SSL Certificate

Post your questions about myQNAPcloud service here.
djkprojects
Starting out
Posts: 25
Joined: Thu Jun 09, 2016 2:54 pm

SSL Certificate

Postby djkprojects » Sat Aug 05, 2017 10:04 pm

Hello,

I want to start using SSL cert to secure my QNAP server so I could only access the QTS via https, SFTP instead of FTP etc. but I'm a bit confused as to what certificate I need for what. When I go to Control Panel --> Security --> Certificate & private Key it states that I already have a cert (not sure if that came as part of the bundle when buying my server):

Screen Shot 2017-08-05 at 14.55.24.png


Then there is some mention of SSL for myQNapCloud. it's very confusing for me.

Can someone please advise ? Thanks
You do not have the required permissions to view the files attached to this post.

djkprojects
Starting out
Posts: 25
Joined: Thu Jun 09, 2016 2:54 pm

Re: SSL Certificate

Postby djkprojects » Tue Aug 08, 2017 3:37 am

nobody knows?

User avatar
schumaku
Guru
Posts: 42528
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: SSL Certificate

Postby schumaku » Tue Aug 08, 2017 4:01 am

There is nothing that stops you from using https, ftpes (this is the secured ftp ... sftp is ssh...) - regardless of using the factory default certificate (with a public key probably shared by many similar NAS), with a self-signed certificate, ...

Beyond, it depends what you have (ie, an own domain, own or SAS based DNS), a well known DDNS name of a DDNS service you need to retain, ...

brucepham
First post
Posts: 1
Joined: Tue Aug 08, 2017 11:21 am

Re: SSL Certificate

Postby brucepham » Tue Aug 08, 2017 11:39 am

I got the same problem next year, I called to Qnap provider in town, they come and left without any solution.
Finally I managed to tweak and made it work. But Frankly, hard to remember what I have done, too many tweaks! :(
Good luck bro.
Run a web application development company in Vietnam, see more: https://www.saigontechnology.vn/services/web-application-development-services, Bruce strives to deliver successful projects to customers on all over the world.

djkprojects
Starting out
Posts: 25
Joined: Thu Jun 09, 2016 2:54 pm

Re: SSL Certificate

Postby djkprojects » Fri Aug 11, 2017 9:22 pm

schumaku wrote:There is nothing that stops you from using https, ftpes (this is the secured ftp ... sftp is ssh...) - regardless of using the factory default certificate (with a public key probably shared by many similar NAS), with a self-signed certificate, ...

Beyond, it depends what you have (ie, an own domain, own or SAS based DNS), a well known DDNS name of a DDNS service you need to retain, ...


Hi schumaku,

Yes, I'm aware of the self cigned certificate option however my question is more around which cert I need for what e.g. what is the certificate I have on the screen in my first post for ?

How will self signed cert work with CloudLink/DDNS when connecting to my NAS remotely ? Won't the handshake fail ?

Thanks

User avatar
schumaku
Guru
Posts: 42528
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: SSL Certificate

Postby schumaku » Sat Aug 12, 2017 3:18 pm

There is only once user installable certificate. On a new installed system, there is a factory default certificate in place. The certificate is used for https, ssh/sftp, ftpes, ... for both QTS and the Web Server Service.

djkprojects wrote:How will self signed cert work with CloudLink/DDNS when connecting to my NAS remotely ?
CloudLink is using a complete different technology, the user installable certificate is not involved. The very same certificate is used regardless from where the NAS is accessed directly.

djkprojects wrote:Won't the handshake fail ?
The handshake won't fail, the session can be established. Of course, ie. a browser won't show an "light" green indication when the name does not match, when a elf-signed certificate is used (except when imported to and forced "trusted" the browser of course).

djkprojects
Starting out
Posts: 25
Joined: Thu Jun 09, 2016 2:54 pm

Re: SSL Certificate

Postby djkprojects » Sat Aug 12, 2017 5:14 pm

Hi schumaku,

Thanks for your reply.

Do I understand correctly then that the cert that came with the NAS (the one on the screen I shared) is for accessing NAS SFTP, SSH and the Web server directly (if enabled) and the Cert QNap are selling is for accessing NAS via CloudLink ?

Thanks

djkprojects
Starting out
Posts: 25
Joined: Thu Jun 09, 2016 2:54 pm

Re: SSL Certificate

Postby djkprojects » Mon Aug 14, 2017 6:10 am

Hello,

Could someone please advise if my understanding of the Certs is correct? Just want to make sure that I'm not making a mistake when purchasing one from QNap :)

Thanks

User avatar
schumaku
Guru
Posts: 42528
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: SSL Certificate

Postby schumaku » Mon Aug 14, 2017 7:40 pm

Then buying a certificate, it depends on what name or URL you want to access the NAS:

The QNAP Certificate is signed for using [yournasname].myqnapcloud.com (this is unrelated to CloudLink at all).

Other generic certificate providers allow providing whatever.domain.name ... this requires you have you own domain name, a DNS server in the Internet serving the name to IP address (A records for IPv4 address and AAAA records for IPv6 address) and in case the Internet connection does provide a dynamic, not fix assigned IPv4 (and/or IPV6 prefix) the update mechanism must be in place, too.

Let's Encrypt does allow "any" names registered, no need to proof the domain ownership, just that the server is owned/managed by you and holding the Let's Encrypt code to validate. As this was and is massively abused, many bigger businesses to no longer trusting in this provider - they force any validation to failed.

Last but not least - only one certificate can be installed, its used for all services.

Unless you need to show a higher trust to the users accessing your NAS, you can still keep operating it on a self-signed certificate.

djkprojects
Starting out
Posts: 25
Joined: Thu Jun 09, 2016 2:54 pm

Re: SSL Certificate

Postby djkprojects » Tue Aug 15, 2017 5:42 am

schumaku wrote:Then buying a certificate, it depends on what name or URL you want to access the NAS:

The QNAP Certificate is signed for using [yournasname].myqnapcloud.com (this is unrelated to CloudLink at all).

Other generic certificate providers allow providing whatever.domain.name ... this requires you have you own domain name, a DNS server in the Internet serving the name to IP address (A records for IPv4 address and AAAA records for IPv6 address) and in case the Internet connection does provide a dynamic, not fix assigned IPv4 (and/or IPV6 prefix) the update mechanism must be in place, too.

Let's Encrypt does allow "any" names registered, no need to proof the domain ownership, just that the server is owned/managed by you and holding the Let's Encrypt code to validate. As this was and is massively abused, many bigger businesses to no longer trusting in this provider - they force any validation to failed.

Last but not least - only one certificate can be installed, its used for all services.

Unless you need to show a higher trust to the users accessing your NAS, you can still keep operating it on a self-signed certificate.


I'm not sure I follow. If [username].myqnapcloud.com has nothing to do with Cloudlink then how does this subdomain get resolved to my home network public IP. Is it not what CloudLink + DDNS are for?

I'm not looking for my own domain that would be pointing to my public IP, this I could do with any domain provider, in fact I own a few domains already.

I'm going to explore Let's Encrypt which is now available directly from QTS.

Thanks


Sent from my iPhone using Tapatalk

User avatar
schumaku
Guru
Posts: 42528
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: SSL Certificate

Postby schumaku » Wed Aug 23, 2017 4:23 am

djkprojects wrote:I'm not sure I follow. If [username].myqnapcloud.com has nothing to do with Cloudlink then how does this subdomain get resolved to my home network public IP. Is it not what CloudLink + DDNS are for?
No, nothing ... completely unrelated: CloudLink does not need any DDNS, any port forwarding, .... CloudLink is a connection initialised by the NAS to a QNAP cloud infrastructure. And you access it via the http://www.myqnapcloud.com Web server on the QNAP cloud infrastructure, the CloudLink enabled Apps do the very same. And for the QNAP http://www.myqnapcloud.com infrastructure there are valid certificates in place.

When establishing a direct connection to the DDNS name like [whatever].myqnapcloud.com over a pot forwarding if a NAT router is in place it's a different story - now you need a certificate signed for [whatever].myqnapcloud.com - issued by the QNAP offering, or by a CA not requiring the same trust levels, for example Let's Encrypt.

Start with some reading on myQNAPcloud and CloudLinkk -> https://support.myqnapcloud.com/features?lang=en

User avatar
jameshenderson
Starting out
Posts: 14
Joined: Sat Jul 09, 2011 9:48 am

Re: SSL Certificate

Postby jameshenderson » Tue Sep 12, 2017 11:23 pm

djkprojects wrote:
schumaku wrote:I'm going to explore Let's Encrypt which is now available directly from QTS.


How did it go? ...I didn't want to download a Lets Encrypt certificate without knowing that the NAS can auto-renew it every 90 days.
    TS-453Bmini + 4x 4TB Western Digital Reds (RAID5) - Plex Media Server
    TS-410 + 4x 2TB Seagate Barracuda (RAID 5) - RTRR server


Return to “myQNAPcloud service”

Who is online

Users browsing this forum: No registered users and 3 guests