geeksheikh Posted July 8, 2020
Hello, I've just switched from Let's Encrypt to using my own certs, signed by my own CA. Everything is working with the public domains, but the local IP still appears to be registered with Unraid and is pulling the Let's Encrypt cert from unraid.net. How can one deprovision their private IP and clean up the link with Unraid's Let's Encrypt? Thanks
Jerky_san Posted July 8, 2020
This may help but not 100% sure as I've never used my own.

nginx certificate handling details
The nginx startup script looks for a SSL certificate on the USB boot flash in this order:
config/ssl/certs/certificate_bundle.pem
config/ssl/certs/<server-name>_unraid_bundle.pem
If neither file exists, a self-signed SSL certificate is automatically created and stored in config/ssl/certs/<server-name>_unraid_bundle.pem
Provisioning a Let's Encrypt certificate writes the certificate to config/ssl/certs/certificate_bundle.pem

nginx stapling support
Whether nginx enables OCSP Stapling is determined by which certificate is in use:
config/ssl/certs/certificate_bundle.pem => Yes
config/ssl/certs/<server-name>_unraid_bundle.pem => No
geeksheikh (Author) Posted July 8, 2020
Thanks, yeah I read that and got my own certs to work...it's just that now the private IP is still provisioned with unraid.net's Let's Encrypt cert. So unraid.mydomain.com cert is correct but the 10.10.80.175 local IP still uses the unraid cert...trying to figure out how to deprovision my local IP from the unraid cert.
Jerky_san Posted July 8, 2020 (edited)
13 minutes ago, srfnmnk said: Thanks, yeah I read that and got my own certs to work...it's just that now the private IP is still provisioned with unraid.net's Let's Encrypt cert. So unraid.mydomain.com cert is correct but the 10.10.80.175 local IP still uses the unraid cert...trying to figure out how to deprovision my local IP from the unraid cert.
Oh sorry for misunderstanding. Searching for the fix.
Edited July 8, 2020 by Jerky_san: Sorry, it was fixed so trying to find the fix
Jerky_san Posted July 8, 2020
@srfnmnk Just to ask, did you restart your server or the nginx process after you added your certs?
geeksheikh (Author) Posted July 8, 2020
Ha, you know what, I didn't. I tried to restart the nginx process but it says my nginx.conf file is invalid. What's the right way to restart/reload nginx for unraid?

/etc/nginx# /etc/rc.d/rc.nginx restart ./nginx.conf
Checking configuration for correct syntax and then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted
Jerky_san Posted July 8, 2020
43 minutes ago, srfnmnk said: Ha, you know what, I didn't. I tried to restart the nginx process but it says my nginx.conf file is invalid. What's the right way to restart/reload nginx for unraid?

/etc/nginx# /etc/rc.d/rc.nginx restart ./nginx.conf
Checking configuration for correct syntax and then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

I believe you just say /etc/rc.d/rc.nginx restart without the ./nginx.conf. At least scripts I've seen that automatically import ssl certs for unraid don't ever have the ./nginx.conf on it.
geeksheikh (Author) Posted July 8, 2020
Yeah that's what I started with and had the same error.

/etc/rc.d# ./rc.nginx restart
Checking configuration for correct syntax and then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted
Jerky_san Posted July 8, 2020 (edited)
24 minutes ago, srfnmnk said: Yeah that's what I started with and had the same error.

/etc/rc.d# ./rc.nginx restart
Checking configuration for correct syntax and then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

Hmm, I assume you could probably go to the file and try to fix whatever is wrong on line 39 of emhttp-servers.conf, but might just try restarting. I'm unsure on how to proceed on that one as I assume it won't save whatever you change on reboot.
Edited July 8, 2020 by Jerky_san
geeksheikh (Author) Posted July 8, 2020
ok, so there was a signature issue and that's why it wouldn't restart. I got that fixed...now nginx has been restarted and is healthy. So now there's no unraid.net Let's Encrypt cert reference and my public ACME certs are working on public domain now (via reverse proxy) -- I think this can be ignored for the purpose of this issue.

Local IP https cert appears to be invalid -- "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

I have 2 pem bundles in the /boot/config/ssl/certs/ dir:
certificate_bundle.pem (soft linked from unraid_bundle in /etc/ssl/certs)
<server>_unraid_bundle.pem

These two bundles were created as such:

certificate_bundle.pem
  root_ca private key file
  root_ca cert
  intermediate_ca cert

<server>_unraid_bundle.pem
  server_cert.key
  server_cert

Anything sticking out to you that seems wrong?
Jerky_san Posted July 8, 2020
4 minutes ago, srfnmnk said: ok, so there was a signature issue and that's why it wouldn't restart. I got that fixed...now nginx has been restarted and is healthy. So now there's no unraid.net Let's Encrypt cert reference and my public ACME certs are working on public domain now (via reverse proxy) -- I think this can be ignored for the purpose of this issue.

Local IP https cert appears to be invalid -- "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

I have 2 pem bundles in the /boot/config/ssl/certs/ dir:
certificate_bundle.pem (soft linked from unraid_bundle in /etc/ssl/certs)
<server>_unraid_bundle.pem

These two bundles were created as such:

certificate_bundle.pem
  root_ca private key file
  root_ca cert
  intermediate_ca cert

<server>_unraid_bundle.pem
  server_cert.key
  server_cert

Anything sticking out to you that seems wrong?

Does it do it in IE and Firefox? Also I believe maybe you have the key type wrong perhaps? Not 100% on that as I've never personally got that error, but I believe it could be like you have it set as client auth instead of server or something like that.
geeksheikh (Author) Posted July 8, 2020
Yes, it does the same thing in other browsers. Yeah I was thinking that too but seems right...as far as I can tell (I did also try a client cert but got same error). Appreciate the help. FYI the certs/keys were created and signed in pfSense and I just downloaded them and concat'd them.
Jerky_san Posted July 8, 2020
18 minutes ago, srfnmnk said: Yes, it does the same thing in other browsers. Yeah I was thinking that too but seems right...as far as I can tell (I did also try a client cert but got same error). Appreciate the help. FYI the certs/keys were created and signed in pfSense and I just downloaded them and concat'd them.
In the Chrome address bar, if it shows the lock at all, click it, go to view certificate, details, and look for "enhanced key usage" and see what it says, if it will let you. Below is an example of what it should say.
Jerky_san Posted July 8, 2020
Also found this guide https://www.target-bravo.com/blog/2018/7/10/blog-headline-1-6y3tj-49m5s-7tbal-56sar
geeksheikh (Author) Posted July 8, 2020
Wow! haha -- I guess I was overcomplicating it. I was building a cert chain for my CA in the certs dir (certificate_bundle.pem) so that the CA-signed cert would be trusted. I was then ALSO creating the server cert and key bundle and adding that to the certs dir (server_unraid_bundle.pem)...which seems like the right thing to do...but evidently it wasn't. The final answer was to remove the certificate_bundle.pem. Seems like everything is working now. Thanks again for your help.
Jerky_san Posted July 8, 2020
28 minutes ago, srfnmnk said: Wow! haha -- I guess I was overcomplicating it. I was building a cert chain for my CA in the certs dir (certificate_bundle.pem) so that the CA-signed cert would be trusted. I was then ALSO creating the server cert and key bundle and adding that to the certs dir (server_unraid_bundle.pem)...which seems like the right thing to do...but evidently it wasn't. The final answer was to remove the certificate_bundle.pem. Seems like everything is working now. Thanks again for your help.
Welcome, have fun.
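The lookup order quoted earlier in the thread means certificate_bundle.pem is served in preference to <server-name>_unraid_bundle.pem, so the CA chain left in certificate_bundle.pem (whose first certificate is a CA certificate, not a server certificate) is what browsers saw, which is the key-usage mismatch reported as ERR_SSL_KEY_USAGE_INCOMPATIBLE. The script below is an added example, not from the thread or from the Unraid project: it applies that lookup order to a directory and inspects the bundle nginx would pick with openssl. The directory argument, the function names and the verdict strings are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Unraid): apply the nginx bundle
# lookup order quoted in the thread to a certs directory and inspect the
# bundle nginx would serve. Needs openssl 1.1.1 or newer on PATH; the
# directory is assumed to mirror config/ssl/certs on the boot flash.

# Path nginx would load: certificate_bundle.pem wins over
# <server-name>_unraid_bundle.pem; "none" means nginx self-signs one.
pick_bundle() {  # $1 = certs dir, $2 = server name
    if [ -f "$1/certificate_bundle.pem" ]; then echo "$1/certificate_bundle.pem"
    elif [ -f "$1/$2_unraid_bundle.pem" ]; then echo "$1/$2_unraid_bundle.pem"
    else echo none; fi
}

# Number of private-key blocks in a bundle. A served bundle needs exactly
# one; two usually means a CA key was concatenated in as well.
count_keys() {  # $1 = bundle path
    grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# Value line of one X509v3 extension of the FIRST certificate in the bundle,
# which is the certificate nginx presents to browsers.
leaf_ext() {  # $1 = bundle path, $2 = extension name as openssl prints it
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -v t="$2" '$0 ~ ("X509v3 " t ":") { getline; sub(/^ +/, ""); print; exit }'
}

# Verdict for the bundle nginx would pick from a directory:
#   none     no bundle, nginx will generate a self-signed certificate
#   keys=N   N private keys in the bundle instead of one
#   ca-cert  the leaf is a CA certificate (the layout this thread ended up with)
#   usage    key usage / extended key usage not valid for a TLS server, which
#            browsers report as ERR_SSL_KEY_USAGE_INCOMPATIBLE
#   ok       end-entity certificate with TLS-server-compatible usage
check_certs_dir() {  # $1 = certs dir, $2 = server name
    b=$(pick_bundle "$1" "$2")
    [ "$b" != none ] || { echo none; return 0; }
    n=$(count_keys "$b")
    [ "$n" -eq 1 ] || { echo "keys=$n"; return 0; }
    case "$(leaf_ext "$b" 'Basic Constraints')" in *CA:TRUE*) echo ca-cert; return 0;; esac
    ku=$(leaf_ext "$b" 'Key Usage'); eku=$(leaf_ext "$b" 'Extended Key Usage')
    case "$ku" in ''|*"Digital Signature"*|*"Key Encipherment"*) ;; *) echo usage; return 0;; esac
    case "$eku" in ''|*"TLS Web Server Authentication"*) ;; *) echo usage; return 0;; esac
    echo ok
}

# Stand-alone use: sh check_bundle.sh /boot/config/ssl/certs <server-name>
if [ $# -eq 2 ]; then check_certs_dir "$1" "$2"; fi
```

Run it against the flash drive's certs directory before restarting nginx; "ca-cert" or "keys=2" is exactly the layout from earlier in this thread, and the fix is to leave only the server key and certificate in <server-name>_unraid_bundle.pem.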
yahsh Posted August 22, 2021
@srfnmnk or anyone with information, could you share how to "switch from Let's Encrypt to using my own certs, signed by my own CA"? I am also interested in doing this since my domain name registrar is also a CA, but I don't know where to start to find the information.