Location of SSL certs?

Post by goodelyfe »

If I'm using Control Panel --> System --> Security --> Certificate & Private Key, click "Replace Certificate"

Where are the certs being saved?

I'm trying to remedy me replacing the certs in whichever (for whatever app/service) directory every renewal (if that makes sense?)

Re: Location of SSL certs?

Post by RussellNS »

I'm having a similar issue. To put the TLDR (so to speak) up front, I found the QNAP SSL certs in:

/mnt/HDA_ROOT/.config/stunnel

In my use case, I don't want to expose port 80 on my NAS to the outside world at all. So I have a Docker container on another box that downloads and auto-renews free certs from Let's Encrypt, and places them in a 'private' directory on the NAS. Everything works, fine and dandy. However, when I go to update the cert the same way you describe (NAS Web GUI -> Control Panel --> System --> Security --> Certificate & Private Key -> "Replace Certificate" -> Import Certificate -> Certificate -> click "Browse"), it wants me to provide a file that's on my local host. I can't seem to provide a file/symlink/path to a certificate that already exists on the NAS. This kind of breaks the automation behind the 'auto-renew' of the Docker container. In essence, the Docker container will auto-renew the cert in a path on the NAS, but the NAS Web GUI has to be manually updated every renewal.

So I went digging for the path to these files in hopes I could create a symbolic link to the cert files that the Docker container will automatically renew. In this way, I hope to not have to have any manual steps. I hope that aging certs will get auto-renewed by the Docker container and the NAS Web GUI will always point to whatever the current cert is.

I haven't played around with the files in the path up above yet, other than to view the original, self-signed certs that were there, and then manually import the certs from Let's Encrypt. The certs in this directory do in fact update.

Hope this helps.

Re: Location of SSL certs?

Post by Toxic17 »

Have you tried LEgo?

viewtopic.php?f=320&t=132911

You can put the certs wherever you want.
Regards Simon

Re: Location of SSL certs?

Post by oyvindo »

RussellNS wrote (Tue Aug 27, 2019 10:46 pm):
I'm having a similar issue. To put the TLDR (so to speak) up front, I found the QNAP SSL certs in:

/mnt/HDA_ROOT/.config/stunnel

That does not seem to be the location used when certificate files are imported. Only if they are retrieved directly from Let's Encrypt or if you restore back to default.
Do you have any idea where imported certificates are stored?

Re: Location of SSL certs?

Post by Wotf783 »

Hi,

I did a little search because I did almost the same thing as @RussellNS and I came across this library: https://github.com/Yannik/qnap-letsencrypt
In the README there is actually nice info about QNAP behavior, but that's off topic.

But as you can see in section #setting-up-qnap-letsencrypt, the third step is

mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig

which I thought would be it. But it was not.
I checked what stunnel is and decided to have a little fun and break what I can.

I found out that the main certificates are actually backups. 🤣

So the location is:

/etc/stunnel/

certificate:

/etc/stunnel/backup.cert

private key:

/etc/stunnel/backup.key

Re: Location of SSL certs?

Post by oyvindo »

No, that is not correct.
After much research and experimenting, I found that what happens during certificate generation (and during import) is that the *.cert and *.key files are merged and stored in the stunnel.pem file. Whatever was in there previously is extracted and saved as backup.cert and backup.key.
I was able to verify this by simply deleting both backup files, and guess what? The certificates continue to work just as they should. But if I delete the pem file, it fails.

Re: Location of SSL certs?

Post by jamesking »

Thanks for this, I've found it very useful. I'm trying to automatically import a certificate I generate on another machine.

I've managed to replace the stunnel.pem (and uca.pem) with copies of a certificate that I've generated elsewhere (in /etc/stunnel or /mnt/HDA_ROOT/.config/stunnel, which seem to be symlinked).

I am finding that in the web GUI the QNAP still shows "default secure certificate being used". Does anyone know how to actually force the qnap to use the certificate I have successfully copied across?

I am basically using this code from the github, but modified to my own files:

/etc/init.d/stunnel.sh stop
cat letsencrypt/keys/domain.key letsencrypt/chained.pem > /etc/stunnel/stunnel.pem
cp letsencrypt/intermediate.pem /etc/stunnel/uca.pem
/etc/init.d/stunnel.sh start

This doesn't seem to (fully) work since, as I say, the web interface claims my custom certificate isn't being used.

James

Re: Location of SSL certs?

Post by oyvindo »

QNAP NAS servers do not need certificates to operate unless you specifically activate https.
Installing valid certificates doesn't make them available to, and used by, any applications automatically, except for the default Logon GUI (and perhaps some underlying system-bound protocols).
If you install an app where you wish to use a certificate, then the app config has to be adjusted to point to the right certificate store. This has to be done for each and every app. Often, several apps can share the same certificates, but not always.

Re: Location of SSL certs?

Post by jamesking »

Thank you.

I have done that, for, for example, Plex, with no issue. I want to update the SSL for, e.g.

https://qnap.mydomain.com:444/share.cgi?ssid=0pIeRds

(this is for sharing files from the Public folder - "Share Link")

Re: Location of SSL certs?

Post by dolbyman »

Don't expose your NAS to WAN... not safe

Re: Location of SSL certs?

Post by jamesking »

Even for the share links?

Re: Location of SSL certs?

Post by dolbyman »

Yes... any part of QTS... QNAP does a horrible job of programming these things

Re: Location of SSL certs?

Post by gcstang »

jamesking wrote (Tue Jan 12, 2021 7:44 pm):
Thanks for this, I've found it very useful. I'm trying to automatically import a certificate I generate on another machine.

I've managed to replace the stunnel.pem (and uca.pem) with copies of a certificate that I've generated elsewhere (in /etc/stunnel or /mnt/HDA_ROOT/.config/stunnel, which seem to be symlinked).

I am finding that in the web GUI the QNAP still shows "default secure certificate being used". Does anyone know how to actually force the qnap to use the certificate I have successfully copied across?

I am basically using this code from the github, but modified to my own files:

/etc/init.d/stunnel.sh stop
cat letsencrypt/keys/domain.key letsencrypt/chained.pem > /etc/stunnel/stunnel.pem
cp letsencrypt/intermediate.pem /etc/stunnel/uca.pem
/etc/init.d/stunnel.sh start

This doesn't seem to (fully) work since, as I say, the web interface claims my custom certificate isn't being used.

James

I followed a similar setup and this worked, however in the UI it still shows as the old default certificate but when I connect using HTTPS it shows the one I put there instead.

Regards

Re: Location of SSL certs?

Post by Rene72 »

/etc/init.d/stunnel.sh stop
cat letsencrypt/keys/domain.key letsencrypt/chained.pem > /etc/stunnel/stunnel.pem
cp letsencrypt/intermediate.pem /etc/stunnel/uca.pem
/etc/init.d/stunnel.sh start

I need some help. I download SSL certs on a dedicated system and renew them as well.
I install the certificates with PowerShell on several Windows servers with a script that runs on a schedule.
Only on my QNAP NAS I want to do the same.

I got these certificates:

cert.cer
cert.key
chain.cer
fullchain.cer
cert.pfx
fullchain.pfx

I don't have a .pem cert, so can I use any of these files or must I convert it? Are there bash scripts to automate the import of these certs from a folder on the NAS?
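
The stop/cat/cp/start commands quoted in this thread write the key and chain straight into /etc/stunnel/stunnel.pem. The shell function below is an added example, not code from any poster or from the qnap-letsencrypt project: it refuses inputs that are not PEM, builds the combined file with owner-only permissions and swaps it in atomically. The function names, the ".prev" backup and the temp-file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: assemble a stunnel-style combined PEM
# (private key first, then the certificate chain) and install it atomically.
# Function names, the ".prev" backup and the temp-file name are assumptions.

# count_blocks FILE LABEL_REGEX -> number of "-----BEGIN <label>-----" lines
count_blocks() {
    grep -Ec -- "^-----BEGIN $2-----" "$1" || true
}

# build_stunnel_pem KEY CHAIN DEST
build_stunnel_pem() {
    key=$1 chain=$2 dest=$3
    [ -r "$key" ] && [ -r "$chain" ] || { echo "unreadable input" >&2; return 1; }

    # Exactly one unencrypted private key (PKCS#8, RSA or EC header).
    nkey=$(count_blocks "$key" '(RSA |EC )?PRIVATE KEY')
    [ "$nkey" -eq 1 ] || { echo "$key: want 1 PEM private key, found $nkey" >&2; return 1; }

    # At least one certificate; binary DER or PFX input has no PEM header.
    ncert=$(count_blocks "$chain" 'CERTIFICATE')
    [ "$ncert" -ge 1 ] || { echo "$chain: no PEM certificate found" >&2; return 1; }
    # The chain file must not carry key material of its own.
    [ "$(count_blocks "$chain" '.*PRIVATE KEY')" -eq 0 ] ||
        { echo "$chain: contains a private key" >&2; return 1; }

    # Build beside the destination so the final mv is an atomic rename.
    # umask 077 creates the file 0600; awk strips CRs and repairs a missing
    # final newline so the key and first certificate cannot run together.
    tmp="$dest.new.$$"
    ( umask 077; awk '{ sub(/\r$/, ""); print }' "$key" "$chain" > "$tmp" ) ||
        { rm -f "$tmp"; return 1; }

    # Keep the previous file, owner-only, so a bad renewal can be rolled back.
    if [ -f "$dest" ]; then
        { cp -p "$dest" "$dest.prev" && chmod 600 "$dest.prev"; } ||
            { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# On the NAS this would sit between the stop and start commands from the thread:
#   /etc/init.d/stunnel.sh stop
#   build_stunnel_pem letsencrypt/keys/domain.key letsencrypt/chained.pem \
#       /etc/stunnel/stunnel.pem
#   /etc/init.d/stunnel.sh start
```

The checks are structural only: they do not prove that the key belongs to the certificate, so comparing the two public keys with openssl before the swap is a useful further step.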

Re: Location of SSL certs?

Post by fabriziorizzo »

@rene72, did you figure this out... how to adapt these commands for the LE cert files?
-
Fabrizio