jabajames, posted October 1, 2019

Afternoon all,

I've done a quick search of the forums but have been unable to sort my problem. I have provisioned the SSL cert for the server but now wish to use my own domain, which has its own certificate. I moved the certificate_bundle.pem from the /config/ssl/certs folder and replaced it with the bundle for my domain renamed to certificate_bundle.pem; however, when I rebooted the server I was unable to access the web interface at all. Once I replaced the original file everything worked as expected again.

So in essence the question is: how do I use the certificate for my domain in Unraid?

Thanks
Jay
jabajames (author), posted October 1, 2019

Fixed it. For those that are interested, the zip file I received from my domain registrar for the SSL certificate came with the SSL cert in a .pem file and the key chain (all the higher-level certificates that have signed and thus assured my certificate) in another .pem file. Unraid's web server requires all of these certificates in a single file. To that end, your certificate has to be the first one with the unaltered chain immediately after (in effect you have to cat the key chain onto your certificate). Once that is done you have to include the private key you received when you generated the CSR for your domain at the end of the file also. So the end result should be a .pem file containing:

- your certificate
- the chain of certificates that assures yours
- your private key

Once you have that you need to upload it to the flash drive (boot drive) and name it server-name_unraid_bundle.pem, obviously replacing server-name with the name of your server as set in Settings > Identification > Server name of your Unraid server. Reboot and you should be able to access your server via https:// using your own SSL certificate.

I'm now using this with Cloudflare acting as my DNS (blocking all connection attempts from certain countries) and the Cloudflare-DDNS container by oznu running to automatically update my DNS when needed. So far this works perfectly.

If anyone has any questions or needs some help please let me know.

Night all
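The assembly described above, as an added example that is not code from the thread or from Unraid: it stacks the server certificate, the chain and the private key in that order, normalises the CRLF line endings and missing trailing newlines that make a plain cat fuse an END marker onto the next BEGIN, and checks the block order before the file is copied to the flash drive. The PEM bodies are constructed placeholders, not real certificates or key material, and the bundle path follows the /boot/config/ssl/certs/server-name_unraid_bundle.pem location quoted later in the thread.

```python
"""Build and sanity-check an Unraid-style PEM bundle: leaf cert, chain, private key."""
import re
from typing import List, Tuple

# Constructed PEM blocks for the demo; the base64 bodies are placeholders only.
LEAF_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "TUlJQ2xlYWZjZXJ0aWZpY2F0ZQ==\n"
    "-----END CERTIFICATE-----"  # deliberately no trailing newline
)
CHAIN = (  # CRLF line endings, as files from a Windows-created zip often arrive
    "-----BEGIN CERTIFICATE-----\r\n"
    "TUlJQ2ludGVybWVkaWF0ZQ==\r\n"
    "-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "TUlJQ3Jvb3Q=\r\n"
    "-----END CERTIFICATE-----\r\n"
)
PRIVATE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "TUlJRXZwcml2YXRla2V5\n"
    "-----END PRIVATE KEY-----\n"
)

# One PEM block: label in the header, body, footer with the same label (\1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# A footer glued straight onto the next header: the symptom of cat-ing a file
# that has no trailing newline.
FUSED_MARKERS = re.compile(r"-----END [A-Z0-9 ]+----------BEGIN ")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) pairs in file order, each block rewritten with LF
    line endings and exactly one trailing newline."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = "\n".join(line.strip() for line in m.group(2).splitlines() if line.strip())
        blocks.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"))
    return blocks


def build_bundle(cert_pem: str, chain_pem: str, key_pem: str) -> str:
    """Concatenate in the order the webGui expects: your cert, then the chain
    as issued, then the private key."""
    parts = pem_blocks(cert_pem) + pem_blocks(chain_pem) + pem_blocks(key_pem)
    return "".join(block for _, block in parts)


def check_bundle(bundle: str) -> List[str]:
    """Structural checks only (block order and count); it does not verify that
    the chain actually signs the leaf or that the key matches the cert."""
    problems = []
    labels = [label for label, _ in pem_blocks(bundle)]
    if not labels:
        return ["no PEM blocks found"]
    if labels[0] != "CERTIFICATE":
        problems.append(f"first block is {labels[0]}, expected the server CERTIFICATE")
    key_positions = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if len(key_positions) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_positions)}")
    elif key_positions[0] != len(labels) - 1:
        problems.append("private key must be the last block")
    if labels.count("CERTIFICATE") < 2:
        problems.append("only one certificate present: no chain follows the server certificate")
    if FUSED_MARKERS.search(bundle):
        problems.append("END/BEGIN markers fused on one line: a source file lacked a trailing newline")
    return problems


def bundle_path(servername: str, root: str = "/boot/config/ssl/certs") -> str:
    """Destination on the flash drive; servername is the Settings > Identification value."""
    return f"{root}/{servername}_unraid_bundle.pem"


if __name__ == "__main__":
    bundle = build_bundle(LEAF_CERT, CHAIN, PRIVATE_KEY)
    print("naive cat problems:", check_bundle(LEAF_CERT + CHAIN + PRIVATE_KEY))
    print("built bundle problems:", check_bundle(bundle))
    print("would write to", bundle_path("tower"))
```

Run it against the real files (open them and pass the contents in place of the constants) before copying the result to the flash drive; a fused marker or a key in the wrong position is exactly the kind of mistake that leaves the webGui unreachable after the reboot.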
H2O_King89, posted October 5, 2019

Can you use the certs from the LE docker? Has anyone made a script that can copy them over? I have mine set up as a wildcard.

Sent from my iPhone using Tapatalk Pro
H2O_King89, posted October 6, 2019

It looks like the priv-fullchain-bundle.pem has the key in it. So you said I need to rename this to sub.domain.com_unraid_bundle.pem, and Settings > Identification > Server name needs to be the same sub.domain.com?
J-J, posted April 7, 2020

> On 10/2/2019 at 12:10 AM, jabajames said:
> If anyone has any questions or needs some help please let me know

Hi all, I can't get this to work with my self-created Gandy SSL certificates. Just to make sure, I need to put these keys in the pem file:

- your certificate > the certificate.crt file (from Gandy)
- the chain of certificates that assures yours > intermediate_key.pem (from Gandy)
- your private key > get the private key (out of the pem file which was created by the Unraid server)

Name it "my-server-name_unraid_bundle.pem".

When I do this and go to https://mynas.myddns.com:1234 I don't have access to my server anymore...
jabajames (author), posted April 28, 2020

Sorry all, I've been away for a while. Because I did not buy a wildcard cert I reverted to using the LE docker and the wildcard cert from that.

@J-J It sounds like the cert bundle generated by your authority differs from mine, as all of mine came in .pem files. Assuming that they are in the correct format and you placed them in the same file, then yes, you should be able to access your server @ https://*YourDomain*. If this is not the case then I can only think that your certs are in a different format or that you failed to stack them exactly as described.

@H2O_King89 I believe so? Did you ever get the LE docker cert to work via copy / symlink?
H2O_King89, posted May 3, 2020

> On 4/28/2020 at 10:59 AM, jabajames said:
> Sorry all, I've been away for a while. Because I did not buy a wildcard cert I reverted to using the LE docker and the wildcard cert from that.
> @J-J It sounds like the cert bundle generated by your authority differs from mine, as all of mine came in .pem files. Assuming that they are in the correct format and you placed them in the same file, then yes, you should be able to access your server @ https://*YourDomain*. If this is not the case then I can only think that your certs are in a different format or that you failed to stack them exactly as described.
> @H2O_King89 I believe so? Did you ever get the LE docker cert to work via copy / symlink?

Yes I did, but ran into the issue that going from http to https sent me to a wildcard domain. So I ended up having pfSense make a unraid.domain.com cert and imported it into Unraid.
ljm42, posted May 5, 2020

> On 5/3/2020 at 3:44 PM, H2O_King89 said:
> ran into the issue that going from http to https sent me to a wildcard domain

FYI, as of 6.8.2 Unraid should work with wildcard certs. See:
BBriner, posted June 5, 2020

> On 5/4/2020 at 12:44 AM, H2O_King89 said:
> Yes I did, but ran into the issue that going from http to https sent me to a wildcard domain. So I ended up having pfSense make a unraid.domain.com cert and imported it into Unraid.

Same here. Copying the LE docker cert "priv-fullchain-bundle.pem" to "/boot/config/ssl/certs/server-name_unraid_bundle.pem" works when typing https://server-name.domain.tld; however, unRAID wrongly redirects http://server-name.domain.tld to https://domain.tld.

Did you automate the import from pfSense to unRAID? If so, would you mind sharing your script?
BBriner, posted June 5, 2020

> On 5/5/2020 at 5:19 AM, ljm42 said:
> FYI, as of 6.8.2 Unraid should work with wildcard certs. See:

In fact it is exactly the opposite. It does not work because unRAID redirects to a wildcard domain without adding the server name.
BBriner, posted June 5, 2020

> 4 hours ago, BBriner said:
> Same here. Copying the LE docker cert "priv-fullchain-bundle.pem" to "/boot/config/ssl/certs/server-name_unraid_bundle.pem" works when typing https://server-name.domain.tld; however, unRAID wrongly redirects http://server-name.domain.tld to https://domain.tld.
> Did you automate the import from pfSense to unRAID? If so, would you mind sharing your script?

I've managed to find a workaround. The workaround is to set the LE Docker variable "Only Subdomains:" to "True" and, in the list of "Subdomain(s):", to make sure your unRAID server-name is the first one. With this workaround the generated LE certificate will be issued to "server-name.domain.tld" and unRAID's internal NGINX won't redirect to "https://domain.tld".
ljm42, posted June 5, 2020

> 15 hours ago, BBriner said:
> In fact it is exactly the opposite. It does not work because unRAID redirects to a wildcard domain without adding the server name.

It sounds like the structure of your certificate isn't set up quite right for Unraid.

Unraid uses the "CN" (common name) portion of the certificate. If the CN contains a *, the * is replaced with the hostname; otherwise it is assumed the CN is correct as-is.

If you SSH to your server and run this command, it will show you the CN for your certificate:

openssl x509 -noout -subject -nameopt multiline -in /path/to/cert/bundle.pem | sed -n 's/ *commonName *= //p'

If the result of that command is something like this:

*.mydomain.com

then Unraid will change the * to your hostname, and redirect to that:

tower.mydomain.com

If the result of that command does not include a *, it is used as-is.
BBriner, posted June 6, 2020 (edited)

> 14 hours ago, ljm42 said:
> It sounds like the structure of your certificate isn't set up quite right for Unraid.
> Unraid uses the "CN" (common name) portion of the certificate. If the CN contains a *, the * is replaced with the hostname; otherwise it is assumed the CN is correct as-is.
> If you SSH to your server and run this command, it will show you the CN for your certificate:
> openssl x509 -noout -subject -nameopt multiline -in /path/to/cert/bundle.pem | sed -n 's/ *commonName *= //p'
> If the result of that command is something like this: *.mydomain.com then Unraid will change the * to your hostname, and redirect to that: tower.mydomain.com
> If the result of that command does not include a *, it is used as-is.

That's the reason the workaround works. Unfortunately the LE Docker cannot generate a certificate with the "*". The LE Docker can only generate the certificate with the CN as "mydomain.com", or "hostname.mydomain.com" if set up as I mentioned.

Edited June 6, 2020 by BBriner
srfnmnk, posted July 6, 2020

Hello, I've just switched from Let's Encrypt to using my own certs, signed by my own CA. Everything is working with the public domains, but the local IP still appears to be registered with Unraid and is pulling the Let's Encrypt cert from unraid.net. How can one deprovision their private IP and clean up the link with Unraid's Let's Encrypt?

Thanks
dahlenu, posted January 17, 2021

> On 10/2/2019 at 12:10 AM, jabajames said:
> Once that is done you have to include the private key you received when you generated the CSR for your domain at the end of the file also. So the end result should be a .pem file containing:
> - your certificate
> - the chain of certificates that assures yours
> - your private key

Thanks, this worked fine with my setup (currently running 6.9.0-rc2). Just using the cert didn't work, but the cert + chain + key worked beautifully.

I should perhaps add that I created my own CA for local systems (my home LAN), and have then created certs for local boxes using this special CA. Load the CA cert and all local boxes work fine with HTTPS.
RoryIsNotACabbage, posted July 7, 2021 (edited)

Has anyone been able to get this working with a Cloudflare cert? I can use either the unraid.net one or a tower.local one and it will work fine, but if I use the Cloudflare one it just doesn't load the webGUI. There's no error, it's just unavailable.

Of note is that if I run:

> On 6/6/2020 at 12:53 AM, ljm42 said:
> openssl x509 -noout -subject -nameopt multiline -in /path/to/cert/bundle.pem | sed -n 's/ *commonName *= //p'

then the output is "CloudFlare Origin Certificate", not unraid.mydomain.com.

There's also no intermediate certs, just the main one and the key.

Edited July 8, 2021 by RoryIsNotACabbage
H2O_King89, posted August 23, 2021

This is broken with Version: 6.10.0-rc1. I think when I reload Nginx it's replacing the cert:

A self-signed SSL certificate
Select Yes to enable HTTPS and redirect HTTP to HTTPS. A self-signed SSL certificate will be generated automatically.
Kopernikus, posted August 23, 2021

> 6 hours ago, H2O_King89 said:
> This is broken with Version: 6.10.0-rc1. I think when I reload Nginx it's replacing the cert:
> A self-signed SSL certificate
> Select Yes to enable HTTPS and redirect HTTP to HTTPS. A self-signed SSL certificate will be generated automatically.

Yes, same here: when starting nginx or rebooting the server a self-signed SSL cert is generated, overwriting my custom SSL cert. It seems to be a bug in 6.10.0-rc1; however, the suggested workaround does not work for me. See:

Did you fix it?
H2O_King89, posted November 3, 2021

Does RC2 work with this?

Sent from my iPhone using Tapatalk Pro
ljm42, posted November 3, 2021

> 3 hours ago, H2O_King89 said:
> Does RC2 work with this?

Yes, the issue with wildcard certs in 6.10.0-rc1 should be resolved in rc2. Please see the docs for details on setting up a custom certificate: https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29
H2O_King89, posted March 12, 2022

6.10 RC3 is still broken and the cert is being replaced by a self-signed one.
lagunapata, posted March 13, 2022

> On 11/4/2021 at 4:31 AM, ljm42 said:
> Yes, the issue with wildcard certs in 6.10.0-rc1 should be resolved in rc2. Please see the docs for details on setting up a custom certificate: https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

RC3 deletes my own self-signed cert pem; it always rolls back to the default pem. What can I do……
ljm42, posted March 13, 2022

> On 3/11/2022 at 7:34 PM, H2O_King89 said:
> 6.10 RC3 is still broken and the cert is being replaced by a self-signed one.

> 7 hours ago, lagunapata said:
> RC3 deletes my own self-signed cert pem

What is your servername, what is your LocalTLD, and what is the Subject of your certificate?

As mentioned here: https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29

The Subject of the certificate must exactly match "[servername].[LocalTLD]", otherwise it will get replaced. If you want to use a wildcard cert, the subject of the certificate must exactly match "*.[LocalTLD]".

Check capitalization too. The current version is strict about capitalization; we should be able to relax that for the next release.
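The two rules ljm42 states in this thread, modelled as an added Python example that is not Unraid's own code: the 2020 post's redirect rule (a "*" in the CN is replaced with the hostname, otherwise the CN is used as-is) and this post's 6.10.0-rc2+ rule (the subject must exactly, case-sensitively, match [servername].[LocalTLD] or *.[LocalTLD] or the bundle is replaced). It also pulls the CN out of `openssl x509 -noout -subject -nameopt multiline` output the way the sed expression in the thread does, so the same check can be run on a real certificate's output. The sample openssl output below is constructed, and the "CloudFlare Origin Certificate" case reproduces the CN reported earlier in the thread.

```python
"""Predict what the Unraid webGui does with a custom certificate's CN."""
import re
from typing import List

# Constructed sample of `openssl x509 -noout -subject -nameopt multiline` output
# (not captured from a real certificate).
SAMPLE_SUBJECT = """subject=
    countryName               = US
    organizationName          = Example Home Lab
    commonName                = *.mydomain.com
"""


def common_name_from_openssl(subject_output: str) -> str:
    """Same field the thread's `sed -n 's/ *commonName *= //p'` prints."""
    m = re.search(r"^\s*commonName\s*=\s*(.+?)\s*$", subject_output, re.M)
    if m is None:
        raise ValueError("subject has no commonName")
    return m.group(1)


def redirect_host(common_name: str, hostname: str) -> str:
    """Rule from ljm42's 2020 post: a '*' in the CN becomes the hostname,
    otherwise the CN is used as-is for the http -> https redirect."""
    if "*" in common_name:
        return common_name.replace("*", hostname, 1)
    return common_name


def cert_is_kept(common_name: str, servername: str, local_tld: str) -> bool:
    """Rule from ljm42's 2022 post: exact, case-sensitive match against
    servername.LocalTLD or *.LocalTLD, or the cert is replaced on nginx start."""
    return common_name in (f"{servername}.{local_tld}", f"*.{local_tld}")


def diagnose(common_name: str, servername: str, local_tld: str) -> List[str]:
    """Human-readable findings; an empty list means the cert should survive and
    the redirect lands on servername.LocalTLD."""
    notes = []
    expected = f"{servername}.{local_tld}"
    wildcard = f"*.{local_tld}"
    if not cert_is_kept(common_name, servername, local_tld):
        if common_name.lower() in (expected.lower(), wildcard.lower()):
            notes.append(
                f'CN "{common_name}" differs from "{expected}" only in capitalization; '
                "6.10.0-rc3 is strict about case"
            )
        else:
            notes.append(
                f'CN "{common_name}" is neither "{expected}" nor "{wildcard}"; '
                "6.10.0-rc2+ replaces the bundle with a self-signed certificate"
            )
    target = redirect_host(common_name, servername)
    if not re.fullmatch(r"[A-Za-z0-9.-]+", target):
        # e.g. a CN such as "CloudFlare Origin Certificate": the browser is sent
        # to something that cannot resolve, so the webGui appears unavailable.
        notes.append(f'redirect target "{target}" is not a hostname; the CN is not a DNS name')
    elif target != expected:
        notes.append(f"http requests will be redirected to https://{target}, not https://{expected}")
    return notes


if __name__ == "__main__":
    cn = common_name_from_openssl(SAMPLE_SUBJECT)
    for case in [(cn, "tower", "mydomain.com"),
                 ("mydomain.com", "tower", "mydomain.com"),
                 ("nas.local", "NAS", "local"),
                 ("CloudFlare Origin Certificate", "unraid", "mydomain.com")]:
        print(case, "->", diagnose(*case) or ["ok"])
```

Feed it the output of the openssl command from this thread together with the values from Settings > Identification (server name) and Settings > Management Access (LocalTLD) to see in advance whether the bundle will be kept and where http requests will land.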
lagunapata, posted March 14, 2022

> ljm42 said:
> What is your servername, what is your LocalTLD, and what is the Subject of your certificate?
> As mentioned here: https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29
> The Subject of the certificate must exactly match "[servername].[LocalTLD]", otherwise it will get replaced. If you want to use a wildcard cert, the subject of the certificate must exactly match "*.[LocalTLD]".
> Check capitalization too. The current version is strict about capitalization; we should be able to relax that for the next release.

My cert does not match the localtld. My CN is mydomain.space, localtld is "local". The localtld is for "local", so why would they match? And if I change localtld to "space", it jumps to "mydomain.spacespace".
lagunapata, posted March 14, 2022

> 6 hours ago, ljm42 said:
> What is your servername, what is your LocalTLD, and what is the Subject of your certificate?
> As mentioned here: https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29
> The Subject of the certificate must exactly match "[servername].[LocalTLD]", otherwise it will get replaced. If you want to use a wildcard cert, the subject of the certificate must exactly match "*.[LocalTLD]".
> Check capitalization too. The current version is strict about capitalization; we should be able to relax that for the next release.

One more thing: when I change localtld to something that is not actually the localtld, I can't open the webGUI.

Example: my actual localtld is "local", servername is "NAS". NAS.local has an IP assigned, so https://NAS.local will open the webGUI. When I change localtld to "temp", NAS.temp actually has no IP assigned, so https://NAS.temp can't open the webGUI.

AND ~ it always jumps to NAS.temp, even when I use the IP. BUT NAS.temp actually has no IP assigned, so you can't open the webGUI; you must modify the hosts file.