Unable to open unraid by IP address since upgrade to 6.10



Since updating to 6.10 I can't connect to my server via its IP address without Chrome throwing a hissy fit about it not being secure.

 

Typing 'thisisunsafe' at this prompt allows me to bypass it, but it comes back after a day or 2.

 

Tried once to just disable SSL in the config, and that led to being unable to access the GUI at all, and having to edit a file on the USB stick from another machine. I've generated a cert, installed it on my Mac, clicked the lock on the page at the top and told it to trust this cert, and it still does this. It's driving me crazy. I need a fix for this.

 


Link to comment

Odd, you are getting a NET::ERR_CERT_INVALID message from Chrome whereas when I visit
  https://ipaddress
I get a NET::ERR_CERT_AUTHORITY_INVALID message. The ERR_CERT_AUTHORITY_INVALID message can be ignored but ERR_CERT_INVALID cannot.

 

The diagnostics look good, but can you confirm whether you have provided the Tower_unraid_bundle.pem certificate on your own or did you let Unraid generate it?

 

Please try accessing https://tower.local . That is the url your certificate is meant to be used at. It is still self-signed, so it should throw a NET::ERR_CERT_AUTHORITY_INVALID error which can be ignored (I'm trying to see if your Chrome will work with the self-signed cert at the proper url or if it refuses to use the cert at all).

 

Also, can you try accessing https://ipaddress from another computer? I am wondering if your Chrome has a more strict security setting somehow.

Link to comment

So with a fully proper cert, like the Let's Encrypt cert Unraid provides for the myunraid.net domain, the browser can guarantee that you are connected to the server you think you are connecting to.
 

But with a self-signed cert, there is no way for the browser to guarantee you are connecting to the server you think you are. Anyone can create a self-signed cert and put it anywhere. 
 

On Windows, Chrome trusts the user. It shows an error saying ERR_CERT_AUTHORITY_INVALID because it doesn't really trust the server, but it gives you the opportunity to choose "Proceed to tower.local" if you are confident you are connecting to the right place. It will remember this choice and not prompt you again until the cert changes.
 

But Macs don't give you that option. Chrome on a Mac just throws the generic ERR_CERT_INVALID message and does not let you past it without typing 'thisisunsafe'. Based on your experience, it sounds like Chrome then makes you confirm this choice every few days. It looks like there is a way for you to add the cert to the Mac so Chrome will trust it; I am not sure why that didn't work for you when you tried it. I am told these instructions are valid even though they are old, maybe it will help?

   https://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/

 

There is nothing that Unraid can do to change the behavior of Chrome on a Mac.
 

The options I see for you are:
 

1) Use the fully proper myunraid.net certificate provided by Unraid. If your network doesn't block this with DNS Rebinding Protection, this is really the best and most secure option.
 

2) Continue using a self-signed cert and typing 'thisisunsafe' when Chrome on a Mac prompts, or figure out how to get the Mac to trust the cert. Or use a different browser / OS that is less strict and trusts you when you say "proceed to Tower".
 

3) Disable SSL and just use http. 

Link to comment

Aha! I see what changed.

 

If you had an unraid.net cert installed in Unraid 6.9.2, it would be used for urls that did not match the cert, such as https://ipaddress. 

 

Unraid 6.10 has a big focus on security, so it will only use the unraid.net certificate for urls that actually match the certificate. For other urls, like https://ipaddress and https://tower.local it uses a self-signed certificate.

 

So the change is that your browser is now seeing a self-signed cert for https://ipaddress and apparently Chrome on Mac thinks that is riskier than using a proper cert with the wrong url. I'd disagree, but anyway we can't control what Chrome on the Mac does. I'd suggest you have the same 3 options available to you.

Link to comment
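
An added example, not part of the original thread or Unraid's own tooling: the name matching the posts above describe can be checked locally with OpenSSL. The script builds a throwaway self-signed cert for tower.local (constructed sample; 192.0.2.10 is a documentation address standing in for the server IP) and reports whether each URL host is covered and whether the cert is self-issued. It assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Constructed sample: a self-signed cert whose only SAN is DNS:tower.local,
# like the cert the thread says is served for https://tower.local.
make_cert() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=tower.local" -addext "subjectAltName=DNS:tower.local" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Prints "match" or "mismatch" for the host part of a URL.
# IP literals are compared against IP SANs, everything else against DNS SANs.
name_check() {  # $1 = cert file, $2 = hostname or IP literal
  case "$2" in
    *:*)       flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) flag=-checkhost ;;  # contains letters: DNS name
    *)         flag=-checkip ;;    # digits and dots only: IPv4 literal
  esac
  if openssl x509 -in "$1" -noout "$flag" "$2" | grep -q "does match"; then
    echo match
  else
    echo mismatch
  fi
}

# Prints "yes" when issuer and subject are identical (no CA vouches for it).
is_self_signed() {  # $1 = cert file
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Demo on the constructed cert.
demo_dir=$(mktemp -d)
make_cert "$demo_dir"
echo "tower.local: $(name_check "$demo_dir/cert.pem" tower.local)"
echo "192.0.2.10:  $(name_check "$demo_dir/cert.pem" 192.0.2.10)"
echo "self-signed: $(is_self_signed "$demo_dir/cert.pem")"
rm -rf "$demo_dir"
```

Pointing `name_check` and `is_self_signed` at a copy of the server's own certificate file shows which of the two browser errors to expect for a given URL.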