SSL: self signed/ cloudflare/ other options?

So after a two days of tearing hair out of your head i’m coming for a help from u guys. In near future i’ll setup 2-nd server and i’ll need run True Command (as an app in 1-st system). When i was messing with TC i find out i can’t add system when i don’t have added SSL to my Scale.
Q: What do you advice for a simple management SSLs?

I already have my private domain added to cloudflare, API Token with Zone:Read, DNS:Edit permission and SSL from Let’s Encrypt (don’t need and want to reveal my system for internet), but every time when i try to manage cert to work with Scale in my LAN i see this:

Ofc i will try to deliver any informations you need to solve this problem, but now i really don’t know what info should i give.
I’ll be grateful for advices . Peace :v:

Instruction for SCALE are here.

1 Like

Thanks for input @victor but unfortunately afer following this guide step by step i still can’t manage to get this cert for work with web gui :frowning:.
I’v tried three times.
1’st. After creating CSR like this:

  • Common Name:
  • Subject Alternatives Name: *
    Cert apears in “Certificates” tab. I changed cert in “General”, clear my browser cach and…

2’nd. After creating CSR like this:

  • Common Name:
  • Subject Alternatives Name:
    Cert apears in “Certificates” tab. I changed cert in “General”, clear my browser cach and still NET::ERR_CERT_COMMON_NAME_INVALID

3’rd row.
This time i start to think “hmmm… common name invalid, maybe a should change it for, because in Cloudflare i have cert for and * Let’s try”

  • Common Name:
  • Subject Alternatives Name:
    This time i hit the limit with ACME Server so i switch to the Staging from Production.
    And again “General” etc.
    This time browser hit me with: NET::ERR_CERT_AUTHORITY_INVALID

I know i’m doing something wrong or missing some config but i don’t know what is this.
Worth to mention I have proper e-mail (same domain as certs) added for root, Cloudflare and CSR.

Of course it does. Your cert is for, not for your IP address, so when you try to access your server by your IP address, the names don’t match and you get that error.

That’s entirely to be expected with a staging cert.

1 Like

Thanks for your input @dan. What do you propose?

If you want to avoid cert errors, the name/identifier you use to access the system needs to match what’s on the cert. Since Let’s Encrypt certs don’t cover IP addresses (and will never cover private IP addresses), that means you need to access your NAS using a name that’s covered by your cert. In the case of the original cert, that’d be, e.g.,

For that to work, needs to resolve to on your LAN. You’d do that ordinarily by adjusting DNS records on your LAN. If your router isn’t brain-damaged, you can do it there. If your router is brain-damaged, as many off-the-shelf residential routers are, you can either replace it with something like OPNsense or pfSense, or run local DNS somewhere else which would allow you to make such edits (like Pi-Hole). Failing all of that, you can set this in the hosts file on any client machines you want to be able to access your NAS’s web UI from.

Thank you @dan for noob friendly explanation. I manage it to work via add Cloudflare DNS A record (without proxing) and API Token. Your input was very valuable to change my thinking about this. I’m glad you dedicated time for me :smiling_face:

Dans way is working if you already have a certificate and can adjust the local DNS.

there are 2 more options.
1: in case you have something like pfSense, you can create there a cert authority and create a certificate signing request in truenas, then sign it by pfSense and load it into truenas.
→ This way you can use the ip address and have TLS but you need to manually renew the cert (pfSense server cert valid for 1 year)

2: self hosted ACME server
this is very handy for a bouch of servers/ services. Basic principle is like lets encrypt, just local. 1 cert auth. issuing certificates to the VMs/servers/ services several times per day with a rather short lifetime.

1 Like

Thanks for your input. As I mentioned above I’ve manage this to work with Cloudflare and API which is my ACME. Ofc I’m aware this not ideal because every time server can’t access internet this metod will fall apart, but to be honest it’s happens really rarely so I’m good with it.

It should retry continuously until it gets a renewal once the old cert runs out.

1 Like

I came up with a solution for myself that combines the use of self-signed certificates with tailscale VPN software.

Tailscale, when connected provides DNS name resolution for your devices that you have added to your tailscale Network so you can use those DNS resolvable names when you create your self signed certificate.

So far it seems like a perfect way for those who have no access to a real domain for their storage server at home to have an easy self-signed certificate that your browser will be happy with.

I will do a write-up and post that information so that people can see it. For those of you who like me only have a home network and don’t have a real fully qualified domain name to specify when creating the certificate can be aided with the use of the VPN software because it creates a hostname and a fully qualified domain name and it can be resolved using their DNS so essentially what you get is a certificate that is a valid certificate while you are connected to tailscale.

Tailscale can be installed on your desktop computer and on your phone and whenever you need to access your storage server you use the tail scale fully qualified name for your server and your browser will be happy with your certificate.

1 Like