Cannot provision SSL certificate (error 403) with Ubiquiti Edgerouter 4 & ATT Fiber


lman30


I've spent several hours over several days trying to fix this, and I've found other posts on these forums about the problem but none of them have fixed my problem.

 

When I try to click the provision button under 'Management Access' for an SSL certificate I get the following error.


This resolves to 192.168.1.91 in a ping


I've tried to follow the suggestion in the help section of Unraid, and also from the forums, by specifying 'rebind-domain-ok=/unraid.net/' to allow DNS rebinding on that address.


You can see I also specify the Google DNS servers, which I've confirmed are being used.


I'm completely stumped...  anybody have additional resources/suggestions I can follow?

Edited by lman30
Link to comment

Hmm... OK, the fact that this resolves for you:
 ping 7064337de712ccf69be1c7f7762091b345f6cf66.unraid.net
means that rebind protection is not an issue.

 

But for some reason it resolves to 192.168.1.91 instead of the server's IP of 192.168.2.42. I was thinking perhaps you had two network cards in your system but that doesn't seem to be the case.

 

Any chance you are in a double-nat situation, behind two routers?

Link to comment

My current path for the server is (Unraid Server) -> (Dumb switch - Eth1) -> (EdgeRouter 4) -> (ONT)

 

I have hairpin/loopback NAT disabled


I do have a masquerade for outbound traffic to VLAN eth0.0, not sure if that qualifies as a double NAT.


Edit: I got my set up working without the masquerade, still no luck...

Edited by lman30
Link to comment
12 hours ago, lman30 said:

So I've tried resorting to the last recommendation under help to just make an entry for unraid.net in the hosts file, and it STILL gives me an error when trying to provision.

Changing the hosts file on the Unraid machine won't do anything... you would need to change the hosts file on the machine you're using to browse the Unraid UI. Also, I would completely close your web browser after that to clear any DNS caching it might store.

Link to comment

Oh okay, guess I don't understand the provisioning process too well.

 

I tried creating an entry at C:\Windows\System32\drivers\etc\hosts on the PC I'm using to access Unraid

Quote

192.168.2.1 7064337de712ccf69be1c7f7762091b345f6cf66.unraid.net

 

It doesn't take ~30 seconds to fail like before; it responds in less than a second but I still get the same error.  I've verified my machine resolves the address properly.


So frustrating!!! 

Link to comment
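
The checks discussed in the replies above (does the name resolve at all, does it resolve to the server's address, and is a hosts-file entry on the browsing machine overriding DNS), as an added Python example that is not part of the original thread. The function names are hypothetical, and the sample values are the ones quoted in the posts.

```python
import ipaddress
import socket

def parse_hosts(text):
    """Map each name in hosts-file text to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def classify(resolved, expected):
    """Compare the address a client got with the address the server has."""
    if resolved is None:
        return "no-answer"  # nothing came back, e.g. a filtered private reply
    resolved = ipaddress.ip_address(str(resolved))
    if resolved == ipaddress.ip_address(expected):
        return "match"
    return "wrong-private-address" if resolved.is_private else "public-address"

def resolve_live(name):
    """Ask the OS resolver (hosts file, then DNS); None if it has no answer."""
    try:
        return socket.getaddrinfo(name, 443, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None

def diagnose(name, expected, hosts_text="", resolver=resolve_live):
    """Return (source, verdict); a hosts entry is checked before DNS."""
    override = parse_hosts(hosts_text).get(name.lower().rstrip("."))
    if override is not None:
        return "hosts-file", classify(override, expected)
    return "dns", classify(resolver(name), expected)

# Sample values quoted in the thread (server address as given in the reply).
NAME = "7064337de712ccf69be1c7f7762091b345f6cf66.unraid.net"
SERVER_IP = "192.168.2.42"
HOSTS = "192.168.2.1 " + NAME + "\n"  # the hosts line posted above

if __name__ == "__main__":
    print(diagnose(NAME, SERVER_IP, HOSTS))  # checks the posted hosts entry
    print(diagnose(NAME, SERVER_IP))         # live lookup, needs a resolver
```

Run it on the machine used to browse the Unraid UI, passing the contents of that machine's hosts file as `hosts_text`.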