Core GUI Certificates, one machine happy, partner no joy

I'm caught in the GUI Certificate tar pit.

I have two machines, both running Core and up to date (13.0 U6). Both need the GUI certificate refreshed. One machine, a MiniXL, performed as advertised once I realized what the profile did and how to deal with the common name and alternate name.

These are home systems, so a dot-local domain is used, e.g. peabody and peabody.local for the MiniX and sherman and sherman.local for the homebrew.

And the RSA certificate profile. Submit becomes operable; click it, and Peabody runs to completion in about a second, but on Sherman (the homebrew) the task status is "waiting" (for the cows to come home). The task never launches, so there is no error code in the Task Status window.

I’ve tried ARC and Safari browsers and private windows to no joy on Sherman.

There is some uncertainty about the importance of the GUI certificate. Some say no harm, no foul. One poster has said that updates may fail without it.

This thing seems to be a continuing source of pain. Sadly, I’m not a sysadmin, just a dumb recovering modeling and simulation user (retired puke) who did his own admin for too many years.

The Guide tutorial is excellent, almost. I think it needs some words about how to deal with the common name and alternate name in a .local mDNS environment. UniFi networking here, and the UI controller is handing out the IPs with these two pegged based on port connection. The addresses resolve and I can browse to them by their names peabody.local and sherman.local.

When a form is validating fields, the validation criteria should be mentioned. Virginia is not the expected VA. Oh, and how would this work in say, Germany?

Common name and alternate name seem poorly chosen, and these fields are not well explained. Is there validation? Must they be resolvable? Is mDNS enabled as a resolver source? What do you do if there is no registered domain? I have one, but it belongs to WordPress. I can't finagle DNS records there.

I really think you need to add some mechanism to regenerate the installation certificates since that process works and has a correct and consistent set of fake data. If somebody really wants bespoke certificates they can deal with the pain but home/soho users and Geek Squad shouldn’t have to wrestle this bear.

Count me among these.

That doesn’t make any sense. The certificate of the remote server (i.e., the one from which the update is downloaded) has to be valid, but your server’s certificate isn’t used at all in the update process.

Those are standard fields in a certificate/CSR, not terms that iX has chosen.

Agreed.

If you're creating and signing the certificate locally, you can put pretty much whatever you want in those fields; TrueNAS doesn't attempt to resolve them. But if you're using the cert for your GUI, whatever address you're using to access it must be either in the CN or the SAN fields, or you'll get a certificate error.

They shouldn’t be mandatory at all. Certs are issued all the time (literally millions of certs each day from Let’s Encrypt alone) in which all these fields are blank; there’s no reason at all that TrueNAS should enforce them in the CSR.
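As an added example (not code from any post in this thread, and nothing TrueNAS itself runs): the point about the CN and SAN having to cover whatever name or address you type into the browser can be checked with OpenSSL alone. The script builds a self-signed certificate whose SAN lists the short name, the .local name and the LAN IP, then asks `openssl verify` which access names it actually covers. The hostnames, the 192.168.1.10 address and the subject fields are assumptions chosen to match the thread's setup.

```shell
#!/bin/sh
# Added example: self-signed GUI cert with CN + SAN, then hostname/IP checks.
# All names, the IP and the subject fields below are assumptions for illustration.
set -e

WORK=$(mktemp -d)
KEY="$WORK/peabody.key"
CERT="$WORK/peabody.crt"

# make_cert <keyfile> <certfile> <cn> <san-list>
# <san-list> is OpenSSL SAN syntax, e.g. "DNS:peabody,DNS:peabody.local,IP:192.168.1.10".
# ST is the full state name (stateOrProvinceName), not the postal abbreviation.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1" -out "$2" \
        -subj "/C=US/ST=Virginia/L=Home/O=Home Lab/CN=$3" \
        -addext "subjectAltName=$4" >/dev/null 2>&1
}

# check_name <certfile> <hostname>: exit 0 if the cert is valid for that DNS name.
# The cert is self-signed, so it is also passed as the trust anchor (-CAfile).
check_name() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# check_ip <certfile> <ip>: exit 0 if the cert is valid for that IP address.
check_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Build the cert: CN is the .local name, SAN repeats it and adds the short name + IP.
make_cert "$KEY" "$CERT" peabody.local "DNS:peabody,DNS:peabody.local,IP:192.168.1.10"

# Show what ended up in the cert (subject and SAN extension).
openssl x509 -in "$CERT" -noout -subject -ext subjectAltName

# Try the names a browser might use; sherman.local is deliberately not covered.
for name in peabody peabody.local sherman.local; do
    if check_name "$CERT" "$name"; then
        echo "$name: covered by CN/SAN"
    else
        echo "$name: NOT covered, browser would show a certificate error"
    fi
done

if check_ip "$CERT" 192.168.1.10; then
    echo "192.168.1.10: covered by SAN IP entry"
fi
```

Browsers ignore the CN when a SAN extension is present, so the habit worth keeping is to put every name and address you will ever type into the SAN list, with the CN merely repeating one of them. A second box (sherman in the thread) needs its own certificate or its own SAN entries; a cert issued for peabody.local will always fail the last check above.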

Ahoy, all. Sometimes things make no frigging sense. That usually means I’m looking in the wrong place.

Looking further, I discovered the tasks queue stalled. The certificate task was not starting. There were about a zillion pending tasks that were snapshot related. The reboot task would not run. I resorted to the customary emergency restart technique.

On restart, I found the alert for the bad disk in the pool being snapshotted; I missed that when I logged in. Anyway, I built this puppy in FreeNAS 9.0 days. I have a spare in hand and will replace the disk. This is the second disk replacement.

I expect life will be good once the disk is replaced. I have a spare in hand.

The frustration on my part was that my young system worked after puzzling through the fields. My old home-brew wouldn’t and there was no output to review and puzzle through.

I have 30+ years of scraped knuckles from this stuff, all irrelevant to the problem at hand. Computing is so big now that we are all the blind man feeling up an elephant. Everybody is a newbie about something!