ddumont Posted February 3, 2022

The problem I was having was installing a custom CA in the system. During my troubles I also found out that the update-ca-certificates command, when run with --fresh, will wipe the current cert bundle in order to rebuild it fresh. But perl is not installed, and perl is a dependency of openssl for this and possibly other reasons. You can read about it here:

Here's how I fixed it:

/boot/config/fix-ca-certificates

    #!/bin/bash
    set -x
    # one-time download of the perl package, kept on the flash drive:
    # curl https://slackware.uk/slackware/slackware64-14.2/slackware64/d/perl-5.22.2-x86_64-1.txz -o perl-5.22.2-x86_64-1.txz
    # install perl (update-ca-certificates needs it) on every boot
    upgradepkg --install-new /boot/config/perl-5.22.2-x86_64-1.txz
    # drop the CA where update-ca-certificates looks for local CAs
    mkdir -p /usr/local/share/ca-certificates
    cp /boot/config/home.at.ca.crt /usr/local/share/ca-certificates/
    # rebuild the bundle from scratch
    update-ca-certificates --verbose --fresh

This is called in the go script to fix the perl dep and re-install my CA on system boot. I would like this to be easier... and not as brittle as it could potentially be.
j0e Posted February 23, 2022

Thank you for the script. I ran into the exact same problem trying to add my root certificate. This is way more complicated than it needs to be.
FixYouDeveloper Posted April 3, 2022

Would also like this feature.

    docker login unraidserverdomain.local

Response:

    x509: certificate signed by unknown authority

Luckily I could use localhost instead, which skipped the SSL check. However, all the docker pull / containers will need to use localhost JUST for the unraid server.
ddumont Posted April 10, 2022

I've been asked by a few how to go about creating the CA and issuing the certs. There's a lot of information online for using openssl and doing this kind of stuff; here's a "short" rundown of what's going on: https://gist.github.com/Soarez/9688998

So... I guess decide what you want your domain to be. Originally I wanted a TLD (*.home), but you can't have wildcard certs for a TLD, and I didn't want to issue a cert for everything I wanted to host... so I settled for (*.at.home). I call my unraid server storage.at.home.

Here are the steps I took to create the CA:

    # create the CA key (you should put a password on this)
    openssl genrsa -out home.at.ca.key 4096
    # create the CA certificate
    openssl req -x509 -new -nodes -key home.at.ca.key -days 18262 -sha256 -out home.at.ca.crt

Now import the certificate into your computer's root trust store. On Windows, double click the crt file and open it, then click "Install Certificate...". Then pick if you want to install it only for the current user, or for every user on the machine. Then choose to place the cert in the trusted roots; click next, then finish... now you're done importing.

One thing to remember: the CA is a root certificate you control, and if compromised, it means certificates could be generated for sites like google, facebook, etc... and your computer would trust them. Root CAs are the backbone of the secure internet... make sure to protect your key... with your life!
Now we generate our wildcard certificate for our web servers and stuff:

    # create the certificate key
    openssl genrsa -out home.at.wildcard.key 4096

    # create a file with the following contents called ssl.conf (between the dashes)
    ---
    # note: these two lines sit above the first [section], so they land in the
    # default section and are not picked up by "-extensions req_ext" below
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE

    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    req_extensions = req_ext

    [ req_distinguished_name ]
    # the prompt entries are needed: with only the _default lines, openssl req
    # builds an empty subject and refuses to create the request
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name
    stateOrProvinceName_default =
    localityName = Locality Name
    localityName_default =
    organizationName = Organization Name
    organizationName_default = at.home
    commonName = Common Name
    commonName_max = 64
    commonName_default = wildcard.at.home

    [ req_ext ]
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = *.at.home
    ---

    # Now let's make a certificate signing request for our wildcard cert
    openssl req -new -key home.at.wildcard.key -out home.at.wildcard.csr -config ssl.conf
    # and now let's mint the cert with our CA
    openssl x509 -req -in home.at.wildcard.csr -CA home.at.ca.crt -CAkey home.at.ca.key -CAcreateserial -out home.at.wildcard.crt -days 18262 -sha256 -extfile ssl.conf -extensions req_ext

Now you can use your wildcard cert for any webserver you want in your local deployment, and it will be valid on the computers you install your CA on.
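Two checks worth running after the recipe above and after the fix-ca-certificates script from the first post, as an added example that is not code from the thread: does the issued wildcard cert really chain to the CA and cover the hostname you use, and did the CA actually land in the rebuilt bundle? It assumes the openssl CLI is available; the default bundle path and the make_demo_pki helper (which builds a throwaway CA and leaf the same way the thread does) are assumptions for demonstration.

```shell
# Added example, not code from the thread: checks for a home CA setup. Assumes the
# openssl CLI; the default bundle path is an assumption about where the bundle lives.
set -eu

# Build a throwaway CA and a *.at.home leaf in directory $1, mirroring the thread's
# recipe: the SAN sits in an extension section that must be selected with -extensions.
make_demo_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo home CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ leaf_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.at.home
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/pki.cnf" \
    -extensions ca_ext -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=wildcard.at.home" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/pki.cnf" -extensions leaf_ext -out "$d/leaf.crt" 2>/dev/null
}

# Succeeds only if cert $2 chains to CA $1 and its SAN covers hostname $3; a wildcard
# covers exactly one label, so storage.at.home matches but a.b.at.home does not.
leaf_valid_for() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Succeeds if the SHA-256 fingerprint of CA cert $1 is in bundle $2: the check to run
# after update-ca-certificates --fresh has rebuilt the bundle.
ca_in_bundle() {
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  bundle=${2:-/etc/ssl/certs/ca-certificates.crt}; tmp=$(mktemp); found=1
  while IFS= read -r line; do
    printf '%s\n' "$line" >> "$tmp"
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      got=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 2>/dev/null || true)
      : > "$tmp"
      [ "$got" = "$want" ] && found=0 && break
    fi
  done < "$bundle"
  rm -f "$tmp"; return $found
}
```

On the box itself you would call `ca_in_bundle /boot/config/home.at.ca.crt` with no second argument and `leaf_valid_for /boot/config/home.at.ca.crt home.at.wildcard.crt storage.at.home`; a failure of the second with a name like at.home or a.b.at.home is the wildcard rule, not a broken CA.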
ddumont Posted April 10, 2022

So yeah... it looks like a lot of work, but it's not too bad. What does this get me, you may ask? Well, I have a docker container that runs nginx and actually proxies all of my web traffic on the box and containers (including unraid) with my certificate. I'll attach that here for info... the rules about web sockets are particularly important if you want working console shells on the unraid interface. Now, once you import the root cert into the unraid OS as described above, you can have a docker.at.home registry container running to host your own custom images. I hope this helps some folks.

Attachments: nginx.template, init.sh
ddumont Posted April 10, 2022

I also run a docker container with a DNS server, and I point my home router to it as #1 and Google's secure DNS as #2. This lets me easily define any hostname I want to whatever I want:

    storage.at.home
    docker.at.home
    transmission.at.home
    plex.at.home
    etc...
j0e Posted April 10, 2022

I used to use openssl, but I switched to Step for this purpose: https://smallstep.com/certificates/

It runs in docker, certificate generation is easy, and the cherry on top: it can be used with ACME clients. All my internal services use it via traefik; new certificates are generated with no intervention whatsoever on my part.
wolfNZ Posted May 30, 2022

Hi @j0e, would you be able to help me set up smallstep? I have pulled the image from here https://hub.docker.com/r/smallstep/step-ca and included some of the environment variables suggested, like:

    DOCKER_STEPCA_INIT_NAME (required) the name of your CA—this will be the issuer of your CA certificates
    DOCKER_STEPCA_INIT_DNS_NAMES (required) the hostname(s) or IPs that the CA will accept requests on

I've been trying to follow this guide https://smallstep.com/blog/automate-docker-ssl-tls-certificates/ but I am out of my depth with the trust anchors. How exactly do you go about installing the certificates within another container? I have tried using this command with the fingerprint of the root CA after installing the step apk:

    step ca bootstrap --ca-url https://IP:PORT --fingerprint awdhirg78124etc --install

I can't figure out what to do next 🤔 Will these settings persist, and if this is the correct process, is it likely the problem is with my DNS input for the CA? I just inserted *.tower.home as the init dns names.
j0e Posted May 30, 2022

That's not the route I've taken. This is for having each of your containers "talking" directly and individually with step. I use Traefik, which "talks" with step and generates the certificates for each container. I'm sorry I can't really help you there. Feel free to ask me if you want more info on how to use it with Traefik.
wolfNZ Posted May 31, 2022

Yeah, any info on setting it up with Traefik would be great, thank you. Are you using Traefik locally or exposing ports?
T0a Posted July 16, 2022

I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another host. When I want to query the services with curl from my Unraid box, I always have to add the "-k" flag to allow for insecure requests.

@ddumont I suggest using this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but it can cause problems in certain situations with certain packages.

I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Doesn't Unraid prevent you from executing scripts from the USB stick directly, or am I wrong here?
GreatAbe Posted October 19, 2023

I'll add that I'd like the ability to import a root certificate as a trusted CA in unraid. I want unraid to trust my firewall's certificate. I use a Palo Alto firewall at home and want to enable MitM decryption of all traffic. This would give me visibility into what types of traffic are initiated outbound. Without decryption, traffic and application type show as SSL.

When I was looking through logs today, I noticed telegram and telnet traffic outbound from my unraid host. That causes concern, considering I am unaware of any of my docker apps that have either as a requirement. But my first issue to address is getting more visibility into all outbound traffic from the host.
GreatAbe Posted October 20, 2023

On 7/16/2022 at 5:28 AM, T0a said: "I would love having the ability to add custom root CA certificates as well. In my case, I have services available via HTTPS with a custom wildcard certificate on another host. When I want to query the services with curl from my Unraid box, I always have to add the "-k" flag to allow for insecure requests. @ddumont I suggest using this Perl version for the latest Unraid version, which is based on Slackware 15.0. Right now, you install Perl from Slackware 14.x. That shouldn't be a problem in general, but it can cause problems in certain situations with certain packages. I wonder if there is a problem executing your /boot/config/fix-ca-certificates script from within the USB stick. Doesn't Unraid prevent you from executing scripts from the USB stick directly, or am I wrong here?"

Thank you for contributing your suggested Perl version. Would you still recommend that version? Your reply is over a year old, and I thought I would check before I follow the steps to import my CA. I'm on 6.12.x, if that matters.
dopeytree Posted April 11

Any update on this feature request?