Cert errors (old openssl)
-
- New here
- Posts: 2
- Joined: Sun Oct 03, 2021 2:37 am
Cert errors (old openssl)
I've noticed I can't connect to some domains anymore and I believe it's due to a letsencrypt certificate expiring on Sept 30th. Details here:
https://letsencrypt.org/docs/dst-root-c ... mber-2021/
They mention openssl versions < 1.1.0 are affected. I see that my qnap is on 1.0.2za. Is there any way to upgrade the openssl version on a qnap? I'm on the latest firmware 4.5.4.1800, on a ts-251+.
Edit: More info here:
https://www.openssl.org/blog/blog/2021/ ... ertExpire/
Still not sure what I can do to fix.
- Turbo112
- Know my way around
- Posts: 120
- Joined: Mon May 30, 2011 9:09 pm
- Location: Netherlands
Re: Cert errors (old openssl)
Hi
You can connect with ssh and remove the expired certificate
## Remove DST_Root_CA_X3 symlink
[ -f /opt/etc/ssl/certs/2e5ac55d.0 ] && rm -f /opt/etc/ssl/certs/2e5ac55d.0
## Remove DST_Root_CA_X3 expired certificate
[ -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt ] && rm -f /opt/etc/ssl/certs/DST_Root_CA_X3.crt
Note: after a reboot it will be back again...
-
- New here
- Posts: 3
- Joined: Sat Oct 20, 2018 10:37 pm
Re: Cert errors (old openssl)
I'm facing the same problem. Removing the mentioned files does not change anything. Even after requesting a new certificate via let's encrypt, the certificate seems to be requested using the outdated DST Root CA X3.
-
- First post
- Posts: 1
- Joined: Fri Oct 15, 2021 11:33 pm
Re: Cert errors (old openssl)
Hi,
Nobody has a fix for this yet? The latest version 5 seems to have upgraded to openssl 1.1.1, but our model is not supported yet for version 5. Unsure what our options are. I've imported the ISRG root certificates, removed the DST Root certificate + symlink. Fetched a new letsencrypt certificate. But it still is using DST as the root certificate.
-
- New here
- Posts: 3
- Joined: Fri Aug 01, 2014 2:25 pm
Re: Cert errors (old openssl)
Experiencing the same problem on a TS-469 Pro.
Currently using Open SSL 1.0.2k and cannot upgrade to newer firmware.
Could really do with having the let's encrypt root certificates being updated.
-
- First post
- Posts: 1
- Joined: Wed Apr 21, 2021 1:34 am
Re: Cert errors (old openssl)
Any planned fix for this coming down the pipe?
-
- New here
- Posts: 8
- Joined: Sun Sep 08, 2019 7:58 am
Re: Cert errors (old openssl)
Facing the same issue, is there any fix out yet?
-
- New here
- Posts: 8
- Joined: Sun Sep 08, 2019 7:58 am
Re: Cert errors (old openssl)
Ok, This is the fix.
1) Find where root certificates have been stored in your Qnap, mine was in /etc/ssl/certs
cd /etc/ssl/certs
ls -lth | grep DST_Root_CA_X3.pem
rm -f 2e5ac(whatever yours is)
rm -f DST_Root_CA_X3.pem
2) Copy these two files in /etc/ssl/certs
https://letsencrypt.org/certs/isrgrootx1.pem
https://letsencrypt.org/certs/lets-encrypt-r3.pem
3) reboot your qnap.
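The post above removes the expired root by file name and by its hash link name. As an added example (not code from this thread), the function below lists every certificate in a store directory that has already expired, including certificates inside multi-certificate bundles, together with the `<hash>.0` link name OpenSSL uses for it. The function name and output format are assumptions.

```shell
#!/bin/sh
# Added example: report expired certificates in an OpenSSL trust directory.
# Uses only "openssl x509" options that exist in the 1.0.2 series.

# expiring_certs DIR [SECONDS]
# Prints "file|hash.0|notAfter|subject" for each certificate in DIR whose
# notAfter falls within SECONDS from now (default 0 = already expired).
expiring_certs() {
    dir=$1 window=${2:-0}
    tmp=$(mktemp -d) || return 2
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue              # unmatched glob or dangling link
        rm -f "$tmp"/*
        # A bundle such as rootca.pem holds many certificates, and
        # "openssl x509" reads only the first, so split into one file each.
        awk -v out="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
            keep { print > (out "/" n ".pem") }
            /-----END CERTIFICATE-----/   { keep = 0; close(out "/" n ".pem") }
        ' "$f"
        for c in "$tmp"/*.pem; do
            [ -f "$c" ] || continue
            # -checkend exits 0 while the certificate is still valid
            # at now + window seconds.
            openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1 && continue
            # Blocks that do not parse as a certificate are skipped.
            hash=$(openssl x509 -in "$c" -noout -hash 2>/dev/null) || continue
            end=$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)
            subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
            echo "$f|$hash.0|$end|$subj"
        done
    done
    rm -rf "$tmp"
}

# Usage on the NAS (directory taken from the post above):
#   expiring_certs /etc/ssl/certs
```
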
-
- Starting out
- Posts: 34
- Joined: Wed Apr 16, 2014 11:33 pm
Re: Cert errors (old openssl)
Did it, but after a reboot the files lets-encrypt-r3.pem and isrgrootx1.pem have disappeared from /etc/ssl/certs/
-
- New here
- Posts: 8
- Joined: Sun Sep 08, 2019 7:58 am
Re: Cert errors (old openssl)
Unfortunately, that's correct. This is the workaround I did and it works for me until the Qnap firmware updates.
0) Download rootca.pem - I modified this file by removing the expired DST Root X3 and adding DST Root CA X1 and Let's Encrypt R3
https://file.io/ZMnU9VEs7qAb
Put it somewhere on your NAS box; I copied it here:
/share/Files/RootCA
1) Installed auto startup script
https://github.com/OneCDOnly/create-autorun
2)
chmod +x 010-example.sh
# Here are the commands for replacing the rootca file after each reboot.
sleep 5
rm -f /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem is deleted."
sleep 2
cp /share/Files/RootCA/rootca.pem /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem file has been replaced."
Last edited by LightMoon on Tue Oct 26, 2021 4:55 pm, edited 1 time in total.
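An added example, not LightMoon's script: the same boot-time restore, but the bundle is copied only if its SHA-256 matches a digest recorded when the file was built and inspected, which matters when a trust bundle arrives through a file-sharing link. The function name and the digest placeholder are assumptions; the paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example: restore a CA bundle at boot, refusing any file whose
# SHA-256 differs from the pinned value.

# install_ca_bundle SRC DEST EXPECTED_SHA256
# Returns 0 if DEST now holds the pinned bundle, 1 if SRC is missing or
# does not match the pin, 2 if the copy itself failed.
install_ca_bundle() {
    src=$1 dest=$2 want=$3

    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }

    # Compare the candidate with the digest recorded for the vetted bundle.
    have=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
        echo "digest mismatch for $src, leaving $dest untouched" >&2
        return 1
    fi

    # Nothing to do when the live file is already identical.
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 0
    fi

    # Copy beside the destination and rename, so TLS clients never read a
    # half-written trust store.
    tmp="$dest.new.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" || {
        rm -f "$tmp"
        return 2
    }
    echo "$(date) - installed $dest ($have)"
}

# Usage from the autorun script (digest is a placeholder to fill in):
#   install_ca_bundle /share/Files/RootCA/rootca.pem \
#       /etc/ssl/certs/rootca.pem "<sha256-of-your-vetted-bundle>"
```
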
- Toxic17
- Ask me anything
- Posts: 6469
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Cert errors (old openssl)
Regards Simon
-
- New here
- Posts: 2
- Joined: Sun Oct 03, 2021 2:37 am
Re: Cert errors (old openssl)
I updated to qts 5 and it's now showing openssl 1.1.11 but unfortunately that did not fix the ssl issue for me. Here's a quick test to see:
curl https://flacsfor.me
Should return: <body bgcolor="black"></body>
But errors instead (on mine).
-
- Experience counts
- Posts: 2141
- Joined: Wed May 26, 2010 2:44 am
Re: Cert errors (old openssl)
j1dopeman wrote: ↑Sat Oct 30, 2021 9:11 am
Here's a quick test to see:
curl https://flacsfor.me
Should return: <body bgcolor="black"></body>
But errors instead (on mine).

Does not work with the QNAP-shipped curl, but works with Entware's curl:
Code:
[~] # /sbin/curl https://flacsfor.me
curl: (60) SSL certificate problem: certificate has expired
[~] # /opt/bin/curl https://flacsfor.me
<body bgcolor="black"></body>
-
- First post
- Posts: 1
- Joined: Sun Mar 27, 2022 11:58 am
Re: Cert errors (old openssl)
LightMoon wrote: ↑Tue Oct 26, 2021 4:54 pm
Unfortunately, that's correct. This is the workaround I did and it works for me until the Qnap firmware updates.
0) Download rootca.pem - I modified this file by removing the expired DST Root X3 and adding DST Root CA X1 and Let's Encrypt R3
https://file.io/ZMnU9VEs7qAb
Put it somewhere on your NAS box; I copied it here:
/share/Files/RootCA
1) Installed auto startup script
https://github.com/OneCDOnly/create-autorun
2)
chmod +x 010-example.sh
# Here are the commands for replacing the rootca file after each reboot.
sleep 5
rm -f /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem is deleted."
sleep 2
cp /share/Files/RootCA/rootca.pem /etc/ssl/certs/rootca.pem
echo "$(date) - The rootca.pem file has been replaced."

Hello LightMoon,
Could you update your rootca.pem file share link on file.io? Now it shows the file was deleted.
Appreciate that.