SSL is verified on new iPhone but SSL is expired on my other devices | Clear SSL cache possible?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://pacmannas.myqnapcloud.com

I ran this command: updated FW on QNAP NAS to install renewed SSL cert

It produced this output: received new iPhone and can visit domain without having to first trust

My web server is (include version): QNAP FW 4.3.6.1831

The operating system my web server runs on is (include version): QNAP FW 4.3.6.1831

My hosting provider, if applicable, is: myqnapcloud.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I created the following thread a month ago seeking help when I couldn't renew my cert on my QNAP:

However after a recent FW update, I was able to renew the certificate on my QNAP NAS. Unfortunately, on the devices that had shown that the cert is expired, it continues to say it's expired. Upon receiving my new iPhone, I was able to visit the site without having been required to trust the site.

This is especially cumbersome for me because the domain is used to connect to my self-hosted RSS server. The apps that I use, Reeder & Unread, both do not have the option to accept self-signed SSL, so they don't connect to the server. But these apps work fine on my new iPhone because the SSL is stated to not be expired.

Is there a way to clear the cache on my other devices so that I can get my apps to properly function again as they currently do on my iPhone?

Thanks!!
-A


edit: this is what I see on my Unread app:

The error message just says the cert is not valid - not that it is expired.

The reason is that your NAS is sending just a "leaf" certificate. It should send the leaf along with the intermediate chain. I do not know how you configure this on your QNAP. Browsers often make up their own chain, which is why it works on your phone. Other clients may not, or may do it poorly, so it is best if you send the whole chain, not just the leaf.

You can use this site to see your cert chain
https://decoder.link/sslchecker/pacmannas.myqnapcloud.com/443

And, compare it to a working site like this one:
https://decoder.link/sslchecker/community.letsencrypt.org/443

And, note, I did not see a self-signed cert - it was a valid Let's Encrypt cert issued on Nov 2.

2 Likes

I, too, only see a leaf:
SSL Server Test: pacmannas.myqnapcloud.com (Powered by Qualys SSL Labs)

```
echo | openssl s_client -connect pacmannas.myqnapcloud.com:443 | head
depth=0 CN = pacmannas.myqnapcloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = pacmannas.myqnapcloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000005)
DONE
---
Certificate chain
 0 s:CN = pacmannas.myqnapcloud.com
   i:C = US, O = Let's Encrypt, CN = R3
---
```
1 Like
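Added example, not part of either reply above: a small filter that reads `openssl s_client` text and reports whether the server sent only a leaf or a linked chain, which is the difference the two replies point out. The helper name `chain_report`, both sample inputs, and the root name in the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. chain_report is a hypothetical helper: pipe it the text from
#   echo | openssl s_client -connect pacmannas.myqnapcloud.com:443 2>&1
chain_report() {
  awk '
    /^verify error:num=/ { split($0, f, /[=:]/); errs = errs (errs ? "," : "") f[3] }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/ { sub(/^ *i:/, ""); iss[n] = $0 }
    END {
      if (n == 0) verdict = "no-chain"
      else if (n == 1 && subj[1] == iss[1]) verdict = "self-signed"
      else if (n == 1) verdict = "leaf-only"
      else {
        verdict = "chain-sent"
        for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) verdict = "chain-misordered"
      }
      printf "%s certs=%d errors=%s\n", verdict, n, (errs ? errs : "none")
    }'
}

# Constructed sample modelled on the leaf-only output posted above.
sample_leaf_only() {
cat <<'EOF'
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = pacmannas.myqnapcloud.com
   i:C = US, O = Let's Encrypt, CN = R3
---
EOF
}

# Constructed sample: leaf plus the R3 intermediate; the root name is a placeholder.
sample_full_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = pacmannas.myqnapcloud.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:CN = Placeholder Root
---
EOF
}
sample_leaf_only | chain_report
sample_full_chain | chain_report
```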

Thank you @MikeMcQ and @rg305 for the feedback.

I only mentioned "self-signed" as if to bypass the current issue of the cert being invalid by forcing the app to accept the cert. Unfortunately, there is no option for that available for either of the apps that I am using to access the site which is the URL to the server on my NAS. Both of these apps require SSL to be used to access the RSS server that I have self-hosted.

Why I initially said it expired is because of how I'm seeing it based on the following screenshot:

Now I don't know how to address this based on what you have provided me. That it is a "leaf" I don't understand, and how to get the whole chain to be sent is something that I have tried to research and find out. All that I did to install the certificate was essentially push a button on my QNAP NAS to get it installed. I've also included my logs below the screenshot.


If you or anyone else has further feedback, I'd greatly appreciate it!!

Please show "More Details":


Sorry that wasn't as useful as I had hoped it would be :frowning:

3 Likes

What are these other devices you need to have working?

I looked at the qnap forum and there are posts going back to 2012 showing how to manually edit the certs in qnap so it sends the whole chain (leaf and intermediates). So, it does not seem qnap has prioritized making this easy.

Maybe looking at these failing devices might suggest a different solution.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.