IT Takeover: Let's Encrypt on NAS / O365 DNS hosted Domain


#1

Please fill out the fields below so we can help you better.

My domain is: bioversys.com / share.bioversys.com

I ran this command: N/A

It produced this output: N/A

My operating system is (include version): QNAP

My web server is (include version): N/A

My hosting provider, if applicable, is: Microsoft O365

I can login to a root shell on my machine (yes or no, or I don’t know): N/A

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

Hello Let's Encrypt,
Last week we took over a customer with the following setup using Let's Encrypt. Sadly, it is not clear to me how Let's Encrypt works, and the certificate will already run out in 14 days.

Goal: Renew the certificate from the customer's NAS.

Setup: External users access the QNAP NAS using the address: share.bioversys.com.
The NAS uses the Let's Encrypt certificate which needs to be refreshed.
The DNS service is being provided by Microsoft O365.
The hoster used is currently unknown to me. I will need to check with the customer if required.

If I understand correctly, I can perform the tasks either with or without shell access to the domain hosting. But as the NAS (share.bioversys.com) is using the Let's Encrypt certificate and not a homepage, I am a bit unsure what the procedure is.

Would be great if someone can understand my situation. Thanks


#2

hi baselnetgroup

There are a couple of ways of going about this.

A) The previous user may have installed the certificate manually. Check the QNAP interface and see if there is an option to install an SSL certificate.

B) A lot of these NAS boxes run Linux of some sort. Whether or not the control panel allows for automatic renewal of certificates is something you need to investigate.

C) Most Linux servers install a client such as certbot to take care of the automatic renewal. This may not be possible in your case.

Steps I would take

A) Use a client such as ZeroSSL or HTTPSforFree to set up an account and allow you to complete registration and proof of ownership.

B) Once you have the certificate, install it on your NAS box.

C) Evaluate options such as installing a client to automatically renew the certificate.

D) Evaluate whether or not you need a public certificate at all. If the NAS is behind a web server or something else, you may not need a public CA (Let's Encrypt) to issue certificates.


#3

A above) Once you have a LE certificate (it can be prepared on a different server), you can easily install it on the QNAP via the web interface. However, it is a manual copy/paste operation and would have to be repeated every 60 or 70 days.

I don’t think you will have much joy using “certbot” to automate the whole process on the QNAP because the QNAP way of doing things is quite unusual, with non-standard folder layouts, etc.

However, I run the excellent bash script “getssl” via a crontab and find it to be very reliable once set up.


#4

Hi guys,

I used this guide: https://certbot.eff.org/#centosrhel7-other
While trying to create the certificate I receive the following message:

sudo certbot certonly --standalone -d share.bioversys.com

Failed authorization procedure. share.bioverssys.com (tls-sni-01): urn:acme:error:unauthorized :: The Client lacks sufficient authorization :: Incorrect Validation certificate for TLS-SNI-01 challenge. Requested .acme.invalid from 195.65.42.21:443. Received certificate containing ‘share.bioversys.com

My guess is that I get this error because the certificate already exists, or because I can't verify my ownership of the domain? Any tips?
I have searched for the error message, but so far they are all running a web server, which isn't the case for me.


#5

Damn, just read your point, grb43…
I’ll try a different approach. Oops.

