WebUI SSL certificate getting lost



I don’t really understand what’s going on other than that I get a warning every few days from my browser that the website has changed and shouldn’t be trusted. I can set the browser to trust the certificate and everything is fine for a few days until it all happens again.

 

I thought it was a problem with Safari but saw a few comments recently that seem to imply that the problem is being caused by unRAID not using the self-signed certificate that I have been using for years.

 

I found a post showing what the requirements were in unRAID for self-signed certificates and issued the unRAID server a new self-signed certificate with the proper subject line. This worked for about a week and now my browser is complaining again that the website has changed.

 

A Google search yields a lot of posts regarding certificate issues, but I did read one that stated that if I used a LimeTech certificate this would solve the problem. Is that true? If so, is it as simple as just clicking the provision button in settings or are there other requirements?

 

Or maybe it would be easier just to not use SSL? The server is only accessible from my LAN network anyway. Not sure what the pros and cons of that would be though.


Thanks, the system/urls.txt file in the diags confirms that your [servername].[localTLD] matches the certificate, so that is good.

 

As far as I can tell, everything is set up correctly. So if browsers are complaining about the certificate there must be an issue with the certificate.

 

I see a couple of options:

 

1) we troubleshoot what is wrong with the certificate you provided. If you tell me the exact process you used to create the cert I will try to reproduce.

 

2) you delete your self-signed cert and let Unraid generate a self-signed cert for you. I've not had any issues with browsers complaining about the self-signed certs that Unraid creates.

 

3) delete your self-signed cert and let Unraid generate a full and proper Let's Encrypt cert for you. 

 

This is generally best, but a complication is that the diags show your network has DNS Rebinding Protection enabled. The first step in getting past this is to change your DNS server to 8.8.8.8; if diags still show DNS rebinding, then you would need to Google "YourRouterName disable DNS Rebinding" to figure out how to disable that in order to use a fully proper cert.

 

4) Or yeah, maybe you don't need SSL. 


Because of your DNS Rebinding issues, my recommendation would be #2. If you don't have a strong need to generate the cert yourself, just let Unraid manage the self-signed cert for you.


One thing to mention - your browser will make you acknowledge that it doesn't trust a self-signed cert once per url. So if you access https://server.localTLD and https://ipaddress you will have to acknowledge the self-signed cert two times. However, once you have done that I would not expect you to have to acknowledge it again until the cert changes (which would be rare).

 

OK, to implement option #2:

  • If you have multiple tabs open to the server, close all but one (browsers get confused if you change SSL settings with multiple tabs open)
  • Go to the Settings -> Management Access page and set Use SSL/TLS to No. This will change your url to http and you will have to login again. If you are unable to login it is because the browser is confused by the SSL change, use a private/incognito window.
  • Then delete the existing cert from your flash drive. One way to do that is to open a web terminal and type:
    • rm /boot/config/ssl/certs/Brunnhilde_unraid_bundle.pem
  • Then set Use SSL/TLS back to Yes. The server will generate a self-signed cert and change your url to https; the browser will make you acknowledge the self-signed cert, but I wouldn't expect you to have to do that again for this url unless the cert changes. Note: you might not have to login again since you already had an authenticated session. But if you can't login, clear your browser's cache.

 

FYI - pressing Provision is how you would implement option #3. 

51 minutes ago, ljm42 said:

One thing to mention - your browser will make you acknowledge that it doesn't trust a self-signed cert once per url. So if you access https://server.localTLD and https://ipaddress you will have to acknowledge the self-signed cert two times

Just to be sure, if the certificate is for server.TLD is https://ipaddress also valid?

 

Also, will the Management Access page still show CA-signed certificate file: not present?

5 minutes ago, wgstarks said:

Just to be sure, if the certificate is for server.TLD is https://ipaddress also valid?

 

Not currently. We've been toying with the idea of adding https://ipaddress to a SAN in the certificate, and then regenerating the cert if the ip changes. But since the browser will still complain that it is self-signed it didn't seem like it would help much. You would still have to accept the browser warning either way.

 

53 minutes ago, ljm42 said:

 

Not currently. We've been toying with the idea of adding https://ipaddress to a SAN in the certificate, and then regenerating the cert if the ip changes. But since the browser will still complain that it is self-signed it didn't seem like it would help much. You would still have to accept the browser warning either way.

 

But I just need to accept the browser warning once if I use the IP and then shouldn’t get it on subsequent connections? Or should I start using DNS (server.domain.tld)?

3 minutes ago, wgstarks said:

But I just need to accept the browser warning once if I use the IP and then shouldn’t get it on subsequent connections?

 

I can't promise how every browser will work. But I can tell you that I just visited my server via http://ipaddress in Chrome and it remembered that at some point in the past I had told it that I trusted it.

 

Chrome shows that it is "not secure" but it works fine and did not prompt me today.

7 minutes ago, wgstarks said:

Or should I start using DNS (server.domain.tld)?

 

Whatever works is fine.

 

On 6/15/2022 at 1:16 PM, ljm42 said:

Thanks, the system/urls.txt file in the diags confirms that your [servername].[localTLD] matches the certificate, so that is good.

 

As far as I can tell, everything is set up correctly. So if browsers are complaining about the certificate there must be an issue with the certificate.

 

I see a couple of options:

 

1) we troubleshoot what is wrong with the certificate you provided. If you tell me the exact process you used to create the cert I will try to reproduce.

 

2) you delete your self-signed cert and let Unraid generate a self-signed cert for you. I've not had any issues with browsers complaining about the self-signed certs that Unraid creates.

 

3) delete your self-signed cert and let Unraid generate a full and proper Let's Encrypt cert for you. 

 

This is generally best, but a complication is that the diags show your network has DNS Rebinding Protection enabled. The first step in getting past this is to change your DNS server to 8.8.8.8; if diags still show DNS rebinding, then you would need to Google "YourRouterName disable DNS Rebinding" to figure out how to disable that in order to use a fully proper cert.

 

4) Or yeah, maybe you don't need SSL. 


Because of your DNS Rebinding issues, my recommendation would be #2. If you don't have a strong need to generate the cert yourself, just let Unraid manage the self-signed cert for you.

#2 stopped working after about 2 weeks so I've disabled dns rebind protection in my pfsense firewall and have switched to #3 and the LE certificate. We'll see how long that keeps working.


Looks like the same problem with the LE certificate and the details don't look right. Still shows as a self-signed certificate for one thing.


Expiration should be June 26th too, since I just installed it a few hours ago. Rebooted the unraid server and checked with Firefox and Chrome as well as Safari. They all show the same details for the certificate. Here's what Management Access shows (I think it's correct):


The LE cert is good only for the myunraid.net url specified in the LE cert. If you are accessing the server via some other url (https://[servername].[localTLD] or https://[ipaddress]) then it will use the self-signed certificate because the LE cert is not valid for those urls.

 

To find your LE url, go to Settings -> Management Access and click the link in the CA Certificate Subject area.

 

To change how redirects work, so http://[ipaddress] redirects to https://[ip].[hash].myunraid.net, see: https://wiki.unraid.net/Manual/Security#Redirects

 

My recommendation is to switch fully to the myunraid.net url.  


If you wish to continue using https://[servername].[localTLD] or https://[ipaddress] then you'll need to get your Mac to trust the self-signed certificate. This is discussed more here:

https://forums.unraid.net/topic/124874-unable-to-open-unraid-by-ip-address-since-upgrade-to-610/

 

 

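Worked example, added here and not code from the thread or from Unraid: the hostname-matching rule behind both ljm42's earlier answer (a cert for server.TLD is not valid for https://ipaddress unless the IP is in its SAN) and the point above that the LE cert is only valid for its own myunraid.net url. It builds two throwaway self-signed certs with openssl and asks openssl which url forms each one matches; the hostname, LAN address and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Unraid): show why a cert issued
# for [servername].[localTLD] is not valid for https://[ipaddress] unless the IP
# is also listed in the certificate's subjectAltName (SAN). Hostname, IP and
# file names below are constructed placeholders. Needs openssl 1.1.1 or newer.
set -e

HOST="brunnhilde.localdomain"   # hypothetical [servername].[localTLD]
LANIP="192.168.1.50"            # hypothetical LAN address of the server
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT.pem SAN_LIST: throwaway self-signed cert for $HOST carrying the given SANs.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$HOST" -addext "subjectAltName=$2" \
    -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# Return 0 only when openssl's name-matching rules accept the name/IP for the cert.
# A browser applies the same rules before it even looks at who signed the cert.
check_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; }
check_ip()   { openssl x509 -in "$1" -noout -checkip   "$2" | grep -q "does match"; }

# verdict CHECK_FN CERT NAME_OR_IP: print what a browser would conclude for that url.
verdict() {
  if "$1" "$2" "$3"; then echo "  https://$3  -> name matches the certificate"
  else echo "  https://$3  -> NAME MISMATCH, browser will warn"; fi
}

DNS_ONLY="$WORK/dns_only.pem"
DNS_AND_IP="$WORK/dns_and_ip.pem"
make_cert "$DNS_ONLY"   "DNS:$HOST"              # a cert valid for the hostname only
make_cert "$DNS_AND_IP" "DNS:$HOST,IP:$LANIP"    # the IP-in-SAN idea from the thread

echo "cert with SAN=DNS:$HOST"
verdict check_host "$DNS_ONLY" "$HOST"
verdict check_ip   "$DNS_ONLY" "$LANIP"
echo "cert with SAN=DNS:$HOST,IP:$LANIP"
verdict check_host "$DNS_AND_IP" "$HOST"
verdict check_ip   "$DNS_AND_IP" "$LANIP"
```

The same mismatch is what happens with the LE cert: it carries only the myunraid.net name, so any other url the server is opened under fails the name check and the self-signed cert is served instead.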
2 hours ago, ljm42 said:

To find your LE url, go to Settings -> Management Access and click the link in the CA Certificate Subject area.

Thanks, this worked great for the server but it looks like all dockers are now inaccessible. I either get a blank page or server stopped responding if I use the IP. If I use the drop down webUI links on the docker tab it just reloads the docker tab.


I'm struggling to think of a reason for this. The Docker container WebUI links don't go through Unraid's webgui at all. When they link to:

  http://[ipaddress]:[port]

that completely bypasses the Unraid webgui so the certificate used to access the webui should have no effect.


Would you please test this in safe mode?


It actually seems to be working today with the webUI selection from the docker icon dropdown menu (no idea why). My bookmarks for the dockers still don’t work, but I think I see what’s causing the problem. The dropdown menu uses http://<IP>:<port number>. My bookmarks use SSL (https://<IP>:<port number>). Accessing the webUIs via SSL works with the self-signed certificate but apparently not with the LE certificate. This is really only a very minor issue since it’s not that hard to edit the bookmarks for the docker webUIs.

 

Edit: Also, the docker webUI access issue only happens if I have an open page to the unRAID webUI which is using the LE certificate.

