I was having this issue on a fresh install. The issue was that the QTS SSL Certificate app was improperly installed. Since it's part of the system, I couldn't uninstall it, either. I was able to fix it by downloading the package using the Download link on the App Center page for it, then manually installing the QPKG.
chapeaurouge wrote: Still not working for me, even with no alternative name, restoring to default and trying again.
Latest version of 4.3 at this time on an old TS412.
Lets Encrypt Port 80 issue
-
- New here
- Posts: 2
- Joined: Tue Jul 19, 2016 11:25 am
Re: Lets Encrypt Port 80 issue
-
- Starting out
- Posts: 24
- Joined: Mon Jan 02, 2017 7:22 am
Re: Lets Encrypt Port 80 issue
I was able to install the cert but I used a no-ip DDNS domain. And when I try to use https, the DDNS does not work. It only works when I'm not using https.
QNAP TS-231+ with 2 4TB HGST Deskstar NAS drives on RAID1
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: Lets Encrypt Port 80 issue
Impossible. DDNS (well, DNS A records in general) create a relation from a name to an IP address.
digiweb wrote: And when I try to use https, the DDNS does not work. It only works when I'm not using https.
-
- Starting out
- Posts: 40
- Joined: Sun Jan 16, 2011 6:47 am
Re: Lets Encrypt Port 80 issue
For me the above procedure worked to use my own domain. Only use primary domain, no alternate domain names. Hope auto renewal works, there is a button with the message can be renewed 10 days before expire.
myjablonec wrote: I just spent several hours with QNAP developers and finally have valid Let's Encrypt certificate with own domain.
The developers tried to generate the cert many times with different settings in acme_tiny.py. Here is a summary of the code, which I got from history and which worked for me to generate the cert again.
Code: Select all
cd /mnt/ext/opt/QcloudSSLCertificate
rm -rf cert/
rm -rf data/
/etc/init.d/QcloudSSLCertificate.sh restart
curl "https://s3.amazonaws.com/anry-temp-data/acme_tiny.py" -o bin/acme-tiny/acme_tiny.py
rm -rf /share/Web/.well-known
After that go to Control panel -> Security -> Certificate & private key -> first Restore to default, after that Replace certificate -> Get from Let's Encrypt -> fill domain name and email (doesn't work when I fill alternative name) -> if no error occurs, the certificate should be generated, so close the browser and reopen your NAS webgui with https.
Hope it will work for you too.
Seems a new version of acme_tiny.py does this trick? Will it be part of a next firmware release?
Thanx!
- itsmarcos
- Easy as a breeze
- Posts: 310
- Joined: Thu Sep 29, 2011 5:34 am
Re: Lets Encrypt Port 80 issue
Hit this issue today. Following the steps on this thread I was still getting the same error.
Checked my firewall logs and noticed that IPv6 access to my qnap (port 80) was (of course) blocked. After opening port 80 (only) everything worked. It looks like the letsencrypt CA is trying IPv6 first (correct) but it doesn't fallback to IPv4 if IPv6 fails. Opening 443 was not needed.
This closed ticket on Github resolves this issue at the CA.
In a nutshell, if you have IPv6 enabled on your network and you hit this error, a solution could be opening port 80 for the IPv6 address of your QNAP (possibly 443 as well).
Primary
QNAP TVS-951N [latest QTS 5.0.x]
- disk 1: WDC Red WD80EFZX
- disk 2: WDC Red WD80EFZX
- disk 6: Samsung SSD Evo 500GB, SSD Cache
- disk 7:Samsung SSD Evo 500GB, HybridMount Cache
- External disk: WDC Red WD60EFRX
Dead one
QNAP TS-253B [4.4.x] - now dead
Remote backup
QNAP TS-219 P+ [latest 4.3.x]
- disk 1: HGST Deskstar 7K3000 HDS723030ALA640 3TB
- disk 2: WDC Red WD40EFRX
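Added example, not part of any post in this thread: a Python preflight for the situation described in the post above, where the name resolves over both IPv6 and IPv4 but port 80 is open on only one of them. It assumes, as that post reports, that the validator tries the IPv6 address first; the function names, `nas.example.test` and the sample addresses are constructed for illustration.

```python
import socket


def resolve_all(host, port=80):
    """Return the host's published addresses, grouped by family (AAAA / A)."""
    found = {"IPv6": [], "IPv4": []}
    for family, label in ((socket.AF_INET6, "IPv6"), (socket.AF_INET, "IPv4")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this family
        for info in infos:
            if info[4][0] not in found[label]:
                found[label].append(info[4][0])
    return found


def tcp_open(addr, port=80, timeout=5.0):
    """True if a TCP connection to addr:port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host, resolver=resolve_all, prober=tcp_open):
    """Probe port 80 on every published address and summarise the result."""
    addrs = resolver(host)
    reachable = {a: prober(a) for fam in ("IPv6", "IPv4") for a in addrs[fam]}
    v6_ok = any(reachable[a] for a in addrs["IPv6"])
    v4_ok = any(reachable[a] for a in addrs["IPv4"])
    if not reachable:
        verdict = "fail: name has no A or AAAA record"
    elif addrs["IPv6"] and not v6_ok:
        # Assumption from the post: the validator uses the AAAA record first.
        verdict = "fail: AAAA published but port 80 closed over IPv6"
    elif not (v6_ok or v4_ok):
        verdict = "fail: port 80 closed over IPv4"
    else:
        verdict = "ok: port 80 reachable on the address family tried first"
    return {"reachable": reachable, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: AAAA and A both published, firewall only passes IPv4.
    sample = {"IPv6": ["2001:db8::10"], "IPv4": ["203.0.113.10"]}
    report = preflight("nas.example.test",
                       resolver=lambda host: sample,
                       prober=lambda addr: ":" not in addr)
    for addr, ok in report["reachable"].items():
        print(f"{addr:>15}  port 80 {'open' if ok else 'BLOCKED'}")
    print(report["verdict"])
```

Run it with the default resolver and prober from a host outside your own network that has working IPv6, since a probe from inside the LAN does not pass through the router's firewall rules.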
-
- New here
- Posts: 2
- Joined: Thu Jul 27, 2017 6:59 am
Re: Lets Encrypt Port 80 issue
I've got it working, but that's not been so easy - maybe there's a different easier way, but here's the steps I've taken:
Hope it helps!
- Enabled QNAP web-server (leaving it at default port 8280)
- Manually configured port forward on my router, mapping external port 80 to internal port 8280 of QNAP
- Created /share/Web/.well-known/acme-challenge/
- Removed /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge directory and all its contents
- Created symlink /etc/config/QcloudSSLCertificate/cert/.well-known/acme-challenge pointing to /share/Web/.well-known/acme-challenge
- Edited /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py
Here's a section beginning at line 691
Code: Select all
# fix open fail when router do not support NAT loopback
tmp_wellknown_url = "http://localhost/.well-known/acme-challenge/{0}".format(
    http_challenge_dict['token'])
resp = urlopen(tmp_wellknown_url)
I've commented all such lines and inserted a line
Code: Select all
resp = urlopen(wellknown_url)
right below the commented block
- Requested new certificate via Control Panel > System > Security > Certificate & Private Key, specifying my own domain name.
Code: Select all
tmp_wellknown_url = "http://localhost:8280/.well-known/acme-challenge/{0}".format(
-
- Getting the hang of things
- Posts: 62
- Joined: Wed Oct 15, 2008 1:36 am
Re: Lets Encrypt Port 80 issue
Well, today I managed to install a Let's Encrypt cert on my QNAP relatively easily, after a few tries. I got the port 80 / DNS error at first, so I then: -
1) Enabled the web server on port 80
2) forwarded incoming port 80 traffic to the QNAP (router configs)
3) Allowed all connections (QNAP security - I had previously locked it down to local 192.168.0.x and OpenVPN 10.8.0.x IP numbers only)
That let me install the Let's Encrypt cert on my custom subdomain (e.g. location.mydomain.com) which has its own static IP.
I then undid 1,2 & 3 above as I don't usually need the web server on the QNAP, and prefer to have it only accessible to local & OpenVPN IPs.
My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?
-
- New here
- Posts: 4
- Joined: Tue May 24, 2016 9:31 pm
Re: Lets Encrypt Port 80 issue
Well, my certificate expired a few days ago, so it probably won't renew automatically. But 10 days before expiration you can try clicking the "Renew" button and see what happens. Maybe because I didn't do that my renew option didn't work (but it reported an error about port 80), but I was able to generate a new certificate without trouble. Truth is that I use the webserver, but I cannot forward ports and I have some restrictions on IPs.
Marc J wrote: My question is this - I read somewhere that Let's Encrypt certs installed on the QNAP will auto renew. Is this true? And if so, do I need to make sure the above steps are repeated (web server enabled, port 80 forwarded, allow access to all IPs) around the time that the renewal is due (i.e. every 3 months)? Or, will it renew without issue? Or, will I need to manually renew?
-
- New here
- Posts: 2
- Joined: Sat Nov 04, 2017 2:27 am
Re: Lets Encrypt Port 80 issue
Just got a qnap today and tried to install a letsencrypt certificate, but got the same problem.
The problem is not from the software, but because my ISP is blocking port 80, so I have 2 options
1. call ISP to unblock port 80, then the script will work as it should.
2. find another way to install.
I chose 2. because I also don't want to open port 80 to public.
I followed all the above posts but none of them succeeded.
Then I searched how letsencrypt can issue without opening port 80, and found this post: https://community.letsencrypt.org/t/how ... 80/36192/6
Quote:
whatever client you use must do one of three things to validate control over your hostname:
- It must respond appropriately to a request for http://$HOSTNAME/.well-known/acme-challenge/...
- It must respond appropriately (i.e., with an appropriate self-signed TLS certificate) to https://$HOSTNAME
- It must (or, alternatively, you must manually) change your DNS records to add a specified TXT record.
So "https" is my only chance because I can not do anything with QNAPcloud DNS, and if http worked I would have no need to find another way here.
How to install letsencrypt by validating with https on QTS4.3.x
1. ssh to qnap with your admin user
2. type these commands
Code: Select all
ln -s /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known /home/httpd/
cd /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/
sed -ie 's/default="http"/default="https"/' acme_tiny.py
cp acme_tiny.py acme_tiny.py.bak
3. Configure SSL through "System>Security>Certificate & Private Key" and click Replace Certificate, then select Let's Encrypt, input your qnap domain name and if you have your own domain name put it in alternative names.
4. **remember if you update the QTS SSL certificate utility to a new version, you have to fix the acme_tiny.py again with this command via ssh
Code: Select all
sed -ie 's/default="http"/default="https"/' /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py
-
- Starting out
- Posts: 40
- Joined: Sun Jan 16, 2011 6:47 am
Re: Lets Encrypt Port 80 issue
Again let's encrypt issues, now with renewal of the certificates.
Found how to get the native let's encrypt work as I expected. Not the myQnapcloud, but the let's encrypt option under control panel|security|tab: Certificate & Private key (with option to add DNS aliases).
Previously port 80 and 443 were configured for the webserver for the Qnap gui (General settings). Then every time my port 80 was not responding during let's encrypt setup.
Now I've enabled the webserver (under applications) with port 80 and 443 and the admin gui on different port numbers. Result: the let's encrypt function works correctly.
Conclusion: you need to have the webserver enabled and configured on port 80/443 to have let's encrypt working.
Hope this helps others to understand the (un)logic in the setup.
-
- Starting out
- Posts: 30
- Joined: Sun Aug 06, 2017 11:24 pm
Re: Lets Encrypt Port 80 issue
thx....exactly what I was looking for as it did not work for me initially.
This was the "Port 80"-issue solution for me.
Cheers,
LaUs3r
Models: TVS-863+ & TVS-463
Firmware: 4.5.2.1892
*new*
Models: 2 x TS-877XU-RP, WD DC HC330 10TB
Firmware: 5.0.0.1932
-
- First post
- Posts: 1
- Joined: Sun Mar 11, 2018 1:43 pm
Re: Lets Encrypt Port 80 issue
snarf007 wrote: Again let's encrypt issues, now with renewal of the certificates.
Found how to get the native let's encrypt work as I expected. Not the myQnapcloud, but the let's encrypt option under control panel|security|tab: Certificate & Private key (with option to add DNS aliases).
Previously port 80 and 443 were configured for the webserver for the Qnap gui (General settings). Then every time my port 80 was not responding during let's encrypt setup.
Now I've enabled the webserver (under applications) with port 80 and 443 and the admin gui on different port numbers. Result: the let's encrypt function works correctly.
Conclusion: you need to have the webserver enabled and configured on port 80/443 to have let's encrypt working.
Hope this helps others to understand the (un)logic in the setup.
My certificate is expiring in 10 days and the renewal button is now live but I have the same port 80 and DNS issues as others. You said to use the different port numbers on the admin gui (general setting). What is the best port number to use please, can you give any example or range please. Thanks
- jds580s
- Know my way around
- Posts: 206
- Joined: Tue Dec 08, 2009 4:52 am
Re: Lets Encrypt Port 80 issue
I had to make a small change to my configuration today after getting a Let’s Encrypt renewal error. Not sure if it’s related to New firmware since the last renewal, or just my specific setup.
I had force SSL enabled which I turned off, then I added a .htaccess file in the /web root with a Rewrite rule that allows http traffic to .well-known and anything else is redirected to https
After that I successfully was able to renew the cert.
Model: TVS-1282-i5-16G
- Firmware: QTS 4.5.3.1652 build 20210428
- Network: 10GbE ASUS XG-C100C card, MTU 9k
- RAID 1: [System] 2x WD Blue M.2 SSD 250GB
- RAID 6: [DATA] 5x HGST HDN728080ALE604 8TB
  - Qtier RAID 1: 2x Samsung SSD 850 EVO 500GB + 2x Samsung SSD 860 EVO 500GB
  - Cache RAID 1: 2x Samsung SSD 960 EVO 500GB NVMe M.2 in two NGFF PCIe 3.0 x4 adapter cards
Model: TS-459 Pro
- Firmware: QTS 4.2.6 build 20210327
- RAID 6: 2x HGST HDN724030ALE640 3TB, x2 Seagate ST3000VN000 3TB
- External: 4TB HGST eSATA Drive, UPS
- Network: 1 Gbps, MTU 1500
- kdh1968
- New here
- Posts: 5
- Joined: Thu Jan 04, 2018 1:47 am
Re: Lets Encrypt Port 80 issue
I followed the description of katsudonvince (Tue Jun 26, 2018 11:17 pm) and it works (for me)
HS-251 (FW 4.5.4.1715)
TS-228A (FW 4.5.4.1715)
TS-228A (FW 4.5.4.1715)
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: Lets Encrypt Port 80 issue
This thread has been quiet for over a year now.
What has happened? Are all issues solved, or have all QNAP customers given up on trying to implement Let's Encrypt certificates?
Well, I have experimented a lot lately to try to get things working, with very mixed results. Some success, mostly failure.
The strange thing is that the Certificate&Private Key feature in the QNAP is not stable, in the sense that sometimes it works, sometimes not.
Repeating exactly the same procedure over and over again works 2-3 out of 10 times and the remaining attempts fail.
I have even been successfully able to generate a Let's Encrypt certificate with alternative names added, but only once. I could never repeat that successfully again.
The fact that this works sometimes, but fails most of the time, is quite annoying. Is this a QNAP problem or is it the Let's Encrypt service that is overloaded?
How to tell?