Self-signed or LE

Hi,

I had a problem with issuing and renewing LE certificates automatically with my QNAP NAS. QNAP has a dedicated section in the settings to issue, download, install and renew Let's Encrypt certificates. It used to work like a charm, but now it seems like it fails in the process and it actually breaks any way to use https to connect to the server.

I wonder what's the benefit (in my case) of having a LE certificate instead of a self-signed certificate. Installing self-signed certs can be done instantly and is super easy (literally, one click).
It's a small private server. Only 4 or 5 users have access. All of them close to me.

Should I go to the trouble of digging deeper and trying to find what the QNAP LE "tool" breaks, or shall I install the self-signed certificate and roll with it (at least until they fix the "tool")?

Thx!! :slight_smile:

1 Like

If you aren't seeing any adverse effects from using the self-signed cert, there really isn't any reason to do anything else. Browsers will gripe (even if you bypass the cert warning, you'll usually get some kind of "warning" or indication that you've added a security exception), but if that doesn't bother you or your users, and you're fine with installing the cert on your users' machines, I don't really see a major benefit to the LE cert.

7 Likes

Thx! Will try a self-signed certificate :slight_smile:

When you say this:

What do you mean? On the client machines, all it takes is to "trust" the self-signed certificate (add it to exceptions in the browser...), right? Or do I have to manually install something :o?

Since we are here, with exceptions, do you know if there is a way of being reassured that the connection is actually encrypted? In Firefox, if you pull the thread and go to technical details... you can see that the connection is encrypted. But I can't see that info when using Chromium. Do you know if it is possible to see it?

1 Like

If you trust a self-signed cert, it will work from there, but it will persistently give you a warning about the cert. If you use a local CA, as I do, you can install that CA cert on the client machines, and then not get cert warnings. But that's somewhat more involved infrastructure.

Well, the fact that it's https at all should demonstrate that; AFAIK there's no way to do https with no encryption at all. But I don't see a way to directly show that in Chrome.

9 Likes

If TLS is involved (i.e.: https://) the connection is encrypted.

That said, if the key exchange between client and server is RSA, the holder of the private key can decrypt the connection. Well, in theory that's also true for any connection if you have access to the server. So "encrypted" only goes so far.

2 Likes

NULL encryption - LOL
See: Null encryption - Wikipedia

And RFC 2410 - The NULL Encryption Algorithm and Its Use With IPsec
"NULL provides the means for ESP to provide authentication and integrity without confidentiality."

6 Likes

Yes, that's right. There are also aNULL modes with encryption but without authentication (i.e. no certs).

Though in a browser context those modes are not implemented for obvious reasons.

4 Likes
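An added example, not written by any poster in this thread: a way to check from outside the browser what the posts above discuss, by reading the negotiated cipher suite and classifying it for NULL encryption, anonymous (aNULL) key exchange and static-RSA key exchange. The prefix rules are a heuristic over OpenSSL-style suite names, and the `classify` and `inspect` names are assumptions of this example.

```python
import socket
import ssl

# Heuristic over OpenSSL-style suite names (assumption: names as reported by
# Python's ssl module); not an exhaustive registry of cipher suites.
EPHEMERAL = ("ECDHE-", "DHE-", "ADH-", "AECDH-")
ANONYMOUS = ("ADH-", "AECDH-")
OTHER_KX = ("PSK-", "RSA-PSK-", "SRP-")


def classify(cipher_name, version):
    """Say what a negotiated suite provides: encryption, auth, forward secrecy."""
    if version == "TLSv1.3" or cipher_name.startswith(EPHEMERAL):
        kx = "ephemeral (EC)DHE"  # TLS 1.3 full handshakes are always (EC)DHE
    elif cipher_name.startswith(OTHER_KX):
        kx = "PSK/SRP"
    else:
        kx = "static RSA"  # holder of the server key can decrypt recorded traffic
    return {
        "encrypted": "NULL" not in cipher_name.split("-"),
        "authenticated": not cipher_name.startswith(ANONYMOUS),
        "forward_secret": kx == "ephemeral (EC)DHE",
        "key_exchange": kx,
    }


def inspect(host, port=443, timeout=5.0):
    """Connect to a server and classify the suite that was negotiated.

    Certificate verification is off so a self-signed cert does not abort the
    handshake; this reports encryption parameters only, not server identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return name, bits, classify(name, tls.version())


if __name__ == "__main__":
    # Constructed (suite name, TLS version) pairs, not captured from a server.
    samples = [("TLS_AES_256_GCM_SHA384", "TLSv1.3"), ("AES256-SHA", "TLSv1.2"),
               ("NULL-SHA", "TLSv1.2"), ("ADH-AES128-SHA", "TLSv1.2")]
    for name, version in samples:
        print(name, version, classify(name, version))
```

To check a real server, call `inspect()` with the host name or address of the NAS from a machine on the same network.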

I'll look into installing the certificate on the local machines. To do so, just download the certificate itself and import it to the Windows certificate store (where)? Tried, but the warning still appears in the browser.