SSL and Intermediate Certificates

Discussion on setting up QNAP NAS products.
pwnzicles
New here
Posts: 2
Joined: Tue Apr 17, 2012 10:13 am

SSL and Intermediate Certificates

Post by pwnzicles »

Hopefully this saves someone somewhere some time.

Proper SSL configuration requires three things: 1) a private key; 2) a server certificate; 3) an intermediate certificate. You'll generate the key yourself (there are tutorials about this all over the place), and you'll get the other two files from your SSL provider.

The QNAP admin GUI allows you to upload your private key and your server certificate, but there is no way to include the intermediate certificate -- http://en.wikipedia.org/wiki/Intermedia ... uthorities -- that tells browsers that your server is well and truly secure. Without this intermediate certificate installed, most browsers will show a warning when connecting to your QNAP that "the certificate publisher cannot be verified," or something to that effect.

To fix this, you'll need to manually edit the PEM file that the QNAP GUI writes your keys to. Here we go...
  1. Log into your server. I suggest using Putty -- http://www.chiark.greenend.org.uk/~sgta ... nload.html.
  2. Enter the following code exactly:

    vi /etc/stunnel/stunnel.pem
  3. You should see a wall of characters, mostly gibberish, looking something like this:

    -----BEGIN RSA PRIVATE KEY-----
    [characters]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
    The top half is, of course, your private key. The bottom half is your server certificate. QNAP pushes these together to make stunnel.pem when you use the GUI to upload your SSL information.
  4. Type "a" in Putty, which will allow you to edit this file. Navigate to the bottom, just under -----END CERTIFICATE-----.
  5. Copy the entire contents of your intermediate certificate (you'll need to open it in Notepad or some other text editor to do this), and paste them into your Putty window.
  6. You should now have a file that looks like this:

    -----BEGIN RSA PRIVATE KEY-----
    [characters]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
  7. To save the file, press Esc (which exits edit mode), then type ":wq!", which saves and quits.
  8. Restart stunnel with this command:

    /etc/init.d/stunnel.sh restart
That should be it. You can test by using any browser to navigate to your site, or just use any online certificate checker, such as http://www.digicert.com/help.
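
A layout check for the edited file, as an added example that is not part of the original post: it verifies the key / server certificate / intermediate order shown in step 6 and catches two paste problems (Windows line endings, and an END line fused to the next BEGIN). The function name `check_pem_bundle` and the sample files are constructed for illustration; on the NAS the function would be pointed at /etc/stunnel/stunnel.pem.

```shell
#!/bin/sh
# Added example: layout check for a stunnel-style PEM bundle.
# Expected order (from the post): private key, server cert, intermediate(s).
check_pem_bundle() {
    f=$1
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }
    # A paste from a Windows editor can leave carriage returns behind.
    if grep -q "$(printf '\r')" "$f"; then
        echo "FAIL: carriage returns (CRLF line endings) in $f"; return 1
    fi
    awk '
    /-----(BEGIN|END) [A-Z ]+-----/ && !/^-----(BEGIN|END) [A-Z ]+-----$/ {
        # e.g. END and BEGIN fused onto one line by a paste without a newline
        printf "FAIL: line %d: PEM boundary not alone on its line\n", NR
        bad = 1; next
    }
    /^-----BEGIN / {
        if (cur != "") { printf "FAIL: line %d: BEGIN inside %s\n", NR, cur; bad = 1 }
        cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
        order = order (cur ~ /PRIVATE KEY$/ ? "K" : (cur == "CERTIFICATE" ? "C" : "?"))
        next
    }
    /^-----END / {
        lbl = $0; sub(/^-----END /, "", lbl); sub(/-----$/, "", lbl)
        if (lbl != cur) { printf "FAIL: line %d: END %s without matching BEGIN\n", NR, lbl; bad = 1 }
        cur = ""; next
    }
    END {
        if (cur != "") { print "FAIL: unterminated " cur " block"; bad = 1 }
        if (order !~ /^KCC+$/) {
            print "FAIL: block order \"" order "\" (K=key, C=cert); want key, server cert, intermediate"
            bad = 1
        }
        if (!bad) print "OK: key followed by " (length(order) - 1) " certificates"
        exit bad + 0
    }' "$f"
}

# Constructed sample: placeholder bodies, not real key material.
pem_block() { printf '%s\n' "-----BEGIN $1-----" "QUJDRA==" "-----END $1-----"; }
demo=$(mktemp -d)
{ pem_block "RSA PRIVATE KEY"; pem_block CERTIFICATE; } > "$demo/before.pem"
{ cat "$demo/before.pem"; pem_block CERTIFICATE; } > "$demo/after.pem"
# Layout before step 5 (no intermediate) is reported as a failure.
check_pem_bundle "$demo/before.pem" || echo "(expected: intermediate not yet appended)"
# Layout after step 6 passes.
check_pem_bundle "$demo/after.pem"
```

This checks layout only; whether the pasted certificate is the right intermediate for the server certificate still has to be confirmed with a certificate checker as described above.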
ilkevinli
Starting out
Posts: 43
Joined: Thu Mar 22, 2012 1:24 am

Re: SSL and Intermediate Certificates

Post by ilkevinli »

I don't get any warnings when just using the Private and Server keys from my purchased certificate..
uploader789
New here
Posts: 2
Joined: Sat Jul 28, 2012 3:01 am

Re: SSL and Intermediate Certificates

Post by uploader789 »

not working on my qnap ts 119 p2 :(
alvoryx
Starting out
Posts: 28
Joined: Wed Oct 06, 2010 2:57 am

Re: SSL and Intermediate Certificates

Post by alvoryx »

you're the man, you saved my evening man.

without the intermediate, chrome and ie were working but not firefox.


for info, gandi.net offers for 12$ some SSL cert for 1 year

and there http://wiki.gandi.net/fr/ssl/intermediate you go for the intermediate key
ninio
New here
Posts: 5
Joined: Sun Nov 18, 2012 9:47 pm

Re: SSL and Intermediate Certificates

Post by ninio »

Hello, I'm trying to add the intermediate certificate, but following the procedure continues to give me problems; it seems that it is still not sent.
It does not pass the test at http://www.digicert.com/help: "The server is not sending the required intermediate certificate"
Is there a solution?
thanks
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: SSL and Intermediate Certificates

Post by schumaku »

Everybody saying this does not work should be aware this is changing the NAS Admin Web server, not the NAS Web server.

Keep searching - there are hacks provided in the forum to make Apache provide the intermediate certificate, too.
stemplar
Starting out
Posts: 11
Joined: Tue Dec 28, 2010 10:58 pm

Re: SSL and Intermediate Certificates

Post by stemplar »

Please continue reading at

http://forum.qnap.com/viewtopic.php?f=11&t=77658

stunnel.conf does not seem to be used anymore with QTS 4.0. But stunnel.sh and /etc/stunnel are used partially.