Use own SSL cert



Afternoon all,

 

I've done a quick search of the forums but have been unable to sort my problem. I have provisioned the SSL cert for the server but now wish to use my own domain, which has its own certificate. I moved the certificate_bundle.pem from the /config/ssl/certs folder and replaced it with the bundle for my domain renamed to certificate_bundle.pem; however, when I rebooted the server I was unable to access the web interface at all. Once I replaced the original file everything worked as expected again.

 

So in essence the question is, how do I use the certificate for my domain in Unraid?

 

Thanks 

 

Jay


Fixed it,

 

For those that are interested, the zip file I received from my domain registrar for the SSL certificate came with the SSL cert in a .pem file and the key chain (all the higher-level certificates that have signed and thus assured my certificate) in another .pem file. Unraid's web server requires all of these certificates in a single file. To that end, your certificate has to be the first one, with the unaltered chain immediately after (in effect you have to cat the key chain onto your certificate).

 

Once that is done you have to include the private key you received when you generated the CSR for your domain onto the end of the file also. So the end result should be a .pem file containing:

- your certificate

- the chain of certificates that assures yours

- your private key

 

Once you have that, you need to upload it to the flash drive (boot drive) and name it server-name_unraid_bundle.pem, obviously replacing server-name with the name of your server as set in Settings - Identification - Server name on your Unraid server.

 

Reboot and you should be able to access your server via https:// using your own SSL certificate.

 

I'm now using this with Cloudflare acting as my DNS (blocking all connection attempts from certain countries) and the Cloudflare-DDNS container by oznu running to automatically update my dns when needed.

 

So far this works perfectly.

 

If anyone has any questions or needs some help please let me know

 

Night all

On 10/2/2019 at 12:10 AM, jabajames said:

If anyone has any questions or needs some help please let me know

Hi all,

 

I can't get this to work with my self-created Gandi SSL certificates.

Just to make sure, I need to put these keys in the pem file:

  • your certificate > the certificate.crt file (from Gandi)
  • the chain of certificates that assures yours > intermediate_key.pem (from Gandi)
  • your private key > get the private key (out of the pem file which was created by the Unraid server)

Name it "my-server-name_unraid_bundle.pem"

 

When I do this and go to https://mynas.myddns.com:1234 I don't have access to my server anymore...

 


Sorry all, I've been away for a while,

 

Because I did not buy a wildcard cert I reverted to using the LE docker and the wildcard cert from that.

 

@J-J It sounds like the cert bundle generated by your authority differs from mine, as all of mine came in .pem files. Assuming that they are in the correct format and you placed them in the same file, then yes, you should be able to access your server at https://*YourDomain*. If this is not the case, then I can only think that your certs are in a different format or that you failed to stack them exactly as described.

 

@H2O_King89 I believe so? Did you ever get the LE docker cert to work via copy / symlink?

 

 

On 4/28/2020 at 10:59 AM, jabajames said:

Sorry all, I've been away for a while,

 

Because I did not buy a wildcard cert I reverted to using the LE docker and the wildcard cert from that.

 

@J-J It sounds like the cert bundle generated by your authority differs from mine, as all of mine came in .pem files. Assuming that they are in the correct format and you placed them in the same file, then yes, you should be able to access your server at https://*YourDomain*. If this is not the case, then I can only think that your certs are in a different format or that you failed to stack them exactly as described.

 

@H2O_King89 I believe so? Did you ever get the LE docker cert to work via copy / symlink?

 

 

Yes I did, but ran into the issue, going from http>https, that it went to a wildcard domain. So I ended up having pfSense make an unraid.domain.com cert and had it imported into Unraid.

On 5/4/2020 at 12:44 AM, H2O_King89 said:

Yes I did, but ran into the issue, going from http>https, that it went to a wildcard domain. So I ended up having pfSense make an unraid.domain.com cert and had it imported into Unraid.

Same here. 

 

Copying the LE docker cert "priv-fullchain-bundle.pem" to "/boot/config/ssl/certs/server-name_unraid_bundle.pem" works when typing https://server-name.domain.tld, however unRAID wrongly redirects the http://server-name.domain.tld to https://domain.tld.

 

Did you automate the import from pfSense to unRAID? If so, would you mind sharing your script?

4 hours ago, BBriner said:

Same here. 

 

Copying the LE docker cert "priv-fullchain-bundle.pem" to "/boot/config/ssl/certs/server-name_unraid_bundle.pem" works when typing https://server-name.domain.tld, however unRAID wrongly redirects the http://server-name.domain.tld to https://domain.tld.

 

Did you automate the import from pfSense to unRAID? If so, would you mind sharing your script?

I've managed to find a workaround. 

 

The workaround is to set the LE Docker variable "Only Subdomains:" to "True" and in the list of "Subdomain(s):" to make sure your unRAID server-name is the first one.

 

With this workaround the generated LE Certificate will be issued to "server-name.domain.tld" and unRAID internal NGINX won't redirect to "https://domain.tld"

15 hours ago, BBriner said:

In fact it is exactly the opposite. It does not work because unRAID redirects to a wildcard domain without adding the server name.

 

It sounds like the structure of your certificate isn't setup quite right for Unraid.

 

Unraid uses the "CN" (common name) portion of the certificate. If the CN contains a *, the * is replaced with the hostname, otherwise it is assumed the CN is correct as-is.

 

If you SSH to your server and run this command, it will show you the CN for your certificate:

openssl x509 -noout -subject -nameopt multiline -in /path/to/cert/bundle.pem |sed -n 's/ *commonName *= //p'

 

If the result of that command is something like this:

*.mydomain.com

then Unraid will change the * to your hostname, and redirect to that:

tower.mydomain.com

 

If the result of that command does not include a *, it is used as-is.

14 hours ago, ljm42 said:

 

It sounds like the structure of your certificate isn't setup quite right for Unraid.

 

Unraid uses the "CN" (common name) portion of the certificate. If the CN contains a *, the * is replaced with the hostname, otherwise it is assumed the CN is correct as-is.

 

If you SSH to your server and run this command, it will show you the CN for your certificate:


openssl x509 -noout -subject -nameopt multiline -in /path/to/cert/bundle.pem |sed -n 's/ *commonName *= //p'

 

If the result of that command is something like this:


*.mydomain.com

then Unraid will change the * to your hostname, and redirect to that:


tower.mydomain.com

 

If the result of that command does not include a *, it is used as-is.

 

That's the reason the workaround works. Unfortunately the LE Docker cannot generate a certificate with the "*". The LE Docker can only generate the certificate with the CN as "mydomain.com" or "hostname.mydomain.com" if setup as I mentioned.


Hello,

 

I've just switched from Let's Encrypt to using my own certs, signed by my own CA. Everything is working with the public domains, but the local IP still appears to be registered with Unraid and is pulling the Let's Encrypt cert from unraid.net. How can one deprovision their private IP and clean up the link with Unraid's Let's Encrypt?

 

Thanks

On 10/2/2019 at 12:10 AM, jabajames said:

Once that is done you have to include the private key you received when you generated the CSR for your domain onto the end of the file also. So the end result should be a .pem file containing:

- your certificate

- the chain of certificates that assures yours

- your private key

 

Thanks, this worked fine with my setup (currently running 6.9.0-rc2). Just using the cert didn't work, but the cert + chain + key worked beautifully. I should perhaps add that I created my own CA for local systems (my home LAN), and have then created certs for local boxes using this special CA. Load the CA-cert and all local boxes work fine with HTTPS.


Has anyone been able to get this working with a cloudflare cert?
I can use either the unraid.net one or a tower.local one and it will work fine, but if I use the Cloudflare one it just doesn't load the webgui. There's no error, it's just unavailable.

Of note is that if I run:

On 6/6/2020 at 12:53 AM, ljm42 said:

openssl x509 -noout -subject -nameopt multiline -in /path/to/cert/bundle.pem |sed -n 's/ *commonName *= //p'

then the output is "CloudFlare Origin Certificate" not unraid.mydomain.com

There's also no intermediate certs, just the main one and the key

6 hours ago, H2O_King89 said:

this is broken with Version: 6.10.0-rc1
I think when I reload Nginx it's replacing the cert.

A self-signed SSL certificate
Select Yes to enable HTTPS and redirect HTTP to HTTPS. A self-signed SSL certificate will be generated automatically.

 

 

Yes, same here: when starting nginx or rebooting the server, a self-signed SSL certificate is generated, overwriting my custom SSL certificate.

It seems a bug in 6.10.0-rc1; however, the suggested workaround does not work for me:

 

See:

Did you fix it?

On 3/11/2022 at 7:34 PM, H2O_King89 said:

6.10 RC3 still broken and being replaced by self-signed

 

7 hours ago, lagunapata said:

RC3 deleted my own self-signed cert pem

 

What is your servername, what is your LocalTLD, and what is the Subject of your certificate?

 

As mentioned here:

  https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

The Subject of the certificate must exactly match "[servername].[LocalTLD]", otherwise it will get replaced. If you want to use a wildcard cert, the subject of the certificate must exactly match "*.[LocalTLD]"

 

Check capitalization too. The current version is strict about capitalization, we should be able to relax that for the next release.

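As an added example (not Unraid's own code, and not posted by anyone in this thread), a small Python checker that applies the two rules the thread settles on: jabajames' bundle layout (your certificate first, the chain after it, the private key last) and ljm42's CN rule (a "*" in the CN is replaced with the hostname, otherwise the CN is used as-is, and on 6.10 the Subject must exactly equal servername.LocalTLD or *.LocalTLD, capitalization included). The sample bundle is constructed with placeholder bodies, not real certificates or key material.

```python
import re

# One PEM block: "-----BEGIN <LABEL>-----", body lines, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.DOTALL
)

# Constructed stand-in for server-name_unraid_bundle.pem. The bodies are
# placeholders, not real certificates or a real private key.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
PLACEHOLDER LEAF CERTIFICATE BODY (constructed, not real)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER INTERMEDIATE CERTIFICATE BODY (constructed, not real)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
PLACEHOLDER PRIVATE KEY BODY (constructed, not real)
-----END PRIVATE KEY-----
"""


def pem_block_labels(bundle):
    """BEGIN labels of every PEM block in the bundle, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]


def bundle_layout_ok(bundle):
    """True when the file is one or more CERTIFICATE blocks (your cert first,
    then its chain) followed by exactly one private key at the very end."""
    labels = pem_block_labels(bundle)
    if len(labels) < 2:
        return False
    *certs, last = labels
    return all(lab == "CERTIFICATE" for lab in certs) and last.endswith("PRIVATE KEY")


def redirect_host(cn, hostname):
    """Host Unraid's nginx redirects http:// to: a '*' in the CN is replaced
    with the hostname, otherwise the CN is used exactly as-is."""
    return cn.replace("*", hostname) if "*" in cn else cn


def subject_accepted(cn, servername, local_tld):
    """6.10 rule: the Subject CN must exactly equal servername.LocalTLD or
    *.LocalTLD (case-sensitive), or a self-signed cert replaces the bundle."""
    return cn in (f"{servername}.{local_tld}", f"*.{local_tld}")
```

Running the checker over your own bundle before rebooting tells you whether the file order is right and which host the http:// redirect will land on, which are the two things that broke for the posters above.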
 
My cert does not match the LocalTLD.

My CN is mydomain.space; LocalTLD is "local".

The LocalTLD is for "local".

Why would they match?


And I changed LocalTLD to "space";

it jumps to "mydomain.spacespace".
6 hours ago, ljm42 said:

 

 

What is your servername, what is your LocalTLD, and what is the Subject of your certificate?

 

As mentioned here:

  https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

The Subject of the certificate must exactly match "[servername].[LocalTLD]", otherwise it will get replaced. If you want to use a wildcard cert, the subject of the certificate must exactly match "*.[LocalTLD]"

 

Check capitalization too. The current version is strict about capitalization, we should be able to relax that for the next release.

 

One more thing:

when I change LocalTLD to something that is not actually the LocalTLD, I can't open the webgui.

Example:

My actual LocalTLD is "local" and the servername is "NAS". NAS.local has an IP distributed, so https://NAS.local will open the webgui.

When I change LocalTLD to "temp":

NAS.temp actually has no IP distributed, so https://NAS.temp can't open the webgui.

AND it always jumps to NAS.temp, even when using the IP,

BUT NAS.temp actually has no IP distributed,

so you can't open the webgui.

You must modify the hosts file.
