
6.9.2 WebUI not available after enabling SSL


Go to solution Solved by ljm42,


Hello!
First off, this isn't the first time this has happened...

Every time I enable the SSL Feature of myServer it just bricks the WebUI.

It sends me to https://IP/ and that is for some reason unavailable. 

When I go to http://IP/ it brings me back to http. When I go to http://tower.local it brings me to https://tower.local/.
My first thought was going to /boot/config/ident.cfg and setting USE_SSL from auto to no but nothing changed.
After that I booted Unraid to GUI SAFE MODE but that says "Unable to connect" with http and https.
Last time I fixed it was by remaking my whole server but I don't wanna do that again...

 

Another thing is on the start screen where I select the Boot option of Unraid my cursor goes zuuuuuummmmmm with every click.
What I mean is if I click down once it moves the cursor completely down. Same with up.
My "solution" was spamming up and down till it lands on GUI SAFE MODE.

 

Anything would help... 
Output of curl:
C:\Users\jerem>curl -l http://192.168.1.101/
curl: (7) Failed to connect to 192.168.1.101 port 80 after 2044 ms: Connection refused
C:\Users\jerem>curl -l https://192.168.1.101/
curl: (7) Failed to connect to 192.168.1.101 port 443 after 2062 ms: Connection refused

zkwolf-tower-diagnostics-20220521-1201.zip

Link to comment

I read online that you can reboot the WebUI with "nginx -s reload".
If I do that I get this message: nginx: [emerg] cannot load certificate "/etc/ssl/certs/unraid_bundle.pem": PEM_read_bio_X509() failed (SSL: error:0908F066:PEM routines:get_header_and_data:bad end line)
Does this help?

I tried deleting the content of /etc/ssl/cert/ and rebooted but I get the same error.
Source: 

 

Edited by ZKWolf
Link to comment
2 hours ago, ZKWolf said:

Every time I enable the SSL Feature of myServer

Just to be clear, SSL is a feature of the base OS. Installing/uninstalling the My Servers plugin will have no effect on SSL. Safe mode will have no effect on SSL either, as it is not related to a plugin.

 

39 minutes ago, ZKWolf said:

I read online that you can reboot the WebUI with "nginx -s reload".

 

No, don't do that. On Unraid you should do:

/etc/rc.d/rc.nginx reload


It sounds like you've been trying a bunch of things, so the diagnostics are probably not current.

 

If you deleted the certificates and ran the command above, then you should be able to access the webgui via either of these urls:
  http://ipaddress 
  http://ZKWolf-Tower.local

 

If the login screen comes up but won't let you log in, clear your browser's cache.

 

Let me know if you can get that far, and then let me know what your goals are. Also please provide current diagnostics.

Link to comment
  • ljm42 changed the title to 6.9.2 WebUI not available after enabling SSL
44 minutes ago, ljm42 said:
/etc/rc.d/rc.nginx reload

SSH Output: 

root@ZKWolf-Tower:~# /etc/rc.d/rc.nginx reload
Nginx is not running


After that I deleted the Certs and ran it again:
 

root@ZKWolf-Tower:~# rm /etc/ssl/certs/*
root@ZKWolf-Tower:~# ls /etc/ssl/certs/
root@ZKWolf-Tower:~# /etc/rc.d/rc.nginx reload
Nginx is not running
root@ZKWolf-Tower:~# /etc/rc.d/rc.nginx start
Starting Nginx server daemon...
nginx: [emerg] cannot load certificate key "/etc/ssl/certs/unraid_bundle.pem": PEM_read_bio_PrivateKey() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY)
root@ZKWolf-Tower:~#

I restarted the server and created a new Diagnostic.zip

Reload still says Nginx not running.

Edit:  My goals are having access to the Web-UI again.

image.png.149305bdfaef41eab7c137f320256c65.png

image.png

zkwolf-tower-diagnostics-20220521-1510.zip

Edited by ZKWolf
Link to comment

OK things are in a strange state. Let's delete the cert and reboot:

rm /boot/config/ssl/certs/certificate_bundle.pem
reboot

(that first command might give an error that the file doesn't exist, that is fine. I'm not 100% sure if you already did that)

 

After the reboot you should be able to access the webgui via either of these urls:
  http://ipaddress 
  http://ZKWolf-Tower.local

 

If the login screen comes up but won't let you log in, clear your browser's cache.

Link to comment
1 minute ago, ljm42 said:

OK things are in a strange state. Let's delete the cert and reboot:

root@ZKWolf-Tower:~# rm /boot/config/ssl/certs/certificate_bundle.pem
root@ZKWolf-Tower:~# reboot

Broadcast message from root@ZKWolf-Tower (pts/0) (Sat May 21 15:23:26 2022):

The system is going down for reboot NOW!
root@ZKWolf-Tower:~#

Still get ERR_CONNECTION_REFUSED 

And I don't know how this just happened but /boot is now empty?????
 

C:\Users\jerem>ssh [email protected]
Password:
Last failed login: Sat May 21 15:27:49 PDT 2022 from 192.168.1.234 on ssh:notty
There were 7 failed login attempts since the last successful login.
Linux 5.10.28-Unraid.
root@ZKWolf-Tower:~# diagnostics
Starting diagnostics collection... mkdir: cannot create directory ‘/boot/logs’: Input/output error
done.
ZIP file '/boot/logs/zkwolf-tower-diagnostics-20220521-1529.zip' created.
root@ZKWolf-Tower:~# ls /boot/
root@ZKWolf-Tower:~# ls /boot/
root@ZKWolf-Tower:~# sudo ls /boot/
root@ZKWolf-Tower:~# diagnostics
Starting diagnostics collection... mkdir: cannot create directory ‘/boot/logs’: Input/output error
done.
ZIP file '/boot/logs/zkwolf-tower-diagnostics-20220521-1531.zip' created.
root@ZKWolf-Tower:~# reboot

Yes I know I had CapsLock enabled that's why 7 failed logins...

Another reboot and my /boot folder is back again. New diagnostics attached. But the Web-UI is back again!

So solved? Should I send anything else or change something so this doesn't happen again?

zkwolf-tower-diagnostics-20220521-1537.zip

Link to comment

Glad you are back up and running.

 

8 minutes ago, ZKWolf said:

So solved?

 

That gets back to my question about your goal. If you are trying to get an unraid.net SSL certificate so you can set up My Servers Remote Access, then we aren't there yet.

 

I suspect that the reason you had issues is that your network has DNS Rebinding Protection enabled.  Let's check that and decide whether to continue. Open a web terminal (or SSH) and run:

ping -c 1 -w 1 rebindtest.unraid.net

then post the output here

 

 

Link to comment

The Boot folder is back after another restart. 

It would be nice to have MyServer but I am running all of this behind a Unifi DreamMachine PRO and from what I read it's pretty hard/impossible to set up RebindDNS on it.

I did enter everything on my router and on the UDM-Pro but I am still getting 100% packet loss to "ping -c 1 -w 1 rebindtest.unraid.net" on it so I think I'll let it be unless anyone knows a way to set it up behind a UDM-Pro.

 

One thing I did notice is that Port 443/https is not usable. I have noticed this in the past and only used http/Port 80 but if I re-enable SSL will the error occur again?

Should I test it?

Link to comment
16 minutes ago, ZKWolf said:

I did enter everything on my router and on the UDM-Pro but I am still getting 100% packet loss to "ping -c 1 -w 1 rebindtest.unraid.net" on it so I think I'll let it be unless anyone knows a way to set it up behind a UDM-Pro.

Please paste the result? Packet loss is expected, what I need to see is did it resolve to the correct IP address.

 

16 minutes ago, ZKWolf said:

One thing i did notice is that Port 443/https is not usable.

What do you mean by this?

 

Do you have a Docker container that is already running on port 443? If so, then to set up SSL for the webgui you will need a different port, perhaps something like 2443 or 3443, as long as it is not already in use.

Link to comment
4 minutes ago, ljm42 said:

I did enter everything on my router and on the UDM-Pro but I am still getting 100% packet loss to "ping -c 1 -w 1 rebindtest.unraid.net" on it so I think I'll let it be unless anyone knows a way to set it up behind a UDM-Pro.

Result:

C:\WINDOWS\system32>ping -c 1 -w 1 rebindtest.unraid.net

Pinging rebindtest.unraid.net [192.168.42.42] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.42.42:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\WINDOWS\system32>

I don't know why it shows 192.168.42.42.

My IP ranges are 192.168.1.X and 192.168.178.X

My DNS Servers are 1.1.1.1 and 8.8.8.8

8 minutes ago, ljm42 said:

Do you have a Docker container that is already running on port 443? If so, then to set up SSL for the webgui you will need a different port, perhaps something like 2443 or 3443, as long as it is not already in use.

No I have all of my dockers on other IPs except a few that use different Ports.

image.thumb.png.3d4b1cdb876dc0305c914077e6f7bf04.png

I just set SSL/TLS to Auto and I get the ERR_CONNECTION_REFUSED again on https://zkwolf-tower.local and https://192.168.1.101/.

I also changed the Port to 9443 and still Connection refused.

I made a new Diagnostics and I don't know if I should restart because a Parity-Check is in progress at the moment.

zkwolf-tower-diagnostics-20220522-0124.zip

Link to comment
1 minute ago, ZKWolf said:

I don't know why it shows 192.168.42.42.

That is the test, if rebindtest.unraid.net resolves to that address then we know that DNS Rebinding Protection is disabled on your network, and you WILL be able to use an unraid.net SSL certificate.

 

Nothing actually exists at that address, so nothing will respond when you ping it. But Unraid 6.9.2 does not have `nslookup` so I use `ping` to test it.

 

5 minutes ago, ZKWolf said:

I just set SSL/TLS to Auto and I get the ERR_CONNECTION_REFUSED again on https://zkwolf-tower.local and https://192.168.1.101/.

 

You are jumping ahead :)  You should still be able to login at the http url right? 

 

Let's go back to your goal. Do you want:

1)  https://zkwolf-tower.local on a self-signed cert

2) or do you want https://yourpersonalhash.unraid.net with an official Let's Encrypt certificate and the ability to use My Servers Remote Access?

 

If you want both, then you need to upgrade to 6.10.1 before proceeding. 6.9.2 only supports one or the other.

Link to comment
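An added example, not part of the thread: reading the result of the rebind test from ping output the way the post above describes, by looking at the resolved address and ignoring packet loss. The function names are hypothetical, and treating a failed lookup as "answer filtered or DNS failure" is an assumption beyond what the post states.

```shell
#!/bin/sh
# Added example: read the outcome of the thread's rebind test from ping output.
EXPECTED_IP=192.168.42.42   # address quoted in the thread for rebindtest.unraid.net

# classify_rebind_test "<ping output>" prints one of:
#   pass        name resolved to EXPECTED_IP (packet loss is irrelevant)
#   unresolved  no address in the output (answer filtered, or DNS failure)
#   unexpected  name resolved to some other address
classify_rebind_test() {
    resolved=$(printf '%s\n' "$1" | sed -n \
        -e 's/^PING [^ ]* (\([0-9.]*\)).*/\1/p' \
        -e 's/^Pinging [^ ]* \[\([0-9.]*\)].*/\1/p' | head -n 1)
    case "$resolved" in
        "$EXPECTED_IP") echo "pass" ;;
        "")             echo "unresolved" ;;
        *)              echo "unexpected $resolved" ;;
    esac
}

# Live check, using the command from the thread (needs network access):
run_rebind_test() {
    classify_rebind_test "$(ping -c 1 -w 1 rebindtest.unraid.net 2>&1)"
}

# Windows output as posted in the thread (trimmed).
win_out='Pinging rebindtest.unraid.net [192.168.42.42] with 32 bytes of data:
Request timed out.'
# Constructed Linux-style outputs: one resolving, one where the lookup failed.
linux_out='PING rebindtest.unraid.net (192.168.42.42) 56(84) bytes of data.'
fail_out='ping: rebindtest.unraid.net: Name or service not known'

for sample in "$win_out" "$linux_out" "$fail_out"; do
    classify_rebind_test "$sample"
done
```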

I'm sorry for jumping ahead. 😅

I don't want to update to a Beta OS because I really don't want to kill my Server and remake all my dockers...

So I'm setting my goal to MyServer.

http://zkwolf-tower.local/ is still up and I can do everything.

What do I need to do? My current config:

image.thumb.png.9142590d9538a6e1da828ddc29cdefe4.png

image.png.ae7b504c318fbf142c7ab910c1a25177.png

Just a thing I want to say is that when I paste a Screenshot from my ClipBoard to a Reply it Uploads it twice. Don't know if it's a me problem. 😅

Link to comment
8 minutes ago, ljm42 said:

Go ahead and press Provision. Because Use SSL is set to "Auto", this will replace the self-signed cert with an official Let's Encrypt certificate and change your Local Access url to https://yourpersonalhash.unraid.net:9443

I did and it redirected me to https://hash.unraid.net:9443/ 

But no access.

image.png.7e32425c585517779c85e8ea2b5ae2f2.png

image.thumb.png.24111d04e604a9b377cf2a39d5885398.png

9443 is Forwarded on my router and UDM to my unraid client.

Edit: I can still access http://192.168.1.101/login

 

Edited by ZKWolf
Link to comment
2 minutes ago, ljm42 said:

Try to ping hash.unraid.net

Pinging HashHashHash.unraid.net [192.168.1.101] with 32 bytes of data:
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64
Reply from 192.168.1.101: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\system32>

I get a response from the Server.

I also tried a different Browser but same as in Chrome ^^

Link to comment

OK so it resolves correctly but the server isn't responding? That is unexpected.

 

You mentioned you can still get in via http, which is odd as well. Please log in and go to Settings -> Management Access; would you mind taking a screenshot? Block out your hash if you can.

Link to comment
2 minutes ago, ljm42 said:
/etc/rc.d/rc.nginx reload

 

root@ZKWolf-Tower:~# /etc/rc.d/rc.nginx reload
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] cannot load certificate "/etc/ssl/certs/unraid_bundle.pem": PEM_read_bio_X509() failed (SSL: error:0908F066:PEM routines:get_header_and_data:bad end line)
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not reloaded
root@ZKWolf-Tower:~#

And http://IP/ does not redirect. Everything is still accessible via that address. 

I tried https://HASH.unraid.net:9443/ again but still nothing on there.

If I need to I can Upgrade to 6.10.1 because as you said it's released.

Link to comment

Thanks! I'd recommend that you delete the bad cert:

rm /boot/config/ssl/certs/certificate_bundle.pem

especially if you choose to upgrade to 6.10, that will smooth the upgrade.

 

Rebooting is fine.

 

You are also welcome to try provisioning again later, just delete the cert again if it fails.

Link to comment
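An added example, not part of the thread and not Unraid's own tooling: a structural check of a PEM bundle that catches the two failures nginx reported above ("bad end line" and "no start line ... ANY PRIVATE KEY") before the service is started. The function name is hypothetical, and requiring both a certificate and a private key in the one file is inferred from the nginx messages, which load both from unraid_bundle.pem.

```shell
#!/bin/sh
# Added example: structural check of a PEM bundle before an nginx reload.
# Returns 0 only if every BEGIN has a matching END and the file holds at
# least one certificate and one private key; otherwise prints the reason.
check_pem_bundle() {
    bundle=$1
    if [ ! -s "$bundle" ]; then
        echo "missing or empty: $bundle"
        return 1
    fi
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") { print "line " NR ": BEGIN inside unclosed " cur; bad = 1; exit }
            cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
            next
        }
        /^-----END / {
            label = $0; sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if ($0 !~ /^-----END [A-Z0-9 ]+-----$/ || label != cur) {
                print "line " NR ": bad end line"; bad = 1; exit
            }
            if (label == "CERTIFICATE") certs++
            if (label ~ /PRIVATE KEY$/) keys++
            cur = ""
        }
        END {
            if (bad) exit 1
            if (cur != "") { print "truncated: no END line for " cur; exit 1 }
            if (certs < 1) { print "no certificate block"; exit 1 }
            if (keys < 1)  { print "no private key block"; exit 1 }
            print "ok: " certs " certificate(s), " keys " key(s)"
        }
    ' "$bundle"
}

# Constructed sample (placeholder base64, not real key material): the
# certificate END line is cut short, as after an interrupted write.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDRA==' '-----END CERTIFICA' \
    '-----BEGIN PRIVATE KEY-----' 'RUZHSA==' '-----END PRIVATE KEY-----' > "$sample"
check_pem_bundle "$sample" || echo "do not start nginx with this bundle"
rm -f "$sample"
```

The check is structural only; it does not verify that the key matches the certificate or that the certificate is still valid.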
