Cert errors (old openssl)

j1dopeman
New here
Posts: 2
Joined: Sun Oct 03, 2021 2:37 am

Cert errors (old openssl)

Post by j1dopeman »

I've noticed I can't connect to some domains anymore and I believe it's due to a letsencrypt certificate expiring on Sept 30th. Details here:

https://letsencrypt.org/docs/dst-root-c ... mber-2021/

They mention openssl versions < 1.1.0 are affected. I see that my qnap is on 1.0.2za. Is there any way to upgrade the openssl version on a qnap? I'm on the latest firmware 4.5.4.1800, on a ts-251+.

Edit: More info here:
https://www.openssl.org/blog/blog/2021/ ... ertExpire/

Still not sure what I can do to fix.
Turbo112
Know my way around
Posts: 120
Joined: Mon May 30, 2011 9:09 pm
Location: Netherlands

Re: Cert errors (old openssl)

Post by Turbo112 »

Hi

You can connect with ssh and remove the expired certificate

## Remove DST_Root_CA_X3 symlink
[ -f /opt/etc/ssl/certs/2e5ac55d.0 ] && rm -f /opt/etc/ssl/certs/2e5ac55d.0
## Remove DST_Root_CA_X3 expired certificate
[ -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt ] && rm -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt

Note: after a reboot it will be back again...
seb13
New here
Posts: 3
Joined: Sat Oct 20, 2018 10:37 pm

Re: Cert errors (old openssl)

Post by seb13 »

I'm facing the same problem. Removing the mentioned files does not change anything. Even after requesting a new certificate via let's encrypt, the certificate seems to be requested using the outdated DST Root CA X3.
Turbo112 wrote: Tue Oct 05, 2021 3:58 am
## Remove DST_Root_CA_X3 symlink
[ -f /opt/etc/ssl/certs/2e5ac55d.0 ] && rm -f /opt/etc/ssl/certs/2e5ac55d.0
## Remove DST_Root_CA_X3 expired certificate
[ -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt ] && rm -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt
dahul
First post
Posts: 1
Joined: Fri Oct 15, 2021 11:33 pm

Re: Cert errors (old openssl)

Post by dahul »

seb13 wrote: Fri Oct 08, 2021 1:45 am I'm facing the same problem. Removing the mentioned files does not change anything. Even after requesting a new certificate via let's encrypt, the certificate seems to be requested using the outdated DST Root CA X3.
Turbo112 wrote: Tue Oct 05, 2021 3:58 am
## Remove DST_Root_CA_X3 symlink
[ -f /opt/etc/ssl/certs/2e5ac55d.0 ] && rm -f /opt/etc/ssl/certs/2e5ac55d.0
## Remove DST_Root_CA_X3 expired certificate
[ -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt ] && rm -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt
Hi,

Nobody has a fix for this yet? The latest version 5 seems to have upgraded to openssl 1.1.1, but our model is not supported yet for version 5. Unsure what our options are. I've imported the ISRG root certificates, removed the DST Root certificate + symlink. Fetched a new letsencrypt certificate. But it still is using DST as the root certificate.
kcrackerg
New here
Posts: 3
Joined: Fri Aug 01, 2014 2:25 pm

Re: Cert errors (old openssl)

Post by kcrackerg »

Experiencing the same problem on a TS-469 Pro.
Currently using Open SSL 1.0.2k and cannot upgrade to newer firmware.
Could really do with having the let's encrypt root certificates being updated.
bigdcdn
First post
Posts: 1
Joined: Wed Apr 21, 2021 1:34 am

Re: Cert errors (old openssl)

Post by bigdcdn »

Any planned fix for this coming down the pipe?
LightMoon
New here
Posts: 8
Joined: Sun Sep 08, 2019 7:58 am

Re: Cert errors (old openssl)

Post by LightMoon »

Facing the same issue, is there any fix out yet?
LightMoon
New here
Posts: 8
Joined: Sun Sep 08, 2019 7:58 am

Re: Cert errors (old openssl)

Post by LightMoon »

Ok, This is the fix.
1) Find where root certificates have been stored in your Qnap, mine was in /etc/ssl/certs

cd /etc/ssl/certs
ls -lth | grep DST_Root_CA_X3.pem
rm -f 2e5ac(whatever yours is)
rm -f DST_Root_CA_X3.pem

2) Copy these two files into /etc/ssl/certs

https://letsencrypt.org/certs/isrgrootx1.pem
https://letsencrypt.org/certs/lets-encrypt-r3.pem

3) reboot your qnap.
Pereto
Starting out
Posts: 34
Joined: Wed Apr 16, 2014 11:33 pm

Re: Cert errors (old openssl)

Post by Pereto »

Did it, but after reboot, the files lets-encrypt-r3.pem and isrg root x1.pem have disappeared from /etc/ssl/certs/
LightMoon
New here
Posts: 8
Joined: Sun Sep 08, 2019 7:58 am

Re: Cert errors (old openssl)

Post by LightMoon »

Pereto wrote: Thu Oct 21, 2021 3:36 am Did it, but after reboot, the files lets-encrypt-r3.pem and isrg root x1.pem have disappeared from /etc/ssl/certs/
Unfortunately, that's correct. This is the workaround I did and it works for me until the Qnap firmware updates.

0) Download rootca.pem - I modified this file by removing the expired DST Root X3 and adding DST Root CA X1 and Lets Encrypt R3
https://file.io/ZMnU9VEs7qAb
Put it somewhere on your NAS box; I copied it here:
/share/Files/RootCA

1) Installed auto startup script
https://github.com/OneCDOnly/create-autorun

2)
chmod +x 010-example.sh

# Here are the commands for replacing the rootca file after each reboot.
sleep 5
rm -f /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem is deleted."
sleep 2
cp /share/Files/RootCA/rootca.pem /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem file has been replaced."
Last edited by LightMoon on Tue Oct 26, 2021 4:55 pm, edited 1 time in total.
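
An added example, not part of LightMoon's post or of QNAP's tooling: rather than relying on a downloaded rootca.pem, expired entries such as DST Root CA X3 can be filtered out of a copy of the NAS's own bundle with `openssl x509 -checkend`. The function names are invented for this example, `openssl` and `mktemp` are assumed to be present on the NAS, and the script only removes entries: ISRG Root X1 must already be in the bundle or be appended from the letsencrypt.org URL given earlier in the thread.

```shell
#!/bin/sh
# Added example: function names are invented; openssl and mktemp are assumed.

# Succeeds if the certificate in file $1 is still valid $2 seconds from now.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# filter_bundle SRC DST [MARGIN_SECONDS]
# Writes to DST every certificate from SRC that passes cert_is_current and
# prints "kept=N dropped=M". Text outside the PEM markers is discarded.
filter_bundle() {
    src=$1; dst=$2; margin=${3:-0}
    work=$(mktemp -d) || return 1
    # Split the bundle: one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert.%04d", dir, n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }
    ' "$src"
    kept=0; dropped=0
    : > "$dst.new"
    for c in "$work"/cert.*; do
        [ -f "$c" ] || continue
        if cert_is_current "$c" "$margin"; then
            cat "$c" >> "$dst.new"
            kept=$((kept + 1))
        else
            # Report subject and end date of each dropped entry on stderr.
            openssl x509 -in "$c" -noout -subject -enddate >&2 2>/dev/null || true
            dropped=$((dropped + 1))
        fi
    done
    rm -rf "$work"
    # Never install an empty bundle: every TLS verification would then fail.
    if [ "$kept" -eq 0 ]; then
        rm -f "$dst.new"
        return 1
    fi
    mv "$dst.new" "$dst"
    echo "kept=$kept dropped=$dropped"
}

# Usage on the NAS, with the paths named in the thread:
#   cp /etc/ssl/certs/rootca.pem /share/Files/RootCA/rootca.pem.orig
#   filter_bundle /share/Files/RootCA/rootca.pem.orig /share/Files/RootCA/rootca.pem
```

The dropped subjects and end dates go to stderr, so the autorun script's log shows exactly which roots were removed.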
Toxic17
Ask me anything
Posts: 6468
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Cert errors (old openssl)

Post by Toxic17 »

try using this package, it may help:

viewtopic.php?f=320&t=117049

Dependencies: QPerl
Regards Simon

NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
j1dopeman
New here
Posts: 2
Joined: Sun Oct 03, 2021 2:37 am

Re: Cert errors (old openssl)

Post by j1dopeman »

I updated to qts 5 and it's now showing openssl 1.1.11 but unfortunately that did not fix the ssl issue for me. Here's a quick test to see:
curl https://flacsfor.me
Should return: <body bgcolor="black"></body>
But errors instead (on mine).
virtualdj
Experience counts
Posts: 2141
Joined: Wed May 26, 2010 2:44 am

Re: Cert errors (old openssl)

Post by virtualdj »

j1dopeman wrote: Sat Oct 30, 2021 9:11 am Here's a quick test to see:
curl https://flacsfor.me
Should return: <body bgcolor="black"></body>
But errors instead (on mine).
Does not work with the QNAP-shipped curl, but works with Entware's curl:


[~] # /sbin/curl https://flacsfor.me
curl: (60) SSL certificate problem: certificate has expired

[~] # /opt/bin/curl https://flacsfor.me
<body bgcolor="black"></body>
alwaysray
First post
Posts: 1
Joined: Sun Mar 27, 2022 11:58 am

Re: Cert errors (old openssl)

Post by alwaysray »

LightMoon wrote: Tue Oct 26, 2021 4:54 pm
Pereto wrote: Thu Oct 21, 2021 3:36 am Did it, but after reboot, the files lets-encrypt-r3.pem and isrg root x1.pem have disappeared from /etc/ssl/certs/
Unfortunately, that's correct. This is the workaround I did and it works for me until the Qnap firmware updates.

0) Download rootca.pem - I modified this file by removing the expired DST Root X3 and adding DST Root CA X1 and Lets Encrypt R3
https://file.io/ZMnU9VEs7qAb
Put it somewhere on your NAS box; I copied it here:
/share/Files/RootCA

1) Installed auto startup script
https://github.com/OneCDOnly/create-autorun

2)
chmod +x 010-example.sh

# Here are the commands for replacing the rootca file after each reboot.
sleep 5
rm -f /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem is deleted."
sleep 2
cp /share/Files/RootCA/rootca.pem /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem file has been replaced."
Hello LightMoon
Could you update your rootca.pem file share link in file.io? Now it shows file was deleted.
Appreciate that.