Let's Encrypt SSL Certificate Idiot's Guide

ManOnaMower
New here
Posts: 8
Joined: Tue Aug 25, 2015 1:24 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by ManOnaMower »

Thanks goliash!!
rootca.pem worked for me. Had issues after the "Let's Encrypt root cert expiring" fiasco.

Spent 2+ hours troubleshooting. Fixed in 2 min after reading this.

Edit adding more detail ---------------------------------------------------

Followed goliash's post, except used WinSCP or MobaXterm to SFTP to my QNAP. Drag/Dropped the newly downloaded rootca.pem and overwrote /etc/ssl/certs/rootca.pem
If you encounter a failure to install or renew the myQNAPcloud or Let's Encrypt SSL certificate on QTS 5.0.0.1785 build 20210908, this can be resolved in a subsequent QTS version, or you can use the steps below to fix it manually:
1. download the rootca.pem file and upload it to the NAS Public folder on your NAS.
2. connect to the NAS via ssh (steps to access ssh can be found here).
3. issue the below command to overwrite the original rootca.pem file on your NAS:
cp /share/Public/rootca.pem /etc/ssl/certs/
Once this is done, you should be able to install the SSL certificate successfully.
wizk1
New here
Posts: 7
Joined: Wed Jul 17, 2013 4:28 pm
Location: Manchester, UK

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by wizk1 »

It seems the latest firmware update includes a new rootca.pem as I managed to renew my certificate through the GUI after upgrading (I couldn’t before).
Joop1234
First post
Posts: 1
Joined: Sat Apr 19, 2014 12:10 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Joop1234 »

Thanks, worked for me as well.
Also on QTS 4.3.4.1652
Ecliptics
First post
Posts: 1
Joined: Mon Jan 03, 2022 4:51 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Ecliptics »

sturmth wrote: Sat Jul 03, 2021 7:49 pm I had a lot of problems to manage step 6 of the tutorial. Every time the QTS told me that I should open port 80 and 443 on the NAS and the router. But everything was done. I tested it!

The problem was the directory ".well-known" which was existent from my formerly used SSL certificate from Zero SSL. You must delete it completely in the web server directory. It can be done with WinSCP and login with admin rights.
Don't worry if the system throws the error "Failed to validate intermediate Certificate". Let the machine work for some minutes. It takes long but it succeeds. I had another problem after this was done. The https port of the webserver was reset to 8081. Manually set it to 443 and everything runs fine.
Thank you very much for this. Deleting the .well-known folder solved my problem.
gatus
Starting out
Posts: 23
Joined: Tue Dec 31, 2019 9:09 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by gatus »

dolbyman wrote: Thu Jun 24, 2021 3:29 am If you want a tip .. DO NOT EXPOSE YOUR QNAP QTS INTERFACE TO WAN ... SSL encryption will do nothing to prevent your NAS from getting hacked
Hummm... internet itself is a WAN. The NAS usage for some users is to be used as a "cloud" service. It will need to be accessible from "anywhere", therefore, prone to attacks.
Or by WAN do you mean the myQNAPcloud thing, or even the qlink.to? If you meant those QNAP solutions, I totally understand. If not, could you explain a little more?
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by dolbyman »

Any usage where ports are forwarded from WAN (internet) directly to your NAS is what I meant. It does not matter if QNAP DDNS is used or not, the attack vector is the same (direct exposure). Cloudlink relay works differently, so it is not part of that warning.

By advertising NAS units as "private cloud" QNAP has created that issue...now many folks had a very bad time finding all their files held for ransom (malware)
swstiffl
First post
Posts: 1
Joined: Wed May 07, 2014 3:52 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by swstiffl »

Thanks for the discussion and warnings towards the exposure of QNAP to the internet. I removed my NAS from WAN after I observed an attack last year.

Now, however, I face the same issue with the SSL certificate. Chrome doesn't open the website anymore. At least in Safari I can still access it. So I'm now trying to get a somehow generated certificate added to my NAS. Does anyone have instructions, how to obtain this w/o exposing my NAS even a single minute to the WAN?

Thanks!
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by dolbyman »

you can always switch to http..no need for https in your private LAN
anjoco
New here
Posts: 3
Joined: Thu Dec 17, 2009 3:27 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by anjoco »

For my part, I solved this problem in a general way:

https://anjoco.ch/forum/viewtopic.php?t=1013

And so if the renewal of the certificate does not work 10 days before the expiry every 3 months I do this and it works:

https://anjoco.ch/forum/viewtopic.php?p=2508#p2508
Bruce67
New here
Posts: 7
Joined: Tue Oct 19, 2021 10:16 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Bruce67 »

FYI - Changes to Let's Encrypt now Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs
https://community.letsencrypt.org/t/rej ... =bruce5051
https://community.letsencrypt.org/t/ema ... =bruce5051
Bruce67
New here
Posts: 7
Joined: Tue Oct 19, 2021 10:16 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Bruce67 »

Answers to common issues seen on https://community.letsencrypt.org/

Certificates for localhost
https://letsencrypt.org/docs/certificat ... localhost/

Best Practice - Keep Port 80 Open
https://letsencrypt.org/docs/allow-port-80/

Rate Limits
https://letsencrypt.org/docs/rate-limits/

Staging Environment
https://letsencrypt.org/docs/staging-environment/

Multi-Perspective Validation Improves Domain Validation Security
https://letsencrypt.org/2020/02/19/mult ... ation.html

What IP addresses does Let’s Encrypt use to validate my web server?
https://letsencrypt.org/docs/faq/#what- ... web-server
ukez
Know my way around
Posts: 222
Joined: Sat Jul 19, 2008 5:08 am
Location: Some Really Seedy Brothel

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by ukez »

Has anyone done any YouTube videos for the recommended installation method for Let's Encrypt being installed on QNAPs?
Before you criticise a man walk a mile in his shoes, that way if he's angry he's a mile away and barefoot.
gcstang
Starting out
Posts: 16
Joined: Sat Jun 27, 2020 4:31 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by gcstang »

Here is how I use my own LE Cert, you may want to auto-renew but I'm not sure how to do that on a QNAP (Yet!)

Use docker to retrieve your certificate, I use the wildcard one and use the DNS Challenge in order to not open any ports on my firewall directly to the NAS.
ssh into your nas as root
mkdir cert
docker run -v /root/cert:/etc/letsencrypt/archive -it certbot/certbot certonly --preferred-challenges dns --manual
(Answer prompts)
For the domain I use a wildcard i.e. *.mydomain.com

Your certs will end up in ~/cert/mydomain.com
cd cert/mydomain.com/

Now create a single pem file using cat with the stunnel.pem name
cat fullchain1.pem privkey1.pem > stunnel.pem

Copy the file into place
cp stunnel.pem /etc/stunnel/stunnel.pem

Restart the Service
/etc/init.d/stunnel.sh stop && /etc/init.d/stunnel.sh start

You can see if it took effect by logging into your QNAP
> Control Panel > Security
Click on "SSL Certificate & Private Key"

You should see your domain name under alternative name along with its expiration
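The copy into /etc/stunnel/stunnel.pem described in the post above replaces the file the NAS serves TLS from, and that file holds the private key. The following is an added example, not part of gcstang's post or of QNAP's tooling: it checks that the certificate and key in the combined file belong together and that the certificate is not about to expire, keeps a backup, and installs the file with mode 600. The function names are this example's own, and it assumes an `openssl` binary is available on the machine where it runs.

```shell
#!/bin/sh
# Added example: sanity-check a combined cert+key PEM before it replaces
# /etc/stunnel/stunnel.pem. Function names are this example's own.

# Succeeds only if the first certificate and the private key in FILE
# carry the same public key; returns 2 if either cannot be read.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the first certificate in FILE is still valid SECONDS from now.
pem_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Validate SRC, back up DEST if it exists, then install SRC as DEST (mode 600).
# DEST is only replaced after every check has passed.
install_pem() {
    src=$1; dest=$2
    pem_key_matches_cert "$src" || { echo "key/cert mismatch: $src" >&2; return 1; }
    pem_valid_for "$src" 86400 || { echo "certificate expires within a day" >&2; return 1; }
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi
    tmp="$dest.new.$$"
    # Create the copy with a restrictive umask so the key is never world-readable.
    ( umask 077; cp "$src" "$tmp" ) && chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# Usage on the NAS, with the paths from the post above:
#   install_pem stunnel.pem /etc/stunnel/stunnel.pem
```
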
koenth
Starting out
Posts: 21
Joined: Sat Nov 15, 2014 7:58 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by koenth »

Joop1234 wrote: Sat Nov 13, 2021 5:55 am Thanks, worked for me as well.
Also on QTS 4.3.4.1652
I tried this also on my QNAP-869-Pro, QTS 4.3.4.2451
If you encounter a failure to install or renew the myQNAPcloud or Let's Encrypt SSL certificate on QTS 5.0.0.1785 build 20210908, this can be resolved in a subsequent QTS version, or you can use the steps below to fix it manually:
1. download the rootca.pem file and upload it to the NAS Public folder on your NAS.
2. connect to the NAS via ssh (steps to access ssh can be found here).
https://www.qnap.com/en/how-to/faq/arti ... -using-ssh
3. issue the below command to overwrite the original rootca.pem file on your NAS:
cp /share/Public/rootca.pem /etc/ssl/certs/
Once this is done, you should be able to install the SSL certificate successfully.
The copy of the rootca.pem file is OK but how can I know if it works now?
The application that gave problems still gives problems and said I need to ask support here.

Doing this https://docs.qnap.com/operating-system/ ... 64956.html
is not possible because I don't have an import certificate function.

Why so much hassle and not fix this in a firmware update?
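The rootca.pem steps quoted in several posts above overwrite the CA bundle the NAS trusts, so it is worth looking at what a downloaded file contains before copying it to /etc/ssl/certs/, and again afterwards to confirm the copy took. The following is an added example, not from any poster or from QNAP: it splits a bundle into its certificates, prints each one's expiry and subject, and fails if the bundle is empty or any certificate expires within a chosen window. The function names are this example's own, and it assumes `openssl`, `awk` and `mktemp` are available where it runs.

```shell
#!/bin/sh
# Added example: list every certificate in a CA bundle and flag those
# that are expired or close to expiry. Function names are this example's own.

# Split BUNDLE into one file per certificate under OUTDIR (cert-1.pem, ...).
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Print "STATUS  notAfter  subject" for each certificate in BUNDLE.
# Exit status is non-zero if the bundle holds no certificates or if any
# certificate expires within WINDOW seconds (0 means already expired).
audit_bundle() {
    bundle=$1; window=${2:-0}
    work=$(mktemp -d) || return 2
    split_bundle "$bundle" "$work"
    bad=0; total=0
    for c in "$work"/cert-*.pem; do
        [ -f "$c" ] || continue
        total=$((total + 1))
        if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRING; bad=$((bad + 1))
        fi
        end=$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)
        subj=$(openssl x509 -in "$c" -noout -subject)
        printf '%-8s %s  %s\n' "$status" "$end" "$subj"
    done
    rm -rf "$work"
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage, with the paths from the steps above:
#   audit_bundle /share/Public/rootca.pem      # the downloaded file
#   audit_bundle /etc/ssl/certs/rootca.pem     # the installed bundle
```
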