Help: Need an SSL Certificate

I have embarked on a mission to move all my stuff onto a VPN out of curiosity.

I have set up my computer network, phones, and tablets with Tailscale, which was very straightforward. The next task was to set up Vaultwarden, but here is the problem. I don’t have a verifiable SSL certificate on my TrueNAS Scale server, so the phone and desktop apps refuse to connect. It appears the built-in TrueNAS Scale certificate isn’t good enough.

How do I get a proper SSL certificate? Looking around, it seems very complicated, and most of the places I have looked say that people get them from their domain provider. I do not have a domain, but I do have a static IP address.

What are my options?
 
Got the cert installed but I am getting this message:

This server could not prove that it is 192.168.1.233; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Any ideas?
 
Firefox detected a potential security threat and did not continue to 192.168.1.233. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
 
I followed this video


I am now getting error messages saying the cert belongs to my domain and not my local ip address.

I can access Vaultwarden if I click "ignore warning" and go to the page anyway through Chrome and Firefox.

I need a workaround. Subject Alternative Name is the problem, as it won't let me use a local IP address.
 
I think it would have been cheaper just to buy Bitwarden Premium lol.

I cannot find a workaround. Vaultwarden will not communicate without a signed SSL cert, which is probably a good thing considering how important the data is.

I did, however, discover that 18 of my passwords had been compromised, using the free tool built into Vaultwarden. I was shocked, to say the least. And it was not just websites that had been hacked; it was my actual passwords. Thank God for 2FA!

I hope one day someone finds a solution as it is a common problem with vaultwarden by the looks of it.
 
Eureka, I have solved the problem! :-)

I use OPNsense firewall as my router. One of the services is Unbound DNS which is installed as default.

All I needed to do was to map my Vaultwarden server IP address to my host and domain as specified on my SSL certificate using the overrides configuration screen.

So to access Vaultwarden I just need to type myhost.mydomain.uk:30032 and it resolves to the Vaultwarden Web GUI.

This also works with the phone and desktop app as well :-)

As my network is also connected via Tailscale I am hoping the phone app will work outside my WiFi network.

One point of concern is that I am not sure how long my SSL cert is valid for, as I can't remember how I got it set up, since I was just bashing the keyboard for 2 days until something worked lol
 
I am getting e-mails from Let's Encrypt and Red Sift that my certificate for myservice.my-domain.uk is expiring in 6 days (myservice. is the actual host name and the domain is just made up).

The problem is that the certificate I am using has common name *.my-domain.uk, which appears to have automatically updated on 30th May for 90 more days, 10 days before it was originally going to end. I have confirmed that from within TrueNAS by looking at the Credentials >> Certificates menu and the certificate details on the relevant web apps. All of them refer to the *.my-domain.uk certificate, valid from 2025-05-30 12:06:46 until 2025-08-28 12:06:45.

I have searched all over Cloudflare admin portal and I cannot see any reference to myservice.my-domain.uk anywhere.

Does anyone know where I should be looking?

It would seem my only solution at the moment is to wait until expiry and see if something breaks!
 
Did you create a wildcard and a specific certificate for myservice when testing? You might just not be using the non-wildcard one, so it doesn't matter. You can search Let's Encrypt for your domain.
I think you are right. Searching Let's Encrypt is showing 3 certificates: the original wildcard, the new wildcard, and, most importantly, a myservice.my-domain.uk with the expiry date in 6 days. I guess I must have created the myservice host name during my many attempts at obtaining a certificate before landing on the wildcard version, which ultimately registered correctly in TrueNAS Scale.
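The following Python is an added example, not code from the thread, from TrueNAS or from Vaultwarden. It models the two things worked out in this thread: why a *.my-domain.uk certificate satisfies myservice.my-domain.uk but can never satisfy a bare https://192.168.1.233 URL (the SAN rules behind the browser warning, and why the Unbound host override fixes it), and how to tell which of the three certificates found in the Let's Encrypt search the expiry mail actually concerns. The certificate inventory, the validity dates of the myservice certificate, the "now" timestamp and the override table are constructed from details quoted in the posts; my-domain.uk is the poster's placeholder domain, and the myservice host name is used throughout in place of myhost.

```python
"""Added example (not from the thread): SAN matching and certificate expiry triage.

Everything here is constructed offline from details quoted in the posts; no
network calls are made.  my-domain.uk is the poster's placeholder domain.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    label: str                # name used in the report only
    sans: tuple[str, ...]     # SAN entries; iPAddress SANs written as "IP:a.b.c.d"
    not_before: datetime
    not_after: datetime


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a leading '*.' covers exactly one DNS label, so
    *.my-domain.uk matches myservice.my-domain.uk but neither my-domain.uk
    (the apex) nor a.b.my-domain.uk (two labels)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                          # ".my-domain.uk"
    leftmost = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert: Cert, url_host: str) -> bool:
    """Clients compare the URL host with the SAN list (the CN is ignored when a
    SAN extension is present).  A literal IP in the URL only ever matches an
    iPAddress SAN, so https://192.168.1.233:30032 cannot validate against a
    certificate that carries DNS names only."""
    try:
        want_ip = ipaddress.ip_address(url_host)
    except ValueError:
        want_ip = None
    for entry in cert.sans:
        if entry.startswith("IP:"):
            if want_ip is not None and ipaddress.ip_address(entry[3:]) == want_ip:
                return True
        elif want_ip is None and dns_name_matches(entry, url_host):
            return True
    return False


def connection_ok(url_host: str, overrides: dict[str, str], server_ip: str, served: Cert) -> bool:
    """The browser's view of the Unbound fix: the URL host resolves (here via a
    constructed override table), the socket reaches server_ip, and the cert is
    then matched against the URL host, never against the resolved address."""
    try:
        resolved = str(ipaddress.ip_address(url_host))   # literal IP typed into the URL
    except ValueError:
        resolved = overrides.get(url_host.lower())
    return resolved == server_ip and cert_covers(served, url_host)


def days_until_expiry(cert: Cert, now: datetime) -> float:
    return (cert.not_after - now).total_seconds() / 86400


def triage_expiry(issued, served: Cert, now: datetime, warn_days: int = 14) -> list[dict]:
    """One row per issued certificate: whether it is the one actually being
    served (same SANs and validity window) and its expiry status."""
    rows = []
    for c in issued:
        days = days_until_expiry(c, now)
        rows.append({
            "label": c.label,
            "days_left": round(days, 1),
            "served": (c.sans, c.not_before, c.not_after) == (served.sans, served.not_before, served.not_after),
            "status": "expired" if days < 0 else "expiring" if days <= warn_days else "ok",
        })
    return rows


def served_cert_needs_renewal(rows: list[dict]) -> bool:
    """An expiry mail only matters if it concerns the certificate in use."""
    return any(r["served"] and r["status"] != "ok" for r in rows)


# Constructed inventory mirroring the three certificates found when searching
# Let's Encrypt issuance for the domain. The wildcard dates are the ones quoted;
# the myservice dates are made up so that it expires six days after NOW.
ISSUED = (
    Cert("old wildcard", ("*.my-domain.uk",), datetime(2025, 3, 1, 12, 6, 46), datetime(2025, 5, 30, 12, 6, 45)),
    Cert("new wildcard", ("*.my-domain.uk",), datetime(2025, 5, 30, 12, 6, 46), datetime(2025, 8, 28, 12, 6, 45)),
    Cert("myservice only", ("myservice.my-domain.uk",), datetime(2025, 3, 18, 9, 0, 0), datetime(2025, 6, 16, 9, 0, 0)),
)
SERVED = ISSUED[1]                      # what TrueNAS Credentials > Certificates shows in use
NOW = datetime(2025, 6, 10, 9, 0, 0)
VAULTWARDEN_IP = "192.168.1.233"
UNBOUND_OVERRIDES = {"myservice.my-domain.uk": VAULTWARDEN_IP}   # constructed host override


if __name__ == "__main__":
    for host in (VAULTWARDEN_IP, "myservice.my-domain.uk", "my-domain.uk"):
        verdict = "OK" if connection_ok(host, UNBOUND_OVERRIDES, VAULTWARDEN_IP, SERVED) else "cert/DNS mismatch"
        print(f"https://{host}:30032  ->  {verdict}")
    rows = triage_expiry(ISSUED, SERVED, NOW)
    for row in rows:
        print(row)
    print("served certificate needs attention:", served_cert_needs_renewal(rows))
```

Run it as a script to see the three URL verdicts and the per-certificate rows. The only way to make the bare-IP URL validate is a certificate with an iPAddress SAN, which public CAs will not issue for an RFC 1918 address; pointing a DNS name at the private address instead, as the Unbound override does, sidesteps that entirely. For the expiry question, compare the SANs and the validity window of the certificate TrueNAS shows as in use with each certificate in the issuance search; a warning about one that does not match is about an unused certificate and can be left to lapse.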
 
Not dumb-proof enough! I tried Nginx a while back but couldn't get it to work. I was wanting to configure the reverse proxy suggested to me in another thread, so I didn't need to add a port number to the end of the URL for each specific web app, but it broke something, causing the certificate to fail when enabled. I deleted Nginx and everything worked again. I am wary about trying it again in case I brick TrueNAS. Now I have everything working, to the point of not updating TrueNAS in case the settings do not transfer properly to an updated version. Probably not the best approach, but I would struggle to set everything up from scratch again.
 
True, it did not let me break anything permanently, but I came to this problem knowing nothing about certificates and the rest of the networking security jargon. I just wanted to self-host Vaultwarden and it snowballed from there :-)
 
One thing to look into that might help in future is using a reverse proxy for browsing your internal stuff. It gives you a single point of ingress into your 'hosted' stuff and you can have the proxy host the certificate with LetsEncrypt, and just do whatever you need on the back end.

Nginx Proxy Manager, as mentioned above, is one; if you're using OPNsense you should be able to use HAProxy quite easily too (I have done this before).
Does Nginx or HAProxy replace my use case for Unbound DNS overrides?

Can I leave the management of Lets Encrypt Certificate to TrueNAS since it works as is?

I am reluctant to add more modules to OPNsense in case I brick it (losing internet capability would be a pain, although temporary), but TrueNAS has a Docker container for Nginx available that I tried to use before, and I think I could not get the Web GUI to work before abandoning it. I might give it another shot now I am running TrueNAS Fangtooth.
 
So my configuration is not optimal. Think I will leave my setup as is, or until something breaks. I run 2 Docker containers within TrueNAS and only one needs a WebGUI requiring a port number. I might revisit this if I start adding more containers in the future. Thanks for your responses. :-)
 