
Migrating SSL Certificates


Hello,

I've just switched from Let's Encrypt to using my own certs, signed by my own CA. Everything is working with the public domains, but the local IP still appears to be registered with Unraid and is pulling the Let's Encrypt cert from unraid.net. How can one deprovision their private IP and clean up the link with Unraid's Let's Encrypt?

Thanks

Annotation 2020-07-06 005129.png

This may help, but I'm not 100% sure as I've never used my own.

nginx certificate handling details

The nginx startup script looks for an SSL certificate on the USB boot flash in this order:
  config/ssl/certs/certificate_bundle.pem
  config/ssl/certs/<server-name>_unraid_bundle.pem

If neither file exists, a self-signed SSL certificate is automatically created and stored in
  config/ssl/certs/<server-name>_unraid_bundle.pem

Provisioning a Let's Encrypt certificate writes the certificate to
  config/ssl/certs/certificate_bundle.pem

nginx stapling support

Whether nginx enables OCSP Stapling is determined by which certificate is in use:
  config/ssl/certs/certificate_bundle.pem => Yes
  config/ssl/certs/<server-name>_unraid_bundle.pem => No

 

  • Author

Thanks, yeah I read that and got my own certs to work... it's just that now the private IP is still provisioned with unraid.net's Let's Encrypt cert.

So the unraid.mydomain.com cert is correct, but the 10.10.80.175 local IP still uses the Unraid cert... trying to figure out how to deprovision my local IP from the Unraid cert.

 

 

Untitled.png


Oh sorry for misunderstanding. Searching for the fix.

 

Edited by Jerky_san
Sorry it was fixed so trying to find the fix

@srfnmnk Just to ask did you restart your server or the nginx process after you added your certs?

  • Author

Ha, you know what, I didn't. I tried to restart the nginx process, but it says my nginx.conf file is invalid. What's the right way to restart/reload nginx for Unraid?

/etc/nginx# /etc/rc.d/rc.nginx restart ./nginx.conf
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

 


 

I believe you just say /etc/rc.d/rc.nginx restart without the ./nginx.conf. At least the scripts I've seen that automatically import SSL certs for Unraid never have the ./nginx.conf on it.

  • Author

Yeah that's what I started with and had the same error.

/etc/rc.d# ./rc.nginx restart
Checking configuration for correct syntax and
then trying to open files referenced in configuration...
nginx: [emerg] invalid number of arguments in "return" directive in /etc/nginx/conf.d/emhttp-servers.conf:39
nginx: configuration file /etc/nginx/nginx.conf test failed
Invalid configuration, Nginx not restarted

 


 

Hmm, I assume you could probably go to the file and try to fix whatever is wrong on line 39 of emhttp-servers.conf, but you might just try restarting. I'm unsure how to proceed on that one, as I assume it won't save whatever you change on reboot.

Edited by Jerky_san

  • Author

ok, so there was a signature issue and that's why it wouldn't restart. I got that fixed... now nginx has been restarted and is healthy.

So now there's no unraid.net Let's Encrypt cert reference and my public ACME certs are working on the public domain now (via reverse proxy) -- I think this can be ignored for the purpose of this issue.

Local IP https cert appears to be invalid -- "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

I have 2 pem bundles in the /boot/config/ssl/certs/ dir:

  certificate_bundle.pem (soft linked from unraid_bundle in /etc/ssl/certs)
  <server>_unraid_bundle.pem

These two bundles were created as follows:

  certificate_bundle.pem
    root_ca private key file
    root_ca cert
    intermediate_ca cert

  <server>_unraid_bundle.pem
    server_cert.key
    server_cert

Anything sticking out to you that seems wrong?

Untitled.png


Does it do it in IE and Firefox? Also, I believe maybe you have the key type wrong, perhaps? Not 100% on that, as I've never personally got that error, but I believe it could be like you have it set as client auth instead of server or something like that.

  • Author

Yes, it does the same thing in other browsers. Yeah, I was thinking that too, but it seems right... as far as I can tell (I did also try a client cert but got the same error).

Appreciate the help. FYI the certs/keys were created and signed in pfSense and I just downloaded them and concatenated them.

 

 

Untitled.png


In the Chrome address bar, if it shows the lock at all, click it, go to View certificate, Details, and look for "Enhanced Key Usage" and see what it says, if it will let you. Below is an example of what it should say.

image.png

  • Author

Wow! haha -- I guess I was overcomplicating it. I was building a cert chain for my CA in the certs dir (certificate_bundle.pem) so that the CA-signed cert would be trusted. I was then ALSO creating the server cert and key bundle and adding that to the certs dir (server_unraid_bundle.pem)... which seems like the right thing to do... but evidently it wasn't.

The final answer was to remove the certificate_bundle.pem. Seems like everything is working now.

 

Thanks again for your help.
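The two things this thread turns on are the nginx lookup order quoted earlier (certificate_bundle.pem is loaded in preference to <server>_unraid_bundle.pem) and the "ERR_SSL_KEY_USAGE_INCOMPATIBLE" a browser raises when the certificate it is handed is not a usable server certificate. The script below is an added example, not code from this thread or from Unraid: it builds a throwaway root CA and server certificate with openssl, then applies the checks a browser makes on the served leaf (key usage, extended key usage, CA flag, key/cert match, chain) so a bundle can be tested before it is copied to /boot/config/ssl/certs. The server name "tower", the temporary file names and the CA subject are constructed for the demo; the hostname and LAN IP are the ones used in the thread.

```shell
#!/bin/sh
# Added example; not code from this thread or from Unraid. Builds a
# throwaway root CA and server certificate with openssl (every name, path
# and IP below is constructed for the demo; the hostname and LAN IP are
# the ones mentioned in the thread) and applies the checks a browser makes
# on the served certificate, so a bundle can be tested before it is copied
# to /boot/config/ssl/certs.

# First PEM block of the requested type in a file. nginx likewise serves
# the first certificate in the bundle as the leaf, whatever precedes it.
first_block() {   # $1 = "CERTIFICATE" or "PRIVATE KEY", $2 = file
    awk -v t="$1" 'index($0,"-----BEGIN ") && index($0,t) {p=1}
                   p {print}
                   index($0,"-----END ") && index($0,t) {if (p) exit}' "$2"
}

# Throwaway PKI: a root CA whose key usage is keyCertSign/cRLSign only (as
# a CA's should be) and a server cert for unraid.mydomain.com / 10.10.80.175.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$d/root_ca.key" -out "$d/root_ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=unraid.mydomain.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:unraid.mydomain.com,IP:10.10.80.175" > "$d/server.ext"
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/root_ca.pem" \
        -CAkey "$d/root_ca.key" -CAcreateserial -extfile "$d/server.ext" \
        -out "$d/server.pem" 2>/dev/null
}

# The served leaf must be an end-entity cert that may sign handshakes and
# is meant for server use. A CA cert served by mistake fails these checks;
# Chrome reports that as ERR_SSL_KEY_USAGE_INCOMPATIBLE.
leaf_is_server_cert() {
    t=$(first_block CERTIFICATE "$1" | openssl x509 -noout -text) || return 1
    printf '%s\n' "$t" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' || return 1
    printf '%s\n' "$t" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' || return 1
    ! printf '%s\n' "$t" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# The private key in the bundle must be the leaf's key, not the CA's.
key_matches_leaf() {
    k=$(first_block "PRIVATE KEY" "$1" | openssl pkey -pubout 2>/dev/null | openssl sha256)
    c=$(first_block CERTIFICATE "$1" | openssl x509 -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The leaf must chain to the root the clients trust. Add
# "-untrusted intermediate.pem" when an intermediate CA issued the leaf.
chain_verifies() {
    first_block CERTIFICATE "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# All checks together: success means a browser should accept the bundle.
check_bundle() {
    leaf_is_server_cert "$1" && key_matches_leaf "$1" && chain_verifies "$1" "$2"
}

# Demo: the working layout from the end of the thread (server key + server
# cert) next to the failing one (CA private key + CA cert). nginx loads
# certificate_bundle.pem first when both exist, so with the failing layout
# in place the CA certificate is what the browser is shown.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    cat "$d/server.key" "$d/server.pem"   > "$d/tower_unraid_bundle.pem"
    cat "$d/root_ca.key" "$d/root_ca.pem" > "$d/certificate_bundle.pem"
    for b in tower_unraid_bundle.pem certificate_bundle.pem; do
        if check_bundle "$d/$b" "$d/root_ca.pem"; then
            echo "$b: OK"
        else
            echo "$b: browsers will reject the served certificate"
        fi
    done
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run it with sh on any machine that has openssl. The certificate_bundle.pem it writes reproduces the layout described above (CA private key first, then CA certs), and because that file wins the lookup order, nginx served the CA certificate rather than the server certificate; a CA certificate carries keyCertSign instead of digitalSignature and no serverAuth EKU, which is exactly what the browser error complains about. The bundle nginx serves from should contain only the server private key, the server certificate and any intermediate CA certificates; the CA's private key does not belong on the server at all.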


Welcome, have fun.

  • 1 year later...

@srfnmnk or anyone with information,

Could you share how you "switched from letsEncrypt to using my own certs, signed by my own CA"? I am also interested in doing this, since my domain name registrar is also a CA, but I don't know where to start to find the information.
