Synology Inc. Online Community Forum

[DevineMe]

>>> DiskStation login: admin <-- ???
>>> Password:

Did you try...

DiskStation login: root
Password: (password same as admin)

And as for the keys.. That is either hit or miss, if they take then the DSM will say setting applied after you click ok. If somethings wrong
there will be a error message. If you've been getting a error message when applying your certs then don't worry about it, they were
probably not stored. Just un-install all that stuff and go with the newer method.

[bouncemeister]

>>> DiskStation login: admin <-- ???
>>> Password:

Did you try...

DiskStation login: root
Password: (password same as admin)

And as for the keys.. That is either hit or miss, if they take then the DSM will say setting applied after you click ok. If somethings wrong
there will be a error message. If you've been getting a error message when applying your certs then don't worry about it, they were
probably not stored. Just un-install all that stuff and go with the newer method.

Thanx! I read your message the wrong way. Since i didn't know a user called "root" existed, i thought i had to go to the root of the drive and go to the mentioned directory from there.
Now that i logged in as "root" there weren't any error messages when generating the key.

I enabled https again at webservices and also enabled https port 7001 at file station 2. I also enabled "Automatically redirect HTTP connections to HTTPS", like you said.
Now i get the certificate error message every time i try to access my diskstation.
I was afraid i couldn't enter my diskstation anymore, but i added an exception in firefox and luckily i could enter the diskstation manager again.
I disabled "Automatically redirect HTTP connections to HTTPS" for now.
I'll wait a while to see if the certificate thing will work, i read somewhere that it might take a while.

[bouncemeister]

Hmm, no luck yet...

Code: Select all

Secure Connection Failed

[i]name.domain.com[/i]:7001 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The certificate is not valid for any server names.

(Error code: sec_error_unknown_issuer)

    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.


I tried to access it locally and also through the internet.

[DevineMe]

If you look at the certificate using Internet Explorer you will see the warning "the certificate cannot be verified up to a trusted certification authority".

Well umm, Yeah. We created it ourselves, WITHOUT the "trusted certification authority" HOWEVER, if you add the exception and look
at the Certification Path tab, you will see "This certificate is OK." And YES the SSL IS WORKING.

Now, if you want a properly signed and verified certificate, get out you credit card and proof of who you are, then head over to Verisign. They'll gladly generate one for your site and even check the certificate every time someone logs on for nice little year to year fee .

Personally, and this is strictly my own personal view, while I DO think that the trusted "third party" verification scheme is a good one for e-commerce, I don't believe it should cost anyone anything. I have no problem with someone making money of this if they can. Just realize that no magical or governmental internet entity came out of no where and deemed Verisign a "trusted certification authority". They just kinda did it on there own and it worked. Also realize that Verisign nor anybody else can tell me or you that we CANNOT use SSL just because our certificate wasn't signed.

PS, Backup, you had it working at this point

Now that i logged in as "root" there weren't any error messages when generating the key.

I enabled https again at webservices and also enabled https port 7001 at file station 2. I also enabled "Automatically redirect HTTP connections to HTTPS", like you said.
Now i get the certificate error message every time i try to access my diskstation.
I was afraid i couldn't enter my diskstation anymore, but i added an exception in firefox and luckily i could enter the diskstation manager again.

[bouncemeister]

Thanks for the explanation!
Now i get it.
You've been a great help for me!

Thanx again!

[xdanx]

Hello,

I've follow this ... but I continue to have this error ...
This certificate doesn't match ....

(Code d'erreur : sec_error_unknown_issuer)

[DevineMe]

Hello,

I've follow this ... but I continue to have this error ...
This certificate doesn't match ....

(Code d'erreur : sec_error_unknown_issuer)

Haven't seen this error before so I have no clue (sorry), I would say re-read the thread and follow the steps
VERY closely.

[kinslayer]

Hi,

Glad I found your post as it seems it has everything I'm looking for - a self signed SSL cert and nice straightforward instructions.

However, it seems I am falling at the first hurdle as when I click on the link to download openssl.cnf I just get directed to a generic "Page Can Not Be Found" screen (It actually says that http://www.gateway-1.homedns.org cannot be found). I'm assuming that the file is on your DiskStation and that the link is just a DDNS address.

So, my question is. Am I failing because I'm doing something completely wrong or is it that I am in the wrong geographical zone (UK) or is it just that your server has been off for a few weeks and thus I am unable to access the site.

Thanks in advance for your assistance.

[Riki]

I really hope someone replys to this. I have the same problem as other, could someone please post a working link to the cnf file needed for this tutorial?

This one is broke still: http://www.gateway-1.homedns.org/synology/openssl.cnf

Thanks!!

[vvv850]

Hey,

I found openssl.cnf here: http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf .
I tested it for creating the request key and it worked.

Hope it helps.

[Dintid]

I used the build in SSL support in my NAS.

Using Telnet:

Edit the mkcert.sh file in order to fill in your information, as it is default to Synology.
vi /usr/syno/etc/ssl/mkcert.sh

Once you are done editing, hit ESC and type :gw and press [ENTER]

Now run the mkcert.sh by typing:
cd /usr/syno/etc/ssl/ press [ENTER]
./mkcert.sh press [ENTER]

restart relevant services or just restart entire nas.

[MrTorben]

I suck at linux, so while the concept of "backup file before editing" is probably dead simple to some, i don't even know where to start.

i know you can google all that info but let me just type out what i did to change the mkcert.sh and executing it.

i am running DSM 2.2, i enabled SSL(https) under Webservices since i wanted to expose FileStation to the internet. I have a domain name which will forward http://sub.domain.com to httpS://sub.domain.com. (this was done on the forwarding option on godaddy).
you cannot forward to a specific port number at this point. but i needed it to work without having to type any port number.
on my router/firewall (linksys) i opened port 443(https) to forward to my diskstation. this will allow requests via https default port 443 to hit my diskstation.
problem is i need it to hit port 7001 to get to the filestation app.
So i enabled Webstation and added a virtual host (plenty instructions available for that)
i created a virtual host in the same section, picked a folder name "subredir" set the hostname to my sub.domain.com and selected https as protocol, port 443.
even if you would pick 7001 here, i dont think you can redirect a url at the dns level(godaddy) to a different port. this has to happen at the webserver.
now if i browsed to sub.domain.com, i would hit my virtual host on the diskstation and whatever is in that folder "subredir".

now I created a index.html page in notepad (rename the txt -> html) and inserted

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Filestation</title>
<meta http-equiv="REFRESH" content="0;url=https://sub.domain.com:7001"></HEAD>
<BODY>
Optional page text here.
</BODY>
</HTML>

now hitting that site would forward the browser to https://sub.domain.com:7001
before this works, you have to go to your router again an add another forward to your diskstations IP on port 7001.

now to the certificate part.
I enabled telnet and ssh access at network services and terminal.
I downloaded and ran WinSCP on my windows laptop, logged in as root (used admin pass) to my diskstation(hostname of syno box) ; ignored the errors and warning and continued on to get to the browser interface and browsed to /usr/syno/etc/ssl. created a backup folder and duplicated the three folders and one file from the ssl directory into the backup directory. this solved my lack of knowledge as to how to do that via commandline.
then I telneted to the diskstation; CMD for the win command window(dos screen). typed "telnet diskstation" or whatever the host name of your device is. log in as root (admin password) again.

as DinTid wrote: type and run (enter)
vi /usr/syno/etc/ssl/mkcert.sh

you can navigate the file with the arrow keys on your keyboard, to get familer with it.
you cannot make any edit in this current mode.
type: i [enter]
this will allow you to edit the file.
as rickywk said, you want to edit the data in lines 69-75, 168-174
to make sure I was not messing up too much stuff at once, I only edited the one line that appeared to be relevant to the url of my domain name.
line 173. the line count is displayed at the bottom of you command window.
it originally states synology.com.
I replaced it with *.mydomain.com
the * should allow multiple sub.domain.com addresses to be used. however I am no expert on SSL certs. so you could also put sub.domain.com in there.
I left the rest of the file alone, I can edit it later once I have confirmed that I am actually able to generate a new cert with this change.
now hit the ESC key to exit out of the edit/insert mode of the file.
it was mentioned to type :gw to save the file, that didn’t work for me, I got an error
I typed :w to write the changes the ":" is part of the command you type
and then :q to close the file
the screen should get you back to the same command you started at Diskstation> with a blinking cursor

now use the commands Dintid posted

cd /usr/syno/etc/ssl/ press [ENTER]
./mkcert.sh press [ENTER]

your cmd window will run through the script

once done, go to your diskstation admin console in the browser and restart it.

now I brwosed to https://sub.domain.com, I still get cert warnings, ignored them, to get to the filestation login page then clicked in IE8 on the certificate error button visiable at the end of the address bar. clicked view certificate. now I was able to see the details of the cert
and sure enough it showed my new url in the cert. success. (now that you know it worked, you could edit the rest of the lines mentioned above to show your name/state/email/etc)

the initial errors you see in IE should now only complain about it coming from an untrusted source, of course, as your diskstation, the source of this ssl cert is not trusted like verisign/twarte in the eyes of IE.

what I have not figured out how to import this cert to IE and trust it, which should eliminate all the warnings. however my company controls some of the security settings in IE and I may just be stuck with the warning unless I pay for a cert from a third party.

if someone has some input on how to get the self signed cert trusted in IE and/or if there is a better way to get the port forwarding to work, I am all ear. ( as a site note, I have other sites hosted on a different server behind the same firewall, so I cant forward all ports to the diskstation by default. it needs to respond based on a hostname.)

please excuse my bad writing, I just had my right arm operated on an typing this one handed with my left.

[DevineMe]

Wow MrTorben, that was a really long post. I kinda understand your logic and will try to offer a few suggestions for trying out. I will try to address the IE8 issue first. Understand I am by no means a authority and am kinda in the same Linux boat as you. So here it goes..

For IE8 see if the article How to make IE8 trust a self-signed certificate in 20 irritating steps helps. If you have access (permissions) to the "certmgr.msc" (use Start->Run) you can use it to edit certificate placement on XP also. Now in doing a little digging I discovered my own IE8 not accessing my Synology at all!! I don't really care because I use FireFox portable extensively all the time. Firefox, does not fuss when told to trust a certificate, it just freaking does it. What I learned today, how ever irrelevant to me personaly might be a issue for good post over at the GRC newsgroups though. Depends on whether or not IE8 is "force" validating all certificates now. I don't really know now because I haven't used IE8 to access my NAS since it's been installed. That tells you how much I use IE8, ehh? Should be interesting to find out why though so I put that on my todo list.

Update:IE error was caused by having restrictions set to high. To fix quickly ->Control panel ->Internet Options -> On Security Tab -> Reset all zones to default..
After this that was done, IE started using the unsigned certs again (with warning of coarse).

About the Port forwarding. Have you tried just forwarding 80 and 443 request to the NAS's HTTPS IP? I think (but am not sure) all you need to use File Station is web access to Synology Disk Station Manager. This only requires port 443 to be open. Forwarding, is bit off topic for this forum I think.

[vvv850]

First of all thank you for the detailed description on how to modify the mkcert.sh.

If I understand correctly, you are trying to access the diskstationmanager/filestation/audiostation interface remotely by ssl without typing the port number (eg: https://www.domain.com not https://www.domain.com:5001). If this is the case i will tell you what I have done:

- first of all filestation/diskstationmanager/audiostation share the same port numbers (by default 5000 for http and 5001 for https)(you can change them by clicking the options icon next to the home one in diskmanager
- go to web services and check "enable HTTPS" and "Automatically redirect HTTP connections to HTTPS"
- access your router and port forward the HTTP and HTTPS port you have configured (default 5000 and 5001)
- you will also need to forward port 443 (standard ports for HTTP and HTTPS)
Unless you have a website published at this stage it should work by entering "https://www.domain.com". For this to work only by entering www.domain.com you should also forward the 80 port, but i think in your case it should work by default because of the forwarding option from godaddy.

If you are trying to access the filestation directly I think the only method is the one you mentioned by entering the port number set in filestation-customise otherwise you should set 7001 in the options menu on the top left toolbar.

For the SSL certificate to be trusted you need to copy the ca.crt from /usr/syno/etc/ssl/ssl.crt to your computer and then install it. I myself installed it in the Trusted Root Certification Authorities.

[Dintid]

I really hope someone replys to this. I have the same problem as other, could someone please post a working link to the cnf file needed for this tutorial?

This one is broke still: http://www.gateway-1.homedns.org/synology/openssl.cnf

Thanks!!

I just quoted a random post about this problem to highlight what my post is about

In order to obtain an openssl.cnf file head over to:
http://www.openssl.org/source/ and download the latest version of OpenSSL. As of writing this post, the latest on is http://www.openssl.org/source/openssl-0.9.8l.tar.gz

Extract the archive using 7-zip (for windows) or something similar. Locate the openssl.cnf file and copy it to the location mentioned in the guide listed in this thread.

Final words:
I hope I don't break any rules by posting this, but its really a nice alternative to having to copy the ca.crt file to every single client who need a proper SSL verification. You will need a fully functional domain name for this one though:
I decided on spending just $16 to buy SSL certificate for 1 year from http://www.clickssl.com/.

They have an easy guide to install as well, listed here:
http://www.clickssl.com/howtogeneratecsr.aspx

Generate CSR key
ApacheSSL mod-ssl

Install SSL certificate:
ApacheSSL mod-ssl