Help Need a SSL Certificate

I have embarked on a mission to move all my stuff onto a VPN out of curiosity.

I have set up my computer network, phones, and tablets with Tailscale, which was very straightforward. The next task was to set up Vaultwarden, but here is the problem. I don’t have a verifiable SSL certificate on my TrueNAS Scale server, so the phone and desktop apps refuse to connect. It appears the built-in TrueNAS Scale certificate isn’t good enough.

How do I get a proper SSL certificate? Looking around, it seems very complicated, and most of the places I have looked say that people get them from their domain provider. I do not have a domain, but I do have a static IP address.

What are my options?
 
Got the cert installed but I am getting this message:

This server could not prove that it is 192.168.1.233; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Any ideas?
 
Firefox detected a potential security threat and did not continue to 192.168.1.233. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
 
If you are sure this is correct, just go to the lower part of the message, where you may get something like an 'advanced' or 'not recommended' button that will allow you to 'accept risk and get to page'.
Also, did you insert that certificate into your certificate store as a Trusted Root Authority? This may help, though I'm not overly convinced it would in this scenario.
 
It's not clear to me what your configuration is. You mention getting a domain, then getting a certificate; but you are still attempting to access the URL using an IP address?

The name in the certificate (CN and SAN) must match what you type into the address bar. What certificate did you get?
 
I followed this video.

I am now getting error messages saying the cert belongs to my domain and not my local IP address.

I can access Vaultwarden if I click "ignore warning" and go to the page anyway through Chrome and Firefox.

I need a workaround. Subject Alternative Name is the problem, as it won't let me use a local IP address.
 
So, yes, if you followed that video, you created a wildcard certificate for any host in your domain.

Let's Encrypt appears to be working on being able to support IP addresses in certificates, but it's not there yet by the looks of it (and it might be a while, and it probably won't support private IP addresses anyway).

Ideally you would now get some sort of name resolution working, so you can enter a hostname rather than the IP address.
 
I think it would have been cheaper just to buy Bitwarden Premium lol.

I cannot find a workaround. Vaultwarden will not communicate without a signed SSL cert, which is probably a good thing considering how important the data is.

I did, however, discover that 18 of my passwords had been compromised, using the free tool built into Vaultwarden. I was shocked, to say the least. And it was not just websites that had been hacked; it was my actual passwords. Thank God for 2FA!

I hope one day someone finds a solution, as it is a common problem with Vaultwarden by the looks of it.
 
Eureka, I have solved the problem! :-)

I use OPNsense firewall as my router. One of the services is Unbound DNS which is installed as default.

All I needed to do was to map my Vaultwarden server IP address to my host and domain as specified on my SSL certificate using the overrides configuration screen.

So to access Vaultwarden I just need to type myhost.mydomain.uk:30032 and it resolves to the Vaultwarden web GUI.

This also works with the phone and desktop app as well :-)

As my network is also connected via Tailscale, I am hoping the phone app will work outside my WiFi network.

One point of concern is that I am not sure how long my SSL cert is valid for, as I can't remember how I got it set up, since I was just bashing the keyboard for 2 days until something worked lol
 
That will depend on the ACME implementation on your NAS, but it ought to renew automatically (that's one of the reasons to use Let's Encrypt/ACME).
 
I am getting e-mails from Let's Encrypt and Red Sift that my certificate for myservice.my-domain.uk is expiring in 6 days (myservice. is the actual host name and the domain is just made up).

The problem is that the certificate I am using has the common name *.my-domain.uk, which appears to have automatically updated on the 30th of May for 90 more days, 10 days before it was originally going to end. I have confirmed that from within TrueNAS by looking at the Credentials >> Certificates menu and the certificate details on the relevant web apps. All of them say the *.my-domain.uk certificate is valid from 2025-05-30 12:06:46 until 2025-08-28 12:06:45.

I have searched all over the Cloudflare admin portal and I cannot see any reference to myservice.my-domain.uk anywhere.

Does anyone know where I should be looking?

It would seem my only solution at the moment is to wait until expiry and see if something breaks!
 
Did you create a wildcard and a specific certificate for myservice when testing? You might just not be using the non-wildcard one, so it doesn't matter. You can search Let's Encrypt for your domain.
 
I think you are right. Searching Let's Encrypt is showing 3 certificates: the original wildcard, the new wildcard, and, most importantly, a myservice.my-domain.uk with the expiry date in 6 days. I guess I must have created the myservice host name during my many attempts at obtaining a certificate before landing on the wildcard version, which ultimately registered correctly in TrueNAS Scale.
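As an added example (not from this thread, TrueNAS, or Vaultwarden), here is a stdlib-only Python check that models the two problems the thread runs into: whether the address typed into the browser (a hostname or an IP) is covered by a certificate's SAN entries, including the one-label wildcard rule, and how many days remain before notAfter. The certificate dict is constructed here to mirror the wildcard cert described above, in the shape Python's `ssl` `getpeercert()` returns; the names and dates are the thread's made-up ones.

```python
import ipaddress
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns,
# modelled on the wildcard certificate discussed in the thread (hypothetical).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.my-domain.uk"),),),
    "subjectAltName": (("DNS", "*.my-domain.uk"), ("DNS", "my-domain.uk")),
    "notBefore": "May 30 12:06:46 2025 GMT",
    "notAfter": "Aug 28 12:06:45 2025 GMT",
}


def _dns_label_match(pattern, host):
    """RFC 6125-style match: a single leftmost '*' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]  # the wildcard never spans a dot


def name_matches(cert, requested):
    """True if the address typed into the browser is covered by the cert's SANs."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_label_match(value, requested):
            return True
    return False  # an IP never matches a DNS entry, not even a wildcard


def expiry_seconds(cert):
    """notAfter as a Unix timestamp."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (expiry_seconds(cert) - now) / 86400


if __name__ == "__main__":
    for target in ("myservice.my-domain.uk", "192.168.1.233", "a.b.my-domain.uk"):
        print(target, "->", "covered" if name_matches(WILDCARD_CERT, target) else "NAME MISMATCH")
    print("days left:", round(days_until_expiry(WILDCARD_CERT)))
```

Run against a live server you can replace the constructed dict with `ssl.create_default_context().wrap_socket(...).getpeercert()`, which produces the same shape.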
 