Custom SSL Certificate in UNRAID 6.9.2

I recently (like a year ago lol) moved from FreeNAS to UNRAID. The system runs so much better, has way more options and in my opinion…well worth the license cost. I recently decided to add an SSL Cert to the WebUI so I could snag port 80 for my Caddy container.

I have my own PKI using Active Directory Certificate Services in my own internal home AD Domain. My server is not exposed to the internet so I’m only concerned with my internal machines trusting the server.

Public SSL Warning
It is not recommended to expose UNRAID to the internet, but if you have decided to accept that risk then these instructions will work for you as well. Simply skip the Windows certificate server section and use your provider to issue the certificate.

Generate CSR on UNRAID

The first step to any SSL certificate is generating a Certificate Signing Request (CSR for short). The CSR contains the identity information for the server. In my environment I have left my server's name as ‘tower.mydomain.com’.

Note
For the purpose of this article I will assume that you have the knowledge required to SSH to your server and are comfortable with the *nix command line. If you are not, then I suggest researching some tutorials on interacting with *nix in that manner.
Why /boot/config?
I put my files under /boot/config as it is persistent between reboots and is a location that the UNRAID documentation says to back up frequently. The config path contains your configuration as well as the license information for UNRAID, so keep this safe!!!
  1. Create /boot/config/ssl_gen folder
  2. Create the ‘sslcert.cnf’ file
    • Navigate to the /boot/config/ssl_gen folder
    • Run nano sslcert.cnf
    • Paste the contents of the below code block to the file
    • Look for the line DNS.1 and change the value to the FQDN of your server
    • [CTRL]+X to exit nano, confirming the save of this file
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = tower.yourdomain.com
  3. Generate the CSR

    • Still in /boot/config/ssl_gen
    • Run openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config sslcert.cnf
    • This command will output two files:

    Name         Purpose
    server.csr   Contains the Base64-encoded CSR data your SSL provider requires
    server.key   Contains the private key of the server; do not lose this!!!
  4. Copy the server.csr to your local machine

    • This can be opened with Notepad or provided to the provider as is.

Issue Certificate from CSR

The next step is to provide the CSR information to your SSL Provider. In my case the provider is my internal PKI using my subordinate CA server. My Root CA is offline at all times and only comes online to renew my subordinate CA certificate. All my internal domain machines trust my Root CA.

I won’t go into full details on how to request the certificate from your chosen provider; follow the provider's instructions to request the certificate.

Once the request is complete your provider will normally provide you with two files. In my case these are the files:

Name    Purpose
*.cer   This is the actual certificate
*.p7b   This is the certificate chain from ADCS; other providers may provide a different format
  1. Copy the *.cer file to the /boot/config/ssl_gen directory
  2. Separate the chains
    • The following instructions may only be relevant on Windows using ADCS
    • Double-click the *.p7b. This is a collection of chain(s); we need to export each one in Base64-encoded format to its own file
    • (Image cert_chain.png: the chain certificates plus the server cert listed in the certificate viewer)
    • The chain order is:
      • RCA01-CA (Root CA)
      • mydomain-CA01-CA (Subordinate CA)
      • tower.mydomain.com (Server)
    • The goal is to export these in an order we can use to build a certificate bundle that looks like
      • Server Certificate
      • First Chain
      • Second Chain
      • Third Chain
      • Root Chain
      • Server Key
    • Right click on each chain cert in order starting from Server Cert down to Root Chain
      • Click ‘All Tasks’ -> ‘Export’
      • Next at first wizard page
      • Select ‘Base-64 encoded X.509 (.CER)’ -> Click Next
      • Save as something sensible, like chain1.cer and chain2.cer and so forth
  3. Copy the chains to /boot/config/ssl_gen directory

Generate the SSL Certificate Bundle

You should now have the following files in the /boot/config/ssl_gen directory:

Name          Purpose
server.key    Private key file
server.cer    Server certificate
chain###.cer  Chain certificates
server.csr    Certificate Signing Request file
sslcert.cnf   OpenSSL CSR config file
Backup first!
We will be replacing the ‘certificate_bundle.pem’ file in /boot/config/ssl/certs directory. Back this file up in case you misconfigure your new certificate bundle.
  1. SSH to UNRAID
  2. Navigate to /boot/config/ssl_gen
  3. Run cat server.cer chain1.cer chain###.cer server.key > /boot/config/ssl/certs/certificate_bundle.pem, be sure to add ALL chain###.cer files to the line.
    • If you have five for instance it will look like cat server.cer chain1.cer chain2.cer chain3.cer chain4.cer chain5.cer server.key > ....
  4. You can reload nginx to see if there are any issues
    • nginx -s reload will read the config file and output any errors; you may get a WARN about OCSP Stapling and that is fine.
  5. Reboot your UNRAID box and you should be good to go!
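An added example, not from the post, that rehearses the whole procedure above offline in a temporary directory: it writes the post's sslcert.cnf for a constructed FQDN (tower.example.com), generates the CSR with the post's openssl command, lets a throwaway self-signed root CA stand in for the ADCS CA, builds the bundle in the order shown in step 3, and then runs the checks worth doing before reloading nginx (the chain verifies, the private key in the bundle matches the certificate, and the SAN survived issuance). It assumes openssl is on PATH; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the CSR -> certificate ->
# bundle flow offline with a throwaway self-signed root CA standing in for the
# ADCS CA, then run the checks worth doing before the bundle replaces
# /boot/config/ssl/certs/certificate_bundle.pem. Assumes openssl is on PATH.
set -u
FQDN="tower.example.com"    # constructed name; use your server's FQDN
WORK="$(mktemp -d)"         # throwaway directory, never /boot itself
write_cnf() {   # the post's sslcert.cnf; prompt=no so it runs unattended
  cat > "$WORK/sslcert.cnf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
commonName = $FQDN
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $FQDN
EOF
}
gen_csr() {     # the post's openssl req command, unchanged
  openssl req -out "$WORK/server.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -config "$WORK/sslcert.cnf" 2>/dev/null
}
csr_has_san() { # the DNS.1 value edited in step 2 must appear in the CSR
  openssl req -in "$WORK/server.csr" -noout -text | grep -q "DNS:$FQDN"
}
issue_cert() {  # stand-in CA: self-signed root (chain1.cer) signs the CSR, keeping the SAN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -addext "basicConstraints=critical,CA:true" -config "$WORK/sslcert.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/chain1.cer" 2>/dev/null &&
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/chain1.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/sslcert.cnf" -extensions req_ext \
    -out "$WORK/server.cer" 2>/dev/null
}
build_bundle() { # same order as the post: server cert, chain(s), private key
  cat "$WORK/server.cer" "$WORK/chain1.cer" "$WORK/server.key" > "$WORK/certificate_bundle.pem"
}
bundle_ok() {   # worth running before nginx -s reload: chain verifies, key matches, SAN present
  openssl verify -CAfile "$WORK/chain1.cer" "$WORK/server.cer" >/dev/null 2>&1 &&
  [ "$(openssl x509 -in "$WORK/certificate_bundle.pem" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/certificate_bundle.pem" -pubout | openssl sha256)" ] &&
  openssl x509 -in "$WORK/certificate_bundle.pem" -noout -text | grep -q "DNS:$FQDN"
}
run_all() { write_cnf && gen_csr && csr_has_san && issue_cert && build_bundle && bundle_ok; }
run_all && echo "bundle verified: $WORK/certificate_bundle.pem"
```

On the real box, point bundle_ok at /boot/config/ssl/certs/certificate_bundle.pem and your exported root chain file instead of the throwaway CA.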