Custom SSL Certificate in UNRAID 6.9.2
I recently (like a year ago lol) moved from FreeNAS to UNRAID. The system runs so much better, has way more options and in my opinion…well worth the license cost. I recently decided to add an SSL Cert to the WebUI so I could snag port 80 for my Caddy container.
I have my own PKI using Active Directory Certificate Services in my own internal home AD Domain. My server is not exposed to the internet so I’m only concerned with my internal machines trusting the server.
Generate CSR on UNRAID
The first step to any SSL certificate is generating a Certificate Signing Request (CSR for short). The CSR contains the identity information for the server. In my environment I have left my server's name as 'tower.mydomain.com'.
- Create the /boot/config/ssl_gen folder
- Create the 'sslcert.cnf' file
  - Navigate to the /boot/config/ssl_gen folder
  - Run `nano sslcert.cnf`
  - Paste the contents of the code block below into the file
  - Look for the line DNS.1 and change the value to the FQDN of your server
  - [CTRL]+X to save this file
- Generate the CSR
  - Still in /boot/config/ssl_gen
  - Run `openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config sslcert.cnf`
  - This command will output two files:

    Name | Purpose |
    ---|---|
    server.csr | Contains the Base64 encoded CSR data your SSL provider requires |
    server.key | Contains the private key of the server, do not lose this!!! |

- Copy the server.csr to your local machine
  - This can be opened with Notepad or provided to the provider as is.
Issue Certificate from CSR
The next step is to provide the CSR information to your SSL Provider. In my case the provider is my internal PKI using my subordinate CA server. My Root CA is offline at all times and only comes online to renew my subordinate CA certificate. All my internal domain machines trust my Root CA.
I won't go into full detail on how to request the certificate from your chosen provider; follow the provider's instructions to request it.
Once the request is complete your provider will normally give you two files. In my case these are the files:
Name | Purpose |
---|---|
*.cer | This is the actual certificate |
*.p7b | This is the certificate chain from ADCS, other providers may provide a different format |
- Copy the *.cer file to the /boot/config/ssl_gen directory
- Separate the chains
  - The following instructions may only be relevant on Windows using ADCS
  - Double-click the *.p7b; this is a collection of chain(s), and we need to export each one in Base-64 encoded format to its own file
  - In the image you can see the three chains plus the cert listed.
  - The chain order is:
    - RCA01-CA (Root CA)
    - mydomain-CA01-CA (Subordinate CA)
    - tower.mydomain.com (Server)
  - The goal is to export these in an order we can use to build a certificate bundle that looks like:
    - Server Certificate
    - First Chain
    - Second Chain
    - Third Chain
    - …
    - Root Chain
    - Server Key
  - Right-click each chain cert in order, starting from the Server Cert down to the Root Chain
    - Click 'All Tasks' -> 'Export'
    - Click Next on the first wizard page
    - Select 'Base-64 encoded X.509 (.CER)' -> Click Next
    - Save as something sensible, like chain1.cer, chain2.cer and so forth
  - Copy the chains to the /boot/config/ssl_gen directory
Generate the SSL Certificate Bundle
You should now have the following files in the /boot/config/ssl_gen directory:
Name | Purpose |
---|---|
server.key | Private Key file |
server.cer | Server Certificate |
chain###.cer | Chain Certificates |
server.csr | Certificate Signing Request file |
sslcert.cnf | OpenSSL CSR Config File |
The cat command below writes to certificate_bundle.pem in the /boot/config/ssl/certs directory. Back this file up first in case you misconfigure your new certificate bundle.
- SSH to UNRAID
- Navigate to /boot/config/ssl_gen
- Run `cat server.cer chain1.cer chain###.cer server.key > /boot/config/ssl/certs/certificate_bundle.pem`, being sure to add ALL chain###.cer files to the line.
  - If you have five, for instance, it will look like `cat server.cer chain1.cer chain2.cer chain3.cer chain4.cer chain5.cer server.key > ....`
- You can reload nginx to see if there are any issues: `nginx -s reload` will read the config file and output errors. You may get a WARN about OCSP stapling and that is fine.
- Reboot your UNRAID box and you should be good to go!
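As an added check that is not part of the original post, the following Python script inspects the assembled bundle for the mistakes the steps above can produce: the server certificate must come first, the chain certificates next, and exactly one private key last, with no stray PKCS#7 block from a pasted .p7b and no truncated or non-base64 block. It uses only the standard library, so it can be run on your workstation against a copy of the file; the default path is the one used in the cat command above.

```python
import base64
import re
import sys

# One PEM block; the END label must repeat the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem(text):
    """Return (label, DER bytes) per well-formed block; ValueError on bad base64."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def check_bundle(text):
    """Return the problems found in a bundle; an empty list means it looks right."""
    problems = []
    if "-----BEGIN PKCS7-----" in text:
        problems.append("PKCS#7 (.p7b) block present: export each chain cert as Base-64 X.509 instead")
    if len(PEM_BLOCK.findall(text)) != text.count("-----BEGIN "):
        problems.append("a PEM block is truncated or its BEGIN/END labels disagree")
    try:
        blocks = parse_pem(text)
    except ValueError:
        return problems + ["a PEM body is not valid base64"]
    if not blocks:
        return problems + ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    n_keys = sum(label in KEY_LABELS for label in labels)
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be server.cer, found %s" % labels[0])
    if n_keys != 1:
        problems.append("expected exactly one private key block, found %d" % n_keys)
    elif labels[-1] not in KEY_LABELS:
        problems.append("server.key must be the last block in the bundle")
    if labels.count("CERTIFICATE") < 2:
        problems.append("no chain certificates found: were the chain###.cer files included?")
    for label, der in blocks:
        if not der or der[0] != 0x30:  # every DER certificate or key is an ASN.1 SEQUENCE
            problems.append("%s block does not decode to a DER SEQUENCE" % label)
    return problems

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/boot/config/ssl/certs/certificate_bundle.pem"
    with open(path) as fh:
        issues = check_bundle(fh.read())
    print("\n".join(issues) or "bundle looks well-formed")
    sys.exit(1 if issues else 0)
```

The script checks structure only; it does not prove that the key matches the certificate or that the chain verifies, so still watch the nginx reload for errors.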