Unable to update TrueNAS Scale using DPI-SSL cert
Description
Activity
Waqar Ahmed March 14, 2022 at 11:29 AM
@Bill Dolan we will expose this option in the UI so that no command needs to be run in the related ticket.
Bill Dolan March 12, 2022 at 7:14 PM
Hello @Waqar Ahmed,
From the status change on the issue, I assume the midclt bug you were referring to is tied to a different issue and is slated to be fixed. Is that a correct assumption?
Bill Dolan March 12, 2022 at 5:38 PM
Hello @Waqar Ahmed,
I can confirm that I have only the one cert that is included with the system and then the CA that I added for a total of 2.
The chain is correct as well as the contents of the file.
The file got put in that location. When importing I gave it a name of Dell so my path was
"/usr/local/share/ca-certificates/Dell.crt"
But yes, if we leave out the curl changes (specific to my cert use case), I only needed to do the import and then the midclt command to get it working. The midclt command was required to get it to work. No modification to the cert file or anything else (again, excluding the curl change).
Waqar Ahmed March 12, 2022 at 6:06 AM
@Bill Dolan please do let me know about the above when you have some time.
If the above is true, then it means that you did not need to modify the file anyways as it would have the correct contents. Or if you can check if it has the correct certificate chain, that would be another nice test as well please (for reference, we are talking about "/usr/local/share/ca-certificates/CANAMEHERE.crt").
Waqar Ahmed March 11, 2022 at 4:21 AM
I think the curl configuration bit is specific to the cert you are using.
Also can you confirm please if you only have 1 certificate (the default one which comes with the fresh system) and 1 CA only, totaling to 2 certs including certs + CAs?
Hello,
I am currently testing out TrueNAS Scale as I like the prospect of being on Debian.
My system is behind a Sonicwall that is using DPI. It needs a specific cert to be able to work and all other connections are blocked.
After installing TrueNAS Scale, I added the DPI-SSL cert with the following procedure and testing.
Converted CER cert to crt
openssl x509 -inform DER -in path/to/dell.cer -out dell.crt
added to this location
/etc/ssl/certs
ran this to update ssl bundles
update-ca-certificates --fresh
I then tested with the apt update command and by checking the app list (installable) in the UI, and both were working (they weren't before).
Then when I check for updates, I get this error:
Cannot connect to host update.freenas.org:443 ssl:default [Network is unreachable]: Automatic update check failed. Please check system network settings.
I have tried restarting middlewared and the system multiple times while testing this to see if I can get it working.
I get this error when I check for updates in the CLI
I am currently using version TrueNAS-SCALE-22.02-RC.2
As per my communication on the forum, I was advised to open this ticket.
https://www.truenas.com/community/threads/how-does-scale-update-ssl-errors.98283/#post-678131
Please feel free to let me know if there is anything you would like me to try or need any more information.
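
A diagnostic for the situation in this ticket, where apt worked after the CA import but the update check did not: the following is an added Python example (not part of the ticket and not TrueNAS code) that accepts a CA file in either DER (.cer) or PEM (.crt) form and reports which trust bundles contain it. The bundle names and certificate bytes are constructed placeholders; on a real system you would read files such as /usr/local/share/ca-certificates/Dell.crt and the Debian bundle /etc/ssl/certs/ca-certificates.crt instead.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def cert_format(data):
    """Classify certificate file contents as 'PEM', 'DER' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "PEM"
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    return "DER" if data[:1] == b"\x30" else "unknown"


def to_der(data):
    """Normalise PEM or DER input to DER so both encodings compare equal."""
    kind = cert_format(data)
    if kind == "PEM":
        pem = PEM_BLOCK.search(data).group(0).decode("ascii")
        return ssl.PEM_cert_to_DER_cert(pem)
    if kind == "DER":
        return data
    raise ValueError("not a PEM or DER certificate")


def fingerprint(data):
    """SHA-256 fingerprint of the certificate's DER encoding."""
    return hashlib.sha256(to_der(data)).hexdigest()


def stores_trusting(ca, bundles):
    """Map each bundle name to True if that PEM bundle contains the CA."""
    want = fingerprint(ca)
    return {name: any(fingerprint(block) == want
                      for block in PEM_BLOCK.findall(text))
            for name, text in bundles.items()}


# Constructed sample bytes: DER-shaped placeholders, not real certificates.
DPI_CA_DER = b"\x30\x82\x01\x0a" + b"constructed-dpi-ca" * 8
OTHER_DER = b"\x30\x82\x01\x0a" + b"constructed-public-ca" * 8
DPI_CA_PEM = ssl.DER_cert_to_PEM_cert(DPI_CA_DER).encode()
OTHER_BUNDLE = ssl.DER_cert_to_PEM_cert(OTHER_DER).encode()
SYSTEM_BUNDLE = OTHER_BUNDLE + DPI_CA_PEM  # bundle that includes the DPI CA

if __name__ == "__main__":
    bundles = {"system": SYSTEM_BUNDLE, "other": OTHER_BUNDLE}
    print(cert_format(DPI_CA_DER), stores_trusting(DPI_CA_DER, bundles))
```

A CA file that reports as DER has not yet been through the openssl conversion step shown in the description above; the Debian update-ca-certificates tooling expects PEM files with a .crt extension.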