February 3, 20224 yr The problem I was having was installing a custom CA in the system. During my troubles I also found out that the update-ca-certificates command when run with --fresh will wipe the current cert bundle in order to rebuild it fresh. But perl is not installed and perl is a dependency of openssl for this and possibly other reasons. You can read about it here: Here's how I fixed it: /boot/config/fix-ca-certificates #/bin/bash set -x; # curl https://slackware.uk/slackware/slackware64-14.2/slackware64/d/perl-5.22.2-x86_64-1.txz -o perl-5.22.2-x86_64-1.txz upgradepkg --install-new /boot/config/perl-5.22.2-x86_64-1.txz mkdir -p /usr/local/share/ca-certificates cp /boot/config/home.at.ca.crt /usr/local/share/ca-certificates/ update-ca-certificates --verbose --fresh This is called in the go script to fix the perl dep and re-install my ca on system boot. I would like this to be easier... and not as brittle as it could potentially be. Edited February 3, 20224 yr by ddumont
February 23, 20224 yr Thank you for the script. I ran in the exact same problem trying to add my root certificate. This is way more complicated than it needs to be.
April 3, 20224 yr Would also like this feature. `docker login unraidserverdomain.local` Response `x509: certificate signed by unknown authority` Luckily I could use localhost instead which skipped the ssl check. However all the docker pull / containers will need to use localhost JUST for the unraid server. Edited April 3, 20224 yr by FixYouDeveloper
April 10, 20224 yr Author I've been asked by a few how to go about creating the ca and issuing the certs. There's a lot of information online for using openssl and doing this kind of stuff, here's a "short" rundown of what's going on: https://gist.github.com/Soarez/9688998 So... i guess decide what you want your domain to be. Originally I wanted a tld (*.home) but you can't have wildcard certs for a tld, and I didn't want to issue a cert for everything I wanted to host... so I settled for (*.at.home). I call my unraid server storage.at.home. Here are the steps I took to create the ca: # create the CA key (you should put a password on this) openssl genrsa -out home.at.ca.key 4096 # create the CA certificate openssl req -x509 -new -nodes -key home.at.ca.key -days 18262 -sha256 -out home.at.ca.crt # Now import the certificate into your computer's root trust store. On windows, double click the crt file and open it: then click "Install Certificate..." Then pick if you want to install it only for the current user, or for every user on the machine: Then choose to place the cert in the trusted roots: click next, then finish... now you're done importing. One thing to remember, the ca is a root certificate you control and if compromised, it means certificates could be generated for sites like google, facebook, etc... and your computer would trust them. Root CAs are the backbone of the secure internet... make sure to protect your key... with your life! Now we generate our wildcard certificate for our web servers and stuff: # create the certificate key openssl genrsa -out home.at.wildcard.key 4096 # create a file with the following contents called ssl.conf (between the dashes) --- authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE [ req ] default_bits = 4096 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName_default = US stateOrProvinceName_default = localityName_default = organizationName_default = at.home commonName_max = 64 commonName_default = wildcard.at.home [ req_ext ] keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = *.at.home --- # Now let's make a certificate signing request for our wildcard cert openssl req -new -key home.at.wildcard.key -out home.at.wildcard.csr -config ssl.conf # and now let's mint the cert with our CA openssl x509 -req -in home.at.wildcard.csr -CA home.at.ca.crt -CAkey home.at.ca.key -CAcreateserial -out home.at.wildcard.crt -days 18262 -sha256 -extfile ssl.conf -extensions req_ext Now you can use your wildcard cert for any webserver you want in your local deployment, and it will be valid on the computers you install your ca on. Edited April 10, 20224 yr by ddumont
April 10, 20224 yr Author So yeah... it looks like a lot of work, but it's not too bad. What does this get me, you may ask? Well, I have a docker container that runs nginx and actually proxies all of my web traffic on the box and containers (including unraid) with my certificate. I'll attach that here for info... the rules about web sockers are particularly important if you want working console shells on the unraid interface. Now, once you import the root cert into the unraid os as described above, you can have a docker.at.home registry container running to host your own custom images. I hope this helps some folks. nginx.template init.sh
April 10, 20224 yr Author I also run a docker container with a dns server, and i point my home router to it as #1 and google's secure dns as #2 This lets me easily define any hostname I want to whatever I want. storage.at.home docker.at.home transmission.at.home plex.at.home etc...
April 10, 20224 yr I used to used openssl but I switched to Step for this purpose : https://smallstep.com/certificates/ It runs in docker, certificates generation is easy and the cherry on top: it can be used with Acme clients. All my internal services use it via traefik, new certificates are generated with no intervention whatsoever from my parts.
May 30, 20224 yr Hi @j0e, would you be able to help me setup smallstep? I have pulled the image from here https://hub.docker.com/r/smallstep/step-ca and included some of the environment variables suggested like; Quote DOCKER_STEPCA_INIT_NAME (required) the name of your CA—this will be the issuer of your CA certificates DOCKER_STEPCA_INIT_DNS_NAMES (required) the hostname(s) or IPs that the CA will accept requests on I've been trying to follow this guide https://smallstep.com/blog/automate-docker-ssl-tls-certificates/ but I am out of my depth with the trust anchors.. How exactly do you go about installing the certificates within another container? I have tried using this command with the fingerprint of the root ca after installing the step apk step ca bootstrap --ca-url https://IP:PORT --fingerprint awdhirg78124etc --install I can't figure out what to do next 🤔 Will these settings persist and if this is the correct process is it likey the problem is with my DNS input for the CA? I just inserted *.tower.home as the init dns names. Edited May 30, 20224 yr by wolfNZ
May 30, 20224 yr That's not the route I've taken. This is for having each of your container "talking" directly and individually with step. I use Traefik which "talks" with step and generate the certificates for each containers. I'm sorry I can't really help you there. Feel free to ask me if you want more info with how to use it with Traefik.
May 31, 20224 yr Yeah any info on setting it up with Traefik would be great thank you. Are you using Traefik locally or exposing ports?
July 16, 20223 yr I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests. @ddumont I suggest to use this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages. I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here? Edited July 16, 20223 yr by T0a
October 19, 20232 yr I'll add that I'd like the ability to import a root certificate as a trusted CA in unraid. I want unraid to trust my firewall's certificate. I use a Palo Alto firewall at home and want to enable MitM decryption of all traffic. This would give me visibility to what types of traffic are initiated outbound. Without decryption, traffic and application type show as SSL. When I was looking through logs today, I noticed telegram and telnet traffic outbound from my unraid host. That causes concern considering I am unaware of any of my docker apps that have either as a requirement. But my first issue to address is getting more visibility to all outbound traffic from the host.
October 20, 20232 yr On 7/16/2022 at 5:28 AM, T0a said: I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests. @ddumont I suggest to use this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages. I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here? Thank you for contributing your suggested Perl version. Would you still recommend that version? Your reply is over a year old and thought I would check before I follow the steps to import my CA. I'm on 6.12.x, if that matters.
December 22, 20241 yr I would also like to express interest in this feature request. It'd be great if I could just... drop a CA cert somewhere and automatically have Docker containers pick up on it.
December 22, 20241 yr 5 hours ago, ads103 said: I would also like to express interest in this feature request. It'd be great if I could just... drop a CA cert somewhere and automatically have Docker containers pick up on it. How would this work? Certificates are issued for domain names. Docker containers don't know anything about their domain name, that's the job of DNS. A Reverse Proxy, with for example, Certbot, solves all these issues, including procuring certs on a schedule. But even that still needs a hosts list on your machine or DNS entry to direct a FQDN to an IP address. If you read the info for the step-ca local CA being talked about in this thread, you'll see it still needs all these other services, cerbot, reverse proxy, DNS resolver. Edited December 22, 20241 yr by Espressomatic
June 27, 20251 yr Author jeeze, I don't know why I didn't get any notifications of responses to this thread. is anyone still looking for help on this?
June 27, 20251 yr Author On 12/22/2024 at 11:47 AM, ads103 said:I would also like to express interest in this feature request. It'd be great if I could just... drop a CA cert somewhere and automatically have Docker containers pick up on it.That's not what this request is for. There are ways to either bake in a CA yourself into a customized container, or run update-ca-certificates in a linux container by either leveraging an init script (if the container supports that) or running your own command post container creation. It would be up to you to modify the container or automate the command to do all that.This request was for adding a CA to the unraid system itself so that the docker commands would accept certificates being offered by docker containers (for example, a docker registry).And this is really only necessary because I wanted my own CA. LE is great, but I don't want to worry about updating all of my certs every 3 months or whatever timeline they are moving to now. Edited June 27, 20251 yr by ddumont
June 27, 20251 yr Author On 7/16/2022 at 5:28 AM, T0a said:I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another Host. When I want to query the services with CURL from my Unraid box, I always have to add the "-k" flag to allow for insecure requests. @ddumont I suggest to use this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but can cause problems in certain situations with certain packages. I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Didn't Unraid prevent you from executing scripts from the USB stick directly or am I wrong here? It was and is still working fine for me. I wish there was a supported way, but I haven't heard from the dev team about this in a looooooong time.
June 27, 20251 yr Author On 12/22/2024 at 5:33 PM, Espressomatic said: How would this work? Certificates are issued for domain names. Docker containers don't know anything about their domain name, that's the job of DNS. A Reverse Proxy, with for example, Certbot, solves all these issues, including procuring certs on a schedule. But even that still needs a hosts list on your machine or DNS entry to direct a FQDN to an IP address. If you read the info for the step-ca local CA being talked about in this thread, you'll see it still needs all these other services, cerbot, reverse proxy, DNS resolver. true. As I stated, I'm running dnsmasq to add my own dns resolution for "my" at.home domain.The certificate I created was a wildcard for it, so it will work for any server on "at.home".I don't think LE will let issue and let you renew wildcards... which is another reason I'm not using it. This is for my personal use, not for production. I don't want to manage n certs for my n servers.
June 30, 20251 yr You can definitely get wildcard certs with LE as I have a couple for two domains, in addition to also managing unique ones for some services/machines.NGINX Proxy Manager provides a suitable UI for managing this, and scripts on Unraid via User Scripts plugin handles copying/installing certs onto machines where I don't want to rely only on NPM's reverse proxy and automatic HTTPS. Like installing certs onto my Unraid machines themselves. Edited June 30, 20251 yr by Espressomatic
June 30, 20251 yr Author Oh that must be relatively new. That's nice they did that, it wasn't always the case.
September 16, 2025Sep 16 You can easily add your custom self signed certificates to the trusted ca certificates by adding them to /boot/config/ssl/certs/Develop_unraid_bundle.pem and then rebooting. If you have multiple certs to add, just cat them all together in that file.
October 30, 2025Oct 30 I'd argue custom CAs are more important as of 7.2.0 with the addition of the OIDC capabilities. I'm unable to integrate in my Keycloak provider since the certificates I'm issuing are from my homelab CA, and Unraid is failing to access the discovery URL since it is an untrusted certificate. I see the /boot/config/ssl/certs/<host>.pem file, but at minimum, there should be some official workaround.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.