TrueNAS CA Expiring, does it matter?

I got a message from TrueNAS UI and a notification in Discord saying that "

Certificate 'freenas_default' is expiring within 2 days.

<small>2024-11-01 12:00:01 am (America/New_York)</small>"

But I don’t understand why that matters, I don’t use CA Certs for the UI, I just use SMB shares with different users, so does this matter? Am I supposed to renew this? If so how? If it doesn’t matter, why is it screaming at me to fix the issue? I don’t need to lose access to my server as it has Mission critical data on it and I don’t need my SMB shares failing IF it affects that. If someone could please message me back and explain what my next steps should be, I’d appreciate it!

Doesn’t matter in the least.

What is the point of the default CA Cert then? Would there be any point to renewing it?

TrueNAS wants to use HTTPS by default for the web interface, and that requires a certificate. So on installation (or first boot) it creates a self-signed cert, and like any cert, that cert has an expiration date (I think it’s set too short by default, but that’s a side issue). There really isn’t any reason to renew it–you’ll get cert errors when visiting the web GUI via HTTPS, but you were anyway with a self-signed cert.

Oh, so since I am access the web UI in an internal network, or some times over my WireGuard VPN, then the error about the CA Cert is fine to ignore then? Strange, you’d think iXSystems would make it an indefinite Cert.

That isn’t possible; every cert has to have an expiration date, and browsers have been cutting back on the duration they’ll accept.

You certainly can elect to avoid the use of a valid certificate, but that also puts you at risk of a man in the middle attack / Ethernet sniffing of the password if using HTTP, etc.

Given how easy iXSystems has made it to get a certificate installed and updated regularly, I would learn how to do it and go from there. The cloudflare approach is pretty straightforward.

Iff you already own a domain, and host its DNS on Cloudflare. The former is cheap, and the latter is free, but they remain prerequisites. And then, of course, you need to set up local DNS in such a way that whatever FQDN you assign to your NAS actually resolves to your NAS. Also easy if you’re using something like OPNsense or pfSense; not so much if you’re using an off-the-shelf, consumer-grade router.

A self-signed certificate isn’t necessarily a security risk on your own network. I definitely wouldn’t advise it for anything public, though.

2 Likes

100% but I consider all of the above to be good hygiene. That is, if you cannot afford to go the cloudflare DNS / SSL route then self-sign and hopefully convince your laptop / desktop / mobile OS of choice to accept same.

I went down the cloudflare rabbit hole because I had a spare domain and the rest was easy. Especially in the context of any Apple OS being really unhappy with self-signed certificates.

There is nothing wrong with self-signed certificates on your own network. The challenge is just installing the certificate and certificate authority into your own devices. For Windows, Sonicwall has provided some good instructions on installing the certificate and certificate authority on a Windows machine. On an Android device, you can easily install the certificate authority on the phone, but the actual certificate, installed in the VPN and WiFi section, has to be converted over to a PFX format. Here is a site to do that.

What I ended up doing is just creating a certificate authority and the corresponding certificate to last 4000 days which should be fine for home use. For the uses that exposure to the wild Internet, I’m using the Nginx reverse proxy with a forced SSL connection with LetsEncrypt certificates that renew themselves on a regular basis (currently 90 days).

The bolded part is the problem–with a truly self-signed cert, there is no cert authority to trust. But yes, a local CA, trusted by your devices, can be a good way to go; I’ve been running one for a couple years based on Smallstep’s software.

Edit:

1 Like