Let's Encrypt SSL Certificate Idiot's Guide

Post your questions about myQNAPcloud service here.
Karl4077
New here
Posts: 3
Joined: Sun May 10, 2020 6:59 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Karl4077 »

terrytse wrote: Fri Jun 14, 2019 3:40 pm use Let's Encrypt SSL Certificate with own domain name

On Qnap
1. Enable Web Server with port 80. Control Panel --> Applications --> Web Server
2. Ensure Qnap System port is not using port 80. Control Panel --> System --> General Setting --> System Port is not port 80

On your router
3. create a port forward rule, forward external port 80 to internal port 80, server is your qnap

On your browser
4. test web access to your qnap public ip or FQDN, http://your_qnap_ip:80
5. make sure it will not redirect to your Qnap admin login page

On Qnap
6. download and install Let's Encrypt SSL Cert, Control Panel --> System --> Security --> Certificate & Private Key, click "Replace Certificate" --> get from Let's Encrypt
7. enter your own domain name qnap.myowndomain.com and your email address


I am able to install Let's Encrypt SSL Cert by doing above.


** tested enable "force secure connection (HTTPS) only" under Control Panel --> System --> General Setting, seems it will break

I did all these steps.
Web-Server on port 80 and 443
Sysadmin on 8080 and 4439, forced https

But when I try to get the cert I get the message:
"A domain validation challenge was not received from the ACME Server, Ensure that your router and QNAP device both accept inbound traffic on ports 80 and 443 ...."

So when I try domain:80 or http://domain it is working, I get the web-servers page.
But when I try domain:443 it is not working but with https://domain.

Why not? What's the difference between 443 and https?
Could anyone give me a tip?

Thanks a lot!
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by dolbyman »

If you want a tip .. DO NOT EXPOSE YOUR QNAP QTS INTERFACE TO WAN ... SSL encryption will do nothing to prevent your NAS from getting hacked
Karl4077
New here
Posts: 3
Joined: Sun May 10, 2020 6:59 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Karl4077 »

Sure, I need a good password...
If this is not enough, how can I securely access my NAS from the WAN?
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by dolbyman »

passwords and even 2FA are just circumvented via exploits .. QNAP NAS cannot be web exposed... in the last two months two large ransomware campaigns have deleted thousands of users' QNAP units ..

The only way to access your NAS from WAN is to run your own VPN server on a dedicated appliance and access it via that
Karl4077
New here
Posts: 3
Joined: Sun May 10, 2020 6:59 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by Karl4077 »

So don't use the QNAP VPN server either?
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by dolbyman »

No .. I wouldn't expose anything that QNAP has programmed to the web..

A capable router or raspi would be a much better alternative
sturmth
New here
Posts: 6
Joined: Sun Jun 19, 2016 8:56 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by sturmth »

I had a lot of problems managing step 6 of the tutorial. Every time, QTS told me that I should open ports 80 and 443 on the NAS and the router. But everything was done. I tested it!

The problem was the directory ".well-known" which was existent from my formerly used SSL-certificate from Zero SSL. You must delete it completely in the web server directory. It can be done with WinSCP and login with admin rights.
Don't worry if the system throws the error "Failed to validate intermediate Certificate". Let the machine work for some minutes. It takes long but it succeeds. I had another problem after this was done. The https port of the webserver was reset to 8081. Manually set it to 443 and everything runs fine.
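
A local preflight for what this thread keeps running into (steps 4 to 6 of the quoted guide and the leftover `.well-known` directory described above), as an added example that is not part of any post and is not QNAP or Let's Encrypt code. The function name `preflight`, the web-root path and the URL are assumptions; no ACME server is contacted, the check only confirms that a file placed under `.well-known/acme-challenge` comes back unchanged over plain HTTP.

```python
import http.client
import secrets
from pathlib import Path
from urllib.parse import urlsplit

CHALLENGE_PATH = ".well-known/acme-challenge"

def preflight(webroot, base_url, timeout=5.0):
    """Write a random probe file under the web root, then fetch it over plain HTTP.

    Returns (ok, reason). webroot and base_url are caller-supplied assumptions.
    """
    token, body = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / CHALLENGE_PATH
    try:
        challenge_dir.mkdir(parents=True, exist_ok=True)
        probe = challenge_dir / token
        probe.write_text(body)
    except OSError as exc:
        # A leftover .well-known that is a file, or is not writable, ends up here.
        return False, f"cannot write challenge file: {exc!r}"
    url = urlsplit(base_url)
    conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_PATH}/{token}")
        resp = conn.getresponse()
        data = resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        # Closed port, or a port that does not answer plain HTTP (a TLS listener, for instance).
        return False, f"no plain-HTTP answer: {exc!r}"
    finally:
        conn.close()
        probe.unlink(missing_ok=True)
    if 300 <= resp.status < 400:
        # Reported so it can be compared with step 5 (no redirect to the admin login page).
        return False, f"redirected to {resp.getheader('Location')}"
    if resp.status != 200:
        return False, f"HTTP {resp.status}"
    if data.strip() != body:
        return False, "a different document was served for the probe path"
    return True, "probe file was served from this web root"

if __name__ == "__main__":
    # Constructed values: replace with the real web root and the NAS address on the LAN.
    print(preflight("/tmp/example-webroot", "http://127.0.0.1:80"))
```

Running it against the LAN address needs no port forward, so the web server configuration can be checked before anything is opened on the router.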
hello_world.c
New here
Posts: 4
Joined: Mon Mar 30, 2020 5:27 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by hello_world.c »

@Doozer: Yes, but there is an extra step in the latest firmware to enable myQNAPcloud. It's under Control Panel - Network & File Services - Network & Virtual Switch. In there, go to Access Services - DDNS and you should see the myQNAPcloud service. In my case, this was disabled and after enabling it here everything else started to work.

Took me forever to find this. The way the folks at qnap manage to scatter essential settings across as many places as possible is really infuriating at times.
msaxer
First post
Posts: 1
Joined: Sat Oct 15, 2016 7:37 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by msaxer »

As @dolbyman has mentioned twice already you should really reconsider if you're contemplating exposing your QNAP NAS to the internet via [youraccount].myqnapcloud.com. By that he and I really mean - YOU SHOULD NOT DO IT.

Even with 2FA and SSL enabled there were two significant ransomware attacks which QNAP only addressed with a patch after many users had already been hit. I noticed one of the attacks on my NAS when I found a bunch of encrypted .7z files and .txt files explaining how to pay to decrypt them. Thankfully my backup procedure was good enough that I didn't lose any data, but it could have been awful if I'd relied entirely on the NAS's RAID 5 array to keep my data safe. I definitely dodged a bullet there and I immediately disabled ALL external connections to my NAS from outside my LAN.
kowalski78
First post
Posts: 1
Joined: Sun Oct 03, 2021 11:45 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by kowalski78 »

It's nice, thanks, but just two days qnap told me: Try again later.
What's happened?
dhighway
Starting out
Posts: 19
Joined: Sun Mar 23, 2014 12:33 am

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by dhighway »

Yes, same here! :(

If anyone finds the solution, I'd be VERY GRATEFUL if you could please share the info - Thx!!
jgg204
Starting out
Posts: 18
Joined: Fri Oct 19, 2018 1:22 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by jgg204 »

Previously I would open port 80 on router, renew the cert, and close port 80

Now, even if I open port 80, it will not renew.
tapentan
New here
Posts: 2
Joined: Wed Aug 07, 2013 5:51 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by tapentan »

I also have the same problem.
Do not know if this problem is related to this or not
https://letsencrypt.org/zh-tw/docs/dst- ... mber-2021/
https://medium.com/geekculture/will-you ... 4a018df257
I tried to remove the ca to see if this can solve the renew problem but I don't know how to do this on QNAP box. the command or config location seems not exist on QNAP box.
goliash
New here
Posts: 2
Joined: Sun Aug 30, 2020 8:09 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by goliash »

After update to version 5.0.0.xxx I wasn't able to renew/issue new certificate from Let's Encrypt (My QNAP said something like that it cannot reach Let's Encrypt server). Issue was with root certificate on the NAS:

Luckily I found this article on QNAP website and there is a way how to fix it: https://www.qnap.com/en/how-to/faq/arti ... stallrenew

Copied from QNAP website:
If you encounter a failure to install or renew the myQNAPcloud or Let's Encrypt SSL certificate on QTS 5.0.0.1785 build 20210908, this can be resolved in a subsequent QTS version, or you can use the steps below to fix it manually:
1. download the rootca.pem file and upload it to the NAS Public folder on your NAS.
2. connect to the NAS via ssh (steps to access ssh can be found here).
3. issue the below command to overwrite the original rootca.pem file on your NAS:
  • cp /share/Public/rootca.pem /etc/ssl/certs/
Once this is done, you should be able to install the SSL certificate successfully.
tapentan
New here
Posts: 2
Joined: Wed Aug 07, 2013 5:51 pm

Re: Let's Encrypt SSL Certificate Idiot's Guide

Post by tapentan »

Thanks, it works for me, too.
My QTS is 4.3.4.1652