Update Your Legacy SSL Certificate Now!


SpencerJ

1/18/23 UPDATE:

As previously announced, we stopped renewing certificates for the unraid.net domain at the beginning of the year.

We had initially expected a grace period of a few months where the certificates would continue to work, but due to some necessary infrastructure improvements, the old unraid.net domain certificates are now invalid and will not work.

If you still need to migrate from the unraid.net certificate to a myunraid.net certificate, you may have difficulty accessing your server's webgui.

Actions for Unraid 6.10 or Newer:

  1. If you can't access the server's webgui, use a local keyboard/monitor or SSH into the server and run 'use_ssl no'.  (Note: if the system responds "command not found" then jump down to the section for Unraid 6.9 and earlier.)

  2. Then, you can access the server via http://ipaddress (or http://ipaddress:port if you have defined a custom http port). Note: these are http URLs, not https URLs.

  3. Navigate to the Settings → Management Access page in the Unraid webgui and click the "Upgrade Cert" button.

  4. Click on the Certificate URL and verify you can access the server via the ipaddress.hash.myunraid.net certificate. You can change the "Use SSL/TLS" setting back to Yes or Strict if all is well.

  5. Note: if you have a high-end router and previously added an exception to allow DNS Rebinding on the unraid.net domain, you will need to add an exception for myunraid.net. This feature is on/off on most consumer routers, so no additional changes are required to support the myunraid.net domain if the unraid.net domain works fine.

  6. Be sure to update your bookmarks! The My Servers dashboard will automatically use the appropriate URL if you use the My Servers plugin.

Action needed for Unraid 6.9 and earlier:

Older versions of Unraid do not support the newer myunraid.net certificates.

  1. You should be able to access the webgui using https://ipaddress (or https://ipaddress:port if you have defined a custom https port). Note that these are https URLs, not http URLs, so you'll need to ignore any browser warnings about invalid certificates.

  2. Navigate to Settings → Management Access and set "Use SSL/TLS" to No.

  3. Then, open a web terminal (>_) and type:

     rm /boot/config/ssl/certs/certificate_bundle.pem

  4. If you plan to stay on an older version of Unraid, uninstall the My Servers plugin, as it will be dropping support for older versions of Unraid. Warning: these older versions of Unraid are outdated concerning security updates and features, so we recommend taking advantage of our free upgrade policy and upgrading your system to the latest version of Unraid.

 

 

On Jan 1, 2023, we will stop renewing Let’s Encrypt SSL certificates on the unraid.net domain.
If you are still using a hash.unraid.net domain to access your server, please switch to the newer myunraid.net certificates that we provide for free.
The URLs used with these new certificates will provide increased privacy, particularly for remote access.
 
Upgrade actions for Unraid 6.10 or higher:
  • Navigate to the Settings → Management Access page in the Unraid webgui.
  • If there is an “Upgrade Cert” button, press it.
This will update the certificate and change your URL from hash.unraid.net to ipaddress.hash.myunraid.net.
You will need to sign back into the webgui with your root password afterward.
 
  • Note: if you have a high-end router and previously added an exception to allow DNS Rebinding on the unraid.net domain, you will now need to add an exception for myunraid.net. On most consumer routers this feature is simply on/off so no additional changes are required to support the myunraid.net domain if the unraid.net domain worked fine.
  • Be sure to update your bookmarks! If you are using My Servers, the My Servers dashboard will automatically use the appropriate URL.
 
Action needed for Unraid 6.9 and earlier:
Older versions of Unraid do not support the newer myunraid.net certificates, so if you don’t wish to upgrade Unraid you’ll need to navigate to Settings → Management Access and set "Use SSL/TLS" to No. Then open a web terminal and type:
rm /boot/config/ssl/certs/certificate_bundle.pem
 
If you plan to stay on an older version you should also uninstall the My Servers plugin as it will be dropping support for older versions of Unraid as well.
 
Warning: these older versions of Unraid are out of date with regard to security updates and features, so our recommendation is to take advantage of our free upgrade policy and upgrade your system to the latest version of Unraid. Then, switch to the myunraid.net certificate as described above.
 
Note: If you are unable to upgrade your certificate by Jan 1, 2023, the unraid.net certificate will continue to work for another 90 days, although at some point during that time it will expire and your browser will warn that it is insecure.
On Apr 1 we will shut down DNS for these certificates and the URLs associated with them will no longer work to access your server.
We highly recommend that you avoid this by migrating to the new certificate before Jan 1, 2023.

 

If you have any questions on this or need additional help, comment here or  contact support!

  • Like 3
  • Thanks 2
Link to comment
2 hours ago, kellekellner said:

chrome says: 

 

DNS_PROBE_FINISHED_NXDOMAIN

 

I agree with @dada051, your client is either having issues with DNS Rebinding or with DNS propagation.  

 

If you were previously running with an unraid.net certificate, then DNS Rebinding should not be an issue.  Although depending on your network you may have taken steps to allow DNS Rebinding specifically for the unraid.net domain, in which case you'll need to do the same for the myunraid.net domain.

 

On the client computer, open a command prompt and run these commands, pasting the results back here:

nslookup rebindtest.unraid.net
nslookup rebindtest.unraid.net 8.8.8.8
nslookup rebindtest.myunraid.net
nslookup rebindtest.myunraid.net 8.8.8.8

 

Link to comment
17 minutes ago, kellekellner said:

I had the Port in the Domain. This was the fault.

 

The best way to get the new url is to go to the Settings -> Management Access page. On newer versions of Unraid there is a section titled "Local URLs" that lists out your options, otherwise you can click on the "Certificate URL" for the myunraid.net certificate.

Link to comment

It looks like after clicking Upgrade Cert that my machine can connect to the console via the new URL, but it does not display all information.  I can access the shares, users, settings, plugins and dockers, but many other menus are not accessible.  Furthermore, the Dashboard loads but returns no information, and when I click on Main I get a constant loading screen.  I can access the console via a local unsecure link.  All I did was click Upgrade Cert as per the blog post.  Am I missing a step somewhere?

Link to comment
11 minutes ago, jackfalveyiv said:

It looks like after clicking Upgrade Cert that my machine can connect to the console via the new URL, but it does not display all information.  I can access the shares, users, settings, plugins and dockers, but many other menus are not accessible.  Furthermore, the Dashboard loads but returns no information, and when I click on Main I get a constant loading screen.  I can access the console via a local unsecure link.  All I did was click Upgrade Cert as per the blog post.  Am I missing a step somewhere?

 

Clear your browser's cache, and disable any popup blockers / ad blockers for the new url

Link to comment

Got it working. It took about an hour. Had to fix the DNS rebinding on my Ubiquiti router. Longest part of the whole process was getting the Bitwarden password manager set up to properly fill in the password as that was a real headache as I have two servers and most password managers want to use the base URL (myunraid.net in this case) by default.

  • Like 1
Link to comment

Hi I've got the same DNS_PROBE_FINISHED_NXDOMAIN error.

When I do the DNS probe for

nslookup 192-168-178-85.***.myunraid.net
Server:  fritz.box
Address:  fd0***2e

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA)-Entrys for 192-168-178-85.d4***.myunraid.net available.

 

So the IPv4 entry seems to be missing. How can I fix this? Having no access to the web interface is pretty annoying.

Link to comment
2 hours ago, Blobbonator said:

Server:  fritz.box

I think this is the clue that you need.  Now read this paragraph from this original post:

On 12/8/2022 at 3:29 PM, SpencerJ said:

Note: if you have a high-end router and previously added an exception to allow DNS Rebinding on the unraid.net domain, you will now need to add an exception for myunraid.net. On most consumer routers this feature is simply on/off so no additional changes are required to support the myunraid.net domain if the unraid.net domain worked fine.

Your Fritz router/modem(?) probably is one of those "high-end routers" that require an exception to allow DNS rebinding for the myunraid.net domain. Try googling "fritzbox dns rebinding" and look for a solution.

 

EDIT: When you find the solution, post it up here as Wikipedia indicates that this 'Fritzbox' is a widely used device throughout Europe.

Edited by Frank1940
  • Like 1
  • Thanks 1
Link to comment
31 minutes ago, Frank1940 said:

I think this is the clue that you need.  Now read this paragraph from this original post:

Your Fritz router/modem(?) probably is one of those "high-end routers" that require an exception to allow DNS rebinding for the myunraid.net domain. Try googling "fritzbox dns rebinding" and look for a solution.

 

EDIT: When you find the solution, post it up here as Wikipedia indicates that this 'Fritzbox' is a widely used device throughout Europe.

Thank you it worked.

 

Just googled it and found

https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590-AX/3565_FRITZ-Box-reports-Your-FRITZ-Box-s-DNS-rebind-protection-rejected-your-query-for-reasons-of-security/

Didn't remember that I had to do it before but my router had the old unraid url already entered :) And I just updated it because of the notice in unraid and didn't read the forum post beforehand.

 

Btw. I could workaround my way to the web interface with a vpn client - just for information if someone has the same issue.

  • Like 2
Link to comment
8 hours ago, Frank1940 said:

@SpencerJ, can we remove the DNS rebinding on unraid.net now after updating the SSL certificate or does Unraid still require DNS access to it for some other purpose?

 

Once you have migrated your Unraid system(s) to use the myunraid.net certificate, then DNS Rebinding on the unraid.net domain is no longer a concern. You can remove any special handling of DNS Rebinding for the unraid.net domain from your router.

  • Like 2
  • Thanks 1
Link to comment
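
The resolver comparison asked for earlier in the thread (nslookup against the default resolver and again against 8.8.8.8) can be read mechanically, which separates a router's DNS rebind protection from a name that is simply not published. This is an added example, not code from Unraid or from any poster; the function names, the `examplehash` label and the sample outputs are constructed assumptions.

```python
import ipaddress
import re

def answer_ips(nslookup_output):
    """IP addresses in the answer section of one nslookup run.

    Text before the first "Name:" line describes the resolver itself
    (Server/Address), so only what follows it is scanned. No "Name:" line
    means no answer: NXDOMAIN, a timeout, or a router that refused the query.
    """
    _, found, tail = nslookup_output.partition("Name:")
    if not found:
        return []
    ips = []
    for token in re.split(r"[\s,]+", tail):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # hostnames, "Address:" labels, empty strings
    return ips

def diagnose(local_output, public_output):
    """Compare the default resolver's reply with the reply from 8.8.8.8."""
    local, public = answer_ips(local_output), answer_ips(public_output)
    if not public:
        return "no-public-record"      # wrong hostname or DNS not propagated
    if local:
        return "ok"
    if any(ip.is_private for ip in public):
        return "rebind-protection"     # local resolver dropped a private-address answer
    return "local-resolver-fault"

# Constructed sample output (Windows nslookup layout); the hash label and
# addresses are placeholders, not values from the thread.
LOCAL_BLOCKED = """Server:  fritz.box
Address:  192.168.178.1

*** fritz.box can't find 192-168-178-85.examplehash.myunraid.net: Non-existent domain
"""
PUBLIC_OK = """Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    192-168-178-85.examplehash.myunraid.net
Address:  192.168.178.85
"""

if __name__ == "__main__":
    print(diagnose(LOCAL_BLOCKED, PUBLIC_OK))
    print(diagnose(PUBLIC_OK, PUBLIC_OK))
```

A "rebind-protection" result means the fix belongs on the router (an exception for myunraid.net), while "no-public-record" points at the hostname itself.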
