DNS rebinding issue for provisioning SSL cert


Hello all,

I have been trying to encrypt my existing array by following spaceinvaderone's video. However, I have been stuck trying to provision an SSL certificate for my server for weeks now (Settings > Identification > Provision).

I have, to the best of my knowledge, configured my router (Ubiquiti USG) correctly using a .json file (see below) for the command Unraid gives you in the help section for provisioning. I have confirmed this by checking the configuration through SSH into the router (see attached picture).

{  
   "service":{  
      "dns":{  
         "forwarding":{  
            "options":[  
               "rebind-domain-ok=/unraid.net/"
            ]
         }
      }
   }
}

I have also tried just using the command line method with the same result.

configure

set service dns forwarding options rebind-domain-ok=/unraid.net/

commit;save;exit

 

My setup for context: FiOS Gigabit internet, USG, UniFi controller running on my Windows 10 laptop, Unraid server hard-wired through an unmanaged switch to the USG.

From running tests I believe there is an issue with the IP address of the provisioning SSL cert. I had recently switched my networking setup, and the cert seems to be trying to go to the IP address of my server from before I switched the network setup. The local IP on my Unraid server was 192.168.2.70, but with the new setup it is 192.168.1.207; however, as you can see in the attached picture, the SSL cert is trying to go to 192.168.2.70.

Does anyone have any ideas on how to get this working?

Thanks!

Ping test safe.jpg

json confirm.jpg

anton-diagnostics-20181105-2243.zip

FYI: you don't have to use SSL (https) for device encryption.  It's recommended because, without it, http traffic on your LAN can be snooped and a listener can see what you typed for the encryption passphrase.  If this is something you're concerned about and can't get past DNS Rebinding protection, you can use the self-signed certificate which means you will see a browser warning every time you try to connect.  But this can be eliminated by configuring your browser to trust the self-signed cert.

12 hours ago, buccadebeppo said:

From running tests I believe there is an issue with the IP address of the provisioning SSL cert. I had recently switched my networking setup, and the cert seems to be trying to go to the IP address of my server from before I switched the network setup. The local IP on my Unraid server was 192.168.2.70, but with the new setup it is 192.168.1.207; however, as you can see in the attached picture, the SSL cert is trying to go to 192.168.2.70.

An IP address is not stored in an SSL cert. Could be a DNS issue - click the button that says 'Update DNS'. Or maybe you put an entry in your hosts file and forgot about it?

 
An IP address is not stored in an SSL cert. Could be a DNS issue - click the button that says 'Update DNS'. Or maybe you put an entry in your hosts file and forgot about it?

Is the hosts file on the flash, or are you talking about the Windows hosts file?
  • Author
3 hours ago, limetech said:

 

An IP address is not stored in an SSL cert. Could be a DNS issue - click the button that says 'Update DNS'. Or maybe you put an entry in your hosts file and forgot about it?

First off, thank you for your reply! Per your first comment, I do realize it is not directly needed, but I would prefer the added level of security.

Per the comment I quoted here, the "Update DNS" button is grayed out and cannot be clicked. Is this an indication of it not being needed, or do I need to change a setting to use this? I use Cloudflare (1.1.1.1) and Google (8.8.8.8) as the DNS servers in the WAN settings on my USG. Could they have a retention of the IP associated with the SSL cert?

I'm not following what you mean with the hosts file; could you elaborate a bit? My apologies if this is something that is obvious, but I'm fairly new to this level of technical knowledge.

 

Also wanted to mention H2O_King89 (who has also commented here) helped me an absolute ton to get to this point. So he is also very knowledgeable with the issue I am having. 

 

Thanks!

5 hours ago, H2O_King89 said:

Is the hosts file on the flash, or are you talking about the Windows hosts file?

The Windows hosts file. Usually no one touches that, but for testing I have put entries in there and then forgotten about doing so, and it causes quite a bit of head scratching later.

 

You could delete the ssl cert from the flash and start over.  config/ssl/certs/certificate_bundle.pem

  • Author
1 hour ago, limetech said:

The Windows hosts file. Usually no one touches that, but for testing I have put entries in there and then forgotten about doing so, and it causes quite a bit of head scratching later.

 

You could delete the ssl cert from the flash and start over.  config/ssl/certs/<server-name>_unraid_bundle.pem

Just tried deleting the SSL cert from my flash drive and rebooting the server, and I am still getting the same error.

Error: "Sorry, an error (403) occurred provisioning your SSL certificate. The error is: Your router or DNS server has DNS rebinding protection enabled, preventing #########.unraid.net 192.168.1.207 resolution. See Help for more details and workarounds."

37 minutes ago, buccadebeppo said:

Just tried deleting the SSL cert from my flash drive and rebooting the server, and I am still getting the same error.

Error: "Sorry, an error (403) occurred provisioning your SSL certificate. The error is: Your router or DNS server has DNS rebinding protection enabled, preventing #########.unraid.net 192.168.1.207 resolution. See Help for more details and workarounds."

Right, with current code you will not be able to provision an SSL cert unless you can disable DNS rebinding protection in your router.

We have changes coming in the Unraid 6.7 release to work around that. But note: this is really revealing a fundamental limitation (some would say feature, some would say flaw) of SSL: that it's not designed for use on a LAN (that is, to facilitate machine-to-machine communications on a private LAN). Self-signed certs are the easiest way around this, which is OK for a home LAN, but for, say, a business where you have taught your people not to click through security warnings, it can be a bigger nuisance.
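The thread offers two explanations for the failure: an answer stripped by rebind protection (the 403 message above) or a stale 192.168.2.70 record / forgotten hosts entry. The script below is an added diagnostic that tells them apart by asking a chosen resolver directly; it is not from the thread or from Unraid, and the function names and the use of dig are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Unraid: classify what a
# resolver returns for a hostname that should resolve to a LAN address, so
# that "rebind protection stripped the answer" can be told apart from
# "an old record or hosts-file entry is still being returned".
# All names here are assumptions; the addresses in the checks are constructed.

# is_private_ip ADDR: true if ADDR is an RFC 1918 IPv4 address
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# classify_answer EXPECTED_IP [ANSWER...]
# Prints one of:
#   filtered - no address at all (rebind protection or NXDOMAIN)
#   ok       - the expected LAN address is among the answers
#   stale    - a different private address (old record, hosts-file entry)
#   public   - a non-private address (the name points somewhere else)
classify_answer() {
  expected="$1"; shift
  if [ $# -eq 0 ]; then echo filtered; return 0; fi
  for a in "$@"; do
    [ "$a" = "$expected" ] && { echo ok; return 0; }
  done
  if is_private_ip "$1"; then echo stale; else echo public; fi
}

# check_via_resolver RESOLVER NAME EXPECTED_IP
# Asks one resolver directly with dig and classifies the A records it returns.
# Run it against the router, then against an upstream such as 1.1.1.1, to see
# which hop is dropping the private answer. Needs network access and dig.
check_via_resolver() {
  answers=$(dig +short +time=3 +tries=1 "@$1" "$2" A 2>/dev/null | grep -E '^[0-9.]+$')
  # word-splitting the answer list into separate arguments is intended here
  # shellcheck disable=SC2086
  classify_answer "$3" $answers
}
```

Example: `check_via_resolver 192.168.1.1 myserver.unraid.net 192.168.1.207` reporting "filtered" while the same query against 1.1.1.1 reports "ok" points at the router's rebind protection; "stale" points at a cached or hosts-file entry instead.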

So switching from auto to yes will give those self-signed certs.

Is there going to be a way to upload your own certs? It would be awesome if I could use my domain for unraid.domain.com.

12 minutes ago, H2O_King89 said:

It would be awesome if I could use my domain for unraid.domain.com

Yes, it has been designed with this in mind. You need to create a 'pem' file which is a concatenation of the SSL cert along with the private key.

If you want OCSP stapling enabled, name this file

config/ssl/certs/certificate_bundle.pem

If you don't want OCSP stapling, name it

config/ssl/certs/<hostname>_unraid_bundle.pem

Of course use your actual Unraid server hostname for <hostname>.

 

Refer also to the Help text on the Settings/Identification page, and you can look at the code in /etc/rc.d/rc.nginx to see how this is set up.

 

I guess one of these days we should add a GUI control: "Upload SSL Cert".
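An added example of assembling the bundle file as limetech describes, choosing the file name by the OCSP-stapling decision and confirming that the key belongs to the certificate before anything is written. This is not from the thread or from Unraid's own rc.nginx; the function names, the openssl usage and the hostname used below are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Unraid's rc.nginx: build the
# bundle (certificate first, then private key) under the file name Unraid
# looks for, and optionally confirm the key matches the cert with openssl.
# Hostname and paths used when exercising this are constructed.

# bundle_name HOSTNAME STAPLING(yes|no): the flash path Unraid expects
bundle_name() {
  if [ "$2" = yes ]; then
    echo "config/ssl/certs/certificate_bundle.pem"
  else
    echo "config/ssl/certs/$1_unraid_bundle.pem"
  fi
}

# has_cert FILE / has_key FILE: crude PEM sanity checks before concatenating,
# so that an empty or swapped file is caught rather than handed to nginx
has_cert() { grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"; }
has_key()  { grep -Eq -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; }

# make_bundle CERT_PEM KEY_PEM OUT: cert (or full chain) followed by the key,
# written with owner-only permissions because the private key is inside.
# Nothing is written if either input fails its check.
make_bundle() {
  has_cert "$1" || { echo "no certificate block in $1" >&2; return 1; }
  has_key "$2"  || { echo "no private key block in $2" >&2; return 1; }
  ( umask 077; cat "$1" "$2" > "$3" )
}

# key_matches_cert CERT_PEM KEY_PEM: compare the public key inside the cert
# with the one derived from the private key. Returns 0 on match, 1 on
# mismatch, 2 when openssl is not available to decide.
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  b=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$a" = "$b" ]
}
```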

 

 

  • Community Expert
20 hours ago, buccadebeppo said:

Hello all,

I have been trying to encrypt my existing array by following spaceinvaderone's video. However, I have been stuck trying to provision an SSL certificate for my server for weeks now (Settings > Identification > Provision).

I have, to the best of my knowledge, configured my router (Ubiquiti USG) correctly using a .json file (see below) for the command Unraid gives you in the help section for provisioning. I have confirmed this by checking the configuration through SSH into the router (see attached picture).


{  
   "service":{  
      "dns":{  
         "forwarding":{  
            "options":[  
               "rebind-domain-ok=/unraid.net/"
            ]
         }
      }
   }
}

I have also tried just using the command line method with the same result.


configure

set service dns forwarding options rebind-domain-ok=/unraid.net/

commit;save;exit

 

My setup for context: FiOS Gigabit internet, USG, UniFi controller running on my Windows 10 laptop, Unraid server hard-wired through an unmanaged switch to the USG.

From running tests I believe there is an issue with the IP address of the provisioning SSL cert. I had recently switched my networking setup, and the cert seems to be trying to go to the IP address of my server from before I switched the network setup. The local IP on my Unraid server was 192.168.2.70, but with the new setup it is 192.168.1.207; however, as you can see in the attached picture, the SSL cert is trying to go to 192.168.2.70.

 

Does anyone have any ideas on how to get this working?

 

Thanks!

Ping test safe.jpg

json confirm.jpg

anton-diagnostics-20181105-2243.zip

A comment or two. I think that some DNS services provided by some ISPs also prevent redirection. So while your Ubiquiti router may be cleaned up, it is possible that you are getting hit by the next beast up the chain.

 

Read this post about setting up DNS servers on Ubiquiti routers. Look, using the 'Configure Tree' path, to see that you actually have things set properly. (This is a long thread on the Ubiquiti Users Forum about the problem of the router not using the DNS servers that folks thought were being specified!)

 

https://community.ubnt.com/t5/EdgeRouter/Change-WAN-DNS-Server/m-p/2367189#M209907

 

Note the CLI command (dns forwarding nameservers) that you can run to make sure that you are actually using those servers and not the ones provided by your ISP. Make sure that your ISP name servers are NOT configured to be used!

  • Author
20 hours ago, limetech said:

Right, with current code you will not be able to provision an SSL cert unless you can disable DNS rebinding protection in your router.

We have changes coming in the Unraid 6.7 release to work around that. But note: this is really revealing a fundamental limitation (some would say feature, some would say flaw) of SSL: that it's not designed for use on a LAN (that is, to facilitate machine-to-machine communications on a private LAN). Self-signed certs are the easiest way around this, which is OK for a home LAN, but for, say, a business where you have taught your people not to click through security warnings, it can be a bigger nuisance.

To the best of my knowledge I have disabled DNS rebinding on my router.

 

I appreciate you sharing this information with me. I don't mind using self-signed for the time being since it sounds like a workaround is coming soon. Do you mind me asking how far away 6.7 would be? As in, are we talking weeks or months?

Also, the next step for me is to encrypt my existing array, which will most likely take many hours. Are there any plans to make this a feature in the near future?
