SSL Certificate problem

Post by Zizou75 » Thu Oct 20, 2011 1:27 pm

Hi, I was looking to secure my Synology DS411J with a custom SSL certificate by following the instructions here:

http://forum.synology.com/wiki/index.ph ... rtificates

After an initial error about "can't open config file: /usr/syno/ssl/openssl.cnf" when doing step 2 of the certificate authority key (which I solved by downloading the latest openssl and putting the openssl.cnf file in the relevant directory), I completed all the steps. The only real thing I noticed was that it forced me to enter a passphrase.

After rebooting the NAS as per the instructions, I ran a check of the new certificate with SSL Shopper's SSL checker:

(http://www.sslshopper.com/ssl-checker.html#)

obfuscated.dyndns.org resolves to xx.xx.xx.xx

The certificate will expire in 3649 days.

The hostname (obfuscated.dyndns.org) is correctly listed in the certificate.

The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate


This all seemed great (it is picking up all the right info), but when I try to browse to https://obfuscated.dyndns.org (should be the SSL encrypted web station) in Firefox 7 I get:

Secure Connection Failed

An error occurred during a connection to obfuscated.dyndns.org.

Peer's certificate has an invalid signature.

(Error code: sec_error_bad_signature)


and in Internet Explorer 9:

There is a problem with this website's security certificate.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).

(continue to this website does nothing).


I have installed the ca.crt as per the instructions and imported the certificate into the trusted certificate list in Firefox, but no joy.

The non-ssl webstation still works fine.

Can anyone advise?
Zizou75
I'm New!
Posts: 3
Joined: Thu Oct 20, 2011 1:22 pm

Re: SSL Certificate problem

Post by norcat » Tue Nov 01, 2011 3:53 am

After failing with the same article as you, I followed the instructions here successfully: Adding “https://” to Your Site for Free and Misconceptions About the Security of Self-Signed Certificates

The script issues these three openssl commands:
openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out DS.key
openssl req -new -key DS.key -x509 -out DS.crt -days 999

The first command generates the private key file with password protection, the second generates a private key file without password protection, and the third generates the certificate using the key. Once done, I imported DS.key and DS.crt from control panel, System, DSM settings, Http service. Then I followed the instructions to import DS.crt into the client browser and was done; https worked without further ado.

About openssl.cnf, I used the 'OpenSSL for Windows' here OpenSSL Binary Distributions and got the same error as you. Default install was to C:\OpenSSL-Win32 and openssl.exe was in bin folder there. Resolution was to create C:\usr\local\ssl folders and copy the openssl.cfg from bin folder into ssl folder and rename it openssl.cnf.

By the way, now I could also enable Https for Web Station, no additional certificate import needed.
DS111 (DSM 5.0) and DS109 (DSM 4.2), both connected to gigabit ethernet and wireless lan.
norcat
Versed
Posts: 239
Joined: Sat Oct 29, 2011 2:31 am

Re: SSL Certificate problem

Post by Zizou75 » Fri Dec 02, 2011 6:42 am

Apologies for the delayed reply, I didn't get a mail saying someone had posted on this thread but thanks, thanks, a thousand thanks. The method you described worked a treat and I would recommend it to anyone for whom the listed process is not working.

Now I just need Synology to update the DS audio app to SSL compatibility and my life is complete! :)
Zizou75
I'm New!
Posts: 3
Joined: Thu Oct 20, 2011 1:22 pm

Re: SSL Certificate problem

Post by LA2NV » Tue Jan 24, 2012 6:39 pm

This is great information and the linked websites are very helpful in providing background and information on this process. I'm not really clear why Synology doesn't have a simple process to create an SSL certificate, as I would assume anyone wanting to use HTTPS would need this unless they planned on buying them.

But I am really new to Linux and the SSL certificate process. I was wondering if someone could point me to a little more step by step of the process. All these examples (especially the Synology Wiki) skip over a lot.

I really want to access my files when traveling with only HTTPS, and having to accept the default certificate's validity makes me uncomfortable. So, having my own that I authenticate with a key on my laptop is perfect. But I'm really not clear on the finer points of this process as described.

I have the DS212 with DSM 3.2 and want to access through Windows IE 8 or 9. Getting the certificate into IE is pretty straightforward, but generating the keys with openssl and getting the resulting files into the right place is a little unclear. Most importantly, I'm not clear if using the scripts indicated will automatically overwrite the existing keys, which I would not want to do. Also the openssl.cnf issue as described confuses me. Not sure how this whole thing fits into the process described on the Synology wiki or the linked website http://www.clintharris.net/2009/self-si ... tificates/ . Seems like you are saying that some additional program needs to be installed. But I'm not sure why that would be or is this something Windows is missing or something the DS is missing.

Any help is much appreciated.
LA2NV
I'm New!
Posts: 9
Joined: Sat Jan 14, 2012 6:17 pm

Re: SSL Certificate problem

Post by Zizou75 » Thu Mar 29, 2012 2:28 pm

LA2NV wrote: Also the openssl.cnf issue as described confuses me. Not sure how this whole thing fits into the process described on the Synology wiki or the linked website http://www.clintharris.net/2009/self-si ... tificates/ . Seems like you are saying that some additional program needs to be installed. But I'm not sure why that would be or is this something Windows is missing or something the DS is missing.

Any help is much appreciated.


openssl is the program on the Synology used to generate the keys. If you follow the Synology wiki instructions an error comes up: "WARNING: can't open config file: /usr/syno/ssl/openssl.cnf". In order to fix this error you need to download the latest openssl package and copy the openssl.cnf to /usr/syno/ssl. There is no other installation required other than just copying that file (which will require a bit of command line savvy but not much more).

Once that is in place, follow the commands listed by norcat above, which will generate a DS.key and a DS.crt. These files can then be imported (after copying to somewhere the web interface can browse to) via the Synology web interface and that is it.
Zizou75
I'm New!
Posts: 3
Joined: Thu Oct 20, 2011 1:22 pm
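
The key and certificate generation from norcat's post and the openssl.cnf workaround from the post above, as an added example that is not part of any post in this thread: it writes the DS.key/DS.crt pair with a 2048-bit key and a SHA-256 signature (the posted commands use 1024 bits), passes a minimal config with -config so that `openssl req` does not depend on a default openssl.cnf being present, and checks the pair before import. The hostname nas.example.test, the req.cnf file name and the function names are assumptions.

```sh
#!/bin/sh
# Added example; nas.example.test, req.cnf and the function names are assumptions.

# make_cert DIR HOST: write DIR/DS.key and DIR/DS.crt (file names from the post).
make_cert() {
    dir=$1 host=$2
    # Minimal request config, passed explicitly with -config below.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
    # Unencrypted 2048-bit key, readable only by its owner.
    ( umask 077; openssl genrsa -out "$dir/DS.key" 2048 2>/dev/null ) || return 1
    # Self-signed certificate, SHA-256 signature, same lifetime as in the post.
    openssl req -new -x509 -sha256 -days 999 -config "$dir/req.cnf" \
        -key "$dir/DS.key" -out "$dir/DS.crt" || return 1
}

# check_pair KEY CRT: print "ok" only if the pair is fit to import.
check_pair() {
    key=$1 crt=$2
    # 1. The certificate must carry the public half of this private key.
    pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || pub=
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" ] \
        || { echo "key and certificate do not match"; return 1; }
    # 2. The self-signature must verify; -check_ss_sig forces that check.
    openssl verify -check_ss_sig -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "self-signature does not verify"; return 2; }
    # 3. The signature digest should be SHA-256, not MD5 or SHA-1.
    openssl x509 -in "$crt" -noout -text \
        | grep -q 'Signature Algorithm: sha256' \
        || { echo "signature digest is not SHA-256"; return 3; }
    echo "ok"
}

# Demo run in a private temporary directory.
tmp=$(mktemp -d) && make_cert "$tmp" nas.example.test \
    && check_pair "$tmp/DS.key" "$tmp/DS.crt"
```

A mismatched key, a certificate whose self-signature fails, or a digest other than SHA-256 each produce a distinct message and a non-zero return code instead of "ok".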

