Fix common problems warning about invalid certificate


Go to solution Solved by Steviewunda,

Recommended Posts

I'm seeing similar warning, but with a slightly different setup. My domain is setup as "DOMAINNAME.local" within my router. I currently have set:

Settings > ManagementAccess > Local TLD: DOMAINNAME.local
Settings > ManagementAccess > Use SSL/TLS: Auto

 

For the Server's name, I have:

Settings > Identification > Server name: SERVER

 

During the last Fix Common Problems run, i got the warning that lists:

Your SERVER_unraid_bundle.pem certificate is for 'SERVER.local' but your system's hostname is 'SERVER.DOMAINNAME.local'. 
Either adjust the system name and local TLD to match the certificate, or get a certificate that matches your settings. 
Even if things generally work now, this mismatch could cause issues in future versions of Unraid. The local TLD can be adjusted here

 

As the message indicates, things are currently working, but I'd like to avoid any future issues. Trying to understand how this works and how to resolve. Should "Server name" and "Local TLD" be adjusted in unraid. Should i not be using "DOMAINNAME.local" on my router?

Thanks in advance!

Link to comment
2 hours ago, xta101 said:

I'm seeing similar warning, but with a slightly different setup. My domain is setup as "DOMAINNAME.local" within my router. I currently have set:

Settings > ManagementAccess > Local TLD: DOMAINNAME.local
Settings > ManagementAccess > Use SSL/TLS: Auto

 

For the Server's name, I have:

Settings > Identification > Server name: SERVER

 

During the last Fix Common Problems run, i got the warning that lists:

Your SERVER_unraid_bundle.pem certificate is for 'SERVER.local' but your system's hostname is 'SERVER.DOMAINNAME.local'. 
Either adjust the system name and local TLD to match the certificate, or get a certificate that matches your settings. 
Even if things generally work now, this mismatch could cause issues in future versions of Unraid. The local TLD can be adjusted here

 

As the message indicates, things are currently working, but I'd like to avoid any future issues. Trying to understand how this works and how to resolve. Should "Server name" and "Local TLD" be adjusted in unraid. Should i not be using "DOMAINNAME.local" on my router?

Thanks in advance!

 

Did the system autogenerate SERVER_unraid_bundle.pem or did you create it?

 

Based on your settings, the server's hostname is 'SERVER.DOMAINNAME.local', but the certificate is for 'SERVER.local'.  Those need to match.

 

Which url is correct for accessing your server?

Link to comment

I'm also seeing a similar warning message, also with a slightly different setup. I currently have the following set in Unraid:

Settings > Management Access > Local TLD: local
Settings > Management Access > Use SSL/TLS: Auto

 

For the Server's name, I have

Settings > Identification > Server name: PHOENIX

 

My last Fix Common Problems run resulted with this warning:

Your PHOENIX_unraid_bundle.pem certificate is for 'Phoenix.local' but your system's hostname is 'PHOENIX.local'. 
Either adjust the system name and local TLD to match the certificate, or get a certificate that matches your settings.
Even if things generally work now, this mismatch could cause issues in future versions of Unraid.

 

Things are currently working as expected, but I'd like to avoid any future issues.

Edited by nerdzero
Fixed a formating error
Link to comment
26 minutes ago, nerdzero said:
Your PHOENIX_unraid_bundle.pem certificate is for 'Phoenix.local' but your system's hostname is 'PHOENIX.local'.

 

This is an error with our test, the next version of Fix Common Problems will fix this. It should be doing a case-insensitive match since 'Phoenix.local' and 'PHOENIX.local' are the same as far as DNS is concerned.

Link to comment
43 minutes ago, ljm42 said:

Did the system autogenerate SERVER_unraid_bundle.pem or did you create it?

the SERVER_unraid_bundle.pem was autogenerated (I'm assuming - when I used the "provision" tool when enabling SSL??)

 

45 minutes ago, ljm42 said:

Based on your settings, the server's hostname is 'SERVER.DOMAINNAME.local', but the certificate is for 'SERVER.local'.  Those need to match.

 

Which url is correct for accessing your server?

SERVER.DOMAINNAME.local should be the correct url. In testing however, both "https://SERVER.DOMAINNAME.local" and "https://SERVER.local" are producing certificate errors, as they are trying to utilize my LetsEncrypt wildcard cert which is pulled via SWAG for a different domain I own (let's call it "OTHERDOMAIN.com").

 

What does work for me however is using the URL "https://xxxxxxxx.unraid.net:HTTPS_PORT".  This is what I've been using, and assumed that things were "working as expected", which now seems less accurate. I can also use http://SERVER.DOMAINNAME.local:HTTP_PORT and it will redirect to the "https://xxxxxxxx.unraid.net:HTTPS_PORT" page with no certificate warning.

 

If i use "https://SERVER.DOMAINNAME.local" and ignore the certificate warning, it does take me to the unraid login and lists the connection as secure. When i check the certificate, under the "Subject Alt Names", it's listing the correct internal IP address, the "SERVER.DOMAINNAME.local" DNS name, and the "xxxxxxxx.unraid.net" & "www.xxxxxxxx.unraid.net" DNS Names.

 

In all my poking around, I have not seen "SERVER.local" listed anywhere on any of the certificates.

 

Should I wipe out the .pem files in "\config\ssl\certs\" and let unraid re-provision a new cert for SSL? How do I guarantee i get the System Name and Local TLD matching correctly?

 

thanks again!

 

Link to comment

I also just realized if I enter the URL "https://SERVER.DOMAINNAME.local:HTTPS_PORT" into my browser, I land on the login page with no certificate issues. I'm not using 80 for HTTP or 443 for HTTPS. When I connect this route, the address listed in my address bar remains "https://SERVER.DOMAINNAME.local:HTTPS_PORT/Main" after login. If I view the certificate using this method, it lists a DNS Name entry for "SERVER.DOMAINNAME.local", in addition to the xxx.unraid.net entries.

 

If I enter the URL "http://SERVER.DOMAINNAME.local:HTTP_PORT" into my browser, I redirect to the "https://xxxxxxxx.unraid.net:HTTPS_PORT/login" page (this feels correct). Again, no certificate issues this way. After login, the address bar remains in the "https://xxxxxxxx.unraid.net:HTTPS_PORT/Main" format. If I view the certificate using this method, it does not lists a DNS Name entry for "SERVER.DOMAINNAME.local", only the xxx.unraid.net entries.

 

hopefully this adds useful info. thanks

 

 

Link to comment
14 minutes ago, xta101 said:

In testing however, both "https://SERVER.DOMAINNAME.local" and "https://SERVER.local" are producing certificate errors, as they are trying to utilize my LetsEncrypt wildcard cert which is pulled via SWAG for a different domain I own (let's call it "OTHERDOMAIN.com").

 

OK it sounds like you have SWAG setup on port 443, so the proper test for these would be to go to Settings -> Management Access and lookup your webgui HTTPS_PORT, then use https://SERVER.DOMAINNAME.local:HTTPS_PORT   

 

EDIT: looks like you just figured this out :)  

 

17 minutes ago, xta101 said:

SERVER.DOMAINNAME.local should be the correct url.

 

Although things seem to be working based on what you wrote above, it doesn't fully make sense to me :) I'd recommend that we delete and recreate the self-signed cert so it uses the proper domain name.

 

Probably the easiest way to do that is go to Settings -> Management Access and set "Use SSL/TLS" to "No" (this will temporarily change your url to http://SERVER.DOMAINNAME.local:HTTP_PORT or http://ipaddress:HTTP_PORT and you'll need to sign in again). 

 

Then open a web terminal and type:
  rm /boot/config/ssl/certs/SERVER_unraid_bundle.pem
  exit

 

Then go back to the web gui and change "Use SSL/TLS" back to "Auto". This will generate a new self-signed certificate that works on https://SERVER.DOMAINNAME.local:HTTPS_PORT . The cert for https://xxxxxxxx.unraid.net:HTTPS_PORT will continue to work as well.

Link to comment

Getting Closer!

 

After following the steps above, I no longer get the warning when running "fix common problems" scan. That's good!

 

However, a new SERVER_unraid_bundle.pem file was not regenerated after turn "Use SSL/TLS" back to "auto". I even restarted the server, as I figured that would initiate the process (per the "renewcert" help under the "Use SSL/TLS" section), but there is only a "certificate_bundle.pem" file left in "/boot/config/ssl/certs/".

 

Is there something else needed to regenerate the self-signed cert? or just patience?

 

Without the cert, when I browse to "https://SERVER.DOMAINNAME.local:HTTPS_PORT", I'm getting a certificate warning again. If i look at the certificate warning, it's telling me the cert is issued to "xxxxxxx.unraid.net". Interestingly, the properties of the certificate, in the Windows title bar, it lists the certificate as "SERVER.DOMAINNAME.local"....

 

the warning I'm getting now reads:

URL: SERVER.DOMAINNAME.local

Reason: Invalid name of certificate. Either the name is not on the allowed list, or was explicitly excluded. View certificate 

 

I'm guessing the problem is that the "SERVER_unraid_bundle.pem" file wasn't regenerated.

 

thanks again!

Link to comment
16 minutes ago, xta101 said:

However, a new SERVER_unraid_bundle.pem file was not regenerated after turn "Use SSL/TLS" back to "auto". I even restarted the server, as I figured that would initiate the process (per the "renewcert" help under the "Use SSL/TLS" section), but there is only a "certificate_bundle.pem" file left in "/boot/config/ssl/certs/".

 

Is there something else needed to regenerate the self-signed cert?

 

Sorry, I mostly work in 6.10 these days and 6.9 handles this differently. It isn't regenerating the cert because 6.9 can only use one cert at a time and it is already using the unraid.net cert so it doesn't need the self-signed one. All that to say, as long as https://xxxxxxxx.unraid.net:HTTPS_PORT is working then you are good to go.

 

Also, I've done more research into 6.10 and realized that it will automatically recover from any issues with self-signed certs. We are going to modify Fix Common Problems so that it will no longer report issues with self-signed certs; they aren't causing problems in 6.9 and will automatically be fixed in 6.10. Nice!

Link to comment

Thanks for all your help! Truly appreciated. Shortly after my last post, under the help for "Use SSL/TLS", I noticed what lines up with your explanation... how it's checking for certs in order, starting with certificate_bundle.pem & only if that file doesn't exist, does it create the "<server-name>_unraid_bundle.pem" cert. Before deleting the SERVER_unraid_bundle.pem file, I made a backup. Should I drop it back into place, or is that a moot point... or worse, would it cause problems?

 

Glad to hear it's a "non-issue", and I have no problem accessing the WebUI in this way. Also excited for 6.10!

 

thanks for the tools and all your help!

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.