I use pfSense / haproxy / LetsEncrypt to provide valid SSL certs to all my Private Home Servers, (TrueNas, Unifi controller, sabnzbd, transmission, etc.) However, last week that SSL just stopped working for TrueNas; whenever I log in, TrueNas defaults to the built-in “freenas_default” self-signed cert provided by iXsystems. All other Private Home Servers check good; the SSL pad lock next to the url. Unifi and transmission each have their own dedicated raspberry pi, but I’m running sabnzbd out of a TrueNas Jail.
I tried rebooting TrueNas and pfSense, no joy.
I tried logging in to TrueNas on same machine, but with different (Edge) browser, no joy.
I tried deleting the “freenas_default” cert from within the TrueNas GUI, but popup, “Failed: [EBUSY] This object is being used by other objects”, which makes sense I guess.
I set everything up based on Tom’s videos on the topic. I can’t remember which ones exactly; it’s been at least a year.
Tom thanks for responding. I may be messed up in a couple of places so I commented below on each section of the video. An ‘x’ means that, to my understanding, I did that part correct:
TCP Port and Disable webConfigurator redirect
Backend Encrypt SSL and SSL checks
Front End and Firewall Rules
Front End ACL Rules
DNS
Testing certificate response
The TCP port is currently left blank and webConfigurator redirect is enabled. Last time I messed with these settings I remember getting locked out of pfSense and spending the better part of a day fixing it. So, before I change the port and the redirect, I have 2 questions:
If there’s was port conflict, why can I still get to pfsense and ALL my other Private Home Servers, just not TrueNas?
The Backend looks good I think: In your example, you mention that XenOrchestraLab “has it’s own self-signed certificate”. Well, TrueNas also has it’s own self-signed cert so I used the same settings. But, why do we care if the server has its own self-signed cert if we’re just going to bypass it with an LE cert anyway? Isn’t that what the Encrypt(SSL) box does? i.e. UNCHECKING the Encrypt(SSL) box makes TrueNas use the self-signed cert and CHECKING the Encrypt(SSL) box forces TrueNas to use the LE Cert? I’m so confused…
When I dig pfsense, I get 192.168.3.1, when I dig each of the Private Home Servers (but not including TrueNas), I get 192.168.3.254, which is the virtual IP I use for all the Private Home Servers. But when I dig TrueNas I get 2 IP address, the VIP and the TrueNas host IP address. See below:
Not sure what to make of that…
Finally the openssl command points to iXsystems self-signed Cert, but it should point to LE:
Tells HAProxy to use a secure connection to the back end server and tell it not to check the validity of the cert.
The DNS for the TrueNAS should point at the proxy which appears to be 192.168.3.254, per your screenshot you have a DNS issue because it is also showing 192.168.3.20.
I know it’s weird. “digging” my TrueNas has always returned those 2 IPs. I could never figure out why. But since everything seemed to be working I left it alone. You think, maybe I’ve got a dorked up TrueNas setting? Here’s the System/General tab. Checking/unchecking the http → https redirect makes no difference.
Tom, thanks for the help. I often find conflicting instructions when searching the internet for help with the DNS Resolver. I probably have something missconfigured. Does anything jump out?
Do you have the domain set to wbm4.com in system / general and freenas set as hostname in your DHCP server for your FreeNAS server? This will create two IP’s for freenas.wbm4.com in your DNS. Change the hostname in your DHCP server to be something else. Or change the domain to something like local.wbm4.com.
@tuplas
You were right. I have the following DHCP Static Mapping set for FreeNAS:
IP address: 192.168.3.20
Hostname: FreeNAS
Description: FreeNAS
Not sure which ones actually got it working, but here are the steps I took:
In pfSense, under Services / HAProxy / Frontend, set CS to “yes” for freenas ACL. Save. nothing…
In pfSense, under DHCP Server Static Mappings, change hostname from “FreeNAS” to “TrueNAS”. Save. nothing…
In TrueNAS, under Network / Global Configuration, change hostname from “freenas” to “truenas”. Save. nothing…
In pfSense, under Services / DNS Resolver / General Settings, uncheck “Static DHCP”. Save. nothin…
In linux terminal, run sudo systemd-resolve --flush-caches. BINGO!!!
This article helped:
While this works (for now anyway), I’m not sure I’d consider it a fix. The requirement to use different hostnames for the same server is kind of silly.
Thanks you so much for this tuplas!!!
I had my HaProxy working but it was flaky…sometimes work sometimes not and sometimes on different browsers. It drove me nuts.
I knew there was a config wrong and almost gave up accepting the flaky connection until I saw your one comment over countless others. The silly thing, for my setup its really not that difficult with HaProxy and it all came down to a duplicated hostname causing all the headaches.
I would get 2 IPs with the dig command and couldn’t understand why…just accepted it as my system vs Tom’s more elaborate setups.
