
AeonLucid

Report Comments posted by AeonLucid

  1. 6 hours ago, ljm42 said:

    It is very dangerous to tweak the nginx config, changes here have security implications and you are on your own if you do anything like this. Other parts of the system expect rc.nginx to behave a certain way so you may have unexpected issues by changing this file. I highly recommend that you do not do anything that exposes your webgui to the Internet after doing this, including our Remote Access solution.

     

    I understand, but I can easily comment them out, reboot and go back to stock. There is no intent to expose this to the internet or use the unraid remote access solution. I just want to use SSL with a local IP address, which is properly supported by SSL certificates.

     

    6 hours ago, ljm42 said:

    Security is a major focus for this release. Therefore, if you have enabled SSL, the certificate must match your server's settings, and the server will only respond on URLs that are configured in the certificate. Responding to URLs that are not configured undermines the security of the certificate.

     

    Yes I know that, which is why I am forcing the nginx configuration to use the IP address as server_name that I have configured inside my SNI certificate.

     

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    IP.1 = 192.168.1.2

     

    7 hours ago, ljm42 said:

    Even so, the system is quite flexible. You can provide your own self-signed or fully legit certificate. Or Unraid will generate a self-signed certificate for you, or you can provision a fully legit unraid.net certificate from Let's Encrypt. Or even a combination of the two, with one cert for local access and an unraid.net cert for remote access.

     

    There is no option to "provide your own self-signed" certificate. Which is why I had to patch the nginx script.

     

    7 hours ago, ljm42 said:

    As mentioned, the settings must match the certificate.

     

    It does, now.

     

    7 hours ago, ljm42 said:

    So if your certificate's subject is myunraid.mydomain.com, you just need to set your server's hostname to "myunraid" and your Local TLD to "mydomain.com".

     

    I want to use a local IP Address.

    • Like 1
  2. Updating to 6.10.0-rc2 from 6.9.2 broke my SSL and SSH setup.

     

    My self-signed certificate (for local SSL access) was overwritten by the new automatically generated certificate, and I am now forced to use the hostname + (optional) local TLD while I wish to use IP address access. I am not turning off SSL so I can access my server with an IP address. My first attempt to replace /boot/config/ssl/certs/Hostname_unraid_bundle.pem with my own bundle (signed by my own root CA so it is trusted) failed, and it got overwritten again. Can I please just use my own stuff?

     

    Regarding SSH, prior to updating I did migrate to the new way of providing authorized_keys. The file /boot/config/ssh/root/authorized_keys does contain my public keys, and I confirmed ~/.ssh/authorized_keys does as well. However, when I try to connect as before I get "Server refused our key".

     

    Edit: Using this comment by @maxstevens2 I created and put the following into my /boot/config/go file to disable the SSL certificate bundle overwrite and I also added something to get IP address access with SSL back. If you copy this, don't forget to replace the IP with yours.

    # Patch certificate bundle overwrite.
    sed -i 's/\[\[ \$SUBJECT != \$LANFQDN ]]/# Patched out by go script/g' /etc/rc.d/rc.nginx
    
    # Patch hostname redirect.
    sed -i 's/server_name \$LANFQDN;/server_name \$LANFQDN 192.168.1.2;/g' /etc/rc.d/rc.nginx

     

    Edit 2: Updating my SSH client fixed the SSH issues.
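Added example (not code from AeonLucid, ljm42 or Unraid): the openssl workflow behind what both comments above describe, a private root CA, a leaf certificate whose subjectAltName is the LAN IP (the [alt_names] block quoted in the first comment, with the IP parameterised and an extendedKeyUsage=serverAuth line added here), and a cert-plus-key bundle in the shape of the Hostname_unraid_bundle.pem file that the go-script patch in the second comment stops rc.nginx from overwriting. Assumptions: openssl 1.1.1 or newer on PATH, a writable scratch directory, the CA name "Home Lab Root CA", and the file names used below, all of which are illustrative. The verify_for helper uses openssl's own -verify_ip / -verify_hostname checks to confirm the certificate is accepted for the IP and rejected for anything else.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Unraid): issue a certificate for
# a LAN IP address from a private root CA, bundle it as cert + key in one PEM, and
# check with OpenSSL that the result validates for that IP and for nothing else.
# Assumptions: openssl 1.1.1 or newer on PATH; a writable work directory.
set -eu

# Issue a root CA and a leaf certificate whose only SAN is the given IP address.
# $1 = IP address, $2 = work directory.
make_ip_cert() {
    ip="$1"
    out="$2"
    mkdir -p "$out"

    # Private root CA. Clients trust ca.crt; explicit extensions mark it as a CA.
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home Lab Root CA
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$out/ca.cnf" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null

    # Leaf key and CSR. The CN is only informational; clients match on the SAN.
    cat > "$out/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ip
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$out/server.cnf" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null

    # v3 extensions for the leaf: the thread's [alt_names] block with the IP
    # parameterised, plus extendedKeyUsage=serverAuth (added here, not in the post).
    cat > "$out/server.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = $ip
EOF
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -days 825 -extfile "$out/server.ext" \
        -out "$out/server.crt" 2>/dev/null

    # Bundle in the shape Unraid keeps under /boot/config/ssl/certs: cert, then key.
    cat "$out/server.crt" "$out/server.key" > "$out/bundle.pem"
}

# Print the SAN extension of the issued leaf so the IP entry can be eyeballed.
cert_sans() {
    openssl x509 -in "$1/server.crt" -noout -ext subjectAltName
}

# Validate chain and name the way a client would after trusting ca.crt.
# $1 = work dir, $2 = "ip" or "host", $3 = value to check. Exit status is the verdict.
verify_for() {
    case "$2" in
        ip)   openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/server.crt" >/dev/null 2>&1 ;;
        host) openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/server.crt" >/dev/null 2>&1 ;;
        *)    return 2 ;;
    esac
}

# Count PEM blocks in the bundle: one CERTIFICATE and one PRIVATE KEY are expected.
bundle_blocks() {
    grep -c '^-----BEGIN ' "$1/bundle.pem"
}

# Demo run on a constructed scratch directory.
work=$(mktemp -d)
make_ip_cert 192.168.1.2 "$work"
cert_sans "$work"
verify_for "$work" ip 192.168.1.2 && echo "accepted for https://192.168.1.2/"
verify_for "$work" ip 10.0.0.1 || echo "rejected for 10.0.0.1 (not in SAN)"
rm -rf "$work"
```

Trust ca.crt on the clients, drop bundle.pem where the patched rc.nginx expects the bundle, and list the IP in server_name as the second sed line in the comment above does. One caveat worth knowing: openssl's -verify_hostname falls back to the CN only when the certificate carries no DNS SAN, and browsers never look at the CN at all, so it is the IP.1 entry, not the CN, that makes https://192.168.1.2/ validate.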
