Opened 22 months ago

Closed 3 months ago

Last modified 3 weeks ago

#564 closed defect (fixed)

Cannot update SSL certificate via GUI

Reported by: montjoy1
Owned by: william
Priority: major
Milestone: 8.3.1-RELEASE
Component: GUI
Version: 8.2.0-RELEASE-p1
Keywords: https ssl cert certificate
Cc: dcroper@…

Description

When I update the SSL certificate via the web gui and click OK, it reverts back to the stock certificate and key. I've found a workaround by exporting the database, editing, and uploading again - but this is not ideal. I've seen this both in 8.0 and 8.0.1 rc4.

Change History (19)

comment:1 Changed 22 months ago by montjoy1

  • Component changed from Backend to GUI

comment:2 Changed 22 months ago by montjoy1

  • Milestone changed from 8.0-RELEASE to 8.0.1-RELEASE

comment:3 Changed 22 months ago by jpaetzel

  • Owner set to jhixson
  • Status changed from new to assigned

comment:4 in reply to: ↑ description Changed 22 months ago by jhixson

Replying to montjoy1:

When I update the SSL certificate via the web gui and click OK, it reverts back to the stock certificate and key. I've found a workaround by exporting the database, editing, and uploading again - but this is not ideal. I've seen this both in 8.0 and 8.0.1 rc4.

Are you concatenating the private key with the certificate?

comment:5 Changed 21 months ago by jhixson

  • Resolution set to worksforme
  • Status changed from assigned to closed

I'm not able to reproduce this and there has been no response to my question, so I'm closing this out.

comment:6 Changed 21 months ago by montjoy1

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Sorry for the late response-
This happens when I replace both the private key and certificate at the same time.
Yes, I'm concatenating both together.
I'm using Chrome in Linux for my browser, if that matters.


comment:7 Changed 21 months ago by marcusmarcus

I tried replacing the auto generated stock SSL as well. It looks like it accepts it but when I go out and back into the SSL area in FreeNAS, it is back to the auto generated stock SSL certificate. I am copying and replacing them just how the stock ones are in the field.

comment:8 Changed 20 months ago by backerman

Confirmed in a fresh install of 8.0.1-RC1.

Log messages:

Sep 14 22:28:48 freenas freenas[1633]: Executing: /usr/sbin/service ix-ssl start
Sep 14 22:28:49 freenas freenas: rm: /tmp/.cert: No such file or directory

comment:9 Changed 20 months ago by gcooper

  • Owner changed from jhixson to gcooper
  • Status changed from reopened to accepted

The noise shown above has been fixed as of r8134, but SSL cert replacement still doesn't work 100% (it always uses the self-signed cert).

comment:10 Changed 20 months ago by yaberauneya

In [8137/freenas]:

Fix custom SSL cert importing via some undesirable hacks.

Things should be properly fixed when the SSL cert string is properly stripped of all characters, s.t. we can use [ -s $tmp ], instead of wc + awk.

This addresses ticket 564.

comment:11 Changed 20 months ago by gcooper

  • Resolution set to fixed
  • Status changed from accepted to closed

comment:12 Changed 18 months ago by marcusmarcus

  • Milestone changed from 8.0.1-RELEASE to 8.1-RELEASE
  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Version changed from 8.0.1-BETA4 to 8.0.2-RELEASE

The certificate is still getting replaced by auto generated certificates when I try to put my certificates in through the GUI. I'm on 8.0.2 RELEASE. I saw the fix for this by doing a hack, but that is not really a fix, it's more of a workaround. The GUI certificate is still broken.

comment:13 Changed 18 months ago by gcooper

  • Resolution set to fixed
  • Status changed from reopened to closed

It's been fixed on trunk, not an official release, as noted in part in comment # 10.

We need to spin another build for minor fixes and enhancements like this I think.

comment:14 Changed 8 months ago by derelict

This is broken in 8.2.0. When I concatenate my pem certificate and private key and submit via the GUI the /etc/ssl/freenas/nginx/nginx.crt file is updated but the nginx.key file is zero bytes. If I reboot it is reverted to the default self-signed pair. If I manually update the crt and key files and reload nginx, it works but when I reboot it is again reverted back to the default self-signed pair.


comment:15 Changed 8 months ago by dcroper

  • Cc dcroper@… added
  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Version changed from 8.0.2-RELEASE to 8.2.0-RELEASE-p1

I can also reproduce this problem in version FreeNAS-8.2.0-RELEASE-p1-x64 (r11950). When I submit my concatenated certificate and private key via the GUI I can see that the value is updated in the freenas-v1.db; however, /etc/ssl/freenas/nginx/nginx.key is a zero byte file. Rebooting causes the value in the database to be overwritten with the default self-signed pair and both nginx.crt and nginx.key are restored to the default self-signed pair.

comment:16 Changed 8 months ago by dcroper

The problem appears to be that /etc/rc.d/ix-ssl is looking for -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- but "openssl genpkey --algorithm RSA" (which is what I used to create my key) produces a file with -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. Using the command "openssl genrsa" produces a key file with expected RSA header and footer. I am unclear as to what the difference is between using openssl genpkey and openssl genrsa. Changing ix-ssl to look for both types of headers/footers appears to fix the problem.
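
The header mismatch described in comment 16, shown as an added example (this is not the FreeNAS ix-ssl script and not code posted by any commenter): a POSIX sh splitter that accepts both the PKCS#1 label (`RSA PRIVATE KEY`) and the PKCS#8 label (`PRIVATE KEY`), and refuses to write anything when either part is missing, so a zero-byte key file is never installed. The function names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the FreeNAS ix-ssl script.

# Print every PEM block in file $2 whose BEGIN label matches the ERE in $1.
# CR characters and trailing blanks left by a browser textarea are stripped.
pem_blocks() {
    tr -d '\r' < "$2" | sed 's/[[:space:]]*$//' |
    awk -v re="^-----BEGIN ($1)-----\$" '
        $0 ~ re              { keep = 1 }
        keep                 { print }
        keep && /^-----END / { keep = 0 }'
}

# Split a concatenated bundle ($1) into a certificate file ($2) and a key
# file ($3). Returns 1 and writes nothing if either part is absent.
split_pem_bundle() {
    bundle=$1 cert_out=$2 key_out=$3
    tmpc=$(mktemp) || return 2
    tmpk=$(mktemp) || return 2      # mktemp creates the file mode 0600
    pem_blocks 'CERTIFICATE' "$bundle" > "$tmpc"
    # PKCS#1 (RSA/DSA/EC) labels and the generic PKCS#8 label.
    pem_blocks '(RSA |DSA |EC )?PRIVATE KEY' "$bundle" > "$tmpk"
    if [ -s "$tmpc" ] && [ -s "$tmpk" ]; then
        mv "$tmpc" "$cert_out" && mv "$tmpk" "$key_out"
        return $?
    fi
    rm -f "$tmpc" "$tmpk"
    return 1
}

# Constructed sample: placeholder base64 bodies (not real key material),
# CRLF line endings as a pasted form field would carry. $1 is the key label.
sample_bundle() {
    printf '%s\r\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----" \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
}

# Demo: a bundle whose key carries the PKCS#8 label from comment 16.
d=$(mktemp -d)
sample_bundle 'PRIVATE KEY' > "$d/bundle.pem"
split_pem_bundle "$d/bundle.pem" "$d/nginx.crt" "$d/nginx.key" \
    && echo "key header accepted: $(head -n 1 "$d/nginx.key")"
rm -rf "$d"
```
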

comment:17 Changed 7 months ago by william

  • Milestone changed from 8.2.0-RELEASE to 9.1.0-RELEASE
  • Owner changed from gcooper to william
  • Status changed from reopened to accepted

comment:18 Changed 3 months ago by william

  • Milestone changed from 9.1.0-RELEASE to 8.3.1-RELEASE
  • Resolution set to fixed
  • Status changed from accepted to closed

Should have been fixed in r13273

comment:19 Changed 3 weeks ago by realdreams

I think the web GUI SSL certificate update is broken in FreeNAS-8.3.1-RELEASE-x64 (r13452).
It always throws "RSA or DSA private key not found" no matter what I enter.
I put this in:


key



cert


I tried -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- but still "RSA or DSA private key not found"

Even worse, the configuration file for the 8.3.0 release uses BEGIN RSA PRIVATE KEY and it won't be recognized by the 8.3.1 release. ix-nginx fails to start, which leaves nginx unconfigured (lock out). I have to manually configure the key and restart ix-nginx and nginx every time the host reboots. The automatic fallback does not work.
