Looking for some help with SSL Certificate from StartSSL

Discussion on setting up QNAP NAS products.
ampapa
Know my way around
Posts: 126
Joined: Sat Dec 03, 2011 7:47 am

Post by ampapa »

I've read a few of the posts on the forum but I'm not having much success with getting SSL set up on my Qnap 219.

I have a private_key (PK) from StartSSL that I have decrypted since I understand the qnap can't use the password encoded.

After which, I've tried using the decoded PK and ca.pem from StartSSL and got locked out of the QNAP.

Do I also need the intermediate key? What am I missing here...???

I'm a bit green to getting this working so hopefully someone can shed some light on the subject.

ampapa,
ampapa
Know my way around
Posts: 126
Joined: Sat Dec 03, 2011 7:47 am

Re: Looking for some help with SSL Certificate from StartSSL

Post by ampapa »

No one has any suggestions on how to get this to work?
forkless
Experience counts
Posts: 1907
Joined: Mon Nov 23, 2009 6:52 am
Location: The Netherlands

Re: Looking for some help with SSL Certificate from StartSSL

Post by forkless »

In most instances you will need the Class 1 Intermediate Server CA, it depends a bit on the type of SSL certificate you got from them.
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Looking for some help with SSL Certificate from StartSSL

Post by schumaku »

ampapa wrote: After which, I've tried using the decoded PK and ca.pem from StartSSL and got locked out of the QNAP.
In this case, something went definitely wrong. No access by http on 8080/TCP (by default)?
ampapa wrote: Do I also need the intermediate key?
Some browsers can be picky - but would not prohibit the access typically, so this would not lock you off the NAS. Of course, for best results, import all chain certificates, too. Your certificate vendor must be able to communicate transparently which certificate chain is used for your certificate.
ampapa
Know my way around
Posts: 126
Joined: Sat Dec 03, 2011 7:47 am

Re: Looking for some help with SSL Certificate from StartSSL

Post by ampapa »

Thanks for the replies, I think I finally got it working by getting a sub.class1.server cert since my URL for my QNAP is 'subdomain.domain.com'... whereas I originally was using the 'domain.com' cert and trying to get it going that way.

If my URL had been 'domain.com' would I only have needed to populate the Private Key and the Certificate and I could have left the Intermediate Certificate blank? I'm trying to understand the Intermediate Certificate requirement...

Also, if my websites on the QNAP are of the format 'subdomain.domain.com/website1', 'subdomain.domain.com/website2', 'subdomain.domain.com/website3', etc. since the QNAP is SSL will all of the sites need an individual cert or will they use the cert for 'subdomain.domain.com'? I hope that makes sense...

ampapa,
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: Looking for some help with SSL Certificate from StartSSL

Post by pwilson »

ampapa wrote: Thanks for the replies, I think I finally got it working by getting a sub.class1.server cert since my URL for my QNAP is 'subdomain.domain.com'... whereas I originally was using the 'domain.com' cert and trying to get it going that way.

If my URL had been 'domain.com' would I only have needed to populate the Private Key and the Certificate and I could have left the Intermediate Certificate blank? I'm trying to understand the Intermediate Certificate requirement...

Also, if my websites on the QNAP are of the format 'subdomain.domain.com/website1', 'subdomain.domain.com/website2', 'subdomain.domain.com/website3', etc. since the QNAP is SSL will all of the sites need an individual cert or will they use the cert for 'subdomain.domain.com'? I hope that makes sense...

ampapa,
That depends on whether or not you coughed up the extra cash for a "wildcard" certificate. They are quite expensive with most (if not all) CAs, so you probably did not purchase one.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: Looking for some help with SSL Certificate from StartSSL

Post by pwilson »

Idlewizard wrote:What you see in the URL between https:// and the next / has to be on the certificate exactly, unless the certificate is a wildcard certificate (as pwilson notes).
@Idlewizard: Please feel free to call me "Patrick". (My username is "pwilson", but I am more than happy to answer to "Patrick"; even my Rabbi calls me "Patrick").

Patrick.

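The matching rule quoted from Idlewizard above, as an added example that is not part of the original thread: only the host between https:// and the next / is compared with the names on the certificate, so paths and ports never matter. The certificate name lists are constructed from the thread's placeholder domains, and the one-label wildcard rule is the conventional browser behaviour, assumed here rather than stated in the thread.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Host part of a URL: what sits between https:// and the next / (port dropped)."""
    return (urlsplit(url).hostname or "").lower()

def name_matches(cert_name, host):
    """Compare one certificate DNS name with a host, label by label."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False          # a wildcard never spans more or fewer labels
    if pattern[0] == "*" and len(pattern) >= 3:
        return labels[0] != "" and pattern[1:] == labels[1:]
    return pattern == labels  # no wildcard: exact match only

def cert_covers(cert_names, url):
    """True if any name on the certificate matches the URL's host."""
    host = host_of(url)
    return bool(host) and any(name_matches(n, host) for n in cert_names)

# Constructed certificate name lists, using the thread's placeholder domains.
CERTS = {
    "base-domain cert": ["domain.com"],
    "subdomain cert": ["subdomain.domain.com"],
    "wildcard cert": ["*.domain.com"],
}
URLS = [
    "https://domain.com/",
    "https://subdomain.domain.com/website1",
    "https://subdomain.domain.com:8081/website2",
    "https://a.subdomain.domain.com/",
]

def coverage_table():
    """Map each (certificate, URL) pair to whether the name check passes."""
    return {(label, url): cert_covers(names, url)
            for label, names in CERTS.items() for url in URLS}

if __name__ == "__main__":
    for (label, url), ok in coverage_table().items():
        print(f"{label:17} {url:45} {'match' if ok else 'NAME MISMATCH'}")
```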
ampapa
Know my way around
Posts: 126
Joined: Sat Dec 03, 2011 7:47 am

Re: Looking for some help with SSL Certificate from StartSSL

Post by ampapa »

Thanks for the great info.

I wrote a bit on setting up the QNAP on my blog that is now SSL enabled...

https://qnap.hostingky.com/WordPress/

ampapa,
howardjnl
New here
Posts: 8
Joined: Fri Jun 12, 2015 6:17 am

Re: Looking for some help with SSL Certificate from StartSSL

Post by howardjnl »

Beating a nearly dead horse, but I'm having trouble with getting SSL to work on my TS-231 with version 4.2. I'm a new QNAP user.
I've followed the procedure described in https://qnap.hostingky.com/WordPress/?p=114 and have successfully uploaded the key and certificates. I'm using Zonedit for DDNS, port 8080 for http and port 8081 for https to access the system admin page. My router is set up with port forwarding rules to point these ports at my TS-231 using NAS1.mydomain.us . I've made sure Norton Security has the ports open both ways on my Windows 10 workstation. I've enabled SSL connectivity to the admin page and left regular http "on" as well. I've not manually imported any keys into my workstation browser (Chrome), but StartSSL did install one to authenticate my account and permit access to their site. I have a Windows IIS server already set up and working on the same network here at my home using SSL.
I can connect to http://NAS1.mydomain.us:8080 just fine, but connection to https://NAS1.mydomain.us:8081 fails with error connection refused. I've run through the setup process multiple times and have referred to many postings about SSL setup upon this site and others and cannot shake this error type.
I've resisted posting anything on this site until after I've reviewed everything I could find here about possible issues and solutions, but I've finally reached the point where I'm pulling out my last few hairs. I could use some advice/help in making sure I've done things correctly (evidently I haven't). I'm Linux illiterate, unfortunately.
John
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Looking for some help with SSL Certificate from StartSSL

Post by schumaku »

howardjnl wrote: I can connect to http://NAS1.mydomain.us:8080 just fine, but connection to https://NAS1.mydomain.us:8081 fails with error connection refused.
Connection refused might have other reasons - like the https server not working, or not listening on port 8081 for example.

On the LAN, can you reach the NAS using the LAN IP address, and these two ports - like http://192.168.12.34:8080/ and https://192.168.12.34:8081/ ? If this works, and you see the expected certificate warning (not matching URL et al.), and the StartSSL certificate is shown when checking the https details - things are fine on the NAS side.

Double checked the port 8081/TCP is (manually or by UPnP IGD) forwarded to the NAS LAN IP address - and not another system on the LAN?
howardjnl wrote: I've made sure Norton Security has the ports open both ways on my Windows 10 workstation.
Have you really configured firewall limitations for outgoing connections, from the Windows system to the outside world? Mind you - you are connecting from the Windows system to the IP address resolved by NAS1.mydomain.us on the relevant port.
howardjnl wrote: I've not manually imported any keys into my workstation browser (Chrome), ...
That's not required at all.
howardjnl wrote:...but StartSSL did install one to authenticate my account and permit access to their site.
This is an automatically installed client auth certificate - the QNAP NAS does not have the feature set required to automatically authenticate cert auth sessions.

Regards,
-Kurt.
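The layer split described in the reply above, as an added example that is not part of the original thread: "connection refused" is decided at TCP, before any certificate is exchanged, while a certificate warning means the HTTPS server is already answering. The result labels, hint texts and function names are hypothetical, and the demo uses an unused local port so it runs offline.

```python
import socket
import ssl

# Hypothetical result labels and hints, chosen for this example.
HINTS = {
    "tcp-refused": "nothing listens on that port, or the forward targets another host",
    "tcp-timeout": "packets are dropped on the way (firewall, missing port forward)",
    "tcp-error": "name did not resolve or the network is unreachable",
    "tls-failed": "port is open but does not complete a TLS handshake",
    "cert-rejected": "HTTPS server is up; the name or chain on the certificate is the issue",
    "ok": "TCP, TLS and certificate validation all succeeded",
}

def diagnose(host, port, timeout=5.0):
    """Return the layer at which a connection to host:port fails, or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-refused"
    except socket.timeout:
        return "tcp-timeout"
    except OSError:
        return "tcp-error"
    ctx = ssl.create_default_context()      # verifies chain and host name
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "cert-rejected"
    except (ssl.SSLError, OSError):
        return "tls-failed"

def closed_local_port():
    """Bind an ephemeral port and release it, so nothing is listening there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    # Offline demo: a port with no listener behaves like the refused 8081 in the thread.
    result = diagnose("127.0.0.1", closed_local_port())
    print(result, "->", HINTS[result])
```

Running `diagnose` against the NAS's LAN address and then against the public name separates a NAS-side problem from a router-side one.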
howardjnl
New here
Posts: 8
Joined: Fri Jun 12, 2015 6:17 am

Re: Looking for some help with SSL Certificate from StartSSL

Post by howardjnl »

Kurt, Thanks very much for sharing your time and brain cells to respond to me on this.
1. When I use the internal LAN network address http://192.168.1.50:8081 I do indeed get an error because I did not use the full domain name. So, as you said, sounds like the NAS1 SSL stuff is basically working. And yes, I've checked and re-checked the port 8081 forwarding rule and port forward assignment to the static internal address of the QNAP box.
2. Norton has a selection of allowing a port in, out, or both ways from/to certain or computers. I've set the Norton workstation firewall to permit both ways to/from any.
Note that the details of Chrome's https connection error begins with:
"Google Chrome's connection attempt to nas1.xxxxxxxx.us was rejected. The website may be down, or your network may not be properly configured.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using."
This is why I keep rechecking the router settings.
John
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Looking for some help with SSL Certificate from StartSSL

Post by schumaku »

Ok John, let's continue. I missed asking this before: Are you trying to access https://NAS1.mydomain.us:8081/ from the LAN? The majority of home/SOHO routers don't allow connecting from the LAN subnet to the router's public IP address, with a port forwarded to the LAN IP subnet again.

Check if your router does allow what is typically named NAT loopback (and whether this can be enabled) - alternatively, please try https://NAS1.mydomain.us:8081/ from your mobile phone (not using the local WLAN) or from another Internet connection.
howardjnl wrote: 2. Norton has a selection of allowing a port in, out, or both ways from/to certain or computers. I've set the Norton workstation firewall to permit both ways to/from any.
...off topic here: One of these overkill firewall software in my opinion - on your own.
howardjnl
New here
Posts: 8
Joined: Fri Jun 12, 2015 6:17 am

Re: Looking for some help with SSL Certificate from StartSSL

Post by howardjnl »

Okay! Set up local host name on my router to nas1.mydomain.us and connected to https://nas1.mydomain.us:8081. Excellent! I'd forgotten all about this since setting up my other web server. Thanks for jogging the old memory cells.
I've not been able to verify this works properly from outside yet; my cell phone connection from my house is really poor. I'll have to try it when I next go to a better location.
Thank you very much, Kurt! I really appreciate it.
John