Lets Encrypt Port 80 issue

telepheedian
New here
Posts: 2
Joined: Tue Jul 19, 2016 11:25 am

Re: Lets Encrypt Port 80 issue

Postby telepheedian » Tue Jun 06, 2017 5:56 am

chapeaurouge wrote:Still not working for me, even with no alternative name, restoring to default and trying again.

Latest version of 4.3 at this time on an old TS412.


I was having this issue on a fresh install. The issue was that the QTS SSL Certificate app was improperly installed. Since it's part of the system, I couldn't uninstall it, either. I was able to fix it by downloading the package using the Download link on the App Center page for it, then manually installing the QPKG.

digiweb
Starting out
Posts: 22
Joined: Mon Jan 02, 2017 7:22 am

Re: Lets Encrypt Port 80 issue

Postby digiweb » Thu Jun 22, 2017 6:57 am

I was able to install the cert but I used a no-ip DDNS domain. And when I try to use https, the DDNS does not work. It only works when I'm not using https.
QNAP TS-231+ with 2 4TB HGST Deskstar NAS drives on RAID1

schumaku
Guru
Posts: 43512
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Lets Encrypt Port 80 issue

Postby schumaku » Thu Jun 22, 2017 10:54 pm

digiweb wrote:And when I try to use https, the DDNS does not work. It only works when I'm not using https.
Impossible. DDNS (well, DNS A records in general) create a relation from a name to an IP address.

snarf007
Starting out
Posts: 37
Joined: Sun Jan 16, 2011 6:47 am

Re: Lets Encrypt Port 80 issue

Postby snarf007 » Tue Jun 27, 2017 7:11 am

myjablonec wrote:I just spent several hours with QNAP developers and finally have a valid Let's Encrypt certificate with my own domain.
The developers tried to generate the cert many times with different settings in acme_tiny.py. Here is a summary of the code, which I got from the history and which worked for me to generate the cert again.

Code:

cd /mnt/ext/opt/QcloudSSLCertificate
rm -rf cert/
rm -rf data/
/etc/init.d/QcloudSSLCertificate.sh restart
curl "https://s3.amazonaws.com/anry-temp-data/acme_tiny.py" -o bin/acme-tiny/acme_tiny.py
rm -rf /share/Web/.well-known

After that go to Control panel -> Security -> Certificate & private key -> first Restore to default, after that Replace certificate -> Get from Let's Encrypt -> fill in domain name and email (doesn't work when I fill in an alternative name) -> if no error occurs, the certificate should be generated, so close the browser and reopen your NAS webgui with https.
Hope it will work for you too.


For me the above procedure worked to use my own domain. Only use the primary domain, no alternate domain names. Hope auto renewal works; there is a button with the message that it can be renewed 10 days before expiry.
Seems a new version of acme_tiny.py does this trick? Will it be part of a next firmware release?
Thanx!

itsmarcos
Know my way around
Posts: 226
Joined: Thu Sep 29, 2011 5:34 am

Re: Lets Encrypt Port 80 issue

Postby itsmarcos » Sun Jul 23, 2017 7:49 am

Hit this issue today. Following the steps on this thread I was still getting the same error.

Checked my firewall logs and noticed that IPv6 access to my QNAP (port 80) was (of course) blocked. After opening port 80 (only) everything worked. It looks like the Let's Encrypt CA is trying IPv6 first (correct) but it doesn't fall back to IPv4 if IPv6 fails. Opening 443 was not needed.

This closed ticket on GitHub resolves this issue at the CA.

In a nutshell, if you have IPv6 enabled on your network and you hit this error, a solution could be opening port 80 for the IPv6 address of your QNAP (possibly 443 as well).

Primary
QNAP TS-253B [4.3.4]
- disk 1: WDC Red WD60EFRX
- disk 2: WDC Red WD80EFZX
Backup
QNAP TS-219 P+ [4.3.3]
- disk 1: HGST Deskstar 7K3000 HDS723030ALA640 3TB
- disk 2: WDC Red WD40EFRX
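
A pre-flight check for the situation described in the post above, as an added example that is not part of the original thread: it resolves both the A and AAAA records of the certificate hostname and reports every published address that does not accept a TCP connection on port 80. The function names and the hostname `nas.example.com` are placeholders; run it from a host outside your own network that has IPv6 connectivity, otherwise the result says nothing about the firewall.

```python
import socket

def resolve(host, port=80):
    """Return {'IPv4': [...], 'IPv6': [...]} for the A and AAAA records of host."""
    found = {"IPv4": [], "IPv6": []}
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this family is published
        found[label] = sorted({info[4][0] for info in infos})
    return found

def can_connect(address, port=80, timeout=5.0):
    """True if a TCP connection to address:port succeeds."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(host, port=80, resolver=resolve, connector=can_connect):
    """List the published addresses that do not accept connections on port.

    Every published address has to answer: a validator that picks the AAAA
    record first may not retry over IPv4 (the behaviour the post describes).
    """
    problems = []
    for family, addresses in resolver(host, port).items():
        for address in addresses:
            if not connector(address, port):
                problems.append(f"{family} {address} port {port} unreachable")
    return problems

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "nas.example.com"  # placeholder
    issues = preflight(name)
    print("\n".join(issues) if issues else f"all addresses of {name} answer on port 80")
```

If the AAAA record is listed as unreachable, either open port 80 for that IPv6 address or stop publishing the record for the certificate hostname.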

evil79genius
First post
Posts: 1
Joined: Thu Jul 27, 2017 6:59 am

Re: Lets Encrypt Port 80 issue

Postby evil79genius » Thu Jul 27, 2017 7:21 am

I've got it working, but that's not been so easy - maybe there's a different easier way, but here's the steps I've taken:
  • Enabled QNAP web-server (leaving it at default port 8280)
  • Manually configured port forward on my router, mapping external port 80 to internal port 8280 of QNAP
  • Created /share/Web/.well-known/acme-challenge/
  • Removed /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge directory and all its contents
  • Created symlink /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge pointing to /share/Web/.well-known/acme-challenge
  • Edited /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py
    Here's a section beginning at line 691

    Code:

    # fix open fail when router do not support NAT loopback
    tmp_wellknown_url = "http://localhost/.well-known/acme-challenge/{0}".format(
        http_challenge_dict['token'])
    resp = urlopen(tmp_wellknown_url)

    I've commented all such lines and inserted a line

    Code:

    resp = urlopen(wellknown_url)

    right below the commented block
  • Requested new certificate via Control Panel > System > Security > Certificate & Private Key, specifying my own domain name.
Note: should your router not support NAT loopback, instead of commenting the lines and adding another one, it should work if you simply specify QNAP web-server port right after localhost in the tmp_wellknown_url, like this

Code:

tmp_wellknown_url = "http://localhost:8280/.well-known/acme-challenge/{0}".format(
    http_challenge_dict['token'])


Hope it helps!
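
A way to confirm, before requesting a certificate, that the directory and port from the steps above really serve `/.well-known/acme-challenge/` (added example, not part of the original post and not QNAP's code): it drops a random probe file into the challenge directory, fetches it back over HTTP and compares the content. The function name is illustrative; the paths and port 8280 are the ones the post mentions.

```python
import os
import secrets
from urllib.request import ProxyHandler, build_opener

def check_challenge_path(challenge_dir, base_url, timeout=5):
    """Write a throwaway file into challenge_dir and fetch it back over HTTP.

    challenge_dir: directory the web server should expose as
                   /.well-known/acme-challenge/
    base_url:      scheme://host[:port] to test through
    Returns (ok, detail).
    """
    name = "selftest-" + secrets.token_hex(8)
    body = secrets.token_hex(16)
    path = os.path.join(challenge_dir, name)
    url = "{0}/.well-known/acme-challenge/{1}".format(base_url.rstrip("/"), name)
    opener = build_opener(ProxyHandler({}))  # talk to the server directly, no proxy
    with open(path, "w") as handle:
        handle.write(body)
    try:
        with opener.open(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace").strip()
        if served != body:
            return False, "{0} returned unexpected content".format(url)
        return True, "{0} serves {1}".format(url, challenge_dir)
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        return False, "{0} failed: {1}".format(url, exc)
    finally:
        os.remove(path)  # never leave the probe file behind

if __name__ == "__main__":
    # Paths and port taken from the post above; adjust to your setup.
    for base in ("http://localhost", "http://localhost:8280"):
        print(check_challenge_path("/share/Web/.well-known/acme-challenge", base))
```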

Marc J
Getting the hang of things
Posts: 50
Joined: Wed Oct 15, 2008 1:36 am

Re: Lets Encrypt Port 80 issue

Postby Marc J » Wed Sep 06, 2017 11:07 pm

Well, today I managed to install a Let's Encrypt cert on my QNAP relatively easily, after a few tries. I got the port 80 / DNS error at first, so I then: -

1) Enabled the web server on port 80
2) forwarded incoming port 80 traffic to the QNAP (router configs)
3) Allowed all connections (QNAP security - I had previously locked it down to local 192.168.0.x and OpenVPN 10.8.0.x IP numbers only)

That let me install the Let's Encrypt cert on my custom subdomain (e.g. location.mydomain.com) which has its own static IP.

I then undid 1,2 & 3 above as I don't usually need the web server on the QNAP, and prefer to have it only accessible to local & OpenVPN IPs.

My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?

myjablonec
New here
Posts: 4
Joined: Tue May 24, 2016 9:31 pm

Re: Lets Encrypt Port 80 issue

Postby myjablonec » Thu Sep 07, 2017 1:22 am

Marc J wrote:My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?


Well, my certificate expired a few days ago, so it probably won't renew automatically. But 10 days before expiration you can try clicking the "Renew" button and see what happens. Maybe because I didn't do that, my renew option didn't work (it reported an error about port 80), but I was able to generate a new certificate without trouble. The truth is that I use the webserver, but I cannot forward ports and I have some restrictions on IPs.

kkeonline
New here
Posts: 2
Joined: Sat Nov 04, 2017 2:27 am

Re: Lets Encrypt Port 80 issue

Postby kkeonline » Sat Nov 04, 2017 3:11 am

Just got a QNAP today and tried to install a Let's Encrypt certificate, but got the same problem.

The problem is not from the software, but because my ISP blocks port 80, so I have 2 options:
1. Call the ISP to unblock port 80, then the script will work as it should.
2. Find another way to install.
I chose 2 because I also don't want to open port 80 to the public.

I followed all the above posts but none of them succeeded :(
Then I searched for how Let's Encrypt can issue without opening port 80, and I found this post: https://community.letsencrypt.org/t/how ... 80/36192/6
whatever client you use must do one of three things to validate control over your hostname:
  • It must respond appropriately to a request for http://$HOSTNAME/.well-known/acme-challenge/...
  • It must respond appropriately (i.e., with an appropriate self-signed TLS certificate) to https://$HOSTNAME
  • It must (or, alternatively, you must manually) change your DNS records to add a specified TXT record.


So "https" is my only chance, because I cannot do anything with the QNAPcloud DNS, and if http worked I would not need to find another way here.


How to install Let's Encrypt by validating with https on QTS 4.3.x
1. ssh to the QNAP with your admin user
2. type these commands

Code:

ln -s /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known /home/httpd/
cd /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/
# -i -e rather than -ie: sed reads "-ie" as -i with backup suffix "e" and leaves a stray acme_tiny.pye
sed -i -e 's/default="http"/default="https"/' acme_tiny.py
cp acme_tiny.py acme_tiny.py.bak

3. Configure SSL through "System>Security>Certificate & Private Key" and click Replace Certificate, then select Let's Encrypt, input your QNAP domain name, and if you have your own domain name put it in alternative names.
4. Remember: if you update the QTS SSL Certificate utility to a new version, you have to fix acme_tiny.py again with this command via ssh

Code:

sed -i -e 's/default="http"/default="https"/' /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py

snarf007
Starting out
Posts: 37
Joined: Sun Jan 16, 2011 6:47 am

Re: Lets Encrypt Port 80 issue

Postby snarf007 » Tue Jan 16, 2018 7:06 pm

Again Let's Encrypt issues, now with renewal of the certificates.
Found how to get the native Let's Encrypt to work as I expected. Not the myQNAPcloud one, but the Let's Encrypt option under control panel|security|tab: Certificate & Private key (with the option to add DNS aliases).

Previously ports 80 and 443 were configured for the webserver for the QNAP GUI (General settings). Then every time my port 80 was not responding during Let's Encrypt setup.
Now I've enabled the webserver (under applications) with ports 80 and 443 and the admin GUI on different port numbers. Result: the Let's Encrypt function works correctly.
Conclusion: you need to have the webserver enabled and configured on port 80/443 to have Let's Encrypt working.

Hope this helps others to understand the (un)logic in the setup. :)

LaUs3r
New here
Posts: 8
Joined: Sun Aug 06, 2017 11:24 pm

Re: Lets Encrypt Port 80 issue

Postby LaUs3r » Sat Feb 17, 2018 6:24 pm

thx....exactly what I was looking for as it did not work for me initially.
This was the "Port 80"-issue solution for me. :-)
Cheers,
LaUs3r

Model name: TVS-863+
Firmware: 4.3.3.0262 Build 20170727

katsudonvince
First post
Posts: 1
Joined: Sun Mar 11, 2018 1:43 pm

Re: Lets Encrypt Port 80 issue

Postby katsudonvince » Wed Jun 27, 2018 5:17 am

snarf007 wrote:Again Let's Encrypt issues, now with renewal of the certificates.
Found how to get the native Let's Encrypt to work as I expected. Not the myQNAPcloud one, but the Let's Encrypt option under control panel|security|tab: Certificate & Private key (with the option to add DNS aliases).

Previously ports 80 and 443 were configured for the webserver for the QNAP GUI (General settings). Then every time my port 80 was not responding during Let's Encrypt setup.
Now I've enabled the webserver (under applications) with ports 80 and 443 and the admin GUI on different port numbers. Result: the Let's Encrypt function works correctly.
Conclusion: you need to have the webserver enabled and configured on port 80/443 to have Let's Encrypt working.

Hope this helps others to understand the (un)logic in the setup. :)

My certificate is expiring in 10 days and the renewal button is now live but I have the same port 80 and DNS issues as others. You said to use the different port numbers on the admin gui (general setting). What is the best port number to use please, can you give any example or range please. Thanks

superketto
Starting out
Posts: 16
Joined: Tue Apr 15, 2014 3:08 am

Re: Lets Encrypt Port 80 issue

Postby superketto » Sun Jul 22, 2018 5:46 am

After the update to the July 4.3.3 build the Let's Encrypt generation no longer works.
Do you also find the same problem ??

jds580s
Know my way around
Posts: 198
Joined: Tue Dec 08, 2009 4:52 am

Re: Lets Encrypt Port 80 issue

Postby jds580s » Sun Jul 22, 2018 5:59 am

I had to make a small change to my configuration today after getting a Let’s Encrypt renewal error. Not sure if it’s related to new firmware since the last renewal, or just my specific setup.

I had force SSL enabled which I turned off, then I added a .htaccess file in the /web root with a Rewrite rule that allows http traffic to .well-known and anything else is redirected to https

After that I successfully was able to renew the cert.

Model: TVS-1282-i5-16G
  • Firmware: QTS 4.3.4.0537
  • Network: 10GbE ASUS XG-C100C card, MTU 9k
  • RAID 1: [System] 2x WD Blue M.2 SSD 250GB
  • Single Volume: [QVR Pro Storage] 1x WD Purple 4TB
  • RAID 6: [DATA] 5x HGST HDN728080ALE604 8TB
    • Qtier RAID 1: 2x Samsung SSD 850 EVO 500GB
    • Cache RAID 1: 2x Samsung SSD 960 EVO 500GB NVMe M.2 in two NGFF PCIe 3.0 x4 adapter cards
Model: TS-459 Pro
  • Firmware: QTS 4.2.6 build 20180504
  • RAID 6: 2x HGST HDN724030ALE640 3TB, x2 Seagate ST3000VN000 3TB
  • External: 4TB HGST eSATA Drive, UPS
  • Network: 1 Gbps, MTU 1500

kdh1968
First post
Posts: 1
Joined: Thu Jan 04, 2018 1:47 am

Re: Lets Encrypt Port 80 issue

Postby kdh1968 » Thu Aug 02, 2018 3:13 am

I followed the description of katsudonvince (Tue Jun 26, 2018 11:17 pm) and it works (for me) :DD
HS 251 +
4.3.4.0644

