
Re: Lets Encrypt Port 80 issue

Posted: Tue Jun 06, 2017 5:56 am
by telepheedian
chapeaurouge wrote: Still not working for me, even with no alternative name, restoring to default and trying again.

Latest version of 4.3 at this time on an old TS412.
I was having this issue on a fresh install. The issue was that the QTS SSL Certificate app was improperly installed. Since it's part of the system, I couldn't uninstall it, either. I was able to fix it by downloading the package using the Download link on the App Center page for it, then manually installing the QPKG.

Re: Lets Encrypt Port 80 issue

Posted: Thu Jun 22, 2017 6:57 am
by digiweb
I was able to install the cert but I used a no-ip DDNS domain. And when I try to use https, the DDNS does not work. It only works when I'm not using https.

Re: Lets Encrypt Port 80 issue

Posted: Thu Jun 22, 2017 10:54 pm
by schumaku
digiweb wrote: And when I try to use https, the DDNS does not work. It only works when I'm not using https.
Impossible. DDNS (well, DNS A records in general) creates a relation from a name to an IP address.

Re: Lets Encrypt Port 80 issue

Posted: Tue Jun 27, 2017 7:11 am
by snarf007
myjablonec wrote: I just spent several hours with QNAP developers and finally have a valid Let's Encrypt certificate with my own domain.
The developers tried to generate the cert many times with different settings in acme_tiny.py. Here is a summary of the code, which I got from the history and which worked for me to generate the cert again.

Code:

cd /mnt/ext/opt/QcloudSSLCertificate
rm -rf cert/
rm -rf data/
/etc/init.d/QcloudSSLCertificate.sh restart
curl "https://s3.amazonaws.com/anry-temp-data/acme_tiny.py" -o bin/acme-tiny/acme_tiny.py
rm -rf /share/Web/.well-known

After that go to Control panel -> Security -> Certificate & private key -> first Restore to default, after that Replace certificate -> Get from Let's Encrypt -> fill in domain name and email (doesn't work when I fill in an alternative name) -> if no error occurs, the certificate should be generated, so close the browser and reopen your NAS webgui with https.
Hope it will work for you too.
For me the above procedure worked to use my own domain. Only use the primary domain, no alternate domain names. Hope auto renewal works; there is a button with the message that it can be renewed 10 days before expiry.
Seems a new version of acme_tiny.py does this trick? Will it be part of a next firmware release?
Thanx!

Re: Lets Encrypt Port 80 issue

Posted: Sun Jul 23, 2017 7:49 am
by itsmarcos
Hit this issue today. Following the steps on this thread I was still getting the same error.

Checked my firewall logs and noticed that IPv6 access to my qnap (port 80) was (of course) blocked. After opening port 80 (only) everything worked. It looks like the letsencrypt CA is trying IPv6 first (correct) but it doesn't fall back to IPv4 if IPv6 fails. Opening 443 was not needed.

This closed ticket on Github resolves this issue at the CA.

In a nutshell, if you have IPv6 enabled on your network and you hit this error, a solution could be opening port 80 for the IPv6 address of your QNAP (possibly 443 as well).

Re: Lets Encrypt Port 80 issue

Posted: Thu Jul 27, 2017 7:21 am
by evil79genius
I've got it working, but that's not been so easy - maybe there's a different easier way, but here's the steps I've taken:
  • Enabled QNAP web-server (leaving it at default port 8280)
  • Manually configured port forward on my router, mapping external port 80 to internal port 8280 of QNAP
  • Created /share/Web/.well-known/acme-challenge/
  • Removed /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge directory and all its contents
  • Created symlink /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge pointing to /share/Web/.well-known/acme-challenge
  • Edited /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py
    Here's a section beginning at line 691

    Code:

    # fix open fail when router do not support NAT loopback
    tmp_wellknown_url = "http://localhost/.well-known/acme-challenge/{0}".format(
        http_challenge_dict['token'])
    resp = urlopen(tmp_wellknown_url)
    
    I've commented all such lines and inserted a line

    Code:

    resp = urlopen(wellknown_url)

    right below the commented block
  • Requested new certificate via Control Panel > System > Security > Certificate & Private Key, specifying my own domain name.
Note: should your router not support NAT loopback, instead of commenting the lines and adding another one, it should work if you simply specify QNAP web-server port right after localhost in the tmp_wellknown_url, like this

Code:

tmp_wellknown_url = "http://localhost:8280/.well-known/acme-challenge/{0}".format(

Hope it helps!
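The self-check that evil79genius edits above (acme_tiny fetching its own challenge URL with urlopen before asking the CA) is the part that fails with the "port 80" error, and it is worth running by hand before clicking "Replace certificate". The script below is an added example for this thread, not QNAP's code and not acme-tiny's own code: it fetches http://<host>/.well-known/acme-challenge/<token> the way the validator does and classifies the outcome into the failure modes reported in this thread (nothing listening on the port, as in itsmarcos's IPv6 case; the challenge directory not being served; the wrong file content being returned). To run offline it starts a throw-away local web server standing in for the NAS; the token and thumbprint are constructed sample values, and against a real NAS you would pass the public http URL of the NAS as base_url instead.

```python
"""Pre-flight check for an ACME HTTP-01 challenge (added example, not
QNAP's code and not acme_tiny's own code). It fetches
http://<host>/.well-known/acme-challenge/<token>, like the self-check
in acme_tiny.py, and classifies the result so the 'port 80' error can be
diagnosed before the CA is asked to validate."""
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def key_authorization(token: str, thumbprint: str) -> str:
    """HTTP-01 expects the served body to be '<token>.<account key thumbprint>'."""
    return f"{token}.{thumbprint}"


def fetch_challenge(base_url: str, token: str, timeout: float = 5.0):
    """GET the challenge URL. Returns (http_status, body); status is None when
    no HTTP answer came back at all (closed or unforwarded port, no route)."""
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # server answered, but not 200
        return err.code, ""
    except (urllib.error.URLError, OSError):   # nothing listening / timeout
        return None, ""


def check_challenge(base_url: str, token: str, thumbprint: str) -> str:
    """Classify the result the way the CA's validator would see it."""
    status, body = fetch_challenge(base_url, token)
    if status is None:
        return "unreachable"          # port 80 closed or not forwarded to the NAS
    if status != 200:
        return f"http-{status}"       # e.g. http-404: challenge dir not served
    if body.strip() != key_authorization(token, thumbprint):
        return "wrong-content"        # another file or site answered for this path
    return "ok"


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):     # keep the example's output clean
        pass


def serve_webroot(webroot: str):
    """Serve `webroot` on 127.0.0.1 on a free port; returns (server, base_url).
    Stands in for the NAS web server so the example runs offline."""
    handler = partial(_QuietHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> dict:
    """Run the check against each failure mode seen in this thread."""
    token = "constructed-token-abc123"             # constructed sample value
    thumbprint = "constructed-account-thumbprint"  # constructed sample value
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, *CHALLENGE_PATH.strip("/").split("/"))
        os.makedirs(chal_dir)
        srv, base = serve_webroot(webroot)
        try:
            # 1. Web server up, but the token file was never written.
            results["missing"] = check_challenge(base, token, thumbprint)
            with open(os.path.join(chal_dir, token), "w") as fh:
                fh.write(key_authorization(token, thumbprint))
            # 2. Correct file in place: what a successful validation needs.
            results["ok"] = check_challenge(base, token, thumbprint)
            # 3. Body does not match the expected key authorization.
            results["wrong"] = check_challenge(base, token, "other-thumbprint")
        finally:
            srv.shutdown()
            srv.server_close()
    # 4. Nothing listening any more: the 'port 80' symptom from this thread.
    results["closed"] = check_challenge(base, token, thumbprint)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {verdict}")
```

Run it from a machine outside your LAN (or any host that is not affected by the NAS router's NAT loopback behaviour) with base_url set to the NAS's public http address and a token file you placed yourself; an "unreachable" verdict points at the router or ISP, "http-404" at the web root or symlink setup described in this thread, and "wrong-content" at another site answering for the name.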

Re: Lets Encrypt Port 80 issue

Posted: Wed Sep 06, 2017 11:07 pm
by Marc J
Well, today I managed to install a Let's Encrypt cert on my QNAP relatively easily, after a few tries. I got the port 80 / DNS error at first, so I then:

1) Enabled the web server on port 80
2) forwarded incoming port 80 traffic to the QNAP (router configs)
3) Allowed all connections (QNAP security - I had previously locked it down to local 192.168.0.x and OpenVPN 10.8.0.x IP numbers only)

That let me install the Let's Encrypt cert on my custom subdomain (e.g. location.mydomain.com) which has its own static IP.

I then undid 1,2 & 3 above as I don't usually need the web server on the QNAP, and prefer to have it only accessible to local & OpenVPN IPs.

My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?

Re: Lets Encrypt Port 80 issue

Posted: Thu Sep 07, 2017 1:22 am
by myjablonec
Marc J wrote: My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?
Well, my certificate expired a few days ago, so it probably won't renew automatically. But 10 days before expiration you can try clicking the "Renew" button and see what happens. Maybe because I didn't do that my renew option didn't work (it reported an error about port 80), but I was able to generate a new certificate without trouble. Truth is, I use the webserver, but I cannot forward ports and I have some restrictions on IPs.

Re: Lets Encrypt Port 80 issue

Posted: Sat Nov 04, 2017 3:11 am
by kkeonline
Just got a qnap today and tried to install a letsencrypt certificate, but got the same problem.

The problem is not with the software, but my ISP blocks port 80, so I have 2 options:
1. call the ISP to unblock port 80, then the script will work as it should.
2. find another way to install.
I chose 2, because I also don't want to open port 80 to the public.

I followed all the above posts but none of them succeeded :(
Then I searched how letsencrypt can issue without opening port 80, and I found this post: https://community.letsencrypt.org/t/how ... 80/36192/6
whatever client you use must do one of three things to validate control over your hostname:
  • It must respond appropriately to a request for http://$HOSTNAME/.well-known/acme-challenge/...
  • It must respond appropriately (i.e., with an appropriate self-signed TLS certificate) to https://$HOSTNAME
  • It must (or, alternatively, you must manually) change your DNS records to add a specified TXT record.
So https is my only chance, because I cannot do anything with the QNAPcloud DNS, and if http had worked I would not need to find another way here.


How to install letsencrypt by validating with https on QTS4.3.x
1. ssh to the qnap with your admin user
2. type these commands

Code:

ln -s /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known /home/httpd/
cd /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/
# edit in place: make the client validate over https instead of http
sed -i -e 's/default="http"/default="https"/' acme_tiny.py
cp acme_tiny.py acme_tiny.py.bak
3. Configure SSL through "System>Security>Certificate & Private Key" and click Replace Certificate, then select Let's Encrypt, input your qnap domain name and, if you have your own domain name, put it in alternative names.
4. Remember: if you update the QTS SSL certificate utility to a new version, you have to fix acme_tiny.py again with this command via ssh

Code:

sed -i -e 's/default="http"/default="https"/' /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py

Re: Lets Encrypt Port 80 issue

Posted: Tue Jan 16, 2018 7:06 pm
by snarf007
Again Let's Encrypt issues, now with renewal of the certificates.
Found how to get the native Let's Encrypt to work as I expected. Not the myQnapcloud one, but the Let's Encrypt option under Control Panel | Security | tab: Certificate & Private Key (with the option to add DNS aliases).

Previously ports 80 and 443 were configured for the web server of the Qnap GUI (General settings). Then every time my port 80 was not responding during the Let's Encrypt setup.
Now I've enabled the web server (under Applications) with ports 80 and 443 and the admin GUI on different port numbers. Result: the Let's Encrypt function works correctly.
Conclusion: you need to have the web server enabled and configured on port 80/443 to have Let's Encrypt working.

Hope this helps others to understand the (un)logic in the setup. :)

Re: Lets Encrypt Port 80 issue

Posted: Sat Feb 17, 2018 6:24 pm
by LaUs3r
thx....exactly what I was looking for as it did not work for me initially.
This was the "Port 80"-issue solution for me. :-)

Re: Lets Encrypt Port 80 issue

Posted: Wed Jun 27, 2018 5:17 am
by katsudonvince
snarf007 wrote: Again Let's Encrypt issues, now with renewal of the certificates.
Found how to get the native Let's Encrypt to work as I expected. Not the myQnapcloud one, but the Let's Encrypt option under Control Panel | Security | tab: Certificate & Private Key (with the option to add DNS aliases).

Previously ports 80 and 443 were configured for the web server of the Qnap GUI (General settings). Then every time my port 80 was not responding during the Let's Encrypt setup.
Now I've enabled the web server (under Applications) with ports 80 and 443 and the admin GUI on different port numbers. Result: the Let's Encrypt function works correctly.
Conclusion: you need to have the web server enabled and configured on port 80/443 to have Let's Encrypt working.

Hope this helps others to understand the (un)logic in the setup. :)

My certificate is expiring in 10 days and the renewal button is now live, but I have the same port 80 and DNS issues as others. You said to use different port numbers on the admin GUI (General settings). What is the best port number to use, please? Can you give an example or range? Thanks

Re: Lets Encrypt Port 80 issue

Posted: Sun Jul 22, 2018 5:59 am
by jds580s
I had to make a small change to my configuration today after getting a Let's Encrypt renewal error. Not sure if it's related to new firmware since the last renewal, or just my specific setup.

I had Force SSL enabled, which I turned off; then I added a .htaccess file in the /web root with a rewrite rule that allows http traffic to .well-known and redirects everything else to https.

After that I successfully was able to renew the cert.

Re: Lets Encrypt Port 80 issue

Posted: Thu Aug 02, 2018 3:13 am
by kdh1968
I followed the description of katsudonvince (Tue Jun 26, 2018 11:17 pm) and it works (for me) :DD

Re: Lets Encrypt Port 80 issue

Posted: Mon Jan 20, 2020 10:17 pm
by oyvindo
This thread has been quiet for over a year now.
What has happened? Are all issues solved, or have all QNAP customers given up on trying to implement Let's Encrypt certificates?

Well, I have experimented a lot lately to try to get things working, with very mixed results. Some success, mostly failure.
The strange thing is that the Certificate&Private Key feature in the QNAP is not stable, in the sense that sometimes it works, sometimes not.
Repeating exactly the same procedure over and over again works 2-3 out of 10 times and the remaining attempts fail.
I have even been able to successfully generate a Let's Encrypt certificate with alternative names added, but only once. I could never repeat that successfully again.

The fact that this works sometimes, but fails most of the time, is quite annoying. Is this a QNAP problem or is it the Let's Encrypt service that is overloaded?

How to tell?