- Login to your NAS and make sure the following Apps are installed:
- Git
- Python 2.7
- Make sure your NAS is reachable from the public internet under the domain you want to get a certificate for on port 80.
- Create a folder to store qnap-letsencrypt in under
/share/YOUR_DRIVE/. Do not create it directly in/share/, as it will be lost after a reboot!
By default, there is no ca-bundle (bundle of root certificates which we should trust) installed. Therefore we will have to download one manually.
-
On your local pc with an intact certificate store, run
curl -s https://curl.haxx.se/ca/cacert.pem | sha1sum -
On your nas, in the directory you want to install qnap-letsencrypt in, run
wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem sha1sum cacert.pem -
Compare the hashes obtained in step 1 and 2, they must match.
-
On your nas, in the directory you were in before
git config --system http.sslVerify true git config --system http.sslCAinfo `pwd`/cacert.pem git clone https://github.com/Yannik/qnap-letsencrypt.git mv cacert.pem qnap-letsencrypt cd qnap-letsencrypt git config --system http.sslCAinfo `pwd`/cacert.pem
-
Run
init.sh -
Create a Certificate Signing Request(csr):
single domain cert: (replace nas.xxx.de with your domain name)
cd letsencrypt openssl req -new -sha256 -key keys/domain.key -subj "/CN=nas.xxx.de" > domain.csrmultiple domain cert: (replace nas.xxx.de and nas.xxx.com with your domain names)
cd letsencypt cp ../openssl.cnf openssl-csr-config.cnf printf "subjectAltName=DNS:nas.xxx.de,DNS:nas.xxx.com" >> openssl-csr-config.cnf openssl req -new -sha256 -key keys/domain.key -subj "/" -reqexts SAN -config openssl-csr-config.cnf > domain.csr -
mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig(backup) -
Run
renew_certificate.sh -
account.key,domain.keyand even the csr (according to acme-tiny readme) can be reused, so just create a cronjob to runrenew_certificate.shevery night, which will renew your certificate if it has less than 30 days leftAdd this to
/etc/config/crontab:30 3 * * * cd /share/CE_CACHEDEV1_DATA/qnap-letsencrypt/ && ./renew_certificate.sh >> ./renew_certificate.log 2>&1Then run:
crontab /etc/config/crontab /etc/init.d/crond.sh restart
Anything that's added to one of the following directories is gone after a reboot:
/root/(.gitconfig,.bash_history)/share/(with the exception of anything added to drives mounted there)/etc/ssl/,/etc/ssl/certs
Additionally, the following is not surviving a reboot:
- Cronjobs added using
crontab -e
Note that qpkgs get installed to /share/CE_CACHEDEV1_DATA/.qpkg. Due to this they are only available after unlocking your disks encryption.
- Anything that is on a drive, e.g.
/share/CE_CACHEDEV1_DATA/ /etc/stunnel/stunnel.pem(the ssl certificate used for the webinterface) seems to survive a reboot
In my tests, all the above applied. I couldn't see anything additional being lost.
This is only documented as it was part of my research and is not needed for the letsencrypt certificate generation.
First, install Perl from the qnap app manager.
Then, in your qnap-letsencrypt directory:
mkdir certs
cat cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "certs/cert" n ".pem"}'
wget --ca-certificate cacert.pem https://raw.githubusercontent.com/ChatSecure/OpenSSL/master/tools/c_rehash
/opt/bin/perl c_rehash certs
export SSL_CERT_FILE=`pwd`/cacert.pem
You can now copy this to /etc/ssl/certs. Alternatively, you can do this directly in /etc/ssl/certs if you want to, but remember, that it is lost after a reboot.
#from urllib.request import urlopen # Python 3
#from urllib2 import urlopen # Python 2
urlopen("https://google.com")
If you get this:
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
there is something wrong.
Remember to run export SSL_CERT_FILE=cacert.pem though, as it is done in renew_certificates.sh
Please open a pull request!
GPLv2
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent