Steviewunda
Posted January 8, 2022

Hi - I'm getting a warning about an invalid certificate from Fix Common Problems (screenshots attached). Do I simply change the Local TLD on the Management Settings page to "Tower.local" instead of just "local"?

ljm42
Posted January 8, 2022

Ah, you hit a bug. We need to update the test to do a case-insensitive compare of Tower.local to TOWER.local. You don't need to make any changes on your end.

Evil Tactician
Posted January 9, 2022

Good to know, I was getting this as well.

Steviewunda (Author)
Posted January 9, 2022 (Solution)

Thanks Squid - that did the trick

xta101
Posted January 10, 2022

I'm seeing a similar warning, but with a slightly different setup. My domain is set up as "DOMAINNAME.local" within my router.

I currently have set:
Settings > Management Access > Local TLD: DOMAINNAME.local
Settings > Management Access > Use SSL/TLS: Auto

For the Server's name, I have:
Settings > Identification > Server name: SERVER

During the last Fix Common Problems run, I got the warning that lists:

Your SERVER_unraid_bundle.pem certificate is for 'SERVER.local' but your system's hostname is 'SERVER.DOMAINNAME.local'. Either adjust the system name and local TLD to match the certificate, or get a certificate that matches your settings. Even if things generally work now, this mismatch could cause issues in future versions of Unraid. The local TLD can be adjusted here

As the message indicates, things are currently working, but I'd like to avoid any future issues. Trying to understand how this works and how to resolve. Should "Server name" and "Local TLD" be adjusted in Unraid? Should I not be using "DOMAINNAME.local" on my router?

Thanks in advance!

ljm42
Posted January 10, 2022

2 hours ago, xta101 said:
> I'm seeing a similar warning, but with a slightly different setup. My domain is set up as "DOMAINNAME.local" within my router.
>
> I currently have set:
> Settings > Management Access > Local TLD: DOMAINNAME.local
> Settings > Management Access > Use SSL/TLS: Auto
>
> For the Server's name, I have:
> Settings > Identification > Server name: SERVER
>
> During the last Fix Common Problems run, I got the warning that lists:
>
> Your SERVER_unraid_bundle.pem certificate is for 'SERVER.local' but your system's hostname is 'SERVER.DOMAINNAME.local'. Either adjust the system name and local TLD to match the certificate, or get a certificate that matches your settings. Even if things generally work now, this mismatch could cause issues in future versions of Unraid. The local TLD can be adjusted here
>
> As the message indicates, things are currently working, but I'd like to avoid any future issues. Trying to understand how this works and how to resolve. Should "Server name" and "Local TLD" be adjusted in Unraid? Should I not be using "DOMAINNAME.local" on my router?
>
> Thanks in advance!

Did the system autogenerate SERVER_unraid_bundle.pem or did you create it?

Based on your settings, the server's hostname is 'SERVER.DOMAINNAME.local', but the certificate is for 'SERVER.local'. Those need to match. Which url is correct for accessing your server?

nerdzero
Posted January 10, 2022 (edited)

I'm also seeing a similar warning message, also with a slightly different setup.

I currently have the following set in Unraid:
Settings > Management Access > Local TLD: local
Settings > Management Access > Use SSL/TLS: Auto

For the Server's name, I have:
Settings > Identification > Server name: PHOENIX

My last Fix Common Problems run resulted in this warning:

Your PHOENIX_unraid_bundle.pem certificate is for 'Phoenix.local' but your system's hostname is 'PHOENIX.local'. Either adjust the system name and local TLD to match the certificate, or get a certificate that matches your settings. Even if things generally work now, this mismatch could cause issues in future versions of Unraid.

Things are currently working as expected, but I'd like to avoid any future issues.

Edited May 29, 2022 by nerdzero: Fixed a formatting error

ljm42
Posted January 10, 2022

26 minutes ago, nerdzero said:
> Your PHOENIX_unraid_bundle.pem certificate is for 'Phoenix.local' but your system's hostname is 'PHOENIX.local'.

This is an error with our test; the next version of Fix Common Problems will fix this. It should be doing a case-insensitive match since 'Phoenix.local' and 'PHOENIX.local' are the same as far as DNS is concerned.

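The comparison described in the post above, as an added example that is not part of the original thread and is not the Fix Common Problems plugin's code: a shell check that treats 'Phoenix.local' and 'PHOENIX.local' as equal while still flagging 'SERVER.local' against 'SERVER.DOMAINNAME.local'. The function names are hypothetical, and the wildcard rule goes beyond the cases in the thread.

```bash
#!/bin/bash
# Added example, not the Fix Common Problems plugin's code.

# Lower-case a name and drop one trailing dot: DNS names are case-insensitive.
normalize() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# name_matches CERT_NAME HOSTNAME: exit 0 when the certificate name covers the host.
# A leading "*." stands for exactly one left-most label (assumed wildcard rule).
name_matches() {
  _c=$(normalize "$1"); _h=$(normalize "$2")
  [ "$_c" = "$_h" ] && return 0
  case "$_c" in
    \*.*) [ "$_h" != "${_h#*.}" ] && [ "${_c#\*.}" = "${_h#*.}" ] ;;
    *)    return 1 ;;
  esac
}

# cert_names PEM_FILE: print the subject CN and each DNS subjectAltName, one per line.
# Needs OpenSSL 1.1.1 or later for -ext.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# check_cert PEM_FILE HOSTNAME: exit 0 when any name in the certificate covers HOSTNAME.
check_cert() {
  _names=$(cert_names "$1")
  while IFS= read -r _n; do
    if name_matches "$_n" "$2"; then echo "OK: '$_n' covers '$2'"; return 0; fi
  done <<EOF
$_names
EOF
  echo "MISMATCH: no name in $1 covers '$2'"; return 1
}

# Constructed pairs taken from the warnings quoted in this thread.
for pair in 'Phoenix.local PHOENIX.local' 'SERVER.local SERVER.DOMAINNAME.local'; do
  set -- $pair
  if name_matches "$1" "$2"; then echo "match:    $1 / $2"; else echo "mismatch: $1 / $2"; fi
done
# On the server: check_cert /boot/config/ssl/certs/SERVER_unraid_bundle.pem SERVER.DOMAINNAME.local
```
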
xta101
Posted January 10, 2022

43 minutes ago, ljm42 said:
> Did the system autogenerate SERVER_unraid_bundle.pem or did you create it?

The SERVER_unraid_bundle.pem was autogenerated (I'm assuming - when I used the "provision" tool when enabling SSL??)

45 minutes ago, ljm42 said:
> Based on your settings, the server's hostname is 'SERVER.DOMAINNAME.local', but the certificate is for 'SERVER.local'. Those need to match. Which url is correct for accessing your server?

SERVER.DOMAINNAME.local should be the correct url.

In testing however, both "https://SERVER.DOMAINNAME.local" and "https://SERVER.local" are producing certificate errors, as they are trying to utilize my LetsEncrypt wildcard cert which is pulled via SWAG for a different domain I own (let's call it "OTHERDOMAIN.com").

What does work for me however is using the URL "https://xxxxxxxx.unraid.net:HTTPS_PORT". This is what I've been using, and assumed that things were "working as expected", which now seems less accurate. I can also use http://SERVER.DOMAINNAME.local:HTTP_PORT and it will redirect to the "https://xxxxxxxx.unraid.net:HTTPS_PORT" page with no certificate warning.

If I use "https://SERVER.DOMAINNAME.local" and ignore the certificate warning, it does take me to the Unraid login and lists the connection as secure. When I check the certificate, under the "Subject Alt Names", it's listing the correct internal IP address, the "SERVER.DOMAINNAME.local" DNS name, and the "xxxxxxxx.unraid.net" & "www.xxxxxxxx.unraid.net" DNS Names.

In all my poking around, I have not seen "SERVER.local" listed anywhere on any of the certificates.

Should I wipe out the .pem files in "\config\ssl\certs\" and let Unraid re-provision a new cert for SSL? How do I guarantee I get the System Name and Local TLD matching correctly?

Thanks again!

xta101
Posted January 10, 2022

I also just realized if I enter the URL "https://SERVER.DOMAINNAME.local:HTTPS_PORT" into my browser, I land on the login page with no certificate issues. I'm not using 80 for HTTP or 443 for HTTPS. When I connect this route, the address listed in my address bar remains "https://SERVER.DOMAINNAME.local:HTTPS_PORT/Main" after login. If I view the certificate using this method, it lists a DNS Name entry for "SERVER.DOMAINNAME.local", in addition to the xxx.unraid.net entries.

If I enter the URL "http://SERVER.DOMAINNAME.local:HTTP_PORT" into my browser, I redirect to the "https://xxxxxxxx.unraid.net:HTTPS_PORT/login" page (this feels correct). Again, no certificate issues this way. After login, the address bar remains in the "https://xxxxxxxx.unraid.net:HTTPS_PORT/Main" format. If I view the certificate using this method, it does not list a DNS Name entry for "SERVER.DOMAINNAME.local", only the xxx.unraid.net entries.

Hopefully this adds useful info. Thanks

ljm42
Posted January 10, 2022

14 minutes ago, xta101 said:
> In testing however, both "https://SERVER.DOMAINNAME.local" and "https://SERVER.local" are producing certificate errors, as they are trying to utilize my LetsEncrypt wildcard cert which is pulled via SWAG for a different domain I own (let's call it "OTHERDOMAIN.com").

OK, it sounds like you have SWAG set up on port 443, so the proper test for these would be to go to Settings -> Management Access and look up your webgui HTTPS_PORT, then use https://SERVER.DOMAINNAME.local:HTTPS_PORT

EDIT: looks like you just figured this out

17 minutes ago, xta101 said:
> SERVER.DOMAINNAME.local should be the correct url.

Although things seem to be working based on what you wrote above, it doesn't fully make sense to me. I'd recommend that we delete and recreate the self-signed cert so it uses the proper domain name.

Probably the easiest way to do that is go to Settings -> Management Access and set "Use SSL/TLS" to "No" (this will temporarily change your url to http://SERVER.DOMAINNAME.local:HTTP_PORT or http://ipaddress:HTTP_PORT and you'll need to sign in again).

Then open a web terminal and type:

    rm /boot/config/ssl/certs/SERVER_unraid_bundle.pem
    exit

Then go back to the web gui and change "Use SSL/TLS" back to "Auto". This will generate a new self-signed certificate that works on https://SERVER.DOMAINNAME.local:HTTPS_PORT . The cert for https://xxxxxxxx.unraid.net:HTTPS_PORT will continue to work as well.

xta101
Posted January 10, 2022

Getting closer!

After following the steps above, I no longer get the warning when running the "Fix Common Problems" scan. That's good!

However, a new SERVER_unraid_bundle.pem file was not regenerated after turning "Use SSL/TLS" back to "Auto". I even restarted the server, as I figured that would initiate the process (per the "renewcert" help under the "Use SSL/TLS" section), but there is only a "certificate_bundle.pem" file left in "/boot/config/ssl/certs/". Is there something else needed to regenerate the self-signed cert? Or just patience?

Without the cert, when I browse to "https://SERVER.DOMAINNAME.local:HTTPS_PORT", I'm getting a certificate warning again. If I look at the certificate warning, it's telling me the cert is issued to "xxxxxxx.unraid.net". Interestingly, the properties of the certificate, in the Windows title bar, it lists the certificate as "SERVER.DOMAINNAME.local"....

The warning I'm getting now reads:

URL: SERVER.DOMAINNAME.local
Reason: Invalid name of certificate. Either the name is not on the allowed list, or was explicitly excluded.
View certificate

I'm guessing the problem is that the "SERVER_unraid_bundle.pem" file wasn't regenerated.

Thanks again!

ljm42
Posted January 10, 2022

16 minutes ago, xta101 said:
> However, a new SERVER_unraid_bundle.pem file was not regenerated after turning "Use SSL/TLS" back to "Auto". I even restarted the server, as I figured that would initiate the process (per the "renewcert" help under the "Use SSL/TLS" section), but there is only a "certificate_bundle.pem" file left in "/boot/config/ssl/certs/". Is there something else needed to regenerate the self-signed cert?

Sorry, I mostly work in 6.10 these days and 6.9 handles this differently. It isn't regenerating the cert because 6.9 can only use one cert at a time and it is already using the unraid.net cert so it doesn't need the self-signed one.

All that to say, as long as https://xxxxxxxx.unraid.net:HTTPS_PORT is working then you are good to go.

Also, I've done more research into 6.10 and realized that it will automatically recover from any issues with self-signed certs. We are going to modify Fix Common Problems so that it will no longer report issues with self-signed certs; they aren't causing problems in 6.9 and will automatically be fixed in 6.10. Nice!

xta101
Posted January 10, 2022

Thanks for all your help! Truly appreciated.

Shortly after my last post, under the help for "Use SSL/TLS", I noticed what lines up with your explanation... how it's checking for certs in order, starting with certificate_bundle.pem & only if that file doesn't exist, does it create the "<server-name>_unraid_bundle.pem" cert.

Before deleting the SERVER_unraid_bundle.pem file, I made a backup. Should I drop it back into place, or is that a moot point... or worse, would it cause problems?

Glad to hear it's a "non-issue", and I have no problem accessing the WebUI in this way. Also excited for 6.10!

Thanks for the tools and all your help!

ljm42
Posted January 10, 2022

I would just leave the system as it is. You could restore <server-name>_unraid_bundle.pem but it would have no effect in 6.9 and would get deleted by 6.10 anyway since it has the wrong url.

Thanks for working through it

xta101
Posted January 10, 2022

Right on. Thanks for explaining everything.

ljm42
Posted January 13, 2022

For anyone who finds this topic in the future, please see this thread for an explanation and discussion of the updated certificate/DNS/LocalTLD tests in Fix Common Problems: