Trusted certificate for home network

Hi,

When I get this working, I intend to be a resource for helping others like me.

I just installed TrueNAS CORE on my home computer and need help creating a certificate that my other computers will accept for use on a home network, so I only need self-signed.

Is there a document written already that talks about this? It’s something that pretty much everybody needs to go through that’s setting up a home storage server. If I get this working I would be more than happy to assist creating a general how to for others.

I downloaded a program to create a self-signed certificate only I’m not 100% certain how to use it in this environment.

The truenas_default is not sufficient. I need to create a certificate that references the IP address that I’m using on my machine; is that correct?

Additional information:

I did my best to create a self-signed certificate. I loaded it into the server and updated the GUI settings to use it. Now my client browser is using it, and it says it’s valid, only I’m still not using SSL for some reason.

1 Like

Welcome, LeoW,

I suggest you look into the resources that @dan has already provided re: SSL certificates, both from external providers as well as from a local CA. I’d also refer to this post of his. I use @dan’s excellent tools to not only secure my trueNAS’ but to also deploy SSLs to various network equipment, see his GitHub repo.

“Not at all” is how to use it–TrueNAS itself is perfectly capable of handling this. Here’s a walkthrough of how to do it on CORE; the UI in SCALE (you haven’t said which version of TrueNAS you’re using) is likely a little different. When you get to the cert itself, you’d want to include the IP address in “Subject Alternative Names”:

I’d say pretty much nobody needs to go through this for a home storage server. TrueNAS creates a default cert on installation, and that’s adequate to secure communications. Sure, your browser will give a cert warning, but you can bypass those. And if you want a cert that will work without warnings, the way to go is to get one from a trusted CA, not to mess around with self-signed certs. But if you nonetheless want to use a different self-signed cert, the link above gives instructions for making one.

1 Like

@Constantin

Thanks for the quick reply. I will read through it. There is so much info out there it gets confusing quickly. The docs are nice but not for someone so new. I was hoping to find SSL for dummies on TrueNAS.

My process is two steps.

The first step is to set up a demo server on my home network that only has access to my home network and if I am pleased with the results I intend to buy dedicated hardware and set up a production system which I will want accessible to the internet.

My router supports Dynamic DNS and I have a fully qualified domain name that can be globally resolved by my router provider Asus. Something like myhouse.assuscomm.com. This is what I am intending to use with my production certificate and hardware should it get that far.

The server is only for me so even the application servers that I’ll be running are only to be used by me so I’m not concerned about providing security for a business.

Thanks, and I’ll report back.

I guess it depends on how you intend to get a certificate? I use the DNS approach, which in turn means I have to control a domain. I assigned DNS control of a domain I own to Cloudflare, which in turn helps me issue valid, internal-use-only certificates with a fully-qualified domain name (FQDN).

Where life can get interesting is renewal, which is where my certificates have stumbled in the past.

I actually do own my own domain name. My email is hosted publicly at my registrar. I have control of the DNS server and if need be can assign a name there that points to my home router IP address. I can use truenas@my_real_domain.com or whatever I need to.

For example, I’m in the process of installing my own Vaultwarden (AKA Bitwarden) server that I would ultimately like to use from the internet.

Right now the most important thing is for me to understand what I’m doing in this first stage which is just a client and a server talking to each other securely over my local network.

I installed Vaultwarden about an hour ago and it has been sitting in the deploying state the whole time, and I can see that the ports that the server is supposed to use are not being used yet. I’m curious how long I have to wait for a server to deploy and change to “Running”.

I’m trying to learn.

Thanks.

If you only want self-signed, you just need to use openssl. That being said, @dan’s way is the best way.

You don’t need anything external to TrueNAS; the UI gives you everything you need.

I will try openssl next. I have an app called mkcert downloaded from github.

I do have a valid self-signed certificate installed, only my browser still says I am not secure. Chrome does say that it sees a valid cert. That doesn’t mean that everything I put into the cert is correct and that is where I need help.

I used “mkcert” from GitHub. mkcert - self signed certificates

It claims to be for folks like me who are starting out with a home lan as a “Developer”

“A simple zero-config tool to make locally trusted development certificates with any names you’d like.”

Self-signed certificates will make your browser scream no matter what; you can suppress it with a few clicks (usually adding an exception to the involved website).

Never managed to learn how to use CORE’s WebUI for certificates.

Hence my link above walking through it.

@dan

I will prioritize reading through your material.

Here is a pic from my browser that shows the valid, yet untrusted, certificate.

Should I simply be ignoring this and presume that it’s OK?

Probably. But the real question is why your browser is reporting that the site is not secure. And if you click the “Learn more” link, it will probably tell you.

I just tried a different browser. It works!

My other browser must be running off cache.

So, my little utility does work for local certificates! It was easier to use than openssl.

Thanks, and I’m still going to go through your material. I will need it when I go production.

Thanks everyone for your help!
@Constantin @dan

I will be monitoring the forum to see if there is ever anyone I can help!

2 Likes

@LeoW
The issue is only a web browser bug. Just cleaning the cache and cookies, and it would be good enough. Especially on Chromium-based browsers :)

For your homelab, you can configure TrueNAS as a CA. Or use a little soft called XCA. You don’t need a CA Server. Just create the Root CA and Intermediate CA. Export them and install on each client. Then, create your SSL Certs for your purposes.

And you can watch the i12bRetro YT videos ;)

Regards
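
The two approaches discussed in this thread (putting the server's IP address in "Subject Alternative Names", and creating a root CA whose certificate is installed on each client) combined into one openssl run. This is an added example, not code from any poster or from TrueNAS; the IP address, host name and file names are constructed placeholders, and the intermediate CA mentioned above is left out to keep it short.

```shell
#!/bin/sh
# Added example: private root CA plus a server certificate with IP and DNS SANs.
# Assumptions (constructed values): 192.168.1.50, truenas.home.arpa, file names.
set -eu
NAS_IP="${NAS_IP:-192.168.1.50}"
NAS_NAME="${NAS_NAME:-truenas.home.arpa}"

write_cnf() {   # $1 = working dir; one config holds the CA and leaf extension sets
cat > "$1/lab.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $NAS_NAME
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$NAS_IP,DNS:$NAS_NAME
EOF
}

make_ca() {     # $1 = working dir; self-signed root, the only file clients import is ca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/lab.cnf" -extensions v3_ca -subj "/CN=Home Lab Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {  # $1 = working dir; CSR for the NAS, then signed by the root with the SANs
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$1/lab.cnf" \
    -keyout "$1/nas.key" -out "$1/nas.csr" 2>/dev/null
  openssl x509 -req -in "$1/nas.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 397 \
    -extfile "$1/lab.cnf" -extensions v3_leaf -out "$1/nas.crt" 2>/dev/null
}

check_leaf() {  # $1 = working dir, $2 = IP; succeeds only if chain AND IP SAN match
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/nas.crt" >/dev/null 2>&1
}

dir=$(mktemp -d)
write_cnf "$dir"; make_ca "$dir"; issue_leaf "$dir"
check_leaf "$dir" "$NAS_IP" && echo "OK: $dir/nas.crt chains to ca.crt and covers $NAS_IP"
```

`ca.crt` is the file to import into each client's trust store, while `nas.crt` and `nas.key` go onto the server; `ca.key` should stay off the NAS and off the clients, since anyone holding it can mint certificates those clients will trust.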