TrueNAS no longer getting LE cert from pfSense/HAproxy

Greetings,

I use pfSense / haproxy / LetsEncrypt to provide valid SSL certs to all my Private Home Servers, (TrueNas, Unifi controller, sabnzbd, transmission, etc.) However, last week that SSL just stopped working for TrueNas; whenever I log in, TrueNas defaults to the built-in “freenas_default” self-signed cert provided by iXsystems. All other Private Home Servers check good; the SSL pad lock next to the url. Unifi and transmission each have their own dedicated raspberry pi, but I’m running sabnzbd out of a TrueNas Jail.

I tried rebooting TrueNas and pfSense, no joy.
I tried logging in to TrueNas on same machine, but with different (Edge) browser, no joy.
I tried deleting the “freenas_default” cert from within the TrueNas GUI, but popup, “Failed: [EBUSY] This object is being used by other objects”, which makes sense I guess.

I set everything up based on Tom’s videos on the topic. I can’t remember which ones exactly; it’s been at least a year.

Any suggestions on what I could try next?

-Thanks

Here is a video showing how to troubleshoot HAProxy

Tom thanks for responding. I may be messed up in a couple of places so I commented below on each section of the video. An ‘x’ means that, to my understanding, I did that part correct:

  • [ ] TCP Port and Disable webConfigurator redirect
  • [x] Backend Encrypt SSL and SSL checks
  • [x] Front End and Firewall Rules
  • [x] Front End ACL Rules
  • [ ] DNS
  • [ ] Testing certificate response

The TCP port is currently left blank and webConfigurator redirect is enabled. Last time I messed with these settings I remember getting locked out of pfSense and spending the better part of a day fixing it. So, before I change the port and the redirect, I have 2 questions:

  1. If there’s was port conflict, why can I still get to pfsense and ALL my other Private Home Servers, just not TrueNas?
  2. By changing the port to 10443, does that mean I’ll have to use pfsense.wbm4.com:10443 rather than just plain ole pfsense.wbm4.com to access pfSense?

The Backend looks good I think: In your example, you mention that XenOrchestraLab “has it’s own self-signed certificate”. Well, TrueNas also has it’s own self-signed cert so I used the same settings. But, why do we care if the server has its own self-signed cert if we’re just going to bypass it with an LE cert anyway? Isn’t that what the Encrypt(SSL) box does? i.e. UNCHECKING the Encrypt(SSL) box makes TrueNas use the self-signed cert and CHECKING the Encrypt(SSL) box forces TrueNas to use the LE Cert? I’m so confused…

When I dig pfsense, I get 192.168.3.1, when I dig each of the Private Home Servers (but not including TrueNas), I get 192.168.3.254, which is the virtual IP I use for all the Private Home Servers. But when I dig TrueNas I get 2 IP address, the VIP and the TrueNas host IP address. See below:

Screenshot from 2022-01-04 10-20-52

Not sure what to make of that…

Finally the openssl command points to iXsystems self-signed Cert, but it should point to LE:

The video only said what it SHOULD look like; not how to fix it if it doesn’t.

Thoughts?

Using:

Encrypt(SSL) YES
SSL checks NO

Tells HAProxy to use a secure connection to the back end server and tell it not to check the validity of the cert.

The DNS for the TrueNAS should point at the proxy which appears to be 192.168.3.254, per your screenshot you have a DNS issue because it is also showing 192.168.3.20.

I know it’s weird. “digging” my TrueNas has always returned those 2 IPs. I could never figure out why. But since everything seemed to be working I left it alone. You think, maybe I’ve got a dorked up TrueNas setting? Here’s the System/General tab. Checking/unchecking the http → https redirect makes no difference.

And for Network/Global Configuration:

Thoughts?

I am all out of ideas.

Tom, thanks for the help. I often find conflicting instructions when searching the internet for help with the DNS Resolver. I probably have something missconfigured. Does anything jump out?


Advanced Settings…

Do you have the domain set to wbm4.com in system / general and freenas set as hostname in your DHCP server for your FreeNAS server? This will create two IP’s for freenas.wbm4.com in your DNS. Change the hostname in your DHCP server to be something else. Or change the domain to something like local.wbm4.com.

@tuplas
You were right. I have the following DHCP Static Mapping set for FreeNAS:
IP address: 192.168.3.20
Hostname: FreeNAS
Description: FreeNAS

Not sure which ones actually got it working, but here are the steps I took:

  1. In pfSense, under Services / HAProxy / Frontend, set CS to “yes” for freenas ACL. Save. nothing…
  2. In pfSense, under DHCP Server Static Mappings, change hostname from “FreeNAS” to “TrueNAS”. Save. nothing…
  3. In TrueNAS, under Network / Global Configuration, change hostname from “freenas” to “truenas”. Save. nothing…
  4. In pfSense, under Services / DNS Resolver / General Settings, uncheck “Static DHCP”. Save. nothin…
  5. In linux terminal, run sudo systemd-resolve --flush-caches. BINGO!!!

This article helped:

While this works (for now anyway), I’m not sure I’d consider it a fix. The requirement to use different hostnames for the same server is kind of silly.

At any rate, thanks for the tip!

Willie

1 Like