Made a mistake when creating cert

Hello,

I am really inexperienced, please bear with me.

I have a SYNOLOGY NAS with the latest DSM version.

I went to create a new certificate for my NAS, but I made a mistake and left the “subject alternative name” empty.

The certificate I got works great over the internet, but of course I get errors when I access my NAS from my local network.

How can I edit or get a new certificate (it's limited to one per email, I believe) with this mistake corrected?

Thanks in advance.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cl4p-tp.qwerty-soluciones.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): n/a

The operating system my web server runs on is (include version): n/a

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DSM 6.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): n/a

1 Like

Hi @zanda

That's a publicly visible, worldwide unique domain name, so you can create a certificate with that name.

How do you connect to your NAS from your local network?

If you use a domain name that's only a local name, you can't create a certificate.

But checking your domain name, there is no certificate with that domain - https://check-your-website.server-daten.de/?q=cl4p-tp.qwerty-soluciones.com#ct-logs

Same when checking your main domain: there are only the www and mail subdomains.

Hello.

I made the cert today; maybe that's why it's not showing up (yet?) on your page.

www and the rest are certs for my web server and subdomains; they are unrelated to what I am trying to do at home, although the domain qwerty-soluciones.com of course is the same.

I am doing some tests at home now because I want to implement secured VPN connections at some customers in the coming month.

Using cl4p-tp.qwerty-soluciones.com to connect with OpenVPN works fine; the certificate is accepted and valid.

But once I am connected to the VPN, or if I try it locally, it doesn't work.
Sadly, not all internet routers support NAT loopback, so instead of connecting to cl4p-tp.qwerty-soluciones.com, from the LAN I connect to either cl4p-tp.local or just cl4p-tp.

But then the certificate isn't valid.

I hoped I could get a certificate that was valid both for cl4p-tp.qwerty-soluciones.com and at the same time for cl4p-tp.local.

That can't work. cl4p-tp.local doesn't end with a public suffix, and cl4p-tp isn't a domain name.

So what you want is impossible.

Create an exception in your browser if you want to use one of these domain names.

Often, in OpenVPN configuration, there is a field where you specify which root certificate to trust. It seems likely based on what @JuergenAuer posted that you didn't create a Let's Encrypt certificate, but created a self-signed one, and then configured OpenVPN to trust it. That would allow OpenVPN to work, but it would mean things don't work in your browser.

I hope this dissipates any doubt that I did, in fact, generate a proper Let's Encrypt certificate:

1 Like

Hi @zanda, I can see the problem you describe, but as @JuergenAuer mentioned, Let’s Encrypt is not allowed to issue certificates that cover non-unique names such as .local names.

There are various options. One interesting one might be to create another DNS entry for cl4p-tp2.qwerty-soluciones.com pointing to the same host, and then add that as an alternate name on the certificate. You could then put an entry in your own computer’s hosts or hosts.txt file pointing this to the local IP address.

2 Likes
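The two points made above (a public CA cannot put cl4p-tp.local or a single-label name like cl4p-tp on a certificate, and a second public name such as cl4p-tp2.qwerty-soluciones.com that resolves to the LAN address would be accepted) can be checked without touching the NAS. The following Python is an added example, not code from this thread, from Synology or from Let's Encrypt. The SAN lists and the hostnames it tries are constructed from the names in the thread, and `is_publicly_issuable` is a deliberately simplified approximation of the CA/Browser Forum "no internal names" rule (it rejects single-label names, IP literals and a handful of reserved suffixes) rather than a full Public Suffix List lookup. The matcher follows the RFC 6125 rules browsers apply: subject alternative names only, exact match or a wildcard in the leftmost label that covers exactly one label.

```python
import ipaddress
import re

# Constructed example data: the single SAN the NAS certificate was issued with
# (the "subject alternative name" field was left empty, so only the main name is
# present) and the corrected form with a second public name added.
ISSUED_SANS = ["cl4p-tp.qwerty-soluciones.com"]
FIXED_SANS = ["cl4p-tp.qwerty-soluciones.com", "cl4p-tp2.qwerty-soluciones.com"]

# Hostnames the poster tried from the internet, the LAN and the VPN.
TRIED_NAMES = [
    "cl4p-tp.qwerty-soluciones.com",
    "cl4p-tp.local",
    "cl4p-tp",
    "cl4p-tp2.qwerty-soluciones.com",
]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Suffixes a public CA will never certify. Assumption: this short list stands in
# for the real Public Suffix List / ICANN reserved-name check.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "lan", "home", "corp"}


def is_publicly_issuable(name: str) -> bool:
    """Approximate the rule that a public CA only issues for fully qualified
    names under a public suffix. Rejects IP literals, single-label hostnames,
    reserved suffixes and syntactically invalid labels."""
    name = name.lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
        return False  # IP address SANs are out of scope for this check
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2:
        return False  # "cl4p-tp" is not a domain name
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return False  # ".local" and friends are not unique on the internet
    return all(LABEL_RE.match(label) for label in labels)


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one dNSName SAN against a hostname.
    A wildcard is only honoured in the leftmost label, must have at least two
    labels after it, and matches exactly one label (no sub-subdomains)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """True if any SAN on the certificate matches the hostname the client typed.
    Browsers ignore the CN field, so only the SAN list is consulted."""
    return any(san_matches(san, hostname) for san in sans)


def check_names(sans, names):
    """For each name the client might use, report whether a public CA could
    issue for it at all and whether this certificate would be accepted for it."""
    return {
        name: {
            "issuable": is_publicly_issuable(name),
            "covered": cert_covers(sans, name),
        }
        for name in names
    }


if __name__ == "__main__":
    for title, sans in (("as issued", ISSUED_SANS), ("with second name", FIXED_SANS)):
        print(f"certificate {title}: SAN = {sans}")
        for name, result in check_names(sans, TRIED_NAMES).items():
            print(f"  {name:32} issuable={result['issuable']!s:5} covered={result['covered']}")
```

Running it shows the situation in the thread: cl4p-tp.local and cl4p-tp are neither issuable nor covered, while cl4p-tp2.qwerty-soluciones.com becomes covered only once it is added as a SAN. The second name still has to resolve to the LAN address on the inside, which is the split-horizon DNS step rather than anything the certificate can do.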

Thanks for your answers.
Editing hosts is not plausible. As I mentioned before, I am doing some tests now in order to deploy this to customers later. I can't go to 150 laptops and edit their hosts file.

But I think I can solve this by tinkering with our DNS servers so they all resolve ournas.ourdomain.com, regardless of whether the clients are on the internet, the local LAN or the VPN.

Thanks for all your help :)

2 Likes
