Synology Inc. Online Community Forum

[GNOE Inc.]

I rewrote this little wiki using the suggestions made in this topic with great help of vvv850.

The main goal is to setup a free valid SSL-certificate for your DS provided by StartSSL.

Before we start you have to have ipkg installed on your DS. We also have to login into our DS. This can be done by enabling the option 'Enable SSH service' which can be found at our Disk Station Manager --> Network Services --> Terminal.

Okay, here we go!

1 -Log in your Synology DS as 'root' using putty (Windows) or using Linux command-prompt with instruction:

Code: Select all

ssh root@<my-syno-ip-address>

Use your 'admin' password to get in.

2 - We have to make a map in '/urs/syno' called 'ssl' and copy a openssl.conf from Internet. This is needed for the creation of cerrtificates:

Code: Select all

cd /usr/syno/
mkdir ssl
cd ssl
wget http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf

3 - When openssl.conf is downloaded and stored we change to a map which is only accessible to you so no one can copy your keys and crt files:

Code: Select all

cd /volume1/<my-private-map>

4 - First we have to check our OpenSSL version. Version OpenSSL 0.9.8g 19 Oct 2007 and newer are tested (thanx skipper!). After that we have to generate a private key-file as suggested in http://arnoutboer.nl/weblog/?p=281:

Code: Select all

openssl version
openssl genrsa -des3 -out some.key 2048

A self-made passphrase is asked (write it down, you'll need it later on!) and a file is created called 'some.key'

5 - Because a key is needed with no passphrase, a key-file is created from 'some.key' to 'some.nopass.key' with the instruction:

Code: Select all

openssl rsa -in some.key -out some.nopass.key

6 - Change back to your private map and create a request for a StartSSL verification which will be created as a 'some.csr'-file

Code: Select all

cd /volume1/<my-private-map>
openssl req -nodes -new -key some.key -out some.csr

There are some questions which have to be answered. Here's some output:

Enter pass phrase for some.key: (Enter a the self-made passphrase from step 3)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: (Prefix of the country)
State or Province Name (full name) [Some-State]: (State or Province name)
Locality Name (eg, city) []: (City)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (The name of your company)
Organizational Unit Name (eg, section) []: (The OU)
Common Name (eg, YOUR name) []: Can be your own name at StarttSSL or http://www.your-domain.xxx, FQDN - Fully Qualifed Domain Name)
Email Address []: (your email adress@your-domain)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (Just press enter)
An optional company name []: (Just press enter)

7 - Make an account at StartSSL and perform a Domain Validation witch can be found under 'Validations Wizard'.

8 - Choose after login the 'Certificates Wizards'

8.1 - Select Certificate Purpose
* Make sure you have already validated a domain name or email address before using this tool! Select the "Validations Wizard" for this task.
* Depending on your preferences and type of software, you need to have a prepared certificate request (CSR) ready for submission.
Certificate Target: Web Server SSL/TLS Certificate

8.2 - Generate Private Key
* If you created your own private key and certificate request (CSR), please skip this step.
* Provide a password for your private key. (At least 10 characters, max. 32)
* Allowed are only letters and numbers, without spaces!
* Please remember it or write it down somewhere...
Hit the skip button

8.3 - Submit Certificate Request (CSR)
* Copy and paste the content from the certificate request into the textbox below.
* Make sure, that you do not alter the content and you did not add any spaces!
* Always include the headers and footers of the CSR.
* The CSR must have a SHA1 hash or better, MD5 hashes are not allowed.
* The RSA key size must be 2048 bit or higher.
Here you copy/paste the content of your 'some.csr'-file you created in step 6

8.4 - Certificate Request Received
* You submitted your certificate signing request successfully!.
* All content of the certificate signing request is ignored except its public key.
* You may proceed to the next step now.
Hit the 'Continue' Button

8.5 - Add Domains
* Select the top target domain name for your certificate.
* Note: Only domain names which were validated within the last 30 days are eligible for selection.
Choose your domain and hit 'Continue'

8.6 - Add Domains
* You must add one sub domain to this certificate.
* The base domain <mydomainname> will be included by default in the Alt Name section.
* Note: In order to add multiple domains and sub domains, your Identity must be at least Class 2 validated. Check your status at the "Identity Card".
Here you have to fill in the subdomain, http://<subdomain>.<domainname>. For example: www.mydomain.com .
Note: when you do this the first time, consider a testing subdomainname, because when things go wrong you can't delete a subdomain and start over!
Click on 'Continue' when you're done.

8.7 - Ready Processing Certificate
* We have gathered enough information in order to sign your certificate now.
* The common name of this certificate will be set to <subdomain>.<mydomain>
* The certificate will have the following host names supported:
1. <mydomain>
2. <subdomain>.<mydomain>
* Please click on Continue in order to process the certificate.
Click on 'Continue'

8.8 - Save Certificate
* In the textbox below is your PEM encoded certificate.
* Copy and paste the content into a file and save it as ssl.crt.
* Make sure, that you do not alter the content and you did not add any spaces! Save it in ASCII format (plain text).
Save also the intermediate and root CA certificates for the installation at your server (Save As...).
Copy/Paste the content of the shown textbox in a new file called ssl.crt (as suggested) and save the intermediate and root file to your computer.
Note: don't use Wordpad or MS office programs to do that, they will add characters to the content. Use 'Notepad' (Windows) or 'vi' (Linux) instead. I used 'Kate' which is provided with Linux KDE distributions.
When done click the 'Finish'-button

9 - Now we have 6 file's:
Created on the Synology:
- some.key (step 3)
- some.nopass.key (step 4)
- some.csr (step 6)
Created by StartSSL (step 8.8 ) :
- ssl.crt (PEM encoded certificate)
- sub.class1.server.ca.pem (intermediate CA certificate)
- ca.pem (root CA certificate)
Remark: you can also download sub.class1.server.ca.pem and ca.pem directly from http://www.startssl.com/certs/

10 - The final chapter.....
Open your Synology Station Manager and log in with your admin account. Go to 'Management' --> 'Network Services' --> 'Web Services'
The option 'Enable HTTPS connection' has to be enabled. Click on the button 'Import Certificate'.
- At location 'Private Key:' browse to the 'some.nopass.key'-file (made in step 4)
- At location 'Certificate:' browse to the 'ssl.crt'-file (made in step 8.8 )
Hit the 'OK'-button. The web-server will be restarted and your https://<subdomain>.<domainname> is encrypted and verified!

addition: Adding the root and intermediate CA certificate to your Synology Diskstation (Thanx to Dodge!)
(This is a procedure for solving recognition by some (older) browser(version)s who do not recognize StartCom as a valid Certificate Authority)

11 -Log in your Synology DS as 'root' using putty (Windows) or using Linux command-prompt with instruction:

Code: Select all

ssh root@<my-syno-ip-address>

Use your 'admin' password to get in.

12 - Change to the map, which is only accessible to you, where you stored the ca.pem and sub.class1.server.ca.pem files:

Code: Select all

cd /volume1/<my-private-map>

13 - Make a new map called ssl.root in /usr/syno/etc/ssl:

Code: Select all

mkdir /usr/syno/etc/ssl/ssl.root

14 - Copy the ca.pem and sub.class1.server.ca.pem to the new map:

Code: Select all

cp ca.pem /usr/syno/etc/ssl/ssl.root/
cp sub.class1.server.ca.pem /usr/syno/etc/ssl/ssl.root

15 - Change the owner/file permissions to user 'root', group 'root' and make it read only for root:

Code: Select all

chown root:root /usr/syno/etc/ssl/ssl.root/*.pem
chmod 400 /usr/syno/etc/ssl/ssl.root/*.pem

16 - Add the certificates to your apache user- or system server. The user-webserver is the Apache configuration for you own website, the system-webserver handles the Synology system web-services (like the filemanager etc.). In this example we use the user-webserver:

Code: Select all

vi /usr/syno/apache/conf/extra/httpd-ssl.conf-user

- Use the arrow-key of your keyboard to go to the location below the line '#SSLCertificateChainFile /usr/syno/apache/conf/server-ca.crt' (approx. line 123).
- press the 'a' -key to enter the 'text-editing-modus'. Now you can add the following text:

Code: Select all

SSLCertificateChainFile /usr/syno/etc/ssl/ssl.root/sub.class1.server.ca.pem

- Use the arrow-key of your keyboard to go to the location below the line '#SSLCACertificateFile /usr/syno/apache/conf/ssl.crt/ca-bundle.crt' (approx. line 133)
- Add the following text:

Code: Select all

SSLCACertificateFile /usr/syno/etc/ssl/ssl.root/ca.pem

- Now we want to save the file and exit. Hit the <ESC>-key to exit the 'text-editing-modus' and hit the following key-strokes ending with <ENTER>-key:

Code: Select all

:wq!

NOTE: Changes made in /usr/syno/apache/conf/extra/httpd-ssl.conf-user or /usr/syno/apache/conf/extra/httpd-ssl.conf-sys do not survive a firmware update. Please remember to make the changes again after a firmware update.


16 - Finally, restart the Apache server:

Code: Select all

/usr/syno/etc/rc.d/S97apache-user.sh restart

(If you want to restart the System-webserver replace 'user' with 'sys'.)

Done!

Remember to store/backup the files from step 9 to a save and secure location, only accessible to you! When done, remove the files in /volume1/<my-private-map> and on your computer.

A full Dutch translation is published here.

If you got additions to this wikki, don't hesitate to post your remarks!

[RareForm]

Good write up on the process. I have personally had no issues when previously installing the private key and certificate. In fact, that part was unusually smooth. However, anyone who visit's my site for the first time will get a "Certificate Authority Cannot be Verified" warning, unless they already happen to have the StartSSL (root?) certificate installed/pre-installed on their browser. From what I have read, and from what StartSSL has stated to me- this is the result of not properly installing the intermediate and root certificates (server side).

Question- what should be done with the intermediate and root certificates? StartSSL pointed me to a page they have with instructions on installing for Apache (shown below). After following the instructions given to me by StartSSL- my DS107+ stopped responding to any website requests. Luckily, everything was backed up beforehand and I was able to SSH in and restore the appropriate config files mentioned in the instructions below. I'm thinking the problem may be due to the instructions provided by StartSSL are simply not applicable to Apache on the DS- or any Synology box, as from what I understand, Synology does not install a "typical" version of Apache- rather, it has been modified.

Unfortunately, without setting these certs up- people will get the browser warning messages stating the Certificate Authority cannot be verified- which was what i wanted to avoid by installing a legit certificate. If anyone has been able to get the intermediate and root certs working on a Synology box- please let me know the details!

Thanks.

---------------------------- StartSSL Instructions for installing intermediate & root cert on Apache ----------------------------

First of all you have to load the mod_ssl module. Many distributions and packages have this module shipped by default, otherwise check the documentation of Apache how to do this.

To configure a default SSL/TLS aware virtual server, you should add at least the following lines to your httpd.conf or ssl.conf file:

LoadModule ssl_module modules/mod_ssl.so

Listen 443

<VirtualHost _default_:443>
DocumentRoot /home/httpd/private
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /usr/local/apache/conf/ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/apache/conf/ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Download the ca.pem and sub.class1.server.ca.pem for the above configuration. Make sure to change the path according to your apache installation. For windows you need to use something like c:\apache\httpd.

[Steph]

Wow, thanks GNOE for your hard work !

I'm discovering too certificates and StartSSL. Before I start your wizard, I would have two questions :

- With the validation wizard from StartSSL, I created a private key and a certificate, following their instructions (copy-pasted the code in a txt file, changed name, ...). When I want to import them in the Synology administration, it says that my private key doesn't match my certificate. Could you tell me what am I doing wrong ? Apparently you didn't have this problem even though after you did, but I just would like to understand.
- As RareForm suggests, what's the point in doing all this if at then end, you still have all these horrible warnings ?

Thanks a million,

Steph

[Steph]

Okay, after reading again your tutorial, apparently the problem comes from the passphrase of the private key.

Another question though: with StartSSL, you create a certificate for xxx.yourdomain.com . To acces my synology, I use, for now, it's external address IP, will this be a problem ?

[GNOE Inc.]

Another question though: with StartSSL, you create a certificate for xxx.yourdomain.com . To access my synology, I use, for now, it's external address IP, will this be a problem ?

From what I know is that the URL must match exactly, otherwise warnings are presented. In your case you should access the Synology using your xxx.yourdomain.com.

What I have done is I make my internal (local) network part of the domain (yourdomain.com). Now I can access Diskmanager locally without opening port 5000 and 5001 to the Internet. this can be done by renaming the Synology (servername) to the same as the xxx in xxx.yourdomain.com.

@Rareform. T'ill at this moment I did't get the root certificate working. It would be nice if a Synology technician would react on this.....

[Steph]

What I have done is I make my internal (local) network part of the domain (yourdomain.com). Now I can access Diskmanager locally without opening port 5000 and 5001 to the Internet. this can be done by renaming the Synology (servername) to the same as the xxx in xxx.yourdomain.com.

You mean you added your Synology to your local domain (not Workgroup) and than you access it through diskstation.mydomain.local and you made a certificate with that domain ? If I understood correctly, how can that work from "outside" ? Your certificate will not match your external domain ?

@Rareform. T'ill at this moment I did't get the root certificate working. It would be nice if a Synology technician would react on this.....

You mean that you still have the warnings ? So what benefits do you have in doing everything you did ?

[GNOE Inc.]

You mean you added your Synology to your local domain (not Workgroup) and than you access it through diskstation.mydomain.local and you made a certificate with that domain ? If I understood correctly, how can that work from "outside" ? Your certificate will not match your external domain ?

No, I mean to make the servername the same as the subdomain you're entered in StartSSL. For example, if your subdomain is 'test' (so your FQDN is test.yourdomain.com) your diskmanager is accessed locally with test.yourdomain.com. In your Diskstation's Diskmanager change your servername to 'test' (System --> Network --> Server Name)

From internet, create your Domain-ISP's CNAME a link from test.yourdomain.com to your external ip-address. Your router must be configured to forward to your Synology Diskstation.

You mean that you still have the warnings ? So what benefits do you have in doing everything you did ?

It's working fine with me (I 'm using Kubuntu 9.10 with firefox 3.6.2pre (Namoroka)) and I also tested it with IE8, which was also working fine. It seems that StartSSL is (standard) not included in some browser(versions). That is what the root-certificate implementation should be for.

[Steph]

At the step 8.8, what do you do with the intermediate and the root CA files ? Are you suppose to use them ?

[Steph]

I believe you have to append them to the original certificate, no ?

I have a strange behaviour. I made a certificate for the domain

https://sub.mydomain.ch will return warnings and if I view the certificate, it says it comes from Synology. If i do https://sub.mydomain.ch:5001, I still have the warnings, but at least if I view the certificate, it mentions sub.mydomain.ch

Stranger, I have just found out that it works great with Internet Explorer 8.0, Chrome and Safari ! Does someone have an idea ?

Steph

[GNOE Inc.]

At the step 8.8, what do you do with the intermediate and the root CA files ? Are you suppose to use them ?

At the moment we don't use the intermediate and root CA files because we don't know how to implement these certificates (mentioned in the earlier postings). The root and intermediate certificates are for (older) browsers(versions) which don't have Startcom as a trusted Certificate Authentication company. Maybe that is why older browsers(version) return warnings.

I tested it with IE8 and Firefox 3.6.2pre, which works okay.

[Steph]

How come doesn't it work with Firefox ?

Here is a screenshot of my certificate in Firefox :



Is the 2nd line normal ? Is it because I'm class 1 ?

[GNOE Inc.]

Looks similar to my Firefox Certificate. Organization verification is only done in class 2 or 3 or EV and you have to pay for that. And that's what I don't like doing. I'm a typical Dutchmen....

[Steph]

ahahaha ok

But is it normal that I don't have the same certificate wheather i do https://sub.mydomain.com (synology manager) and https://sub.mydomain.com:7001 (filestation)

I don't understand why it doesn't work with Firefox 3.6

[Steph]

Maybe it's because the NAS doesn't send the complete CA chain as required.

Can one from the Synology Team speak ?

[GNOE Inc.]

Strange, I have not that problem. Do you mean you have two different certificates presented?
What kind of Synology do you use and what is your firmware-version? Do you access the Diskstation locally? What is your OpenSSl version?