Synology NAS using LE as a CA Signing Authority?


#1

Hi
I was searching a Synology community forum to see if they would include LE in their CA signing settings and came across this post: http://forum.synology.com/enu/viewtopic.php?f=3&t=93279
One user recommended not using LE due to security concerns. Here is the excerpt from that post (can someone reply to this concern please?):
"Re: Simplify https Setup (letsencrypt.org)

Post by mhjort » Sun Jan 11, 2015 5:51 pm

I don’t like the idea of having another company handling my certificate and having access to my server, where they are able to install the certificate and revoke it, and what else?
Also, according to the site, nothing has to be validated? Then how secure is it?

An SSL certificate is pretty cheap these days (around $5 / year), and installing it on a Synology box can be done in 2 min.
https://www.synology.com/en-us/knowledg … orials/611

But then again, this might be handy for some. It’s not something I would use, though."


#2

I think the poster’s concern is about running software from Let’s Encrypt on the NAS itself. As a Synology owner myself, I hope that they implement the ACME protocol directly in the Synology OS so that it “just works” without having to add software.

Anyway, if you want a certificate for the Synology NAS, you can do so using the Let’s Encrypt client in manual mode. Mine is actually doing that right now. I don’t have time presently to write up a tutorial, but when we get closer to launch I’ll put one together if someone doesn’t beat me to it!


#3

Ok, thanks jcjones. Do you know if there are plans to approach companies like Synology to do just what you stated in regards to the ACME protocol being part of the Synology NAS OS? If not, can this be requested? I can start a support request on the Synology side and get others to do that as well via the Synology community.


#4

We welcome anyone to implement ACME and make certificate management easy for themselves or their customers. I think a community response from their customers requesting the feature is the most scalable way to take action. Thanks!


#5

I’m not entirely sure what the actual concern is here. You don’t give anyone access to your server. All you’re doing is running software that automatically requests new certificates when they are needed.

There is some automation to install those new certificates when they are received, but that shouldn’t be any ADDITIONAL concern. By definition you have to trust all trusted certificate authorities. Any single one of them can make certificates for any domain. Now that the intermediate certificates are cross-signed, this already goes for LE as well. There is lots wrong with a system that inherently trusts a large list of CAs, and LE is not going to fix that. But it will make it much easier to get domain validation and encryption running on all servers.

“Nothing has to be validated” seems like a very generic claim. This is not true. When a certificate is requested for a certain domain, LE asks the requester to put a file on that domain for verification of control of the domain. This is done by the software running on your server. That way LE knows you are requesting a cert for a domain you have control over, and the new cert is made and issued. The software on your server then updates the certs on your server with the new one.

In short, all it does is automate the steps you would have done manually.

Maybe the concern is that a perfectly good cert is automatically replaced with one that somehow doesn’t work? I don’t really know. And this seems highly unlikely.

And if you don’t trust LE… well, tough, your browser now does. So unless you dig in there and remove CAs from that trusted list, any certificate issued for any domain by LE will be trusted by your browser and everyone else’s.


#6

Hey J.C. Jones can you please elaborate on how you can get a certificate for the Synology NAS with the LE client?

I also own a Synology NAS and requested LE beta access for the melo.myds.me domain.
I got the invite yesterday, but I can’t figure out how to run the LE client in manual mode. Actually I cannot run it on the NAS at all, and trying to run it on my desktop (e.g. with ./letsencrypt-auto -d melo.myds.me auth) gives me this error:

Failed authorization procedure. melo.myds.me (dvsni): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge

I am quite new to this, never requested a certificate for a domain, since I did never own a domain and I am sure I am missing something and do not understand the entire picture yet, so any advice is much appreciated!

Thanks in advance =)


#7

For your NAS you’ll probably need to use Manual mode, until Synology supports ACME directly. In Manual mode, you will get a file to place on your NAS’s web server function that is the “challenge response.”

(I’m not sure if there’s a walkthrough for Manual mode yet, but that’d be a great blog for someone to write!)


#8

I truly think there should be some manual/walkthrough for manual mode, because not everyone has Apache and/or nginx on Linux; there is Windows, NAS boxes, non-web servers (an email server, for example), etc.


#9

Hi, if somebody could help me to get the certificate up and running on my Synology it would be great. I have no clue how to get it done.


#10

This is not simple, as the Synology box won’t support running the client directly.

A workaround, which worked for me, was to run the client on a different machine using
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual
In a second console, using ssh root@synology-box, you need to create the /volume1/web/.well-known/acme-challenge folder for the challenge in your webroot. The manual installer will ask you to place two files there; press Enter after each step.

Note that the first time I was asked to make files with a different content header. This can be done with vi /volume1/web/.well-known/acme-challenge/.htaccess with the content (each directive on its own line, as Apache’s config parser requires)
<Files "*">
ForceType 'application/jose+json'
</Files>
The second time I tried it, both files to be placed were text/plain, which didn’t require any changes and was much simpler.


#11

Hi,

Would it be possible for you to jot down some additional steps you took to get to a working authentication on your NAS? I tried running a manual request from my Ubuntu machine and to follow the steps the manual process describes, but I can’t get it to work.

Thanks!


#12

Which part are you struggling with specifically: Installing the certificates after you received them, or getting the certificate issued in the first place? Also appropriate error messages might help? Thanks.


#13

Hi everyone,

I am also interested in how to implement a LE cert with my Syno :slight_smile:

Thank you for your help !


#14

Thanks for the reply. I found that I should first solve issues with redirecting my domain name to my Synology’s dynamic hostname, as I do not have a static IP address. Therefore it makes sense I can pass the first step of the manual LE client config to put the response file in place. This will take a couple of days, depending on whether I can get my hosting provider to cooperate. I have requested some subdomains as part of the LE beta program as well, where I can more easily redirect and use mod_rewrite on the NAS side if needed. Will report back if I manage to progress a bit.


#15

You can follow the steps below to use the Let’s Encrypt CA on a Synology NAS.

  1. Join the Let’s Encrypt beta: type in your domain name and e-mail address at
    https://docs.google.com/forms/d/15Ucm4A20y2rf9gySCTXD6yoLG6Tba7AwYgglV7CKHmM/viewform?edit_requested=true

  2. Wait about one day; you will get a mail from Let’s Encrypt. It means your domain is already on the Let’s Encrypt server’s whitelist.

  3. Log in to your Synology, then create the folders (.well-known/acme-challenge) in the “web” shared folder.
    e.g. web/.well-known/acme-challenge
    note: you have to enable the Web Station service and make sure the Let’s Encrypt server can access your NAS on port 80.

  4. Use Ubuntu 14.04.1, open a terminal, then type
    $ git clone https://github.com/letsencrypt/letsencrypt
    $ cd letsencrypt
    $ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual

  5. Type your domain name and agree that your IP will be saved.
    e.g. test.synology.me

  6. You will get some information:
    ++++++++++
    Make sure your web server displays the following content at
    http://test.synology.me/.well-known/acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is before continuing:

    aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg

    Content-Type header MUST be set to text/plain.
    ++++++++++

  7. Create a file in the NAS acme-challenge folder.
    e.g. /acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is
    note1: you can create the file on Ubuntu, then upload it to the Synology NAS with File Station
    note2: the file content is “aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg” from the information above
    note3: make sure the file encoding format is UTF-8. You can check or change the format with the Synology text editor in File Station.

  8. After finishing step 7, press the Enter key in the Ubuntu terminal. You will get the CA files at the path below on Ubuntu:
    /etc/letsencrypt/archive/test.synology.me

  9. Copy the files below out of the step 8 path:
    cert1.pem
    chain1.pem
    fullchain1.pem
    privkey1.pem

  10. Import privkey1.pem, cert1.pem and chain1.pem into the Synology NAS certificate settings.
    Control Panel > Security > Certificate > “Import certificate”
    Private key = privkey1.pem
    Certificate = cert1.pem
    Intermediate certificate = chain1.pem

  11. Enjoy Let’s Encrypt :slight_smile:
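The validation that #5 describes and the manual step-by-step above (and in #10) both come down to one thing: a file named after the token must be served at http://<domain>/.well-known/acme-challenge/<token> with the body "<token>.<account key thumbprint>", and the CA fetches it and compares. The script below is an added example for this thread, not code from the Let's Encrypt client or from Synology. It parses the prompt the manual client prints, writes the response file as plain ASCII bytes into a web root (assumed to be a local directory; on the NAS itself that is /volume1/web), and reads it back running the same comparison the CA does, so a BOM or stray encoding from a GUI editor is caught before you press Enter. The prompt text used for the test is the one quoted in step 6; the temporary directory stands in for the NAS web share.

```python
"""Place an http-01 challenge response in a web root and check it the way
the CA will, before pressing Enter in the manual client.

Added example for this thread; not code from the Let's Encrypt client or
from Synology. Assumes the NAS "web" share is reachable as a local
directory (on the NAS itself: /volume1/web)."""
import os
import re
import tempfile

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# Prompt text as printed by the 2015 manual client (quoted in the thread).
SAMPLE_PROMPT = """Make sure your web server displays the following content at
http://test.synology.me/.well-known/acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is before continuing:

aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg

Content-Type header MUST be set to text/plain.
"""

# The body is "<token>.<thumbprint of the account key>", so it must begin
# with the same token that appears in the URL.
PROMPT_RE = re.compile(
    r"https?://(?P<host>[^/\s]+)/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)"
    r".*?before continuing:\s*(?P<body>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)",
    re.S,
)


def parse_prompt(text):
    """Return (host, token, key_authorization) from the client's prompt."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("no challenge URL and key authorization found")
    host, token, body = m.group("host"), m.group("token"), m.group("body")
    if not body.startswith(token + "."):
        raise ValueError("key authorization does not begin with the token")
    return host, token, body


def challenge_url(host, token):
    """The URL the CA will fetch over plain HTTP (port 80)."""
    return "http://%s/.well-known/acme-challenge/%s" % (host, token)


def write_challenge(webroot, token, key_authz):
    """Write the response as raw ASCII bytes: no BOM, no CRLF, no trailing
    newline that a text editor might add. Returns the file path."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(key_authz.encode("ascii"))
    return path


def check_response(body, key_authz):
    """The CA's comparison: served body, minus trailing whitespace, must equal
    the key authorization. A UTF-8 BOM or UTF-16 text fails, as at the CA."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authz


def self_check(webroot, token, key_authz):
    """Read the file back from the web root and run the CA's comparison."""
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "rb") as f:
        return check_response(f.read(), key_authz)


def run_manual_step(prompt, webroot=None):
    """Parse the prompt, write the file, verify it. Returns (url, path, ok).
    With webroot=None a temporary directory is used (constructed stand-in
    for /volume1/web)."""
    host, token, key_authz = parse_prompt(prompt)
    root = webroot or tempfile.mkdtemp(prefix="acme-")
    path = write_challenge(root, token, key_authz)
    return challenge_url(host, token), path, self_check(root, token, key_authz)


if __name__ == "__main__":
    import sys
    # Paste the client's prompt on stdin; pass the real web root as argv[1].
    url, path, ok = run_manual_step(sys.stdin.read(), sys.argv[1] if len(sys.argv) > 1 else None)
    print(path, "ok" if ok else "MISMATCH")
    print("now fetch", url, "from outside your LAN before pressing Enter")
```

The local read-back only proves the bytes are right; it does not prove the file is reachable from the internet, which is why the script ends by printing the URL to fetch from outside. The trailing-whitespace tolerance matches what the CA accepts, but leading bytes such as a BOM are rejected, which is the failure note3 in step 7 warns about.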

#16

Thanks dip987!

I followed your step-by-step guide, which was straight forward and everything just worked as described! Finally I am not required to import the ca.crt of my self-signed certificate =)


#17

Thanks, dip987!

When I do the steps I get a privkey.pem which has some bytes in it, but it seems to be corrupt or broken. When I want to import the certs to my Syno box, I get an error that the import of the certificate failed. Furthermore, I cannot open the certificate with openssl; it gives me the following error:

openssl x509 -inform pem -in privkey3.pem -noout -text
unable to load certificate
140008398669472:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Also with any other tool like “QuickLook” on OS X, no content is shown for the privkey.

Is this related to the certonly option, a general error with letsencrypt, or a local problem?

BTW: I installed Ubuntu 14.04.1 yesterday, updated the system, and cloned LE from Git.

Thanks
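One thing worth knowing before importing under Control Panel > Security > Certificate: privkey.pem holds a private key, and `openssl x509` only reads certificates, so it answers "no start line ... Expecting: TRUSTED CERTIFICATE" for any key file, intact or not (`openssl pkey -in privkey1.pem -noout` is the subcommand that reads a key). The script below is an added example for this thread, not part of the Let's Encrypt client or of DSM: it checks the three files in the roles the import dialog expects by their PEM labels and base64 framing, and flags an empty, truncated, BOM-prefixed or UTF-16 file, which is what produces an import failure and the openssl error above. The sample PEM blobs are constructed: their base64 bodies are arbitrary bytes, not a real key or certificate, so only the framing is exercised, not the DER inside.

```python
"""Sanity-check privkey/cert/chain PEM files before importing them into DSM.

Added example for this thread; not code from the Let's Encrypt client or
from Synology. Checks PEM framing only, not the DER contents."""
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    rb"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    rb"-----END (?P=label)-----"
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_LABEL = "CERTIFICATE"
UTF8_BOM = b"\xef\xbb\xbf"


def pem_blocks(data):
    """Return [(label, der_bytes)] for every well-formed PEM block in data.
    Blocks whose base64 body does not decode (truncated file) are dropped."""
    blocks = []
    for m in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(m.group("body"))  # newlines are skipped
        except binascii.Error:
            continue
        if der:
            blocks.append((m.group("label").decode(), der))
    return blocks


def classify(data):
    """'key', 'cert', 'chain' (several certs) or 'invalid'.
    A BOM or UTF-16 text is 'invalid': openssl then reports 'no start line'
    and DSM refuses the import, even though the file is not empty."""
    if data.startswith(UTF8_BOM) or b"\x00" in data[:4]:
        return "invalid"
    labels = [label for label, _ in pem_blocks(data)]
    if not labels:
        return "invalid"
    if len(labels) == 1 and labels[0] in KEY_LABELS:
        return "key"
    if all(label == CERT_LABEL for label in labels):
        return "cert" if len(labels) == 1 else "chain"
    return "invalid"  # mixed or unexpected labels


def check_import_set(privkey, cert, chain):
    """Check the three files in the roles the DSM import dialog expects.
    Returns a list of problems; an empty list means the set looks sane."""
    roles = (
        ("Private key", privkey, ("key",)),
        ("Certificate", cert, ("cert",)),
        ("Intermediate certificate", chain, ("cert", "chain")),
    )
    problems = []
    for name, data, wanted in roles:
        got = classify(data)
        if got not in wanted:
            problems.append("%s: expected %s, file looks like %s" % (name, "/".join(wanted), got))
    return problems


def _fake_pem(label, payload):
    """Constructed PEM blob for the demo: valid framing, meaningless DER."""
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(payload) + b"-----END " + label + b"-----\n"


# Constructed samples (not real key material).
SAMPLE_KEY = _fake_pem(b"PRIVATE KEY", bytes(range(48)))
SAMPLE_CERT = _fake_pem(b"CERTIFICATE", bytes(range(64)))
SAMPLE_CHAIN = SAMPLE_CERT + _fake_pem(b"CERTIFICATE", b"\x30\x82" * 20)


if __name__ == "__main__":
    import sys
    # usage: check_pem.py privkey1.pem cert1.pem chain1.pem
    files = [open(p, "rb").read() for p in sys.argv[1:4]]
    for p, d in zip(sys.argv[1:4], files):
        print(p, "->", classify(d))
    print("\n".join(check_import_set(*files)) or "import set looks sane")
```

Run it on the three files from /etc/letsencrypt/archive/<domain>/ before copying them to the NAS; a "Private key: expected key, file looks like invalid" line points at the file, and the fix is to re-run the client rather than to import. It deliberately does not try to confirm that the key matches the certificate, which needs a real ASN.1 parser or the `cryptography` package.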


#18

Hi Steve

I have no idea about this problem.

Maybe you can try to delete the path below on Ubuntu, then run the Let’s Encrypt script again to get a new CA.

“/etc/letsencrypt/archive/your.domain.name”


#19

I followed your steps, which seemed to succeed:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/**/fullchain.pem.

However, the folder
/etc/letsencrypt/live
is empty!

What did I do wrong?

Note that I failed to run the Python part in step 6:
socket.error: [Errno 98] Address already in use


#20

The CA path is here:
/etc/letsencrypt/archive/******