginx? On this older system they're using lighttpd. In your situation, I'd just log in on the console, edit /usr/local/etc/lighttpd/lighttpd.conf the way I wanted, do a "ps" to get the FreeNAS invocation, kill the FreeNAS invocation, and then run it by hand with the same flags. Assuming it was properly edited, that'd let me back in on a non-SSL connection, and I'd then upload the correct cert this time.
 

dscott

Dabbler
Joined
Dec 24, 2011
Messages
15
Thanks for the reply jgreco.

Yes - they have switched from lighttpd to nginx in 8.2.

What you say makes sense... however, looking at the config in /usr/local/etc/nginx/nginx.conf, it only appears to be configured to listen on port 80 with all the SSL related config commented out.

I can hit the web server on port 80, but it always redirects to https. If I try to log in using http it then redirects to a page reporting:

Forbidden (403)
CSRF verification failed. Request aborted.

I've tried changing the port to 443 and uncommenting the SSL related config, pointing it at the correct .crt and .key files and restarting nginx, but it complains when I try to request a page:

SSl Connection Error
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error

So, it looks like I am stuck in limbo between the nginx config telling it to do one thing and the FreeNAS web GUI config telling it to do another (i.e. redirect to https if accessed over http). And I can't work out how to easily get the two in sync again.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Try this, just for grins.

1) Reboot. Just to clear up any mess you've made. :)

2) Install the correct certs like you did in your initial post. DO NOT REBOOT.

3) Do a "ps agxlww | grep nginx" to see how FreeNAS ran it. Kill it.

4) Start nginx with the same args FreeNAS did.

One would kind of expect this would work, but it's just a guess.
 

dscott

Dabbler
Joined
Dec 24, 2011
Messages
15
Thanks.

I tried that and it still didn't work. It seems to revert the nginx.conf file to non-SSL if the cert/key combination is invalid, even though the web GUI config thinks it is being served over https. (Is there a startup script which generates the nginx.conf based on whether a valid SSL configuration exists?) Updating the cert/key files to be consistent therefore has no effect because the nginx config is still non-SSL.

In the end I restored a saved config back to /data/freenas-v1.db, rebooted and confirmed I could get into the web GUI (using the auto generated SSL cert). Then I set my own SSL cert/key and restarted nginx - and everything is good again :)

I'm sure this would have been repairable somehow but in the end it was just quicker and easier to restore the backup config.

Thanks for your help anyway.
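
Added example, not part of the thread or of FreeNAS: a console check that a certificate and private key actually belong together, run before saving them in the GUI so a mismatched pair never reaches the config DB. It assumes an OpenSSL new enough to have the `pkey` subcommand (1.0.0 or later) and an unencrypted PEM key; the function name `cert_key_match` is made up for this example.

```shell
#!/bin/sh
# Added example: compare the public key inside a certificate with the
# public key derived from a private key. Works for RSA and EC keys.
# Assumptions: "openssl pkey" is available and the key is unencrypted PEM.

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
    cert_file=$1
    key_file=$2

    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2

    # Public key derived from the private key. "-passin pass:" makes an
    # encrypted key fail here instead of prompting for a passphrase.
    key_pub=$(openssl pkey -in "$key_file" -pubout -passin pass: 2>/dev/null) || return 2

    # Empty output means the file was not a usable PEM object.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Command-line use: sh check.sh <certificate.pem> <private-key.pem>
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
    rc=$?
    case $rc in
        0) echo "OK: certificate and key match" ;;
        1) echo "MISMATCH: this key does not belong to this certificate" ;;
        *) echo "ERROR: could not parse certificate or key" ;;
    esac
    exit "$rc"
fi
```

Running it against the pair you are about to paste into the GUI, and only saving when it reports a match, avoids the lockout described in the first post.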
 