Let's Encrypt NAS Port 80 Blocked


#1

Hi,

I’ve tried let’s encrypt before with my NAS, which has the interface to pull it without doing anything in the command line or too technical. I never got it to work because port 80 was blocked by my ISP and this is the port designated by my NAS to pull the certs. I tried other options but ultimately gave up.

Well, fast-forward. I had the brilliant idea of trying this again with a VPN! My VPN is not strict like my ISP, and well, since my bits go through the VPN now primarily, I can open port 80 on the VPN. So I gave it a shot. The loading icon had me waiting for at least a minute and then bam! Cert populates. It took two minutes for it to work via the web but now it’s completely legit! I have the green lock! I’m so happy, you have no idea.

A couple questions: do I need to keep port 80 open constantly on my VPN for the certificate to work? Or do I only need it open when I pull the cert from let’s encrypt through my NAS UI? In the latter case I’d have to open port and do this every 90 days…maybe I should try to automate.

Anyway, just posting it for those questions and also to anyone who has a blocked port by ISP, a VPN is a workaround.

Edit: now that I official have a cert through let’s encrypt. Does that mean all internet traffic between my NAS and a client are now encrypted (similar to SFTP?) ? Someone told me before SSL is useless…wasn’t sure how they were saying this. Encrypted content is better than naked content, no?


#2

[quote=“encrypter, post:1, topic:32497”]
I’m so happy, you have no idea.[/quote]

Good thinking! I’m glad it worked for you.

No, port 80 is only needed when performing the validation for certificate issuance. Unless you choose to use OCSP stapling, you wouldn’t need to communicate with the CA at all during the lifetime of the certificate.

By the way, port 80 isn’t the only option for validation (there are also methods that use port 443 or DNS records), but perhaps it’s the only option directly supported by your NAS.

Thanks for sharing the idea; it’s a nice one.

Having a certificate doesn’t cause traffic to become encrypted. You need to use encrypted protocols for that. For some of those protocols, like HTTPS, the certificate should be presented in the course of the protocol to authenticate the fact that you have a direct encrypted connection to the server.

You should check which protocols the NAS is using when talking to the client. For example, if the client is a web browser, and you’re using HTTPS, that should be fine; on the other hand, if you’re using SMB, NFS, or FTP, probably not fine. :slight_smile:


#3

I hope it helps someone who was struggling like I was!

Both ports were blocked for me :frowning:. I tried some others but ran into issues with verifying ownership of the DNS on the NAS since it gives me one through their branding. I’m not sure what OCSP is but I’ll look it up. I don’t mind doing this every 90 days until I find a way to automate.

This makes sense. Well from a browser prospective it uses HTTPS protocol like you said, which verifies my certificate. So any browser bits moving between my NAS and a client via the internet should be encrypted, correct (sorry, I like to clarify)? Let’s say it’s an app: if the app has options to verify certificate of the NAS and also use HTTPS that would be encrypted also since it’s using HTTPS protocol.

I only use SMD for LAN purposes. People use that outside of LAN? Also never have used NFS. I wouldn’t use FTP since I’m concerned with encryption. Does SFTP on the otherhand use a certificate like HTTPS does to validate? In that case would it use my let’s encrypt certificate or do I have to generate a self-signed one specifically for SFTP. This might be outside the scope of topic, if so I apologize.


#4

I guess getting the cert doesn’t magically encrypt like you said, it depends on your protocol. But the cert allows you to ensure you’re communicating with the appropriate party? I should read more on the point of the cert…I want to understand.

Edit: this looks like a good place to start: https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work#20833


#5

See also


#6

I’ve heard of man in the middle before. I feel good (understanding) after reading the link I posted above.


#7

Hey schoen,

When my 90 days expire, so I just simply do the same thing again through my NAS? In that case, what happens if I don’t renew? The cert just returns “expired?” Can I renew on the 90th day or I have to wait one day after?

Say it expires tomorrow, April 21. Do I have to wait until April 22 to request a new cert or can I do it on April 21? Lastly, can I add some alternative domains even though I didn’t add them the first time around?


#8

[quote=“encrypter, post:7, topic:32497”]
When my 90 days expire, so I just simply do the same thing again through my NAS?[/quote]

Right. Hopefully someday your NAS will have software support that could make this automatic.

You can renew at any time (but if you renew more than a few times per week, you’ll be blocked by a rate limit). We normally recommend renewing 30 days before your certificate will expire. Your certificate doesn’t have to be expired to renew. Overlapping validity of certificates is no problem.

That’s also no problem.


#9

We can only be hopeful. But until then, it’s okay :slight_smile:

Why do you recommend 30 days prior? So once I renew I can delete the old certificate and change default to the new? Sorry for all the newbie questions, just want to be sure. Thanks for all your input, schoen.


#10

So that if something goes wrong, either technically or organizationally, you still have a reasonable chance to avoid an outage due to an expired certificate.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.