Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Allow for the install of a custom root certificate authority (CA)

Featured Replies

The problem I was having was installing a custom CA in the system.  During my troubles I also found out that the update-ca-certificates command when run with --fresh will wipe the current cert bundle in order to rebuild it fresh.

 

But perl is not installed and perl is a dependency of openssl for this and possibly other reasons.

You can read about it here: 

 

 

Here's how I fixed it:

/boot/config/fix-ca-certificates

#/bin/bash
set -x;

# curl https://slackware.uk/slackware/slackware64-14.2/slackware64/d/perl-5.22.2-x86_64-1.txz -o perl-5.22.2-x86_64-1.txz
upgradepkg --install-new /boot/config/perl-5.22.2-x86_64-1.txz

mkdir -p /usr/local/share/ca-certificates
cp /boot/config/home.at.ca.crt /usr/local/share/ca-certificates/

update-ca-certificates --verbose --fresh

 

This is called in the go script to fix the perl dep and re-install my ca on system boot.

I would like this to be easier... and not as brittle as it could potentially be.

 

Edited by ddumont

  • ddumont changed the title to Allow for the install of a custom root certificate authority (CA)
  • 3 weeks later...

Thank you for the script. I ran in the exact same problem trying to add my root certificate. 

This is way more complicated than it needs to be. 

  • 1 month later...

Would also like this feature.

`docker login unraidserverdomain.local`

Response
`x509: certificate signed by unknown authority`

Luckily I could use localhost instead which skipped the ssl check. However all the docker pull / containers will need to use localhost JUST for the unraid server.

Edited by FixYouDeveloper

  • Author

I've been asked by a few how to go about creating the ca and issuing the certs.  There's a lot of information online for using openssl and doing this kind of stuff, here's a "short" rundown of what's going on: https://gist.github.com/Soarez/9688998

 

So... i guess decide what you want your domain to be.  Originally I wanted a tld (*.home) but you can't have wildcard certs for a tld, and I didn't want to issue a cert for everything I wanted to host... so I settled for (*.at.home).  I call my unraid server storage.at.home.

 

Here are the steps I took to create the ca:

# create the CA key (you should put a password on this)
openssl genrsa -out home.at.ca.key 4096

# create the CA certificate
openssl req -x509 -new -nodes -key home.at.ca.key -days 18262 -sha256 -out home.at.ca.crt

# Now import the certificate into your computer's root trust store.

 

On windows, double click the crt file and open it:

image.thumb.png.805237b54a9cb4e6d9b12db204fb5231.png

then click "Install Certificate..."

 

Then pick if you want to install it only for the current user, or for every user on the machine:

image.png.fc8633521a800f43eccdae751d83c6df.png

 

Then choose to place the cert in the trusted roots:

image.thumb.png.9294892e6731d645ac9910182719fa24.png

click next, then finish... now you're done importing.

 

One thing to remember, the ca is a root certificate you control and if compromised, it means certificates could be generated for sites like google, facebook, etc... and your computer would trust them.  Root CAs are the backbone of the secure internet... make sure to protect your key... with your life!

 

 

Now we generate our wildcard certificate for our web servers and stuff:

# create the certificate key
openssl genrsa -out home.at.wildcard.key 4096

# create a file with the following contents called ssl.conf (between the dashes)
---
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName_default = US
stateOrProvinceName_default =
localityName_default =
organizationName_default = at.home
commonName_max = 64
commonName_default = wildcard.at.home

[ req_ext ]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.at.home
---

# Now let's make a certificate signing request for our wildcard cert
openssl req -new -key home.at.wildcard.key -out home.at.wildcard.csr -config ssl.conf

# and now let's mint the cert with our CA
openssl x509 -req -in home.at.wildcard.csr -CA home.at.ca.crt -CAkey home.at.ca.key -CAcreateserial -out home.at.wildcard.crt -days 18262 -sha256 -extfile ssl.conf -extensions req_ext

 

Now you can use your wildcard cert for any webserver you want in your local deployment, and it will be valid on the computers you install your ca on.

Edited by ddumont

  • Author

So yeah...  it looks like a lot of work, but it's not too bad.   What does this get me, you may ask?

 

Well, I have a docker container that runs nginx and actually proxies all of my web traffic on the box and containers (including unraid) with my certificate.

I'll attach that here for info... the rules about web sockers are particularly important if you want working console shells on the unraid interface.

 

image.thumb.png.fd6fa50a18460e0d18c3ebd7b76fcae1.png

 

Now, once you import the root cert into the unraid os as described above, you can have a docker.at.home registry container running to host your own custom images.

I hope this helps some folks.

nginx.template init.sh

  • Author

I also run a docker container with a dns server, and i point my home router to it as #1 and google's secure dns as #2

image.thumb.png.25a2aeb497a1acfe96a08ecc843fe37d.png

 

This lets me easily define any hostname I want to whatever I want.

storage.at.home

docker.at.home

transmission.at.home

plex.at.home

 

 

etc...

I used to used openssl but I switched to  Step for this purpose :

https://smallstep.com/certificates/

 

It runs in docker, certificates generation is easy and the cherry on top: it can be used with Acme clients. All my internal services use it via traefik, new certificates are generated with no intervention whatsoever from my parts.

  • 1 month later...

Hi @j0e, would you be able to help me setup smallstep? I have pulled the image from here https://hub.docker.com/r/smallstep/step-ca and included some of the environment variables suggested like;
 

Quote

DOCKER_STEPCA_INIT_NAME

(required) the name of your CA—this will be the issuer of your CA certificates

DOCKER_STEPCA_INIT_DNS_NAMES

(required) the hostname(s) or IPs that the CA will accept requests on

 

I've been trying to follow this guide https://smallstep.com/blog/automate-docker-ssl-tls-certificates/ but I am out of my depth with the trust anchors.. How exactly do you go about installing the certificates within another container? 

 

I have tried using this command with the fingerprint of the root ca after installing the step apk

 

step ca bootstrap --ca-url https://IP:PORT --fingerprint awdhirg78124etc --install

 

I can't figure out what to do next 🤔 Will these settings persist and if this is the correct process is it likey the problem is with my DNS input for the CA? I just inserted *.tower.home as the init dns names.

Edited by wolfNZ

That's not the route I've taken.

This is for having each of your container "talking" directly and individually with step.

I use Traefik which "talks" with step and generate the certificates for each containers.

I'm sorry I can't really help you there.

Feel free to ask me if you want more info with how to use it with Traefik.

 

Yeah any info on setting it up with Traefik would be great thank you. Are you using Traefik locally or exposing ports?

  • 1 month later...

I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests.

 

@ddumont

 

I suggest to use this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages.

 

I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here?

 

Edited by T0a

  • 1 year later...

I'll add that I'd like the ability to import a root certificate as a trusted CA in unraid.  I want unraid to trust my firewall's certificate.

I use a Palo Alto firewall at home and want to enable MitM decryption of all traffic.  This would give me visibility to what types of traffic are initiated outbound.  Without decryption, traffic and application type show as SSL. 

 

When I was looking through logs today, I noticed telegram and telnet traffic outbound from my unraid host.  That causes concern considering I am unaware of any of my docker apps that have either as a requirement.  But my first issue to address is getting more visibility to all outbound traffic from the host.

On 7/16/2022 at 5:28 AM, T0a said:

I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests.

 

@ddumont

 

I suggest to use this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages.

 

I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here?

 

Thank you for contributing your suggested Perl version. Would you still recommend that version?  Your reply is over a year old and thought I would check before I follow the steps to import my CA.  I'm on 6.12.x, if that matters.

  • 5 months later...

Any update on this feature request?

  • 8 months later...

I would also like to express interest in this feature request. It'd be great if I could just... drop a CA cert somewhere and automatically have Docker containers pick up on it.

5 hours ago, ads103 said:

I would also like to express interest in this feature request. It'd be great if I could just... drop a CA cert somewhere and automatically have Docker containers pick up on it.

 

How would this work? Certificates are issued for domain names. Docker containers don't know anything about their domain name, that's the job of DNS.

 

A Reverse Proxy, with for example, Certbot, solves all these issues, including procuring certs on a schedule. But even that still needs a hosts list on your machine or DNS entry to direct a FQDN to an IP address. If you read the info for the step-ca local CA being talked about in this thread, you'll see it still needs all these other services, cerbot, reverse proxy, DNS resolver.

 

 

Edited by Espressomatic

  • 6 months later...
  • Author

jeeze, I don't know why I didn't get any notifications of responses to this thread. is anyone still looking for help on this?

  • Author
On 12/22/2024 at 11:47 AM, ads103 said:

I would also like to express interest in this feature request. It'd be great if I could just... drop a CA cert somewhere and automatically have Docker containers pick up on it.

That's not what this request is for. There are ways to either bake in a CA yourself into a customized container, or run update-ca-certificates in a linux container by either leveraging an init script (if the container supports that) or running your own command post container creation. It would be up to you to modify the container or automate the command to do all that.

This request was for adding a CA to the unraid system itself so that the docker commands would accept certificates being offered by docker containers (for example, a docker registry).

And this is really only necessary because I wanted my own CA. LE is great, but I don't want to worry about updating all of my certs every 3 months or whatever timeline they are moving to now.

Edited by ddumont

  • Author
On 7/16/2022 at 5:28 AM, T0a said:

I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests.

 

@ddumont

 

I suggest to use this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages.

 

I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here?

 

It was and is still working fine for me. I wish there was a supported way, but I haven't heard from the dev team about this in a looooooong time.

  • Author
On 12/22/2024 at 5:33 PM, Espressomatic said:

 

How would this work? Certificates are issued for domain names. Docker containers don't know anything about their domain name, that's the job of DNS.

 

A Reverse Proxy, with for example, Certbot, solves all these issues, including procuring certs on a schedule. But even that still needs a hosts list on your machine or DNS entry to direct a FQDN to an IP address. If you read the info for the step-ca local CA being talked about in this thread, you'll see it still needs all these other services, cerbot, reverse proxy, DNS resolver.

 

 

true. As I stated, I'm running dnsmasq to add my own dns resolution for "my" at.home domain.

The certificate I created was a wildcard for it, so it will work for any server on "at.home".

I don't think LE will let issue and let you renew wildcards... which is another reason I'm not using it.

This is for my personal use, not for production. I don't want to manage n certs for my n servers.

You can definitely get wildcard certs with LE as I have a couple for two domains, in addition to also managing unique ones for some services/machines.

image.png

NGINX Proxy Manager provides a suitable UI for managing this, and scripts on Unraid via User Scripts plugin handles copying/installing certs onto machines where I don't want to rely only on NPM's reverse proxy and automatic HTTPS. Like installing certs onto my Unraid machines themselves.

Edited by Espressomatic

  • Author

Oh that must be relatively new. That's nice they did that, it wasn't always the case.

  • 2 months later...

You can easily add your custom self signed certificates to the trusted ca certificates by adding them to /boot/config/ssl/certs/Develop_unraid_bundle.pem and then rebooting. If you have multiple certs to add, just cat them all together in that file.

  • 1 month later...

I'd argue custom CAs are more important as of 7.2.0 with the addition of the OIDC capabilities. I'm unable to integrate in my Keycloak provider since the certificates I'm issuing are from my homelab CA, and Unraid is failing to access the discovery URL since it is an untrusted certificate.

I see the /boot/config/ssl/certs/<host>.pem file, but at minimum, there should be some official workaround.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.