Looking for some help with SSL Certificate from StartSSL
-
- Know my way around
- Posts: 126
- Joined: Sat Dec 03, 2011 7:47 am
Looking for some help with SSL Certificate from StartSSL
I've read a few of the posts on the forum but I'm not having much success with getting SSL setup on my Qnap 219.
I have a private_key (PK) from StartSSL that I have decrypted since I understand the qnap can't use the password encoded.
After which, I've tried using the decoded PK and ca.pem from StartSSL and got locked out of the QNAP.
Do I also need the intermediate key? What am I missing here...???
I'm a bit green to getting this working so hopefully someone can shed some light on the subject.
ampapa,
-
- Know my way around
- Posts: 126
- Joined: Sat Dec 03, 2011 7:47 am
Re: Looking for some help with SSL Certificate from StartSSL
No one has any suggestions on how to get this to work?
- forkless
- Experience counts
- Posts: 1907
- Joined: Mon Nov 23, 2009 6:52 am
- Location: The Netherlands
Re: Looking for some help with SSL Certificate from StartSSL
In most instances you will need the Class 1 Intermediate Server CA, it depends a bit on the type of SSL certificate you got from them.
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: Looking for some help with SSL Certificate from StartSSL
ampapa wrote: After which, I've tried using the decoded PK and ca.pem from StartSSL and got locked out of the QNAP.
In this case, something went definitively wrong. No access by http on 8080/TCP (by default)?
ampapa wrote: Do I also need the intermediate key?
Some browsers can be picky - but would not prohibit the access typically, so this would not lock you off the NAS. Of course, for best results, import all chain certificates, too. Your certificate vendor must be able to communicate transparently which certificate chain is used for your certificate.
-
- Know my way around
- Posts: 126
- Joined: Sat Dec 03, 2011 7:47 am
Re: Looking for some help with SSL Certificate from StartSSL
Thanks for the replies, I think I finally got it working by getting a sub.class1.server cert since my URL for my QNAP is 'subdomain.domain.com'... whereas I originally was using the 'domain.com' cert and trying to get it going that way.
If my URL had been 'domain.com' would I only have needed to populate the Private Key and the Certificate and I could have left the Intermediate Certificate blank? I'm trying to understand the Intermediate Certificate requirement...
Also, if my websites on the QNAP are of the format 'subdomain.domain.com/website1', 'subdomain.domain.com/website2', 'subdomain.domain.com/website3', etc. since the QNAP is SSL will all of the sites need an individual cert or will they use the cert for 'subdomain.domain.com'? I hope that makes sense...
ampapa,
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: Looking for some help with SSL Certificate from StartSSL
ampapa wrote: Thanks for the replies, I think I finally got it working by getting a sub.class1.server cert since my URL for my QNAP is 'subdomain.domain.com'... whereas I originally was using the 'domain.com' cert and trying to get it going that way.
If my URL had been 'domain.com' would I only have needed to populate the Private Key and the Certificate and I could have left the Intermediate Certificate blank? I'm trying to understand the Intermediate Certificate requirement...
Also, if my websites on the QNAP are of the format 'subdomain.domain.com/website1', 'subdomain.domain.com/website2', 'subdomain.domain.com/website3', etc. since the QNAP is SSL will all of the sites need an individual cert or will they use the cert for 'subdomain.domain.com'? I hope that makes sense...
ampapa,
That depends on whether or not you coughed up the extra cash for a "wildcard" certificate or not. They are quite expensive with most (if not all) CA's, so you probably did not purchase one.
Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: Looking for some help with SSL Certificate from StartSSL
Idlewizard wrote: What you see in the URL between https:// and the next / has to be on the certificate exactly, unless the certificate is a wildcard certificate (as pwilson notes).
@Idlewizard: Please feel free to call me "Patrick". (My username is "pwilson", but I am more than happy to answer to "Patrick"; even my Rabbi calls me "Patrick").
Patrick.
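Added example (not part of the original thread or any poster's code): the host-name rule quoted above, applied to the URLs discussed in this thread. The certificate name lists are constructed sample input, and the function names are this example's own.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Return the lowercase host part of a URL; port and path are dropped."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def name_matches(pattern, host):
    """Match one DNS name from a certificate against a host name.

    A leading "*." stands for exactly one label: "*.domain.com" covers
    "subdomain.domain.com" but not "domain.com" or "a.b.domain.com".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern or not host:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".domain.com"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]
        return bool(left) and "." not in left     # exactly one label
    return pattern == host


def cert_covers(url, cert_names):
    """True if any DNS name on the certificate matches the URL's host."""
    host = host_of(url)
    return any(name_matches(name, host) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample input: names a certificate might carry.
    single = ["subdomain.domain.com"]
    apex = ["domain.com"]
    wildcard = ["*.domain.com"]
    for url in ("https://subdomain.domain.com/website1",
                "https://subdomain.domain.com/website2",
                "https://domain.com/",
                "https://192.168.12.34:8081/"):
        print(url,
              "single:", cert_covers(url, single),
              "apex:", cert_covers(url, apex),
              "wildcard:", cert_covers(url, wildcard))
```

The path after the host plays no part in the match, so one certificate for 'subdomain.domain.com' serves every site under that host, while reaching the NAS by LAN IP address produces a name mismatch warning.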
-
- Know my way around
- Posts: 126
- Joined: Sat Dec 03, 2011 7:47 am
Re: Looking for some help with SSL Certificate from StartSSL
Thanks for the great info.
I wrote a bit on setting up the QNAP on my blog that is now SSL enabled...
https://qnap.hostingky.com/WordPress/
ampapa,
-
- New here
- Posts: 8
- Joined: Fri Jun 12, 2015 6:17 am
Re: Looking for some help with SSL Certificate from StartSSL
Beating a nearly dead horse, but I'm having trouble with getting SSL to work on my TS-231 with version 4.2. I'm a new QNAP user.
I've followed the procedure described in https://qnap.hostingky.com/WordPress/?p=114 and have successfully uploaded the key and certificates. I'm using Zonedit for DDNS, port 8080 for http and port 8081 for https to access the system admin page. My router is set up with port forwarding rules to point these ports at my TS-231 using NAS1.mydomain.us . I've made sure Norton Security has the ports open both works on my Windows 10 work station. I've enabled SSL connectivity to the admin page and left regular http "on" as well. I've not manually imported any keys into my workstation browser (Chrome), but StartSSL did install one to authenticate my account and permit access to their site. I have a Windows IIS server already set up and working on the same network here at my home using SSL.
I can connect to http://NAS1.mydomain.us:8080 just fine, but connection to https://NAS1.mydomain.us:8081 fails with error connection refused. I've run through the set up process multiple times and have referred to many postings about SSL setup upon this site and others and cannot shake this error type.
I've resisted posting anything on this site until after I've reviewed everything I could find here about possible issues and solutions, but I've finally reached the point where I'm pulling out my last few hairs. I could use some advice/help in making sure I've done things correctly (evidently I haven't). I'm Linux illiterate, unfortunately.
John
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: Looking for some help with SSL Certificate from StartSSL
howardjnl wrote: I can connect to http://NAS1.mydomain.us:8080 just fine, but connection to https://NAS1.mydomain.us:8081 fails with error connection refused.
Connection refused might have other reasons - like the https server not working, or not listening on port 8081 for example.
On the LAN, can you reach the NAS using the LAN IP address, and these two ports - like http://192.168.12.34:8080/ and https://192.168.12.34:8081/ ? If this works, and you will see the expected certificate warning (not matching URL et al), and the Start SSL certificate is shown when checking the https details - things are fine on the NAS side.
Double checked the port 8081/TCP is (manually or by UPnP IGD) forwarded to the NAS LAN IP address - and not another system on the LAN?
howardjnl wrote: I've made sure Norton Security has the ports open both works on my Windows 10 work station.
Really have configured firewall limitations for outgoing connections, from the Windows system to the outside world? Mind you - you are connecting from the Windows system to the IP address resolved by NAS1.mydomain.us on the relevant port.
howardjnl wrote: I've not manually imported any keys into my workstation browser (Chrome), ...
That's not required at all.
howardjnl wrote: ...but StartSSL did install one to authenticate my account and permit access to their site.
This is an automatically installed client auth certificate - the QNAP NAS does not have the feature set required to automatically authenticate cert auth sessions.
Regards,
-Kurt.
-
- New here
- Posts: 8
- Joined: Fri Jun 12, 2015 6:17 am
Re: Looking for some help with SSL Certificate from StartSSL
Kurt, Thanks very much for sharing your time and brain cells to respond to me on this.
1. When I use the internal LAN network address http://192.168.1.50:8081 I do indeed get an error because I did not use the full domain name. So, as you said, sounds like the NAS1 SSL stuff is basically working. And yes, I've checked and re-checked the port 8081 forwarding rule and port forward assignment to the static internal address of the QNAP box.
2. Norton has a selection of allowing a port in, out, or both ways from/to certain or computers. I've set the Norton workstation firewall to permit both ways to/from any.
Note that the details of Chrome's https connection error begins with:
"Google Chrome's connection attempt to nas1.xxxxxxxx.us was rejected. The website may be down, or your network may not be properly configured.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using."
This is why I keep rechecking the router settings.
John
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: Looking for some help with SSL Certificate from StartSSL
Ok John, let's continue. I've missed to ask this before: Are you trying to access https://NAS1.mydomain.us:8081/ from the LAN? Majority of home/SOHO routers don't allow to connect from the LAN subnet to the router public IP address, with a port forwarded to the LAN IP subnet again.
Check if your router does allow what is typically named NAT loopback (and this can be enabled) - alternate, please try https://NAS1.mydomain.us:8081/ from your mobile phone (not using the local WLAN) or from another Internet connection.
howardjnl wrote: 2. Norton has a selection of allowing a port in, out, or both ways from/to certain or computers. I've set the Norton workstation firewall to permit both ways to/from any.
...off topic here: One of these overkill firewall software in my opinion - on your own.
-
- New here
- Posts: 8
- Joined: Fri Jun 12, 2015 6:17 am
Re: Looking for some help with SSL Certificate from StartSSL
Okay! Set up local host name on my router to nas1.mydomain.us and connected to https://nas1.mydomain.us:8081. Excellent! I'd forgotten all about this since setting up my other web server. Thanks for jogging the old memory cells.
I've not been able to verify the works properly from outside yet, my cell phone connection from my house is really poor. I'll have to try it when I next go to a better location.
Thank you very much, Kurt! I really appreciate it.
John