Nodiaque, posted May 19, 2022

Hello everyone,

I'm currently on unraid 6.9.2 and I ran into an issue this morning. I cannot access my webgui from Firefox but it works from Edge. The error I get is certificate revoked, so it seems Edge doesn't do CRL check. I know the problem, I did renew my certificate with SWAG. I might not be doing that the right way; if there's another, please tell me.

I'm using SWAG for reverse proxy, but I don't have unraid in the reverse proxy for security reasons. Unraid isn't accessible from the outside. But I do use an FQDN for my server that is on my subdomain. So what I do is generate the certificate with SWAG and then copy the ssl file to my flash drive. This works well, but it requires a full server reboot just because there's no button to restart the webgui.

Now, I was wondering if there's a command I can run to restart the webgui? I would add it to my script that syncs the certificate or simply run it by hand.

Thank you

ljm42, posted May 19, 2022 (Solution)

This should do it:

/etc/rc.d/rc.nginx reload

FYI - Unraid 6.10 is a bit more strict with making sure your certificate matches your settings. I'd recommend running the Fix Common Problems plugin, it will warn you if your certificate is actually valid or not before you upgrade.

Nodiaque (Author), posted May 19, 2022

Ah, that worked, thanks!

As for the certificate, I don't really remember why I did that. I do have my servername and local TLD set so in the end, it does something like myserver.duckdns.org (tld = duckdns.org). I just ran Fix Common Problems and no error.

Would the certificate generated by unraid cover both IP and name? Because I think that was my issue, the server was signed for my IP, with a self-signed cert instead of a trusted CA.

Thanks again!

ljm42, posted May 19, 2022

> Nodiaque said:
> Ah, that worked, thanks!

woot!

> Nodiaque said:
> As for the certificate, I don't really remember why I did that. I do have my servername and local TLD set so in the end, it does something like myserver.duckdns.org (tld = duckdns.org). I just ran Fix Common Problems and no error.

Unraid 6.9.2 isn't as picky, but in 6.10.0 the Subject of the cert has to exactly match servername.localTLD. FCP would warn about this so you should be good.

> Nodiaque said:
> Would the certificate generated by unraid cover both IP and name? Because I think that was my issue, the server was signed for my IP, with a self-signed cert instead of a trusted CA.

Unraid will generate a self-signed cert for servername.localTLD. It does not include the IP in the cert because of complications with IP addresses changing. Plus, it is self-signed so you would have to ignore a browser warning whether the IP was in the cert or not.

Nodiaque (Author), posted May 19, 2022

Ah ok, that's why I'm using a script to copy the certificate from SWAG, since it's generating a servername.localtld certificate for that server. This way, no browser warning except for IP (while my server has a fixed IP).

Thanks!

ljm42, posted May 19, 2022

That makes sense, a real cert is better than self-signed.

Just to mention for anyone else following along... If you don't have your own domain and/or don't want to set up something like SWAG, Unraid does provide an unraid.net cert (6.9.2) or myunraid.net cert (6.10.0). See https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

Nodiaque (Author), posted May 19, 2022

If I add the nginx reload command in a user script (from the plugin), would the plugin be interrupted when nginx is rebooted?

ljm42, posted May 19, 2022

As long as you do 'reload' and not 'restart' you should be fine

Earendur, posted February 4, 2023 (edited February 4, 2023)

I've successfully done the exact same thing here except I'm using a traefik docker container for my automatic certificate provisioning for my services and not SWAG.

I created a User Script that extracts the certs using jq, concats the cert and key into a .pem bundle, then it uses openssl verify to check that the cert is valid before issuing the command to reload the web ui.

Here's the script:

```bash
#!/bin/bash

traefik_path=/mnt/user/appdata/traefik
acme_json=$traefik_path/acme.json
domain=mydomain.com
domain_cert=$traefik_path/certs/$domain.crt
domain_key=$traefik_path/certs/$domain.key
unraid_cert=/boot/config/ssl/certs/tower_unraid_bundle.pem

# Use jq to extract the cert and the key - decode them from base64 - store them in files for later use
jq -r '.[].Certificates[] | select(.domain.main=="'"${domain}"'") | .certificate' "$acme_json" | base64 -d > "$domain_cert"
jq -r '.[].Certificates[] | select(.domain.main=="'"${domain}"'") | .key' "$acme_json" | base64 -d > "$domain_key"

# concatenate the certs and the key into a .pem file at the correct location for unraid to utilize
cat "$domain_cert" "$domain_key" > "$unraid_cert"

# if openssl can verify the cert as valid, recycle the webui
openssl verify -untrusted "$domain_cert" "$unraid_cert" 2>/tmp/err
if [ -s /tmp/err ]
then
    echo Certificate Failed to verify.
else
    echo Certificate verified Successfully - recycling Unraid Web UI...
    # reload the web UI to accept the new cert
    /etc/rc.d/rc.nginx reload
fi
```

I believe jq comes with the NerdPack plugin, so you'll need to install that first.

I haven't found a lot of info for people who use Traefik proxy, so hopefully this helps others who do.

A possible enhancement to this might be to check that the acme.json has been updated, or check if the specific domain cert has been updated before running the script. A watch might be able to be used on the acme.json file to do this, or inotify, but this version works for me and the reload of the web UI doesn't seem to cause any issues. I don't have to re-log in for my logged in session, I can run this via the User Scripts UI and it doesn't cause issues, etc.

To be honest, I'm not entirely sure that the way I used OpenSSL to verify is the correct way to do it.
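
An added example, not part of any post in this thread or of Unraid's own tooling: it checks a staged bundle (key matches certificate, certificate names servername.localTLD, not about to expire) before it replaces the live file, and skips the reload when nothing changed. The function names, the `RELOAD_CMD` variable and the 24-hour expiry window are assumptions made for the illustration; the reload command is the one given earlier in the thread.

```bash
#!/bin/bash
# Added example: validate a staged certificate bundle before it goes live.
# RELOAD_CMD (hypothetical variable) defaults to the command from this thread.
RELOAD_CMD=${RELOAD_CMD:-/etc/rc.d/rc.nginx reload}

# check_bundle BUNDLE HOSTNAME [MIN_SECONDS_LEFT]
# Returns 0 only if BUNDLE holds a certificate plus its matching private key,
# the certificate names HOSTNAME, and it stays valid for MIN_SECONDS_LEFT.
check_bundle() {
    local bundle=$1 host=$2 min_left=${3:-86400} cert_pub key_pub
    # Public key embedded in the first certificate of the bundle.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
    # Public key derived from the private key stored in the same file.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # -checkhost reports its result as text, so match the success message.
    openssl x509 -in "$bundle" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || return 1
    # -checkend exits non-zero if the certificate expires within the window.
    openssl x509 -in "$bundle" -noout -checkend "$min_left" >/dev/null 2>&1
}

# install_bundle CANDIDATE TARGET HOSTNAME
# Replaces TARGET and reloads nginx only when CANDIDATE passes check_bundle.
install_bundle() {
    local candidate=$1 target=$2 host=$3 tmp
    check_bundle "$candidate" "$host" || { echo "rejected: $candidate" >&2; return 1; }
    # Nothing to do if the live bundle is already identical.
    cmp -s "$candidate" "$target" 2>/dev/null && return 0
    # mktemp creates the file with mode 600; write beside the target and
    # rename so nginx never reads a half-written bundle.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    cat "$candidate" > "$tmp" && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    $RELOAD_CMD   # unquoted on purpose: command plus its argument
}
```

Called as `install_bundle /path/to/staged.pem /boot/config/ssl/certs/tower_unraid_bundle.pem servername.localTLD`, a rejected candidate leaves the live bundle and the running web UI untouched.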

RealActorRob, posted March 12

> On 5/19/2022 at 1:17 PM, ljm42 said:
> This should do it:
> /etc/rc.d/rc.nginx reload
> FYI - Unraid 6.10 is a bit more strict with making sure your certificate matches your settings. I'd recommend running the Fix Common Problems plugin, it will warn you if your certificate is actually valid or not before you upgrade.

Also worked for me, boom. What things should I look for to stop from crashing tho?