Warning "Unverified HTTPS request is being made to host '127.0.0.1'." using TrueNAS CLI

I have a cronjob that exports my TrueNAS config and uploads it to my own Nextcloud (encrypted).
This job has now run for quite a long time (a few months at least), but two nights ago it started producing this warning:

/usr/lib/python3/dist-packages/urllib3/connectionpool.py:1048: InsecureRequestWarning: Unverified HTTPS request is being made to host '127.0.0.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

The command that causes it is this: cli -c 'system config save configsave={"secretseed":true,"root_authorized_keys":true} > /path/t/file'

It also occurs if I use the system config save command in the TrueNAS interactive CLI.

I have no idea why the warning started to appear now. I have not changed the script in the last few weeks (it runs daily), my self-signed https certificate is still valid (and it was always a self-signed one) and I am sure that the warning didn't occur before a few nights ago.

Any ideas?

By the way, if it’s of any interest for this case or for someone else who might want to save their TrueNAS config with a uselessly complicated encryption:

#!/bin/bash
set -e
# create a truenas config backup in the local path named ${HOSTNAME}_config_${TIME}.tar,
# encrypt it for every *.pub key next to this script and upload the bundle to Nextcloud

# get script path
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
# get time and hostname
HOSTNAME=$(hostname)
TIME=$(date '+%Y%m%d-%H%M%S')
# set filename format
FILENAME="${HOSTNAME}_config_${TIME}.tar"
# nextcloud parameters
NC_USER="<<<USERNAME>>>"
NC_PASS="<<<PASSWORD>>>"
NC_URL="<<<URL>>>"
# build truenas CLI command
COMMAND='system config save configsave={"secretseed":true,"root_authorized_keys":true} > '
COMMAND+=${FILENAME}
DECRYPT_SCRIPT_NAME="decrypt.sh"

cd "${SCRIPT_DIR}"

# create, zip and chmod backup (gzip keeps the 600 mode on the .gz)

cli -c "${COMMAND}"
chmod 600 "${FILENAME}"
gzip "${FILENAME}"
FILENAME+='.gz'

#
# encrypt backup for available public keys
# for encrypting a large message such as the config, a dedicated encryption key is needed
# this symmetric key is then actually encrypted with the public keys (which have to be converted)
# for decryption, first the symmetric key has to be decrypted, this can then decrypt the backup
# one single encrypted backup is generated, with N encrypted symmetric keys
#

echo "generating symmetric key"
SYMMETRIC_KEY_NAME="symmetric.key"
# hex-encode the key: `-pass file:` reads only the first line of the file, so a raw
# binary key containing a newline byte would silently shorten the password
openssl rand -hex -out "${SYMMETRIC_KEY_NAME}" 32
chmod 600 "${SYMMETRIC_KEY_NAME}"

echo "encrypting backup with symmetric key"
openssl aes-256-cbc -pbkdf2 -in "${FILENAME}" -out "${FILENAME}.enc" -pass "file:${SYMMETRIC_KEY_NAME}"

echo "encrypting the symmetric key with each pubkey"
# only RSA public keys can wrap the symmetric key with pkeyutl; ed25519 keys have no encrypt operation
shopt -s nullglob
PUBKEYS=(*.pub)
shopt -u nullglob
if [[ ${#PUBKEYS[@]} -eq 0 ]]; then
  echo 'ERROR: no *.pub keys found next to the script' >&2
  exit 1
fi
for KEY in "${PUBKEYS[@]}"; do
  ENCRYPTED_KEY_NAME="${SYMMETRIC_KEY_NAME}_${KEY%.*}.enc"
  openssl pkeyutl -encrypt -pubin -inkey <(ssh-keygen -e -f "${KEY}" -m PKCS8) -in "${SYMMETRIC_KEY_NAME}" -out "${ENCRYPTED_KEY_NAME}"
done

echo "packing archive"
# single quotes keep $(whoami)/$(hostname) literal so they expand on the machine that decrypts
INPUT_NAME="${SYMMETRIC_KEY_NAME}_"
INPUT_NAME+='$(whoami)@$(hostname).enc'
REMOVE_SELF='rm -- "$0"'
BUNDLE_NAME="${FILENAME%%.*}_encrypted.tar"

# unquoted EOF: the ${...} parameters expand now, baking the filenames into the decrypt script
cat << EOF > "${DECRYPT_SCRIPT_NAME}"
#!/bin/bash
# decryption script for truenas config backups on linux systems
set -e

echo "decrypting symmetric key"
if [[ -f ~/.ssh/id_rsa ]]; then
  openssl pkeyutl -decrypt -inkey ~/.ssh/id_rsa -in "${INPUT_NAME}" -out "${SYMMETRIC_KEY_NAME}"
else
  echo 'ERROR: could not find ~/.ssh/id_rsa (an RSA key is required, ed25519 keys cannot decrypt)'
  exit 1
fi

echo "decrypting backup file"
openssl aes-256-cbc -d -pbkdf2 -in "${FILENAME}.enc" -out "${FILENAME}" -pass "file:${SYMMETRIC_KEY_NAME}"

echo "unzipping backup file"
gunzip "${FILENAME}"

#cleanup
rm -f "${SYMMETRIC_KEY_NAME}" *.enc "${BUNDLE_NAME}"
${REMOVE_SELF}

EOF
chmod 700 "${DECRYPT_SCRIPT_NAME}"

echo "archiving encrypted files and decrypt script in a single file"
tar -cf "${BUNDLE_NAME}" *.enc "${DECRYPT_SCRIPT_NAME}"

echo "cleanup"
rm -f "${SYMMETRIC_KEY_NAME}"
rm -f "${FILENAME}"
rm -f *.enc "${DECRYPT_SCRIPT_NAME}"

echo "uploading to Nextcloud"
# -f makes curl exit non-zero on an HTTP error so set -e aborts instead of deleting the bundle
curl -sSf -u "${NC_USER}:${NC_PASS}" -T "${BUNDLE_NAME}" "${NC_URL}/${BUNDLE_NAME}"
rm -f "${BUNDLE_NAME}"

I just wanted to see how to implement PPK encryption and automatic decryption for files in bash when I wrote this. When I extract the resulting tar file I get a decrypt.sh which uses SSH private keys at their default location to decrypt the symmetric key which was generated to encrypt the config.
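One detail of this scheme worth checking: `openssl enc -pass file:` uses only the first line of the key file as the password, so a raw random key file that happens to contain a newline byte is silently truncated. The following is an added example (not from the thread) that demonstrates the truncation with a constructed key file and shows that a hex-encoded key round-trips with its full length; it assumes `openssl` is on the PATH.

```shell
#!/bin/bash
# Added example: effect of `-pass file:` on a key file that contains a newline,
# and the hex-key variant that avoids it. Files are constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key file: 3 password bytes, a newline, then bytes openssl will never read.
printf 'abc\nTHIS-PART-IS-SILENTLY-IGNORED!!' > "$WORK/binary.key"
printf 'truenas config placeholder' > "$WORK/plain"

# Encrypt exactly the way the backup script does, with the "32-byte" key file.
openssl aes-256-cbc -pbkdf2 -in "$WORK/plain" -out "$WORK/enc" \
  -pass "file:$WORK/binary.key"

# Returns success if the ciphertext decrypts with the password "abc" alone,
# i.e. the bytes after the newline contributed nothing to the key derivation.
password_is_truncated() {
  openssl aes-256-cbc -d -pbkdf2 -in "$WORK/enc" -pass pass:abc 2>/dev/null \
    | cmp -s - "$WORK/plain"
}

# Hex-encoded key: 64 printable characters on one line, no embedded newline,
# so the whole 256 bits of randomness reach PBKDF2. Returns success on round trip.
hex_key_roundtrip() {
  openssl rand -hex 32 > "$WORK/hex.key"
  openssl aes-256-cbc -pbkdf2 -in "$WORK/plain" -out "$WORK/enc2" \
    -pass "file:$WORK/hex.key"
  openssl aes-256-cbc -d -pbkdf2 -in "$WORK/enc2" -pass "file:$WORK/hex.key" \
    | cmp -s - "$WORK/plain"
}

if password_is_truncated; then
  echo "binary key file: effective password was only 'abc'"
fi
hex_key_roundtrip && echo "hex key file: full key used, round trip ok"
```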

Out of curiosity, what TrueNAS version is this?

root@truenas[~]# cli -c 'system config save configsave={"secretseed":true,"root_authorized_keys":true} > /root/backup.tar'
Unknown keyword argument configsave

25.04 has had some changes, so I’d make sure this works there as well. You aren’t going to be able to save config this way due to strict origin matching.

root@truenas:~# cli -c 'system config save {"secretseed":true,"root_authorized_keys":true} > /root/backup.tar'
[0%] ...
Error downloading 'http://127.0.0.1:81/_download/30834?auth_token=kZstM9ipoxcAwWHM1Ou2DqEXVqjEMY6zXgr2HqRK3TSnH7qLtQl1Ibaiy0DRNnqv' to '/root/backup.tar': HTTPError('401 Client Error: Unauthorized for url: http://127.0.0.1:81/_download/30834?auth_token=kZstM9ipoxcAwWHM1Ou2DqEXVqjEMY6zXgr2HqRK3TSnH7qLtQl1Ibaiy0DRNnqv')

Feel free to refer to this, which uses the websocket API: truenas-scripts/configuration-backup/configuration_backup_websocket.py at main · essinghigh/truenas-scripts · GitHub

It’s 24.10
I’ll take a look at the link, thanks. Could you point me to what exactly 25.04 changed about this?

I'm not 100% certain on the exact change, though I found this on a quick look.

I raised a ticket for this back when the RC released - NAS-134813.
From awalkerix: “This is most likely related to recent security changes for strict origin matching when download links are accessed. The core.download call is originating via unix domain socket.”
