freenas-pre-certui was generated with an expired date
Description
Problem/Justification
Impact
duplicates
SmartDraw Connector
Katalon Manual Tests (BETA)
Activity
Jaimie Vandenbergh April 18, 2020 at 3:51 AM
No cleanup? Fine.
Jaimie Vandenbergh April 16, 2020 at 8:15 PMEdited
I was wrong - datestamp was no help at all. Not sure why, but they're dated like 9 days ago - same as system uptime, which I bet isn't a coincidence. Is there another location I can check?
Jaimie Vandenbergh April 16, 2020 at 8:09 PMEdited
Hi ,
I'm not sure about when it was created, but I'd guess at around 11.2-u3. Best evidence would be the datestamp on the cert file itself, but I haven't been able to find it. Does it live in the filesystem? I'll look it up to check.
Given that 11.3-u2 generates the freenas_default cert correctly now, there's probably nothing to fix in the creation process - that bug is clearly already sorted.
But going by the small chorus of other folk in my forum post who have the older cert with the bad dates, and there being no info as to what freenas_pre_certui ever was, there might be call for some sort of cleanup/fixup script at update time to cover those people?
There's perhaps also a need for a bit more documentation about the use of System/General/GUI SSL Certificate, a paragraph on replacing the UI cert would be useful. Or a "generate me another self-signed cert" button
Waqar Ahmed April 16, 2020 at 6:10 PM
so this certificate was not generated when you upgraded to 11.3, is that correct ?
I'll move with the assumption it wasn't, it was created earlier at some point - however we introduced alerts for expired certs in 11.3 which is why it has been brought to your attention right now.
Currently we generate a cert named "freenas_default" to enable https support by default for FN.
So the alert has been fixed to correctly reflect the scenario.
Jaimie Vandenbergh April 16, 2020 at 3:52 PM
The entry in the WebGUI under System/General/GUI SSL Certificate matches the generated cert on each box: Old has freenas_pre_certui, new (11.3-U1) has freenas_default.
Details
Details
Assignee
Triage TeamReporter
Jaimie VandenberghComponents
Fix versions
Affects versions
Priority
LowMore fields
Time tracking
More fields
Time trackingKatalon Platform
Linked Test Cases, Katalon Defect Results, Katalon Studio Test Results
Katalon Platform
The only cert I have in my Certificates panel is freenas-pre-certui. It was generated with a date older than the hardware its on, which has never had a bad clock set in the time I've owned it, and older than the time I've been using FreeNAS:
Valid dates: Wed Sep 7 01:02:33 2011 to Fri Oct 7 01:02:33 2011
/O=iXsystems, Inc./OU=Systems/emailAddress=root@localhost/L=San Jose/ST=California/C=US/CN=localhost
"Certificate 'freenas-pre-certui' is expiring within -3112 days.
Tue, 25 Feb 2020 07:19:34 PM (Europe/London)"
It's not clear to me whether the badly-dated cert was generated then, or whether FreeNAS first decided to start alerting on it then. As above, either way the date is long before any possible sane date so the generation script needs fixing.
I update to new releases pretty much as soon as they go live, which may help with version timelines.
A recent bug on this https://jira.ixsystems.com/browse/NAS-105669 was I think erroneously closed as dupe of https://jira.ixsystems.com/browse/NAS-105664 . This is not a cert that's been replaced, it was created by the system/installation/migration (no idea which) with a bad date range and there's no info on whether it's important or not.
Others are also seeing it, https://www.ixsystems.com/community/threads/how-to-renew-freenas-pre-certui-bad-cert-was-generated-expired-9-years-ago.83602