Allow for the install of a custom root certificate authority (CA)


The problem I was having was installing a custom CA in the system.  During my troubles I also found out that the update-ca-certificates command when run with --fresh will wipe the current cert bundle in order to rebuild it fresh.

 

But perl is not installed and perl is a dependency of openssl for this and possibly other reasons.

You can read about it here:

Here's how I fixed it:

/boot/config/fix-ca-certificates

#!/bin/bash
set -x;

# perl is needed by update-ca-certificates but is not shipped with unraid, so
# restore it from the package kept on the flash drive
# curl https://slackware.uk/slackware/slackware64-14.2/slackware64/d/perl-5.22.2-x86_64-1.txz -o perl-5.22.2-x86_64-1.txz
upgradepkg --install-new /boot/config/perl-5.22.2-x86_64-1.txz

# update-ca-certificates only picks up *.crt files from this directory
mkdir -p /usr/local/share/ca-certificates
cp /boot/config/home.at.ca.crt /usr/local/share/ca-certificates/

# --fresh wipes the existing bundle and rebuilds it from scratch
update-ca-certificates --verbose --fresh

 

This is called in the go script to fix the perl dep and re-install my ca on system boot.

I would like this to be easier... and not as brittle as it could potentially be.

 

Edited by ddumont
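The boot-time fix above, redone as an added example (my code, not ddumont's script and not part of the original post): it keeps the perl workaround and the copy into /usr/local/share/ca-certificates, but refuses to install a file that is not actually a CA certificate, prints the SHA-256 fingerprint so it can be compared with the one recorded when the CA was created, runs update-ca-certificates without --fresh so the existing bundle is merged rather than wiped, and verifies the result against the store afterwards. It also covers the docker registry case from later in the thread through Docker's per-registry CA directory. The /boot/config paths, /etc/ssl/certs as the hashed store, and the DOCKER_REGISTRY host name are assumptions.

```shell
#!/bin/bash
# Added example, not ddumont's script: same job (restore perl, install a custom
# root CA, rebuild the bundle on boot) but it refuses anything that is not a CA
# certificate and verifies the trust store afterwards.
# Assumed paths: the CA lives on the flash drive; the store is Slackware's
# /etc/ssl/certs, which update-ca-certificates populates.
set -eu

CA_SRC="${CA_SRC:-/boot/config/home.at.ca.crt}"                 # assumed location
PERL_PKG="${PERL_PKG:-/boot/config/perl-5.22.2-x86_64-1.txz}"   # package from the thread
TRUST_DIR=/usr/local/share/ca-certificates
CA_PATH=/etc/ssl/certs                                          # assumed hashed store
DOCKER_REGISTRY="${DOCKER_REGISTRY:-}"                          # e.g. docker.at.home, optional

# 0 only if FILE parses as an X.509 certificate whose basicConstraints say CA:TRUE.
# update-ca-certificates would otherwise add a leaf cert, or junk, as a trust anchor.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint, for comparing against the value recorded when the CA was made.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 only if FILE chains to something already in the hashed store (a self-signed
# root verifies once it is installed there).
is_trusted() {
    openssl verify -CApath "$CA_PATH" "$1" >/dev/null 2>&1
}

install_ca() {
    ca="$1"
    is_ca_cert "$ca" || { echo "refusing $ca: not a CA certificate" >&2; return 1; }
    echo "installing CA $(cert_fingerprint "$ca")"

    # the thread found update-ca-certificates needs perl, which stock unraid lacks
    command -v perl >/dev/null 2>&1 || upgradepkg --install-new "$PERL_PKG"

    mkdir -p "$TRUST_DIR"
    cp "$ca" "$TRUST_DIR/$(basename "$ca")"   # file name must end in .crt to be picked up
    # no --fresh: merge into the bundle instead of wiping and rebuilding it
    update-ca-certificates --verbose

    # The docker daemon reads the system bundle only when it starts; its
    # per-registry directory is honoured per connection, so a registry CA can
    # be trusted without a restart (registry host name is an assumption).
    if [ -n "$DOCKER_REGISTRY" ]; then
        mkdir -p "/etc/docker/certs.d/$DOCKER_REGISTRY"
        cp "$ca" "/etc/docker/certs.d/$DOCKER_REGISTRY/ca.crt"
    fi

    is_trusted "$ca" || { echo "CA was copied but the store still rejects it" >&2; return 1; }
    echo "ok: $(basename "$ca") is trusted"
}

# run as: fix-ca-certificates install   (nothing happens when only sourced)
case "${1:-}" in
    install) install_ca "$CA_SRC" ;;
esac
```

Called from the go script as `/boot/config/fix-ca-certificates install`, it fails loudly at the first step that does not hold (wrong file, perl missing and no package, store still rejecting the root) instead of silently booting with an empty or unchanged bundle.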

Would also like this feature.

`docker login unraidserverdomain.local`

Response
`x509: certificate signed by unknown authority`

Luckily I could use localhost instead, which skipped the SSL check. However, all the docker pulls / containers will need to use localhost JUST for the unraid server.

Edited by FixYouDeveloper

I've been asked by a few how to go about creating the ca and issuing the certs.  There's a lot of information online for using openssl and doing this kind of stuff, here's a "short" rundown of what's going on: https://gist.github.com/Soarez/9688998

 

So... I guess decide what you want your domain to be.  Originally I wanted a TLD (*.home) but you can't have wildcard certs for a TLD, and I didn't want to issue a cert for everything I wanted to host... so I settled for (*.at.home).  I call my unraid server storage.at.home.

 

Here are the steps I took to create the ca:

# create the CA key (you should put a password on this)
openssl genrsa -out home.at.ca.key 4096

# create the CA certificate
openssl req -x509 -new -nodes -key home.at.ca.key -days 18262 -sha256 -out home.at.ca.crt

# Now import the certificate into your computer's root trust store.

 

On windows, double click the crt file and open it:


then click "Install Certificate..."

 

Then pick if you want to install it only for the current user, or for every user on the machine:


 

Then choose to place the cert in the trusted roots:


click next, then finish... now you're done importing.

 

One thing to remember, the ca is a root certificate you control and if compromised, it means certificates could be generated for sites like google, facebook, etc... and your computer would trust them.  Root CAs are the backbone of the secure internet... make sure to protect your key... with your life!

 

 

Now we generate our wildcard certificate for our web servers and stuff:

# create the certificate key
openssl genrsa -out home.at.wildcard.key 4096

# create a file with the following contents called ssl.conf (between the dashes)
---
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
# each field needs a prompt line; the *_default lines only pre-fill the answer
# (with nothing but *_default lines, openssl req stops with "no objects specified in config file")
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name
stateOrProvinceName_default =
localityName = Locality Name
localityName_default =
organizationName = Organization Name
organizationName_default = at.home
commonName = Common Name
commonName_max = 64
commonName_default = wildcard.at.home

# extensions embedded in the CSR (no authorityKeyIdentifier here: at CSR time
# there is no issuer certificate to take the key id from)
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# extensions the CA writes into the signed certificate
[ signing_ext ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.at.home
---

# Now let's make a certificate signing request for our wildcard cert
openssl req -new -key home.at.wildcard.key -out home.at.wildcard.csr -config ssl.conf

# and now let's mint the cert with our CA (signing_ext adds the authorityKeyIdentifier, which needs the CA cert)
openssl x509 -req -in home.at.wildcard.csr -CA home.at.ca.crt -CAkey home.at.ca.key -CAcreateserial -out home.at.wildcard.crt -days 18262 -sha256 -extfile ssl.conf -extensions signing_ext

 

Now you can use your wildcard cert for any webserver you want in your local deployment, and it will be valid on the computers you install your ca on.

Edited by ddumont
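The same CA and wildcard procedure as one non-interactive script, an added example that is not ddumont's code and not part of the original post. It goes a little beyond the post: the root CA gets explicit extensions (CA:TRUE with pathlen:0 and a signing-only key usage, so the key can mint leaves but not further CAs), the authorityKeyIdentifier is kept out of the CSR because there is no issuer to derive it from at that point, and the script ends with an openssl verify that checks both the chain and a host name against the wildcard SAN, which is exactly what a browser or curl will check. The at.home names, the file names and the 825-day leaf lifetime are assumptions.

```shell
#!/bin/bash
# Added example, not ddumont's commands: the same CA + wildcard flow done
# non-interactively, with explicit CA extensions (so the root cannot mint
# intermediates) and an end check that the leaf really chains and really
# covers a host name. Names mirror the thread's *.at.home setup (assumed).
set -eu

CA_CN="${CA_CN:-at.home root CA}"
WILDCARD="${WILDCARD:-*.at.home}"

# Root CA config: CA:TRUE with pathlen:0 (can sign leaves, not CAs) and a key
# usage limited to signing; prompt = no makes it scriptable.
write_ca_config() {
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = $CA_CN
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Leaf config. csr_ext goes into the request; leaf_ext is what the CA writes
# into the certificate and adds the authorityKeyIdentifier, which cannot be
# computed at CSR time because there is no issuer yet. The SAN is what clients
# actually match against; the CN is decoration.
write_leaf_config() {
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = csr_ext
[ dn ]
CN = $WILDCARD
O = at.home
[ csr_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$WILDCARD
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$WILDCARD
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# make_ca DIR: DIR/ca.key + DIR/ca.crt, a ten-year self-signed root.
make_ca() {
    write_ca_config "$1/ca.cnf"
    openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -days 3650 -sha256 \
        -config "$1/ca.cnf" -out "$1/ca.crt"
}

# make_leaf DIR: wildcard key, CSR, and a certificate signed by DIR/ca.*.
# Leaf lifetime is kept far shorter than the CA's: rotate leaves, not roots.
make_leaf() {
    write_leaf_config "$1/leaf.cnf"
    openssl genrsa -out "$1/wildcard.key" 2048 2>/dev/null
    openssl req -new -key "$1/wildcard.key" -config "$1/leaf.cnf" \
        -out "$1/wildcard.csr"
    openssl x509 -req -in "$1/wildcard.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 825 -sha256 \
        -extfile "$1/leaf.cnf" -extensions leaf_ext -out "$1/wildcard.crt" 2>/dev/null
}

# verify_leaf DIR HOST: 0 only if wildcard.crt chains to ca.crt and its SAN
# matches HOST, the same two checks a browser or curl performs.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/wildcard.crt" \
        >/dev/null 2>&1
}

# run as: make-wildcard.sh build OUTDIR   (nothing happens when only sourced)
case "${1:-}" in
    build)
        out="${2:-.}"
        make_ca "$out" && make_leaf "$out"
        verify_leaf "$out" "storage.at.home" \
            && echo "ok: storage.at.home is covered by $WILDCARD, issued by $CA_CN"
        ;;
esac
```

The verify step is also the quickest way to diagnose the thread's "certificate signed by unknown authority" class of errors: if `verify_leaf` passes with `-CAfile` but a client still rejects the cert, the client is not looking at this CA; if it fails on the host name, the SAN (not the CN) is wrong.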

So yeah...  it looks like a lot of work, but it's not too bad.   What does this get me, you may ask?

 

Well, I have a docker container that runs nginx and actually proxies all of my web traffic on the box and containers (including unraid) with my certificate.

I'll attach that here for info... the rules about web sockets are particularly important if you want working console shells on the unraid interface.

 


 

Now, once you import the root cert into the unraid os as described above, you can have a docker.at.home registry container running to host your own custom images.

I hope this helps some folks.

nginx.template init.sh


I also run a docker container with a dns server, and i point my home router to it as #1 and google's secure dns as #2


 

This lets me easily define any hostname I want to whatever I want:

storage.at.home
docker.at.home
transmission.at.home
plex.at.home
etc...


Hi @j0e, would you be able to help me set up smallstep? I have pulled the image from here https://hub.docker.com/r/smallstep/step-ca and included some of the environment variables suggested, like:

Quote

DOCKER_STEPCA_INIT_NAME

(required) the name of your CA—this will be the issuer of your CA certificates

DOCKER_STEPCA_INIT_DNS_NAMES

(required) the hostname(s) or IPs that the CA will accept requests on

 

I've been trying to follow this guide https://smallstep.com/blog/automate-docker-ssl-tls-certificates/ but I am out of my depth with the trust anchors... How exactly do you go about installing the certificates within another container?

 

I have tried using this command with the fingerprint of the root ca after installing the step apk

 

step ca bootstrap --ca-url https://IP:PORT --fingerprint awdhirg78124etc --install

 

I can't figure out what to do next 🤔 Will these settings persist, and if this is the correct process, is it likely the problem is with my DNS input for the CA? I just inserted *.tower.home as the init dns names.

Edited by wolfNZ

That's not the route I've taken.

This is for having each of your containers "talking" directly and individually with step.

I use Traefik, which "talks" with step and generates the certificates for each container.

I'm sorry I can't really help you there.

Feel free to ask me if you want more info with how to use it with Traefik.

 


I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests.

 

@ddumont

 

I suggest using this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages.

 

I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here?

 

Edited by T0a

I'll add that I'd like the ability to import a root certificate as a trusted CA in unraid.  I want unraid to trust my firewall's certificate.

I use a Palo Alto firewall at home and want to enable MitM decryption of all traffic.  This would give me visibility to what types of traffic are initiated outbound.  Without decryption, traffic and application type show as SSL. 

 

When I was looking through logs today, I noticed telegram and telnet traffic outbound from my unraid host.  That causes concern considering I am unaware of any of my docker apps that have either as a requirement.  But my first issue to address is getting more visibility to all outbound traffic from the host.

On 7/16/2022 at 5:28 AM, T0a said:

I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests.

 

@ddumont

 

I suggest using this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages.

 

I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here?

 

Thank you for contributing your suggested Perl version. Would you still recommend that version?  Your reply is over a year old and I thought I would check before I follow the steps to import my CA.  I'm on 6.12.x, if that matters.
