
Custom HTTPS on LAN hostname keeps reverting (loopback bind / key mismatch after reboot)

Hi all,

I’m trying to run the Unraid WebGUI over HTTPS with a custom certificate for a LAN hostname. It worked briefly, but after a reboot the GUI was unreachable over HTTPS and nginx reported a key mismatch. SSH is fine.

I’d like to know the supported, persistent way to do this and how to cleanly revert my ad-hoc changes.

Environment

  • Hardware: AOOSTAR WTR-MAX (Ryzen 7 Pro 8845HS)

  • Unraid: current stable (7.1.x)

  • DNS: UniFi local record → unraid.example.lan → 192.168.1.240

  • Goal: Serve GUI at https://unraid.example.lan:443 with a locally-trusted cert (mkcert)

What I did

  • Generated a local CA + leaf cert with mkcert on another machine.

  • Copied certs to Unraid and built:

    • Bundle: /boot/config/ssl/certs/Tower_unraid_bundle.pem (leaf + mkcert root)

    • Key: /boot/config/ssl/certs/Tower_unraid.key

  • Switched to Custom:

    • /boot/config/ident.cfg: USE_SSL="custom"

When it worked, servers.conf looked like:

server {
    listen 192.168.1.240:443 ssl default_server;
    server_name unraid.example.lan;
    ssl_certificate /boot/config/ssl/certs/Tower_unraid_bundle.pem;
    ssl_certificate_key /boot/config/ssl/certs/Tower_unraid.key;
}

What happens now

After a reboot I’ve repeatedly hit two states:

  1. Key mismatch:

nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey("/boot/config/ssl/certs/Tower_unraid.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

  2. Loopback-only bind (LAN unreachable): /etc/nginx/conf.d/servers.conf sometimes contains only:

listen 127.0.0.1:443; # lo

Checks I ran (single-step commands)

Files exist

ls -l /boot/config/ssl/certs/Tower_unraid_bundle.pem
ls -l /boot/config/ssl/certs/Tower_unraid.key

Key cert match

openssl x509 -noout -modulus -in /boot/config/ssl/certs/Tower_unraid_bundle.pem | md5sum
openssl rsa  -noout -modulus -in /boot/config/ssl/certs/Tower_unraid.key        | md5sum
# digests match when it works; mismatch triggers the nginx error above

Mode is still custom

grep '^USE_SSL=' /boot/config/ident.cfg
# USE_SSL="custom"

Active server config

sed -n '1,200p' /etc/nginx/conf.d/servers.conf

DNS sanity (UniFi → LAN IP)

getent hosts unraid.example.lan
resolvectl query unraid.example.lan

Extra logs the forum often requests

tail -n 120 /var/log/nginx/error.log
tail -n 120 /var/log/syslog | egrep -i 'emhttp|nginx|ssl|cert|error'

Questions

  1. Persistent method: What’s the supported way to use a custom certificate so the WebGUI survives reboots? Which files are user-managed vs auto-generated by Unraid (e.g., does emhttp always rewrite /etc/nginx/conf.d/servers.conf)?

  2. Bundle format: Under /boot/config/ssl/certs/, should *_bundle.pem be full chain (leaf + CA) and the private key be in a separate *.key file (as above)? Or should the bundle include the key as well?

  3. Do not edit? Is directly editing /etc/nginx/conf.d/servers.conf to bind 192.168.1.240:443 unsupported (i.e., will be overwritten by emhttp), and if so, what’s the right toggle to make emhttp generate the LAN bindings?

  4. Clean revert path: Is setting USE_SSL="no" (or "auto") in ident.cfg and rebooting sufficient to return to HTTP? Anything else under /boot/config/ssl/ that should be removed to force a clean regeneration?

  5. mkcert caveats: Any known quirks using mkcert-issued certs for the WebGUI (e.g., re-provisioning actions that overwrite *_bundle.pem, or requirements about SANs / CN)?

  6. Loopback only: Under what conditions does Unraid intentionally generate loopback-only listeners for the WebGUI? I’ve seen listen 127.0.0.1:443; appear unexpectedly after toggling SSL modes.

FYI: I’m aware of DNS rebinding protection on routers; UniFi is configured so unraid.example.lan resolves to 192.168.1.240 on the LAN.

Thanks! I’m happy to re-test the “by the book” steps—just want to make it persistent and avoid servers.conf getting reset to loopback after reboots.
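A script form of the key/cert check from the post, added here as an example (not Unraid's or mkcert's own code): it compares public keys instead of RSA moduli, so it also covers EC keys, and it checks that the leaf's SAN names the LAN host. It assumes openssl 1.1.1+ on PATH and works on constructed self-signed test material rather than the files under /boot/config/ssl/certs/.

```shell
#!/bin/sh
# Added diagnostic (not Unraid's or mkcert's own code): verify that a key pairs
# with the first certificate in a bundle and that the cert's SAN names the LAN
# host. Assumes openssl 1.1.1+ on PATH; all files are constructed temp material.
set -u
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# nginx pairs ssl_certificate_key with the FIRST cert in ssl_certificate, and
# 'openssl x509' also reads only the first PEM block, so bundle order (leaf,
# then CA) is checked implicitly. Comparing public keys instead of RSA moduli
# keeps the check valid for EC keys too. Returns 0 on a match, 1 otherwise.
key_matches_cert() {  # $1 = bundle/cert file, $2 = private key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the leaf's subjectAltName carries an exact DNS entry for $2;
# browsers ignore the CN, so a SAN-less cert fails even if the CN looks right.
san_covers_host() {  # $1 = bundle/cert file, $2 = hostname
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|$)"
}

# Constructed self-signed test material standing in for the mkcert output.
gen_cert() {  # $1 = file base name, $2 = hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$workdir/$1.key" -out "$workdir/$1.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Runs both checks before nginx is reloaded; returns 1 if either fails.
diagnose() {  # $1 = bundle, $2 = key, $3 = hostname
    rc=0
    if key_matches_cert "$1" "$2"; then echo "OK   key matches first cert in bundle"
    else echo "FAIL key/bundle mismatch (nginx: key values mismatch)"; rc=1; fi
    if san_covers_host "$1" "$3"; then echo "OK   SAN covers $3"
    else echo "FAIL SAN does not list $3"; rc=1; fi
    return $rc
}

gen_cert good  unraid.example.lan
gen_cert stale unraid.example.lan   # a different key pair, e.g. left by a re-provision
diagnose "$workdir/good.pem" "$workdir/good.key"  unraid.example.lan   # both OK
diagnose "$workdir/good.pem" "$workdir/stale.key" unraid.example.lan   # key FAIL
```

Run it as root on the array with the real bundle, key and hostname substituted for the constructed ones; a FAIL on the first line is exactly the condition that produces the nginx -t error quoted above.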
