Import intermediate CA cert to Certificate Authorities in web GUI

Question

Import intermediate CA cert to Certificate Authorities in web GUI

danb35 opened this issue 7 years ago · 8 comments

The script imports the CA cert as part of the server cert (it uses the fullchain.cer file, which includes both), but it doesn't separately import it into the Certificate Authorities in the FreeNAS middleware. This shouldn't be necessary for web GUI purposes, but might be helpful for other uses. Would want to check if the same CA is already present before importing a new one, though.

Answer 1 · 2020-01-09T12:44:33.000Z

Hey !
I have the same problem here, I know a bit about IT and networking but I don't want to mess with the script at this point, any fixes ?

Answer 2 · 2020-01-09T14:33:59.000Z

There is no "fix" because this isn't a problem; it's a potential future enhancement that IMO is of pretty low value. I haven't done any work in this direction and don't expect to, but I'd be happy to consider a PR if it worked cleanly.

…

On Thu, Jan 9, 2020 at 7:44 AM yugohug0 ***@***.***> wrote: Hey ! I have the same problem here, I know a bit about IT and networking but I don't want to mess with the script at this point, any fixes ? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4?email_source=notifications&email_token=AC4PNH5CGETFSJQR6LOHICTQ44L3DA5CNFSM4E2BA4UKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIQFUBY#issuecomment-572545543>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC4PNH7CVH3M67WFQHXG3J3Q44L3DANCNFSM4E2BA4UA> .

Answer 3 · 2020-01-13T10:01:20.000Z

Hey !
Thanks for the fast answer, can you tell me what's an "IMO" and how I can manage this to work basically ?

Thanks again for your project :)

Answer 4 · 2020-01-13T11:04:07.000Z

"IMO" = "in my opinion". I'm not quite sure what you mean by your last question--to manage the script, download it, prepare a configuration file, and in the most common use case (or at least the use case I had in mind when I wrote it), call it from your ACME client (certbot, acme.sh, or whatever else you like). That client will handle obtaining/renewing your cert from Let's Encrypt, and then it will call this script to deploy the cert to your FreeNAS server. I think this is pretty well discussed in the README--were there parts that were unclear or incomplete?

Answer 5 · 2020-01-21T14:11:29.000Z

Thanks for the translation !
I mean everything seems to work fine, certificates are created and stored, I can see them in my freenas structure. But when I connect to my web GUI I can't select any SSL certificate, so do I need to move them in a very special place ?

That's the only thing I can't figure out at the moment

In one question : Where the certificates/keys need to be placed in order to allow their selection through the freenas web GUI

Answer 6 · 2020-01-21T14:49:24.000Z

I can see them in my freenas structure.

Where do you "see them in [your] freenas structure"? You should see them listed in the "certificates" page: https://www.ixsystems.com/documentation/freenas/11.2-U7/system.html#certificates

Where the certificates/keys need to be placed in order to allow their

selection through the freenas web GUI This is what the script is supposed to do--import and select the cert/key. You shouldn't need to do anything manually. But none of this has anything to do with importing the CA certificate into the CAs section of the FreeNAS configuration.

…

On Tue, Jan 21, 2020 at 9:11 AM yugohug0 ***@***.***> wrote: Thanks for the translation ! I mean everything seems to work fine, certificates are created and stored, I can see them in my freenas structure. But when I connect to my web GUI I can't select any SSL certificate, so do I need to move them in a very special place ? That's the only thing I can't figure out at the moment In one question : Where the certificates/keys need to be placed in order to allow their selection through the freenas web GUI [image: Capture d’écran 2020-01-21 à 15 06 21] <https://user-images.githubusercontent.com/49484832/72811329-b259a300-3c5f-11ea-92ab-59282c1b3a23.png> [image: Capture d’écran 2020-01-21 à 15 06 28] <https://user-images.githubusercontent.com/49484832/72811330-b259a300-3c5f-11ea-9a23-6867eb8b0ccb.png> — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4?email_source=notifications&email_token=AC4PNH3O5OQET4NJIJFEKIDQ637BDA5CNFSM4E2BA4UKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJP3T7Y#issuecomment-576698879>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC4PNH5PZQJ4QNUI54VE4I3Q637BDANCNFSM4E2BA4UA> .

Answer 7 · 2020-01-21T15:46:11.000Z

I can see the CERT/KEY by following this path "/root/.acme.sh/mydomainname.com" and i have 0 error by executing your script, maybe i've done something wrong ? I'm gonna try again and delete every stuff under this path beforehand, that's really strange because your script looks nice and it's seem pretty straightforward.

Thanks for your understanding

Answer 8 · 2020-01-21T23:47:49.000Z

Please open a new issue--once again, the problems you're seeing have nothing to do with importing the intermediate CA certificate. And when you open that new issue, post the complete output of running the deploy_freenas.py script.