Help Need a SSL Certificate

RavenLunatic · 10 Mar 2025 at 13:45

I have embarked on a mission to move all my stuff onto a VPN out of curiosity.

I have set up my computer network, phones, and tablets with Tailscale which was very straight forward. Next task was to setup Vaultwarden but here is the problem. I don’t have a verifiable SSL Certificate on my TrueNAS Scale server so the phone, and desktop app refuse to connect. It appears the built in TrueNAS Scale Certificate isn’t good enough.

How do I get a proper SSL Certificate? Looking around it seems very complicated and most of the places i have looked say that people get them from their domain provider. I do not have a domain, but I do have a static IP address.

What are my options?

randal · 10 Mar 2025 at 14:00

You can pickup xyz domains for peanuts, I'd do that and use LetsEncypt. If you used CloudFlare, you'd get all the benefits of that too.

RavenLunatic · 10 Mar 2025 at 14:30

Do you mean just a random numbers and letters?

Who is the cheapest registrar there seems to be a lot of them?

#Chri5# · 10 Mar 2025 at 14:34

RavenLunatic said:
Do you mean just a random numbers and letters?

Who is the cheapest registrar there seems to be a lot of them?

I'd get a domain with Cloudflare. Possibly not the cheapest but reliable. Just under 5/usd for a .uk domain.

RavenLunatic · 10 Mar 2025 at 15:20

Bagged a good .uk name for $4.82 a year.

Now to find out how to get the certificate...

RavenLunatic · 10 Mar 2025 at 16:57

Got the cert installed but I am getting this message:

This server could not prove that it is 192.168.1.233; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

any ideas?

Robert T. · 10 Mar 2025 at 17:12

SSL cert may be missing SAN (Subject Alternative Name) attribuite required by all modern Chromium-based browsers.
It's been pain for quite a while now...

RavenLunatic · 10 Mar 2025 at 17:24

Firefox detected a potential security threat and did not continue to 192.168.1.233. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Robert T. · 10 Mar 2025 at 18:00

If you are sure this is correct, just go to lower part of message where you may get something like 'advanced' or 'not recommended' button that will allow you to 'accept risk and get to page'
Also - did you inserted that certificate to your certificate store as Trusted Root Authority? This may help - thou not overly convinced it would in this scenario..

VersionMonkey · 10 Mar 2025 at 19:37

It's not clear to me what your configuration is. You mention getting a domain, then getting a certificate; but you are still attempting to access the URL using an IP address?

The name in the certificate (CN and SAN) must match what you type into the address bar. What certificate did you get?

RavenLunatic · 10 Mar 2025 at 20:00

I followed this video

I am now getting error messages saying the cert belongs to my domain and not my local ip address.

I can access Vaultwarden if I click ignore warning and go to page anyway through Chrom and firefox

I need a work around . Subject Alternative Name is the problem as it won't let me use a local ip address.

VersionMonkey · 10 Mar 2025 at 20:48

RavenLunatic said:
I followed this video

I am now getting error messages saying the cert belongs to my domain and not my local ip address.

I can access Vaultwarden if I click ignore warning and go to page anyway through Chrom and firefox

I need a work around . Subject Alternative Name is the problem as it won't let me use a local ip address.

So, yes, if you followed that video you created a wildcard certificate for any host in your domain.

Let's Encrypt appear to be working on being able to support IP addresses in certificates, but it's not there yet by the looks of it (and might be a while and probably won't support private IP addresses anyway).

Ideally you would now get some sort of name resolution working, so you can enter a hostname rather than the IP address.

RavenLunatic · 11 Mar 2025 at 16:44

I think it would have been cheaper just to buy Bitwarden Premium lol.

I cannot find a work around Vaultwarden will not communicate without a signed SSL cert which is probably a good thing considering how important the data is.

I did however discoverer 18 of my passwords had been compromised using the free tool built into Vaultwarden. I was shocked to say the least. And it was not just websites that had been hacked it was my actual passwords. Thank god for 2FA!

I hope one day someone finds a solution as it is a common problem with vaultwarden by the looks of it.

RavenLunatic · 11 Mar 2025 at 19:36

Eureka, I have solved the problem! :-)

I use OPNsense firewall as my router. One of the services is Unbound DNS which is installed as default.

All I needed to do was to map my Vaultwarden server IP address to my host and domain as specified on my SSL certificate using the overrides configuration screen.

So to access Voltwarden I just need to type myhost.mydomain.uk:30032 and it resolves to the Vaultwarden Web GUI.

This also works with the phone and desktop app as well :-)

As my network is also connected via Tailscale I am hoping the phone app will work outside my WiFi network.

One point of concern is I am not sure how long my SSL cert is valid for as I can't remember how I got it setup since is was just bashing the keyboard for 2 days until something worked lol

VersionMonkey · 11 Mar 2025 at 21:51

RavenLunatic said:
One point of concern is I am not sure how long my SSL cert is valid for as I can't remember how I got it setup since is was just bashing the keyboard for 2 days until something worked lol

That will depend on the Acme implementation on your NAS, but it ought to automatically renew (that's one of the reasons to use Let's Encrypt/Acme).

RavenLunatic · 12 Mar 2025 at 07:50

Now with me having secured a domain am I obligated to set up a website, or can I just sit on it, since all I wanted was the certificate?

IanAG · 12 Mar 2025 at 08:16

RavenLunatic said:
Now with me having secured a domain am I obligated to set up a website, or can I just sit on it, since all I wanted was the certificate?

Yes, no need to have a website at all.

RavenLunatic · 2 Jun 2025 at 17:49

I am getting e-mails from lets encrypt and Red Sift that my certificate for myservice.my-domain.uk is expiring in 6 days (myservice. is the actual host name and the domain is just made up)

Problem is the certificate that I am using common name is *.my-domain.uk which appears to have automatically updated on the 30th May for 90 more days 10 days before its originally was going to end. I have confirmed that from within TrueNAS looking at the Credentials>> Certificates menu and the certificates details on the relevant web apps. All of them refer to *.my-domain.uk certificate is valid from 2025-05-30 12:06:46 until: 2025-08-28 12:06:45

I have searched all over Cloudflare admin portal and I cannot see any reference to myservice.my-domain.uk anywhere.

Does anyone know where I should be looking?

It would seem my only solution at the moment is to wait until expiry and see if something breaks!

img · 2 Jun 2025 at 23:16

Did you create a wildcard and a specific certificate for myservice when testing as youbmight just not be using the non wildcard so it doesn't matter. You can search letsencrupt for ypur domain

RavenLunatic · 3 Jun 2025 at 02:44

img said:
Did you create a wildcard and a specific certificate for myservice when testing as youbmight just not be using the non wildcard so it doesn't matter. You can search letsencrupt for ypur domain

I think you are right. Searching lets encrypt is showing 3 certificates the original wildcard, the new wildcard, and most importantly a myservice.my-domain.uk with the expiry date in 6 days. I guess I must have created the myservice host name during my many attempts of obtaining a certificate before landing on the wildcard version which ultimatley registerd correctly in TrueNAS Scale.