TrueNAS Scale HTTPS Cloudflare

Hello everyone,

I’m trying to set up HTTPS using Cloudflare on my TrueNAS Scale server, but I’m running into issues.

TrueNAS version: ElectricEel-24.10.1
API Token perms: All zones - Zone:Read, DNS:Edit

I followed these guides:
Creating ACME Certificates | TrueNAS Documentation Hub.

I was able to add all the certificates

Changed GUI settings

And even restarted the server, but it still shows that the HTTPS cert is not secure

I’m not sure what I’m doing wrong, I checked forums but wasn’t able to find anything that’d help.

Any idea why I’m getting this issue?

None whatsoever. What is the certificate error you’re getting? And what does this question have to do with Nextcloud?

OK, I lied; I have a guess, though you’ve given absolutely none of the information necessary to answer your question. The guess is that you aren’t accessing your server using ika88.com or www.ika88.com, which are the only two names on the cert. And if that’s the case, you’re going to get errors. And somehow, the error you posted leaves out the actual error message.

Apologies, I meant Cloudflare.

Here are the errors



See my edit above.

Sorry for the lack of knowledge, I have a broad understanding of DNS and HTTPS but no experience configuring it.

Here is the error I get when trying to access www.ika88.com

Could it be due to how my domain SSL/TLS is configured?


Please let me know if I should attach any additional info.

…which is that there are no DNS entries for that domain.

OK, time for some background.

When a web server (including your NAS) serves a page via HTTPS, it serves a certificate along with that page. That certificate is issued by a Certificate Authority (CA), and along with encryption keys, includes one or more names that it certifies (i.e., in the normal case, names over which you’d demonstrated control in order to receive the cert).

When a client (your web browser, in this case) tries to load a page over HTTPS, it checks the certificate for a variety of potential issues. The most common ones that cause problems are:

  • It wasn’t issued by a trusted CA (perhaps it’s a self-signed cert)
  • The certificate isn’t currently valid–either it’s not yet valid (which usually means the clock on the client computer is very far off) or it’s expired
  • The cert doesn’t contain the name you’re browsing to.

The last one is your likely issue. The cert covers ika88.com and www.ika88.com, but you’re browsing, I guess, to the server’s IP address. Since that IP address isn’t listed on the cert, there’s a mismatch, and thus you get the error.

In order to address this, you need to fix your DNS.[1] Really, this should be done on whatever device is serving DNS for your LAN. Normally this would be your router, and if you’re using a reasonably featureful router like OPNsense, it’s trivial. If you’re instead using a different local DNS solution like Pi-Hole, make the change there. In either case, you’d want to point the hostname (www.yourdomain is kind of odd IMO to point to your NAS, but you do you, and there’s nothing inherently wrong with it) to the IP address of your NAS.

If you can’t control your local DNS in any way, you can instead set these DNS records at Cloudflare–you’d create an A record pointing the desired hostname to the local, private IP address of your NAS. This really isn’t the way to do it–private IP addresses have no business in the public DNS–but it will still work.

In any event, if you ever expect to host anything on your domain that’s open to the public, I’d recommend you reserve a subdomain and use that for things on your LAN. So your public stuff would be on something.ika88.com, and your LAN resources would be on something.lan.ika88.com.


  1. It’s technically possible to get a cert from a public CA for an IP address, but there are few CAs who will issue them, and none of them will issue for a private IP address.

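Added example (not part of any post in this thread): a Python version of the validity-period and name checks described in the answer above, run against a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`. The dates, the address 192.168.1.50 and the name nas.lan.ika88.com are assumptions made for illustration; trust-chain checking is not modelled.

```python
import ipaddress
import ssl

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert();
# the two names are the ones from the thread, the dates are made up.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "ika88.com"), ("DNS", "www.ika88.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb  1 00:00:00 2025 GMT")

def dns_match(pattern, host):
    """Compare a certificate dNSName with a hostname, label by label.
    A '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, target, now):
    """Return the reasons a client would reject `cert` when browsing to
    `target` at time `now` (epoch seconds). Whether the issuer is trusted
    is not checked here; that needs the client's CA store."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a hostname, not an IP literal
    if ip is not None:  # IP literals only match iPAddress SAN entries
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    else:
        ok = any(k == "DNS" and dns_match(v, target) for k, v in sans)
    if not ok:
        problems.append("name-mismatch")
    return problems

if __name__ == "__main__":
    for target in ("www.ika88.com", "192.168.1.50", "nas.lan.ika88.com"):
        print(target, check_cert(SAMPLE_CERT, target, SAMPLE_NOW) or "ok")
```

Browsing by IP address fails the name check even though the certificate is otherwise valid, and so does any hostname not listed on it, which is why the fix is a DNS record for a name the cert covers.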

Much trial and error later I was able to make it work! Thank you for your explanation.

I followed this guide to set up (and config clients to use) Pi-hole https://www.youtube.com/watch?v=cE21YjuaB6o&t=648s

and now it’s working!

I see what you meant now by www.yourdomain being weird, I should’ve realized that I can set local DNS to whatever name I wanted to.

But all is good now, I’ll be playing around with Pi-hole a bit tomorrow as well.

Thanks again for your help!