how do I install a custom CA certificate


ddumont


This is way harder than it needs to be.

 

There's no /usr/local/share/ca-certificates directory which is the default for upgrade-ca-certificates

Making that dir and placing my ca there

Running upgrade-ca-certificates causes the certbundle to be deleted (because that's what the script does) and then it fails to construct the new bundle because perl is not on the system

 

Download perl, install, re-run upgrade-ca-certificates with --fresh now and I have it installed.

 

How do I get this to persist now? 

Can someone please add perl to the base os so that this stuff works?

Edited by ddumont
Link to comment

I'm not familiar with upgrade-ca-certificates because Unraid doesn't use that.  Just to be sure, are you asking how to install a custom SSL certificate for the Unraid webgui?

 

First, reboot to undo all of your customizations :) 

 

Then see the "Custom certificate" portion of the wiki:
  https://wiki.unraid.net/Manual/Security#Custom_certificate_-_with_option_to_have_My_Servers_Remote_Access

There is also a section for having Unraid generate a Self-signed certificate if that is what you are looking for.

 

If you have any questions, be sure to let me know what version of Unraid you are running.

Link to comment
7 hours ago, ljm42 said:

I'm not familiar with upgrade-ca-certificates because Unraid doesn't use that.

Yes it does, if it relies on openssl root certificates for things like connecting to the unraid app store thing. And downloading images for docker from public repos.

 

update-ca-certificates is used to update the installed root ca's for the slackware install and anything else that uses openssl.

 

Quote

Just to be sure, are you asking how to install a custom SSL certificate for the Unraid webgui?

No, absolutely not.   I know how to do that.

 

I'm running my own local CA for my home network.

Inside unraid I'm running a container with dnsmasq to serve my domain addresses (on .home)

I'm running a reverse proxy in a container to handle all ssl traffic to any other docker http endpoint. The reverse proxy is configured with a wildcard cert for my domain.

I'm running a docker registry (inside docker... woohoo!) to serve my own custom docker images, over https

  (I would like to password protect this (it already is) but launching new containers from images there requires me to ssh into the unraid host and docker login. I have another forum post about that)

 

^-- this last one is where I ran into issues, because docker uses the root CAs of openssl to verify ssl connections, and it was not trusting my root CA.

 

Not having perl installed (which is a dep of the openssl install unraid has, see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860254 (I know it's debian and not slackware but it still applies)) breaks maintenance functionality of openssl.  This would mean that I need to wait for a patch from unRaid guys to get new root certificates when there are new or changed ones (expirations, revocations, etc...)

 

I know perl is big, but please don't remove it from the unraid images. Also, please make it easier to customize the root certs in unraid so I don't have to hack the init script to do this process on every boot....

Edited by ddumont
Link to comment

Keep in mind that Unraid is more of an appliance than a general purpose Linux box. Deep customizations are risky because you're basing them on how things work today and there is no guarantee that things will work that way in the future.

 

Perl is not included in the base OS but can be installed using the "nerdpack gui" plugin.

 

The /boot/config/go script runs at boot.

 

Without any knowledge of exactly what you need, in general the way to handle this sort of thing in Unraid is to place your customized files on the flash drive and then modify /boot/config/go to copy the files into the right place in RAM. Depending on exactly when this happens during the boot process you may also need to run an init script to get the system to read the files.

 

4 hours ago, ddumont said:

please make it easier to customize the root certs in unraid

 

If you think other people would want this functionality, please write up a feature request. I'd recommend including technical details to cut down on the amount of research that needs to be done up front. If you are able to get it working on your own, include details on your solution too.

Link to comment
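
The flash-drive-plus-`/boot/config/go` approach described in the reply above, sketched as an added example (not code from any poster in this thread or from Unraid). The function validates each certificate before trusting it and appends it to the bundle directly, so it does not depend on perl; the bundle path `/etc/ssl/certs/ca-certificates.crt` and the flash directory `/boot/config/custom-ca` are assumptions.

```shell
# Added example, not from the thread. Assumed/hypothetical paths:
#   /boot/config/custom-ca              flash directory holding your CA *.crt files
#   /etc/ssl/certs/ca-certificates.crt  OpenSSL bundle location (assumption)
# Call from /boot/config/go, e.g.:
#   install_local_ca /boot/config/custom-ca /usr/local/share/ca-certificates \
#       /etc/ssl/certs/ca-certificates.crt
install_local_ca() {
    ca_src=$1; ca_trust=$2; ca_bundle=$3
    CA_ADDED=0    # number of certificates appended to the bundle by this call
    mkdir -p "$ca_trust" || return 1
    for ca_pem in "$ca_src"/*.crt; do
        [ -f "$ca_pem" ] || continue
        # Reject anything that does not parse as X.509 or has already expired.
        if ! openssl x509 -in "$ca_pem" -noout -checkend 0 >/dev/null 2>&1; then
            echo "skip $ca_pem: unparsable or expired" >&2
            continue
        fi
        # Only CA certificates belong in a trust store, never leaf certificates.
        if ! openssl x509 -in "$ca_pem" -noout -text | grep -q 'CA:TRUE'; then
            echo "skip $ca_pem: basicConstraints is not CA:TRUE" >&2
            continue
        fi
        ca_fp=$(openssl x509 -in "$ca_pem" -noout -fingerprint -sha256 | cut -d= -f2)
        cp "$ca_pem" "$ca_trust/" || return 1
        # Idempotent: a marker line keyed on the SHA-256 fingerprint means a
        # second run (or a second call from the go script) adds nothing.
        if ! grep -qF "# local-ca $ca_fp" "$ca_bundle" 2>/dev/null; then
            { echo "# local-ca $ca_fp"; openssl x509 -in "$ca_pem"; } \
                >> "$ca_bundle" || return 1
            CA_ADDED=$((CA_ADDED + 1))
        fi
        # Log the fingerprint so it can be compared with the CA's known value.
        echo "trusted $ca_pem sha256=$ca_fp" >&2
    done
    return 0
}
```

Because the root filesystem is rebuilt in RAM at each boot, the call has to run on every boot; services that read the bundle only at startup need to start (or restart) after it.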