September 5, 20178 yr Author 38 minutes ago, GroxyPod said: Installed v6.4 RC8: Only thing encountered was being able to provision while the array was still started. Not sure if this is intended but it caused services to stop/start and then left unassigned devices plugin in a bad state (drive was showing as mounted but dockers and smb couldn't see it) so I had to stop and start the array to get it to correct. Clearly my fault for not stopping the array before clicking the provision button. Other than that, no issues. This is corrected in next release. Provisioning a LE cert or changing scheme/ports executes a simple ngnix reload instead of full services restart.
September 5, 20178 yr 2 minutes ago, limetech said: This is corrected in next release. Provisioning a LE cert or changing scheme/ports executes a simple ngnix reload instead of full services restart. Awesome! Thank you!
September 5, 20178 yr I still cannot provision SSL I have the binding on my Unifi USG set as seen in my first screenshot using cat /config/config.boot my USG has not rebooted or been force provisioned while i work on the config.gateway.json The array is stopped, the Use SSL/TLS is set to auto I still get the error that my DNS is not allowing binding. (I have unraid set to use Automatic DNS and the USG is using Googles: 8.8.8.8, 8.8.4.4 not sure what else i can do any suggestions?
September 5, 20178 yr Author 5 minutes ago, Can0nfan said: not sure what else i can do any suggestions? We have found there is quite a bit of "quirkiness" in switching between HTTP and HTTPS. This is because there is all kinds of caching going on between the browser, your PC operating system, and nginx in the server. If you think DNS rebinding protection is definitely disabled, you might try this. First make sure 'Use SSL/TLS' is set to No and make sure there is no file on your flash called 'config/ssl/certs/certificiate_bundle.pem' (you should see a 'config/tower_unraid_bundle.pem' [replace tower with your server name] - that is ok, that is the self-signed cert.) Then make sure you can access the webGui using plain HTTP protocol. Next, change 'Use SSL/TLS' to 'Auto' and then click Refresh. Then click Provision. If that fails first time, click Refresh again, then Provision again. If that fails, probably DNS rebinding protection is still enabled. The next release has some changes in this area.
September 5, 20178 yr 11 minutes ago, limetech said: make sure there is no file on your flash called 'config/ssl/certs/certificiate_bundle.pem' (you should see a 'config/tower_unraid_bundle.pem' [replace tower with your server name] - that is ok, that is the self-signed cert.) I have a few files there.. server_unraid_bundle.pem* server_unraid_cert.pem* server_unraid_key.pem*
September 5, 20178 yr Author 14 minutes ago, Can0nfan said: server_unraid_bundle.pem* server_unraid_cert.pem* server_unraid_key.pem* The *_cert.pem and *_key.pem are leftovers from -rc7 release and you can delete them. Those were the self-signed cert and private key files. They are now combined into *_unraid_bundle.pem file.
September 5, 20178 yr 6 minutes ago, limetech said: The *_cert.pem and *_key.pem are leftovers from -rc7 release and you can delete them. Those were the self-signed cert and private key files. They are now combined into *_unraid_bundle.pem file. Thanks i have removed those two. I will keep looking into my USG and why the binding is not working
September 5, 20178 yr Author 3 minutes ago, Can0nfan said: why the binding is not working You want "DNS rebinding protection" disabled. It's the "protection" that is either turn on or off. Yes it's a bit confusing.
September 5, 20178 yr yeah looks like no matter how valid the config.gateway.json value is i cannot get my USG to bind unraid.net i go into boot loop with valid json file (verified at jsonlint.com) my config.gatway.json looks like this in full (not including all the lines) ------------------------------------------------------------------------------------------------------------------ { "dns": { "options": [ "rebind-domain-ok=/unraid.net/" ] } } ------------------------------------------------------------------------------------------------------------------- my controller (a docker in inraid) reports this Configuration commit error. Error message: { "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "1674bc4a090de16838a5f358b7" , "SET" : { "error" : { "dns options rebind-domain-ok=/unraid.net/" : "The specified configuration node is not valid\n"} , "failure" : "1" , "success" : "1"}}
September 5, 20178 yr On 9/2/2017 at 3:18 PM, limetech said: This means that following system reboot you must log into the webGui, go to Tools/Encryption and enter your passphrase (or upload your keyfile). Yes this is a nuisance and we have a few ideas for automating this Not looking to know the specifics, only curious to know the idea of using a TPM key has been ruled out as an idea for automating this or is a TPM key still on the table? I was going to purchase one for another reason, just wasn't high on my list, this would move it higher if it could be of assistance should that idea move forward. If it's a dead end, then my priority list will remain unchanged.
September 5, 20178 yr Author 46 minutes ago, Lev said: Not looking to know the specifics, only curious to know the idea of using a TPM key has been ruled out as an idea for automating this or is a TPM key still on the table? I was going to purchase one for another reason, just wasn't high on my list, this would move it higher if it could be of assistance should that idea move forward. If it's a dead end, then my priority list will remain unchanged. Definitely open to that, except we have no idea how it works and how to integrate at present
September 6, 20178 yr 1 hour ago, limetech said: Definitely open to that, except we have no idea how it works and how to integrate at present In addition to that, too many of the search results for Linux TPM deals with setting up Trusted Boot. The closest thing I've seen of TPM and Linux LUKS is very brief mentions but no actual guides on how to do it. For instance this search result only every briefly mentions it despite having a lengthy focus on setting up TPM Grub Booting, and I have no idea if its even recent and still applies or if things have changed since then. However the second result shows a lot of steps to do. It seems like an entire weekend project for a very dedicated person to attempt. Result A: http://resources.infosecinstitute.com/linux-tpm-encryption-initializing-and-using-the-tpm/ 3. Conclusion TPM provides a hardware support that holds the keys, which can be used to prove that the platform is trusted and the operating system can be booted securely. We can use TPM with LUKS in Linux, where the LUKS key can be written into TPM and then set-up a TrustedGRUB, which would unlock the sealed key. The /etc/crypttab in initrd should retrieve the key from TPM and boot the system securely, which is why we need to include tpm-tools into the initrd. Result B: https://github.com/fox-it/linux-luks-tpm-boot
September 6, 20178 yr 7 hours ago, Can0nfan said: yeah looks like no matter how valid the config.gateway.json value is i cannot get my USG to bind unraid.net i go into boot loop with valid json file (verified at jsonlint.com) my config.gatway.json looks like this in full (not including all the lines) ------------------------------------------------------------------------------------------------------------------ { "dns": { "options": [ "rebind-domain-ok=/unraid.net/" ] } } ------------------------------------------------------------------------------------------------------------------- my controller (a docker in inraid) reports this Configuration commit error. Error message: { "DELETE" : { "failure" : "0" , "success" : "1"} , "SESSION_ID" : "1674bc4a090de16838a5f358b7" , "SET" : { "error" : { "dns options rebind-domain-ok=/unraid.net/" : "The specified configuration node is not valid\n"} , "failure" : "1" , "success" : "1"}} Your json file should look like this: { "service": { "dns": { "forwarding": { "options": [ "rebind-domain-ok=/unraid.net/" ] } } } }
September 6, 20178 yr 2 hours ago, bonienl said: Your json file should look like this: { "service": { "dns": { "forwarding": { "options": [ "rebind-domain-ok=/unraid.net/" ] } } } } I believe that was the first way i tried it. trying it again to see.
September 6, 20178 yr 2 hours ago, bonienl said: Your json file should look like this: { "service": { "dns": { "forwarding": { "options": [ "rebind-domain-ok=/unraid.net/" ] } } } } Well Well it seemed to work i must have had something different thank you @bonienl ! very much thanks. now to test SSL!
September 6, 20178 yr 10 hours ago, bonienl said: Your json file should look like this: { "service": { "dns": { "forwarding": { "options": [ "rebind-domain-ok=/unraid.net/" ] } } } } alas I still get the issues i posted earlier about...an immediate "Opps there was an error" message telling my its cannot rebind
September 6, 20178 yr 7 minutes ago, Can0nfan said: alas I still get the issues i posted earlier about...an immediate "Opps there was an error" message telling my its cannot rebind I use a USG router too and with the DNS setting included, there are no problems in connecting. What external DNS servers are you using? Edited September 6, 20178 yr by bonienl
September 6, 20178 yr 2 minutes ago, bonienl said: I use a USG router too and with the DNS setting included, there are no problems in connecting. What external DNS servers are you using? I am using Google's 8.8.8.8 and 8.8.4.4. yourself?
September 6, 20178 yr 4 minutes ago, bonienl said: openDNS (but it shouldn't make a difference with google) I will try my ISP's DNS and actually reboot the USG so far i just put the config.gateway.json in the /mnt/cache/appdata/unifi/data/sites/default/ folder (i use the default site.) and i force provisioned it from the gui
September 6, 20178 yr Author 5 hours ago, zin105 said: Anyone with OPNsense got any luck generating a certificate? Don't like the idea of turning off DNS rebind protection all together. Also a question about encryption. How likely is the implementation to change before the full release? I kind of wanna move over to encryption now. Is there a chance if I do it, that I wasted my time? And yes, I understand the data loss risk. DNS rebind protection being enabled will prevent use of LE certificates in this manner. We are working on a workaround for this. The encryption on-disk layout is highly unlikely to change. We are using LUKS to define encrypted volumes. We are using the cryptsetup default values for cipher, etc.
September 6, 20178 yr Had to shutdown my server for a planned power outage this morning and used the Power Down button which indicates it would cleanly shutdown the system. I verified the system was shutdown prior to turning off the battery backup connected to it; however when I powered the system back on after the power outage was over, I am presented with an unclean shutdown message and a parity check upon starting the array. Not sure if there is something amiss or not, just putting it out there just in case. Edited September 6, 20178 yr by GroxyPod
September 6, 20178 yr Cool release, nice job. Are we now saying that unraid is secure enough to expose to the interweb?
Archived
This topic is now archived and is closed to further replies.