Restart only the webgui?


Go to solution Solved by ljm42,


Hello everyone,

 

I'm currently on Unraid 6.9.2 and I ran into an issue this morning. I cannot access my webgui from Firefox, but it works from Edge. The error I get is certificate revoked, so it seems Edge doesn't do a CRL check. I know the problem: I renewed my certificate with SWAG. I might not be doing that the right way; if there's another, please tell me.

 

I'm using SWAG as a reverse proxy, but I don't have Unraid in the reverse proxy for security reasons. Unraid isn't accessible from the outside. But I do use an FQDN for my server that is on my subdomain. So what I do is generate the certificate with SWAG and then copy the SSL file to my flash drive. This works well, but it requires a full server reboot just because there's no button to restart the webgui.

 

Now, I was wondering if there's a command I can run to restart the webgui? I would add it to my script that syncs the certificate or simply run it by hand.

 

Thank you

Link to comment
  • Solution

This should do it:

/etc/rc.d/rc.nginx reload

 

FYI - Unraid 6.10 is a bit more strict with making sure your certificate matches your settings. I'd recommend running the Fix Common Problems plugin, it will warn you if your certificate is actually valid or not before you upgrade.

  • Upvote 2
Link to comment

Ah, that worked, thanks!

 

As for the certificate, I don't really remember why I did that. I have set my servername and local TLD so in the end, it does something like myserver.duckdns.org (tld = duckdns.org). I just ran Fix Common Problems and there was no error.

 

Would the certificate generated by Unraid cover both IP and name? Because I think that was my issue: the server was signed for my IP, with a self-signed instead of a trusted CA.

 

thanks again!

Link to comment
1 minute ago, Nodiaque said:

Ah, that worked, thanks!

woot!

 

2 minutes ago, Nodiaque said:

As for the certificate, I don't really remember why I did that. I have set my servername and local TLD so in the end, it does something like myserver.duckdns.org (tld = duckdns.org). I just ran Fix Common Problems and there was no error.

Unraid 6.9.2 isn't as picky, but in 6.10.0 the Subject of the cert has to exactly match servername.localTLD.  FCP would warn about this so you should be good.

 

3 minutes ago, Nodiaque said:

Would the certificate generated by Unraid cover both IP and name? Because I think that was my issue: the server was signed for my IP, with a self-signed instead of a trusted CA.

Unraid will generate a self-signed cert for servername.localTLD. It does not include the IP in the cert because of complications with IP addresses changing. Plus, it is self-signed so you would have to ignore a browser warning whether the IP was in the cert or not.

  • Like 1
Link to comment
  • 8 months later...

I've successfully done the exact same thing here except I'm using a traefik docker container for my automatic certificate provisioning for my services and not SWAG. I created a User Script that extracts the certs using jq, concats the cert and key into a .pem bundle, then it uses openssl verify to check that the cert is valid before issuing the command to reload the web ui.

Here's the script:
 

#!/bin/bash
# Keep the extracted private key readable by its owner only
umask 077

traefik_path=/mnt/user/appdata/traefik
acme_json="$traefik_path/acme.json"
domain=mydomain.com
domain_cert="$traefik_path/certs/$domain.crt"
domain_key="$traefik_path/certs/$domain.key"
unraid_cert=/boot/config/ssl/certs/tower_unraid_bundle.pem

# Use jq to extract the cert and the key - decode them from base64 - store them in files for later use
# (--arg passes the domain to jq as data instead of splicing it into the filter)
jq -r --arg d "$domain" '.[].Certificates[] | select(.domain.main==$d) | .certificate' "$acme_json" | base64 -d > "$domain_cert"
jq -r --arg d "$domain" '.[].Certificates[] | select(.domain.main==$d) | .key' "$acme_json" | base64 -d > "$domain_key"

# concatenate the certs and the key into a .pem file at the correct location for unraid to utilize
cat "$domain_cert" "$domain_key" > "$unraid_cert"

# if openssl can verify the cert as valid, recycle the webui
# (test the exit status of openssl verify rather than whether it wrote to stderr)
if openssl verify -untrusted "$domain_cert" "$unraid_cert"
then
  echo "Certificate verified Successfully - recycling Unraid Web UI..."
  # reload the web UI to accept the new cert
  /etc/rc.d/rc.nginx reload
else
  echo "Certificate Failed to verify."
fi


I believe jq comes with the NerdPack plugin, so you'll need to install that first. I haven't found a lot of info for people who use Traefik proxy, so hopefully this helps others who do.

A possible enhancement to this might be to check that the acme.json has been updated, or check if the specific domain cert has been updated before running the script. A watch might be able to be used on the acme.json file to do this, or inotify, but this version works for me and the reload of the web UI doesn't seem to cause any issues. I don't have to re-log in for my logged in session, I can run this via the User Scripts UI and it doesn't cause issues, etc.

To be honest, I'm not entirely sure that the way I used OpenSSL to verify is the correct way to do it.

Edited by Earendur
Link to comment
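Added example, not part of the post above or of Unraid's own tooling: one way to cover the two open points in that post, namely checking that the bundle is sound and reloading only when the certificate actually changed. The function names are hypothetical, and OpenSSL's `-checkhost` is used here as a stand-in for the servername.localTLD match mentioned earlier in the thread, not Unraid's own check.

```bash
#!/bin/bash
# Added example: validate a candidate cert+key bundle, then install it only
# if it differs from what is already in place. Function names are hypothetical.

# Succeeds if the first certificate in bundle $1 parses, its public key
# matches the private key in the same file, it stays valid for at least
# $3 seconds (default: one day) and OpenSSL's hostname check accepts $2.
bundle_ok() {
  local bundle=$1 host=$2 min_left=${3:-86400} cert_pub key_pub
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$bundle" -noout -checkend "$min_left" >/dev/null || return 1
  # -checkhost prints its verdict rather than signalling it via the exit status
  openssl x509 -in "$bundle" -noout -checkhost "$host" |
    grep -q 'does match certificate'
}

# Copies $1 over $2 through a temp file + rename so the web server never
# reads a half-written bundle. Returns 0 if the target changed (reload
# needed), 1 if it was already identical, 2 on error.
install_if_changed() {
  local candidate=$1 target=$2 tmp
  cmp -s "$candidate" "$target" && return 1
  tmp=$(mktemp "${target}.XXXXXX") || return 2
  if cat "$candidate" > "$tmp" && mv -f "$tmp" "$target"; then
    return 0
  fi
  rm -f "$tmp"
  return 2
}

# Returns 0 = installed (caller should reload), 1 = unchanged,
# 2 = candidate rejected or install error (target left untouched).
refresh_bundle() {
  local candidate=$1 target=$2 host=$3
  bundle_ok "$candidate" "$host" || return 2
  install_if_changed "$candidate" "$target"
}
```

With these functions, the bundle would first be written to a scratch file, and `/etc/rc.d/rc.nginx reload` would run only when `refresh_bundle` returns 0.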
  • 1 year later...
On 5/19/2022 at 1:17 PM, ljm42 said:

This should do it:

/etc/rc.d/rc.nginx reload

 

FYI - Unraid 6.10 is a bit more strict with making sure your certificate matches your settings. I'd recommend running the Fix Common Problems plugin, it will warn you if your certificate is actually valid or not before you upgrade.

 

Also worked for me, boom. 

 

What things should I look for to stop from crashing tho?

 

Link to comment
