Lets Encrypt Port 80 issue

telepheedian
New here
Posts: 2
Joined: Tue Jul 19, 2016 11:25 am

Re: Lets Encrypt Port 80 issue

Post by telepheedian »

chapeaurouge wrote:Still not working for me, even with no alternative name, restoring to default and trying again.

Latest version of 4.3 at this time on an old TS412.
I was having this issue on a fresh install. The issue was that the QTS SSL Certificate app was improperly installed. Since it's part of the system, I couldn't uninstall it, either. I was able to fix it by downloading the package using the Download link on the App Center page for it, then manually installing the QPKG.
digiweb
Starting out
Posts: 24
Joined: Mon Jan 02, 2017 7:22 am

Re: Lets Encrypt Port 80 issue

Post by digiweb »

I was able to install the cert but I used a no-ip DDNS domain. And when I try to use https, the DDNS does not work. It only works when I'm not using https.
QNAP TS-231+ with 2 4TB HGST Deskstar NAS drives on RAID1
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Lets Encrypt Port 80 issue

Post by schumaku »

digiweb wrote:And when I try to use https, the DDNS does not work. It only works when I'm not using https.
Impossible. DDNS (well, DNS A records in general) create a relation from a name to an IP address.
snarf007
Starting out
Posts: 40
Joined: Sun Jan 16, 2011 6:47 am

Re: Lets Encrypt Port 80 issue

Post by snarf007 »

myjablonec wrote:I just spent several hours with QNAP developers and finally have a valid Let's Encrypt certificate with my own domain.
The developers tried to generate the cert many times with different settings in acme_tiny.py. Here is a summary of the code, which I got from the history and which worked for me to generate the cert again.

cd /mnt/ext/opt/QcloudSSLCertificate
rm -rf cert/
rm -rf data/
/etc/init.d/QcloudSSLCertificate.sh restart
curl "https://s3.amazonaws.com/anry-temp-data/acme_tiny.py" -o bin/acme-tiny/acme_tiny.py
rm -rf /share/Web/.well-known

After that go to Control panel -> Security -> Certificate & private key -> first Restore to default, after that Replace certificate -> Get from Let's Encrypt -> fill in domain name and email (doesn't work when I fill in alternative name) -> if no error occurs, the certificate should be generated, so close the browser and reopen your NAS webgui with https.
Hope it will work for you too.
For me the above procedure worked to use my own domain. Only use primary domain, no alternate domain names. Hope auto renewal works, there is a button with the message can be renewed 10 days before expire.
Seems a new version of acme_tiny.py does this trick? Will it be part of a next firmware release?
Thanx!
itsmarcos
Easy as a breeze
Posts: 310
Joined: Thu Sep 29, 2011 5:34 am

Re: Lets Encrypt Port 80 issue

Post by itsmarcos »

Hit this issue today. Following the steps on this thread I was still getting the same error.

Checked my firewall logs and noticed that IPv6 access to my qnap (port 80) was (of course) blocked. After opening port 80 (only) everything worked. It looks like the letsencrypt CA is trying IPv6 first (correct) but it doesn't fall back to IPv4 if IPv6 fails. Opening 443 was not needed.

This closed ticket on GitHub resolves this issue at the CA.

In a nutshell, if you have IPv6 enabled on your network and you hit this error, a solution could be opening port 80 for the IPv6 address of your QNAP (possibly 443 as well).

Primary

QNAP TVS-951N [latest QTS 5.0.x]
- disk 1: WDC Red WD80EFZX
- disk 2: WDC Red WD80EFZX
- disk 6: Samsung SSD Evo 500GB, SSD Cache
- disk 7:Samsung SSD Evo 500GB, HybridMount Cache
- External disk: WDC Red WD60EFRX
Dead one
QNAP TS-253B [4.4.x] - now dead


Remote backup
QNAP TS-219 P+ [latest 4.3.x]
- disk 1: HGST Deskstar 7K3000 HDS723030ALA640 3TB
- disk 2: WDC Red WD40EFRX
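The check described in the post above (port 80 has to answer on every address the name publishes, the IPv6 one included), as an added example that is not part of the original post. The function names and verdict strings are assumptions of this example.

```python
import socket

def resolve(hostname, port=80):
    """Return unique (family, address) pairs the name publishes, AAAA first."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    pairs = {(fam, sa[0]) for fam, _, _, _, sa in infos
             if fam in (socket.AF_INET, socket.AF_INET6)}
    return sorted(pairs, key=lambda p: (p[0] != socket.AF_INET6, p[1]))

def port_open(family, address, port=80, timeout=3.0):
    """True if a TCP connection to address:port succeeds within timeout."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True
    except OSError:          # refused, filtered, no route, no IPv6 stack
        return False

def preflight(addresses, port=80, probe=port_open):
    """Probe every published address; return (verdict, per-address results)."""
    results = [("IPv6" if fam == socket.AF_INET6 else "IPv4", addr,
                probe(fam, addr, port)) for fam, addr in addresses]
    v6 = [ok for label, _, ok in results if label == "IPv6"]
    v4 = [ok for label, _, ok in results if label == "IPv4"]
    if not results:
        verdict = "no-address"
    elif v6 and not all(v6):
        verdict = "ipv6-blocked"   # the situation found in the firewall logs
    elif v4 and not all(v4):
        verdict = "ipv4-blocked"
    else:
        verdict = "ok"
    return verdict, results

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict, results = preflight(resolve(host))
    for label, addr, ok in results:
        print(label, addr, "port 80 open" if ok else "port 80 unreachable")
    print("verdict:", verdict)
```

Run it from a machine outside your own network, since a probe from inside the LAN does not pass through the router's firewall rules.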
evil79genius
New here
Posts: 2
Joined: Thu Jul 27, 2017 6:59 am

Re: Lets Encrypt Port 80 issue

Post by evil79genius »

I've got it working, but it has not been so easy - maybe there's a different, easier way, but here are the steps I've taken:
  • Enabled QNAP web-server (leaving it at default port 8280)
  • Manually configured port forward on my router, mapping external port 80 to internal port 8280 of QNAP
  • Created /share/Web/.well-known/acme-challenge/
  • Removed /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge directory and all its contents
  • Created symlink /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge pointing to /share/Web/.well-known/acme-challenge
  • Edited /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py
    Here's a section beginning at line 691

    # fix open fail when router do not support NAT loopback
    tmp_wellknown_url = "http://localhost/.well-known/acme-challenge/{0}".format(
        http_challenge_dict['token'])
    resp = urlopen(tmp_wellknown_url)
    
    I've commented all such lines and inserted a line

    resp = urlopen(wellknown_url)
    right below the commented block
  • Requested new certificate via Control Panel > System > Security > Certificate & Private Key, specifying my own domain name.
Note: should your router not support NAT loopback, instead of commenting the lines and adding another one, it should work if you simply specify QNAP web-server port right after localhost in the tmp_wellknown_url, like this

tmp_wellknown_url = "http://localhost:8280/.well-known/acme-challenge/{0}".format(
    http_challenge_dict['token'])
Hope it helps!
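The local self-check that the post above patches (the script fetching the challenge file from localhost before the CA does), reduced to a stand-alone added example; it is not code from the original post or from QNAP's acme_tiny.py. The function names, the token and key-authorization values, and the throwaway server standing in for the NAS web server are constructed for this illustration.

```python
import functools, http.server, os, tempfile, threading
from urllib.request import ProxyHandler, build_opener

CHALLENGE_PATH = ".well-known/acme-challenge"

def write_challenge(webroot, token, key_authorization):
    """Place the challenge file where the web server will serve it."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w") as fh:
        fh.write(key_authorization)

def self_check(port, token, key_authorization, host="localhost"):
    """Fetch the challenge locally; True only if the expected body comes back."""
    url = "http://{0}:{1}/{2}/{3}".format(host, port, CHALLENGE_PATH, token)
    opener = build_opener(ProxyHandler({}))  # a local check must not use a proxy
    try:
        with opener.open(url, timeout=3) as resp:
            return resp.read().decode().strip() == key_authorization
    except OSError:  # connection refused, timeout, HTTP 404, ...
        return False

def serve(webroot):
    """Stand-in for the NAS web server: serve webroot on a free local port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Return (right port, wrong port, wrong token) self-check results."""
    token, keyauth = "constructed-token", "constructed-token.constructed-thumbprint"
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, keyauth)
        srv = serve(webroot)
        port = srv.server_address[1]
        try:
            right_port = self_check(port, token, keyauth, host="127.0.0.1")
            wrong_port = self_check(1, token, keyauth, host="127.0.0.1")  # port 1 assumed closed
            wrong_token = self_check(port, "other-token", keyauth, host="127.0.0.1")
        finally:
            srv.shutdown()
            srv.server_close()
    return right_port, wrong_port, wrong_token

if __name__ == "__main__":
    print(demo())
```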
Marc J
Getting the hang of things
Posts: 62
Joined: Wed Oct 15, 2008 1:36 am

Re: Lets Encrypt Port 80 issue

Post by Marc J »

Well, today I managed to install a Let's Encrypt cert on my QNAP relatively easily, after a few tries. I got the port 80 / DNS error at first, so I then: -

1) Enabled the web server on port 80
2) forwarded incoming port 80 traffic to the QNAP (router configs)
3) Allowed all connections (QNAP security - I had previously locked it down to local 192.168.0.x and OpenVPN 10.8.0.x IP numbers only)

That let me install the Let's Encrypt cert on my custom subdomain (e.g. location.mydomain.com) which has its own static IP.

I then undid 1,2 & 3 above as I don't usually need the web server on the QNAP, and prefer to have it only accessible to local & OpenVPN IPs.

My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?
myjablonec
New here
Posts: 4
Joined: Tue May 24, 2016 9:31 pm

Re: Lets Encrypt Port 80 issue

Post by myjablonec »

Marc J wrote:My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?
Well, my certificate expired a few days ago, so it probably won't renew automatically. But 10 days before expiration you can try clicking the "Renew" button and see what happens. Maybe because I didn't do that, my renew option didn't work (but it reported an error about port 80), but I was able to generate a new certificate without trouble. The truth is that I use the webserver, but I cannot forward ports and I have some restrictions on IPs.
kkeonline
New here
Posts: 2
Joined: Sat Nov 04, 2017 2:27 am

Re: Lets Encrypt Port 80 issue

Post by kkeonline »

Just got a qnap today and tried to install a letsencrypt certificate, but got the same problem.

The problem is not from the software, but because my ISP blocks port 80, so I have 2 options:
1. call ISP to unblock port 80, then the script will work as it should.
2. find another way to install.
I chose 2, because I also don't want to open port 80 to the public.

I followed all the above posts but none of them succeeded :(
Then I searched for how letsencrypt can issue without opening port 80, and found this post: https://community.letsencrypt.org/t/how ... 80/36192/6
whatever client you use must do one of three things to validate control over your hostname:
  • It must respond appropriately to a request for http://$HOSTNAME/.well-known/acme-challenge/...
  • It must respond appropriately (i.e., with an appropriate self-signed TLS certificate) to https://$HOSTNAME
  • It must (or, alternatively, you must manually) change your DNS records to add a specified TXT record.
So "https" is my only chance, because I cannot do anything with QNAPcloud DNS, and if http worked I would not need to find another way here.


How to install letsencrypt by validating with https on QTS4.3.x
1. ssh to qnap with your admin user
2. type these commands

ln -s /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known /home/httpd/
cd /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/
sed -ie 's/default="http"/default="https"/'  acme_tiny.py
cp acme_tiny.py acme_tiny.py.bak
3. Configure SSL through "System>Security>Certificate & Private Key" and click Replace Certificate, then select Let's Encrypt, input your qnap domain name and, if you have your own domain name, put it in alternative names.
4. Remember: if you update the QTS SSL certificate utility to a new version, you have to fix acme_tiny.py again with this command via ssh

sed -ie 's/default="http"/default="https"/'  /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py
snarf007
Starting out
Posts: 40
Joined: Sun Jan 16, 2011 6:47 am

Re: Lets Encrypt Port 80 issue

Post by snarf007 »

Again let's encrypt issues, now with renewal of the certificates.
Found how to get the native let's encrypt to work as I expected. Not the myQnapcloud, but the let's encrypt option under control panel|security|tab: Certificate & Private key (with option to add DNS aliases).

Previously port 80 and 443 were configured for the webserver for the Qnap gui (General settings). Then every time my port 80 was not responding during let's encrypt setup.
Now I've enabled the webserver (under applications) with port 80 and 443 and the admin gui on different port numbers. Result: the let's encrypt function works correctly.
Conclusion: you need to have the webserver enabled and configured on port 80/443 to have let's encrypt working.

Hope this helps others to understand the (un)logic in the setup. :)
LaUs3r
Starting out
Posts: 30
Joined: Sun Aug 06, 2017 11:24 pm

Re: Lets Encrypt Port 80 issue

Post by LaUs3r »

thx....exactly what I was looking for as it did not work for me initially.
This was the "Port 80"-issue solution for me. :-)
Cheers,
LaUs3r

Models: TVS-863+ & TVS-463
Firmware: 4.5.2.1892

*new*
Models: 2 x TS-877XU-RP, WD DC HC330 10TB
Firmware: 5.0.0.1932
katsudonvince
First post
Posts: 1
Joined: Sun Mar 11, 2018 1:43 pm

Re: Lets Encrypt Port 80 issue

Post by katsudonvince »

snarf007 wrote:Again let's encrypt issues, now with renewal of the certificates.
Found how to get the native let's encrypt to work as I expected. Not the myQnapcloud, but the let's encrypt option under control panel|security|tab: Certificate & Private key (with option to add DNS aliases).

Previously port 80 and 443 were configured for the webserver for the Qnap gui (General settings). Then every time my port 80 was not responding during let's encrypt setup.
Now I've enabled the webserver (under applications) with port 80 and 443 and the admin gui on different port numbers. Result: the let's encrypt function works correctly.
Conclusion: you need to have the webserver enabled and configured on port 80/443 to have let's encrypt working.

Hope this helps others to understand the (un)logic in the setup. :)

My certificate is expiring in 10 days and the renewal button is now live but I have the same port 80 and DNS issues as others. You said to use the different port numbers on the admin gui (general setting). What is the best port number to use please, can you give any example or range please. Thanks
jds580s
Know my way around
Posts: 206
Joined: Tue Dec 08, 2009 4:52 am

Re: Lets Encrypt Port 80 issue

Post by jds580s »

I had to make a small change to my configuration today after getting a Let’s Encrypt renewal error. Not sure if it’s related to new firmware since the last renewal, or just my specific setup.

I had force SSL enabled which I turned off, then I added a .htaccess file in the /web root with a Rewrite rule that allows http traffic to .well-known and anything else is redirected to https

After that I successfully was able to renew the cert.

Model: TVS-1282-i5-16G

- Firmware: QTS 4.5.3.1652 build 20210428
- Network: 10GbE ASUS XG-C100C card, MTU 9k
- RAID 1: [System] 2x WD Blue M.2 SSD 250GB
- RAID 6: [DATA] 5x HGST HDN728080ALE604 8TB
  - Qtier RAID 1: 2x Samsung SSD 850 EVO 500GB + 2x Samsung SSD 860 EVO 500GB
  - Cache RAID 1: 2x Samsung SSD 960 EVO 500GB NVMe M.2 in two NGFF PCIe 3.0 x4 adapter cards
Model: TS-459 Pro
- Firmware: QTS 4.2.6 build 20210327
- RAID 6: 2x HGST HDN724030ALE640 3TB, x2 Seagate ST3000VN000 3TB
- External: 4TB HGST eSATA Drive, UPS
- Network: 1 Gbps, MTU 1500
kdh1968
New here
Posts: 5
Joined: Thu Jan 04, 2018 1:47 am

Re: Lets Encrypt Port 80 issue

Post by kdh1968 »

I followed the description of katsudonvince (Tue Jun 26, 2018 11:17 pm) and it works (for me) :DD
HS-251 (FW 4.5.4.1715)
TS-228A (FW 4.5.4.1715)
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: Lets Encrypt Port 80 issue

Post by oyvindo »

This thread has been quiet for over a year now.
What has happened? Are all issues solved, or have all QNAP customers given up on trying to implement Let's Encrypt certificates?

Well, I have experimented a lot lately to try to get things working, with very mixed results. Some success, mostly failure.
The strange thing is that the Certificate&Private Key feature in the QNAP is not stable, in the sense that sometimes it works, sometimes not.
Repeating exactly the same procedure over and over again works 2-3 out of 10 times and the remaining attempts fail.
I have even been successfully able to generate a Let's Encrypt certificate with alternative names added, but only once. I could never repeat that successfully again.

The fact that this works sometimes, but fails most of the time, is quite annoying. Is this a QNAP problem or is it the Let's Encrypt service that is overloaded?

How to tell?