Jump to content

Migrating SSL Certificates


Recommended Posts

Posted

Hello,

 

I've just switched from letsEncrypt to using my own certs, signed by my own CA. Everything is working with the public domains, but the local IP still appears to be registered with unraid and is pulling the let's encrypt cert from unraid.net. How can one deprovision their private ip and clean up the link with unraid's letsencrypt?

 

Thanks

Annotation 2020-07-06 005129.png

Posted

This may help but not 100% sure as I've never used my own.

 

nginx certificate handling details

The nginx startup script looks for a SSL certificate on the USB boot flash in this order:
config/ssl/certs/certificate_bundle.pem
config/ssl/certs/<server-name>_unraid_bundle.pem

If neither file exists, a self-signed SSL certificate is automatically created and stored in
config/ssl/certs/<server-name>_unraid_bundle.pem

Provisioning a Let's Encrypt certificate writes the certificate to
config/ssl/certs/certificate_bundle.pem

nginx stapling support

Whether nginx enables OCSP Staping is determined by which certificate is in use:
config/ssl/certs/certificate_bundle.pem => Yes
config/ssl/certs/<server-name>_unraid_bundle.pem => No

 

Posted

Thanks, yeah I read that and got my own certs to work...it's just that now the private IP is still provisioned with unraid.net's let'sEncrypt cert.

 

So unraid.mydomain.com cert is correct but the 10.10.80.175 local ip still uses the unraid cert...trying to figure out how to deprovision my local IP from the unraid cert.

 

 

Untitled.png

Posted (edited)
13 minutes ago, srfnmnk said:

Thanks, yeah I read that and got my own certs to work...it's just that now the private IP is still provisioned with unraid.net's let'sEncrypt cert.

 

So unraid.mydomain.com cert is correct but the 10.10.80.175 local ip still uses the unraid cert...trying to figure out how to deprovision my local IP from the unraid cert.

 

 

Untitled.png

Oh sorry for misunderstanding. Searching for the fix.

 

Edited by Jerky_san
Sorry it was fixed so trying to find the fix
Posted

Ha, you know what, I didn't. I tried to restart the nginx process but it says my nginx.conf file is invalid. What's the right way to restart/reload nginx for unraid?

/etc/nginx# /etc/rc.d/rc.nginx restart ./nginx.conf
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

 

Posted
43 minutes ago, srfnmnk said:

Ha, you know what, I didn't. I tried to restart the nginx process but it says my nginx.conf file is invalid. What's the right way to restart/reload nginx for unraid?


/etc/nginx# /etc/rc.d/rc.nginx restart ./nginx.conf
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

 

I believe you just say /etc/rc.d/rc.nginx restart without the ./nginx.conf. At least scripts I've seen that automatically import ssl certs for unraid don't ever have the ./nginx.conf on it.

Posted

Yeah that's what I started with and had the same error.

/etc/rc.d# ./rc.nginx restart
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

 

Posted (edited)
24 minutes ago, srfnmnk said:

Yeah that's what I started with and had the same error.


/etc/rc.d# ./rc.nginx restart
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

 

Hmm I assume you could probably go to the file and try to fix whatever is wrong on line 39 of emhttp-servers.conf but might just try restarting. I'm unsure on how to proceed on that one as I assume it won't save whatever you change on reboot.

Edited by Jerky_san
Posted

ok, so there was a signature issue and that's why it wouldn't restart. I got that fixed...now nginx has been restarted and is healthy.

 

So now there's no unraid.net let'sEncrypt cert reference and my public ACME certs are working on public domain now (via reverse proxy) -- I think this can be ignored for the purpose of this issue.

 

Local IP https cert appears to be invalid -- "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

 

I have 2 pem bundles in the /boot/config/ssl/certs/ dir:

certificate_bundle.pem (soft linked from unraid_bundle in /etc/ssl/certs)

<server>_unraid_bundle.pem 

 

These two bundles were create as such

certificate_bundle.pem

root_ca private key file

root_ca cert

intermediate_ca cert

 

<server>_unraid_bundle.pem

server_cert.key

server_cert

 

Anything sticking out to you that seems wrong?

Untitled.png

Posted
4 minutes ago, srfnmnk said:

ok, so there was a signature issue and that's why it wouldn't restart. I got that fixed...now nginx has been restarted and is healthy.

 

So now there's no unraid.net let'sEncrypt cert reference and my public ACME certs are working on public domain now (via reverse proxy) -- I think this can be ignored for the purpose of this issue.

 

Local IP https cert appears to be invalid -- "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

 

I have 2 pem bundles in the /boot/config/ssl/certs/ dir:

certificate_bundle.pem (soft linked from unraid_bundle in /etc/ssl/certs)

<server>_unraid_bundle.pem 

 

These two bundles were create as such

certificate_bundle.pem

root_ca private key file

root_ca cert

intermediate_ca cert

 

<server>_unraid_bundle.pem

server_cert.key

server_cert

 

Anything sticking out to you that seems wrong?

Untitled.png

Does it do it in IE and Firefox? Also I believe maybe you have the key type wrong perhaps? Not 100% on that as I've never personally got that error but I believe it could be like you have it set as client auth instead of server or something like that.

Posted

Yes, it does the same thing in other browsers. Yeah I was thinking that too but seems right...as far as I can tell (I did also try a client cert but got same error)

 

Appreciate the help. FYI the certs/keys were created and signed in pfsense and I just downloaded them and concat'd them

 

 

Untitled.png

Posted
18 minutes ago, srfnmnk said:

Yes, it does the same thing in other browsers. Yeah I was thinking that too but seems right...as far as I can tell (I did also try a client cert but got same error)

 

Appreciate the help. FYI the certs/keys were created and signed in pfsense and I just downloaded them and concat'd them

 

 

Untitled.png

In the chrome address bar if it shows the lock at all click it go to view certificate, details, and look for "enhanced key usage" and see what it says if it will let you. Below is an example of what it should say.

 

image.png.e66edb8367e3d11db21bfd40d05416e8.png

Posted

Wow! haha -- I guess I was overcomplicating it. I was building a cert chain for my CA in the certs dir (certificates_bundle.pem) so that the CA-signed cert would be trusted. I was then ALSO creating the server cert and key bundle and adding that the certs dif (server_unraid_bundle.pem)...which seems like the right thing to do...but evidently it wasn't.

 

The final answer was to remove the certificantes_bundle.pem. Seems like everything is working now.

 

Thanks again for your help.

Posted
28 minutes ago, srfnmnk said:

Wow! haha -- I guess I was overcomplicating it. I was building a cert chain for my CA in the certs dir (certificates_bundle.pem) so that the CA-signed cert would be trusted. I was then ALSO creating the server cert and key bundle and adding that the certs dif (server_unraid_bundle.pem)...which seems like the right thing to do...but evidently it wasn't.

 

The final answer was to remove the certificantes_bundle.pem. Seems like everything is working now.

 

Thanks again for your help.

Welcome have fun

  • 1 year later...
Posted

@srfnmnk or anyone with information,

Could you share how to "switched from letsEncrypt to using my own certs, signed by my own CA"? I am also interested to do this since my domain name registra is also a CA but don't know where to start to find the information. 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...