Unable to connect using https (unknown critical extension)

Hi all!

I have an issue when trying to access my Qnap NAS via HTTPS. Firefox returns this error: SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION and Chrome NET::ERR_CERT_INVALID.

The domain name hasn't been active for a long time (it was a something.myqnapcloud.com, I can look for it if it could help solve the issue). I've only accessed it using IP.
I know that those certificates only work for URLs, so the browser can't verify the authenticity of the webpage if I'm using the IP to access. I've always dealt with this issue by adding an exception (I reviewed the certificate and it was the same one issued to the right URL and so on), but not anymore. Since the last browser updates (both Chromium-based and Firefox browsers), I cannot add the exception.
Furthermore, Firefox says that the connection isn't secure. Chrome only shows a "dummy" certificate. And when trying mobile, it's the same thing except when using the Chromium or the Bromite browser, which allow me to add the exception (as I did before) and show me 3 certificates (but I don't trust it, since I have no clue of what's happening overall).
I'll upload screenshots of every situation at the end of the message.

I wonder what's going on. Maybe the browser standards changed something regarding SSL/TLS certificates and I can't add the exception anymore. Or maybe there's something actually wrong and there's someone eavesdropping (...).

While reviewing the post, it came to me that the issue could be on the server/certificate side, but I don't know what could be wrong.

Any help, any thoughts, any insight... will be much appreciated!

Thank you very much in advance!


(I can only add one file, so I have to do it this way. Open it in another tab (...) to view the image if you have issues)

Is the current certificate even a Let's Encrypt certificate?


Your screenshot says your certificate is called "dummy" and it has a 7 day expiry, so it's not an LE certificate, although you may have tried to then use Let's Encrypt intermediates for the other parts of your certificate chain (which won't work if your end-entity certificate is just a dummy cert and not an LE issued cert).

Get a proper cert from Let's Encrypt and install that.


It is (should be) a LE certificate. I had installed it myself. However, it gets renewed automatically by the Qnap OS; I don't know if that might be an issue.
I don't know what having a dummy certificate means. Seeing it, among the other things, is what rang my alarm and made me stop trying to access the server with my credentials...

This is one of the certificates shown by the Chromium browser on Android (but there are 2 others)

The certificate you currently have installed on your server, is a self-signed certificate.

Having three certificates is normal, they form what's called the "certificate chain".

The problem here is that the first certificate in the chain is meant to be your Let's Encrypt certificate for something.myqnapcloud.com. In your case, it's been replaced by a self-signed certificate for "dummy".

How this happened is not clear, but you probably need to re-install the Let's Encrypt certificate you had before.

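The checks behind that diagnosis, as an added example that is not code from the thread or from QNAP: a small openssl-based script that reports whether the first certificate in a PEM file is self-signed, whether Let's Encrypt issued it, how soon it expires, and which extensions are flagged critical (the flag behind Firefox's SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION). The 7-day "dummy" cert it generates and the NAS address 192.0.2.10 in the comment are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from QNAP: inspect a PEM certificate
# with the openssl CLI to see what the browser saw. To examine what a NAS
# really serves, capture its chain first (192.0.2.10 is an assumed address):
#   openssl s_client -connect 192.0.2.10:443 -showcerts </dev/null 2>/dev/null \
#     | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem
# "openssl x509" reads only the first certificate in the file, which is the
# end-entity certificate the browser validates.

# Print the issuer DN of the first certificate in $1.
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

# Print the subject DN of the first certificate in $1.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# Exit 0 when issuer and subject are identical, i.e. the certificate is
# self-signed (a "dummy" cert signed by itself, not by an LE intermediate).
cert_is_self_signed() { [ "$(cert_issuer "$1")" = "$(cert_subject "$1")" ]; }

# Exit 0 when the issuer DN names Let's Encrypt.
cert_is_lets_encrypt() { cert_issuer "$1" | grep -q "Let's Encrypt"; }

# Exit 0 when the certificate expires within $2 seconds. LE certificates live
# 90 days; a 7-day lifetime, as in the screenshot, points at another issuer.
cert_expires_within() { ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# List the X.509v3 extensions marked critical, one name or OID per line.
# A client that does not understand a critical extension must reject the cert.
cert_critical_exts() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(.*\): critical$/\1/p'
}

# Constructed sample input: a 7-day self-signed certificate for "dummy" that
# carries a private-use OID extension marked critical, so the checks above
# have something to flag. Prints the path of the PEM file.
make_dummy_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=dummy" \
    -addext "1.3.6.1.4.1.55555.1=critical,ASN1:UTF8String:lab" \
    -keyout "$dir/key.pem" -out "$dir/dummy.pem" >/dev/null 2>&1
  echo "$dir/dummy.pem"
}
```

Run `cert_critical_exts chain.pem` against a captured chain and compare the list with what your browser knows; an OID it cannot name is the "unknown critical extension".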

And in the case you cannot get past the error screen in Chrome to re-install the certificate, try typing this while having the error screen open:

thisisunsafe

Worth mentioning, if you think that you are being man-in-the-middle'd, it's probably not a good idea to ignore this.


Cool trick with the "thisisunsafe". It took me to the webpage. THX @_az !!

But as you said, if there is actually something wrong, it wouldn't be wise to access the server bypassing this warning.
I don't know how to check if there is a man-in-the-middle (question, from pure ignorance: if there is a man-in-the-middle, is it any safer to access the webserver while disconnected from the net (on local)?)

Could the something.myqnapcloud.com no longer being available be part of the problem? Having a certificate issued for a non-existent URL... Or is this stupidity in my brain? haha

There are other ways of accessing the webserver, but I've never used them so I don't know if I'll be able to re-install the certificate using them (one is via a USB cable, and the other is by using the NAS as a media center connected directly to a screen). And I don't know if it's possible to do it with SSH. I'll try to reach QNAP tech support, but they aren't very helpful when things get complicated (their advice usually is to factory-reset).

I just discovered this: How to install letsencrypt certificate on qnap with virtual hosts - #2 by schoen

I do not have the default port 80 redirected to my NAS. The NAS doesn't accept connections on this port, either. Could it be that when the NAS tried to auto-renew the certificate, it couldn't due to the port not being port 80? Should I change both in the router and in the NAS, in the future? Or is there another way?
Could this be the culprit of my problems?

If qnap is using the http-01 challenge, it requires port 80 from the outside to be open to do this.

You could also portmap external port 80 to internal e.g. port 8080. (Change 8080 to whatever your qnap is running the HTTP server on.) So you'd only have to change your router and leave the NAS on its current port.


Indeed. Forgot about this :slight_smile: I will still have to change the port in the router when the qnap tries to renew the certificate.

You lost me here haha. Challenge Types - Let's Encrypt how can I know what applies to QNAP? Is it possible to "decide" what challenge to use?

I have no idea, I don't have experience nor knowledge of QNAP NASes.


It is not an infinite array of choices.
In fact, there are only three possible choices allowed via ACME protocol:

  • HTTP-01
  • DNS-01
  • HTTPS-ALPN-01

Not sure which of those are supported by QNAP.

That said, you might be able to hide the entire system behind a reverse proxy that you control.
I don't know your network, so I can't be certain, nor can I give any reasonable advice on the unknown.


I don't get what could have gone wrong.

I unplugged the internet cable and started investigating. I realized that there was no TLS certificate in the dedicated QNAP menu.

I checked if I had the port 80 activated and forwarded, same with 443. All good. Webserver activated.
According to this https://forum.qnap.com/viewtopic.php?t=144434 everything should already be fine. The only thing I could see that was out of order was the "force secure connection (HTTPS) only" option, which I had activated. However, everything was fine until now. Certificates renewed automatically several times.
To whom it might concern, the solution was to reset the admin password and access ports to default (hardware button), remove the HDDs and reinstall (repair) the OS. After that, no certificate was installed, so I could fresh-install a LE cert. All ports have to be forwarded properly or the process will freeze and HTTPS won't work (keep HTTP active until finished, it eases the troubleshooting process).
I just ignored the warning and installed a self-signed certificate on another NAS.

Thx for your help! :slight_smile:

