Create CA cert for unraid
-
Hello, I am trying to create a cert for Unraid SSL and was wondering if anyone has been able to do this?
-
In the pfSense cert manager? Export it from there and then import it into Unraid?
That seems like a convoluted way to do it but it should work.
Steve
-
I use certs signed by a CA in the pfSense cert manager for multiple devices on my network: switches, NAS, UniFi controller, printer, etc.
-
I expect something like Unraid to have that built in, though I've never used it.
If you want to use a shared CA though it seems reasonable to export certs from pfSense.
Except the thread title is 'create CA cert'.....
-
Seem to have got this working. I had first created my own internal CA and then made a wildcard cert from there. This did not work, so I ended up just using my wildcard cert from my HAProxy setup.
Not sure if this is the best way or if I still should have been able to use my own internal CA.
-
You should always be able to use a cert from your own CA, as long as the devices/browsers trust this CA.
As I stated, I use multiple certs from a CA created in the pfSense cert manager on multiple devices.
Without details of what you actually did or didn't do, I'm not sure why you were having issues. Did you install the CA as trusted in the browser you were using to access whatever you installed this cert on? I take it you used an ACME cert that you had installed in HAProxy?
The advantage of using your own certs is you can use RFC1918 in them as a SAN, and you can use whatever domain you want. I use local.lan, for example, versus some public domain.
The advantage of ACME certs is they are trusted by browsers by default.
-
@johnpoz I had installed it for my one PC and it was working there, but as soon as I went on the other PC, it was not secure. I was looking for a way where I would not need to install the cert on every PC that I use at home. So I went with HAProxy via an ACME cert and this allowed me to go on any PC on my LAN without having to install the cert.
-
@iptvcld But now you have to update that cert every 90 days. And you cannot use whatever your local domain is. It's normally not good practice to use a public domain internally. It can cause resolution difficulties.
But if your goal is to have this cert trusted by every browser out of the box, then yes, you have to use a cert your browser would natively trust, like something from ACME.
Internal services that use HTTPS are normally an admin sort of web interface - these rarely need to be trusted by every browser out of the box, since they are normally only accessed by "admins" ;)
Nobody is accessing my switches except me, for example. No one is using the NAS admin site, nor the UniFi controller, other than myself. My internal CA is trusted by all browsers on all machines I might use to access these resources. It's a one-time thing, so that now all future certs I create would be automatically trusted by my browser.
-
@johnpoz My HAProxy cert is a wildcard cert *test.ca and in pfSense I created a Host Override as unraid.test.ca which points to the Unraid server IP.
By doing this, unraid.test.ca is only available via LAN as it is not registered on my domain DNS. Also, for my ACME, I have it set to auto renew that cert before it expires.
Great suggestions, appreciate the tips :)
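-
Added example, not part of any post in the thread: the trust behaviour discussed above, reproduced with the openssl CLI. An internal CA signs a cert whose SANs are a local name and an RFC1918 address, and the cert is then checked by a client that trusts that CA and by one that trusts only an unrelated CA; the CA names, unraid.local.lan, nas.local.lan and 192.168.1.50 are constructed values.

```shell
# Added example. Every name, IP and path below is constructed for illustration.
write_cfg() {   # minimal OpenSSL config so the result does not depend on system defaults
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

make_ca() {     # make_ca <dir> <common name>: self-signed root in <dir>/ca.crt
  mkdir -p "$1" && write_cfg "$1/openssl.cnf" &&
  openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {  # issue_cert <ca dir> <dns name> <ip>: leaf with both as SANs
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  printf 'subjectAltName = DNS:%s, IP:%s\n' "$2" "$3" > "$1/san.ext" &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

client_accepts() {  # client_accepts <trusted ca.crt> <server.crt> <host or ip>
  case "$3" in
    *[!0-9.]*) name_flag=-verify_hostname ;;   # contains non-IPv4 characters
    *)         name_flag=-verify_ip ;;
  esac
  openssl verify -CAfile "$1" "$name_flag" "$3" "$2" >/dev/null 2>&1
}

demo() {        # "home" = client with the internal CA installed, "other" = one without
  d=$(mktemp -d) || return 1
  make_ca "$d/home" "Home Lab Internal CA" && make_ca "$d/other" "Unrelated CA" &&
  issue_cert "$d/home" unraid.local.lan 192.168.1.50 || return 1
  for t in home other; do
    for n in unraid.local.lan 192.168.1.50 nas.local.lan; do
      client_accepts "$d/$t/ca.crt" "$d/home/server.crt" "$n" && r=accept || r=reject
      echo "trust store: $t CA  name: $n -> $r"
    done
  done
  rm -rf "$d"
}
demo
```

Only the client holding the internal CA accepts the cert, and only for names listed in its SANs; installing that one CA cert covers every cert issued from it later.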