How to's: Generate Custom SSL Certificates

DevineMe
Student
Posts: 62
Joined: Sun Apr 26, 2009 2:48 am

Re: How to's: Generate Custom SSL Certificates

Unread post by DevineMe » Sun Jun 14, 2009 9:46 pm

>>> DiskStation login: admin <-- ???
>>> Password:

Did you try...

DiskStation login: root
Password: (password same as admin)

And as for the keys... That is either hit or miss; if they take, then the DSM will say "setting applied" after you click OK. If something's wrong there will be an error message. If you've been getting an error message when applying your certs then don't worry about it, they were probably not stored. Just uninstall all that stuff and go with the newer method.

bouncemeister
Experienced
Posts: 127
Joined: Mon Jun 11, 2007 9:41 am

Re: How to's: Generate Custom SSL Certificates

Unread post by bouncemeister » Mon Jun 15, 2009 6:33 am

DevineMe wrote:
>>> DiskStation login: admin <-- ???
>>> Password:

Did you try...

DiskStation login: root
Password: (password same as admin)

And as for the keys... That is either hit or miss; if they take, then the DSM will say "setting applied" after you click OK. If something's wrong there will be an error message. If you've been getting an error message when applying your certs then don't worry about it, they were probably not stored. Just uninstall all that stuff and go with the newer method.

Thanx! I read your message the wrong way. Since I didn't know a user called "root" existed, I thought I had to go to the root of the drive and go to the mentioned directory from there.
Now that I logged in as "root" there weren't any error messages when generating the key.

I enabled https again at Web Services and also enabled https port 7001 at File Station 2. I also enabled "Automatically redirect HTTP connections to HTTPS", like you said.
Now I get the certificate error message every time I try to access my diskstation.
I was afraid I couldn't enter my diskstation anymore, but I added an exception in Firefox and luckily I could enter the Disk Station Manager again.
I disabled "Automatically redirect HTTP connections to HTTPS" for now.
I'll wait a while to see if the certificate thing will work; I read somewhere that it might take a while.

bouncemeister
Experienced
Posts: 127
Joined: Mon Jun 11, 2007 9:41 am

Re: How to's: Generate Custom SSL Certificates

Unread post by bouncemeister » Mon Jun 15, 2009 4:45 pm

Hmm, no luck yet...

Code:

Secure Connection Failed

name.domain.com:7001 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The certificate is not valid for any server names.

(Error code: sec_error_unknown_issuer)

    * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.

    * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

I tried to access it locally and also through the internet.

DevineMe
Student
Posts: 62
Joined: Sun Apr 26, 2009 2:48 am

Re: How to's: Generate Custom SSL Certificates

Unread post by DevineMe » Mon Jun 15, 2009 5:00 pm

If you look at the certificate using Internet Explorer you will see the warning "the certificate cannot be verified up to a trusted certification authority".

:roll: Well umm, yeah. :roll: We created it ourselves, WITHOUT the "trusted certification authority". HOWEVER, if you add the exception and look at the Certification Path tab, you will see "This certificate is OK." And YES, the SSL IS WORKING.

Now, if you want a properly signed and verified certificate, get out your credit card and proof of who you are, then head over to Verisign. They'll gladly generate one for your site and even check the certificate every time someone logs on, for a nice little year-to-year :shock: fee :shock:.

Personally, and this is strictly my own personal view, while I DO think that the trusted "third party" verification scheme is a good one for e-commerce, I don't believe it should cost anyone anything. I have no problem with someone making money off this if they can. Just realize that no magical or governmental internet entity came out of nowhere and deemed Verisign a "trusted certification authority". They just kinda did it on their own and it worked. Also realize that neither Verisign nor anybody else can tell me or you that we CANNOT use SSL just because our certificate wasn't signed.

PS, back up, you had it working at this point:
Now that I logged in as "root" there weren't any error messages when generating the key.

I enabled https again at Web Services and also enabled https port 7001 at File Station 2. I also enabled "Automatically redirect HTTP connections to HTTPS", like you said.
Now I get the certificate error message every time I try to access my diskstation.
I was afraid I couldn't enter my diskstation anymore, but I added an exception in Firefox and luckily I could enter the Disk Station Manager again.

bouncemeister
Experienced
Posts: 127
Joined: Mon Jun 11, 2007 9:41 am

Re: How to's: Generate Custom SSL Certificates

Unread post by bouncemeister » Mon Jun 15, 2009 8:03 pm

Thanks for the explanation! :D
Now i get it.
You've been a great help for me!

Thanx again! :D

xdanx
I'm New!
Posts: 2
Joined: Tue Sep 08, 2009 4:43 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by xdanx » Tue Sep 08, 2009 4:47 pm

Hello,

I've followed this ... but I continue to have this error ...
This certificate doesn't match ....

(Code d'erreur : sec_error_unknown_issuer)

DevineMe
Student
Posts: 62
Joined: Sun Apr 26, 2009 2:48 am

Re: How to's: Generate Custom SSL Certificates

Unread post by DevineMe » Sun Sep 27, 2009 11:48 am

xdanx wrote:
Hello,

I've followed this ... but I continue to have this error ...
This certificate doesn't match ....

(Code d'erreur : sec_error_unknown_issuer)

Haven't seen this error before so I have no clue (sorry). I would say re-read the thread and follow the steps VERY closely.

kinslayer
I'm New!
Posts: 4
Joined: Mon Oct 19, 2009 7:35 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by kinslayer » Mon Oct 19, 2009 7:42 pm

Hi,

Glad I found your post as it seems it has everything I'm looking for: a self-signed SSL cert and nice straightforward instructions.

However, it seems I am falling at the first hurdle, as when I click on the link to download openssl.cnf I just get directed to a generic "Page Can Not Be Found" screen (it actually says that http://www.gateway-1.homedns.org cannot be found). I'm assuming that the file is on your DiskStation and that the link is just a DDNS address.

So, my question is: am I failing because I'm doing something completely wrong, or is it that I am in the wrong geographical zone (UK), or is it just that your server has been off for a few weeks and thus I am unable to access the site?

Thanks in advance for your assistance.

Riki
I'm New!
Posts: 7
Joined: Sat Jan 09, 2010 7:53 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by Riki » Sat Jan 09, 2010 7:57 pm

I really hope someone replies to this. I have the same problem as others; could someone please post a working link to the cnf file needed for this tutorial?

This one is still broken: http://www.gateway-1.homedns.org/synology/openssl.cnf

Thanks!!

vvv850
Experienced
Posts: 133
Joined: Wed Jan 20, 2010 2:38 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by vvv850 » Wed Jan 20, 2010 4:18 pm

Hey,

I found openssl.cnf here: http://123adm.free.fr/home/pages/docume ... penssl.cnf .
I tested it for creating the request key and it worked.

Hope it helps. :D
DS209+II DSM 2.3-1139 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1
DS710+ DSM 2.3-1161 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1

Dintid
Student
Posts: 73
Joined: Tue Oct 27, 2009 1:33 pm
Location: Denmark

Re: How to's: Generate Custom SSL Certificates

Unread post by Dintid » Wed Jan 20, 2010 7:00 pm

I used the built-in SSL support in my NAS.

Using Telnet:

Edit the mkcert.sh file in order to fill in your information, as it defaults to Synology:
vi /usr/syno/etc/ssl/mkcert.sh

Once you are done editing, hit ESC and type :gw and press [ENTER]

Now run mkcert.sh by typing:
cd /usr/syno/etc/ssl/ press [ENTER]
./mkcert.sh press [ENTER]

Restart the relevant services or just restart the entire NAS.
DS1513+ && DS214

MrTorben
Trainee
Posts: 14
Joined: Wed Aug 12, 2009 2:13 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by MrTorben » Sun Jan 31, 2010 8:32 pm

I suck at Linux, so while the concept of "back up the file before editing" is probably dead simple to some, I don't even know where to start.

I know you can google all that info, but let me just type out what I did to change the mkcert.sh and execute it.

I am running DSM 2.2. I enabled SSL (https) under Webservices since I wanted to expose FileStation to the internet. I have a domain name which will forward http://sub.domain.com to httpS://sub.domain.com (this was done with the forwarding option on GoDaddy).
You cannot forward to a specific port number at this point, but I needed it to work without having to type any port number.
On my router/firewall (Linksys) I opened port 443 (https) to forward to my diskstation. This will allow requests via the https default port 443 to hit my diskstation.
The problem is I need it to hit port 7001 to get to the FileStation app.
So I enabled Webstation and added a virtual host (plenty of instructions available for that).
I created a virtual host in the same section, picked a folder name "subredir", set the hostname to my sub.domain.com and selected https as protocol, port 443.
Even if you would pick 7001 here, I don't think you can redirect a URL at the DNS level (GoDaddy) to a different port; this has to happen at the web server.
Now if I browsed to sub.domain.com, I would hit my virtual host on the diskstation and whatever is in that folder "subredir".

Now I created an index.html page in Notepad (rename the .txt -> .html) and inserted:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Filestation</title>
<!-- meta refresh: send the browser straight to FileStation's HTTPS port -->
<meta http-equiv="REFRESH" content="0;url=https://sub.domain.com:7001">
</head>
<body>
Optional page text here.
</body>
</html>

Now hitting that site would forward the browser to https://sub.domain.com:7001.
Before this works, you have to go to your router again and add another forward to your diskstation's IP on port 7001.

Now to the certificate part.
I enabled telnet and SSH access at Network Services -> Terminal.
I downloaded and ran WinSCP on my Windows laptop, logged in as root (used the admin password) to my diskstation (hostname of the Syno box); ignored the errors and warnings and continued on to get to the browser interface and browsed to /usr/syno/etc/ssl. I created a backup folder and duplicated the three folders and one file from the ssl directory into the backup directory. This solved my lack of knowledge as to how to do that via the command line.
Then I telnetted to the diskstation: CMD for the Windows command window (DOS screen). Typed "telnet diskstation" or whatever the host name of your device is. Log in as root (admin password) again.

As Dintid wrote, type and run (enter):
vi /usr/syno/etc/ssl/mkcert.sh

You can navigate the file with the arrow keys on your keyboard, to get familiar with it.
You cannot make any edits in this current mode.
Type: i [enter]
This will allow you to edit the file.
As rickywk said, you want to edit the data in lines 69-75, 168-174.
To make sure I was not messing up too much stuff at once, I only edited the one line that appeared to be relevant to the URL of my domain name:
line 173. The line count is displayed at the bottom of your command window.
It originally states synology.com.
I replaced it with *.mydomain.com
The * should allow multiple sub.domain.com addresses to be used; however, I am no expert on SSL certs, so you could also put sub.domain.com in there.
I left the rest of the file alone; I can edit it later once I have confirmed that I am actually able to generate a new cert with this change.
Now hit the ESC key to exit out of the edit/insert mode of the file.
It was mentioned to type :gw to save the file; that didn't work for me, I got an error.
I typed :w to write the changes (the ":" is part of the command you type)
and then :q to close the file.
The screen should get you back to the same prompt you started at, DiskStation> with a blinking cursor.

Now use the commands Dintid posted:

cd /usr/syno/etc/ssl/ press [ENTER]
./mkcert.sh press [ENTER]

Your cmd window will run through the script.

Once done, go to your diskstation admin console in the browser and restart it.

Now I browsed to https://sub.domain.com. I still get cert warnings; ignored them to get to the FileStation login page, then clicked in IE8 on the certificate error button visible at the end of the address bar and clicked "View certificate". Now I was able to see the details of the cert,
and sure enough it showed my new URL in the cert. Success. (Now that you know it worked, you could edit the rest of the lines mentioned above to show your name/state/email/etc.)

The initial errors you see in IE should now only complain about it coming from an untrusted source; of course, as your diskstation, the source of this SSL cert, is not trusted like Verisign/Thawte in the eyes of IE.

What I have not figured out is how to import this cert into IE and trust it, which should eliminate all the warnings. However, my company controls some of the security settings in IE and I may just be stuck with the warning unless I pay for a cert from a third party.

If someone has some input on how to get the self-signed cert trusted in IE and/or if there is a better way to get the port forwarding to work, I am all ears. (As a side note, I have other sites hosted on a different server behind the same firewall, so I can't forward all ports to the diskstation by default; it needs to respond based on a hostname.)

Please excuse my bad writing, I just had my right arm operated on and am typing this one-handed with my left.

DevineMe
Student
Posts: 62
Joined: Sun Apr 26, 2009 2:48 am

Re: How to's: Generate Custom SSL Certificates

Unread post by DevineMe » Mon Feb 01, 2010 4:10 am

Wow MrTorben, that was a really long post. I kinda understand your logic and will try to offer a few suggestions for trying out. I will try to address the IE8 issue first. Understand I am by no means an authority and am kinda in the same Linux boat as you. So here it goes...

For IE8 see if the article "How to make IE8 trust a self-signed certificate in 20 irritating steps" helps. If you have access (permissions) to "certmgr.msc" (use Start->Run) you can use it to edit certificate placement on XP also. Now in doing a little digging I discovered my own IE8 not accessing my Synology at all!! I don't really care because I use Firefox Portable extensively all the time. Firefox does not fuss when told to trust a certificate, it just freaking does it. What I learned today, however irrelevant to me personally, might be an issue for a good post over at the GRC newsgroups though. Depends on whether or not IE8 is "force" validating all certificates now. I don't really know now because I haven't used IE8 to access my NAS since it's been installed. That tells you how much I use IE8, ehh? Should be interesting to find out why though, so I put that on my todo list.

Update: the IE error was caused by having restrictions set to high. To fix quickly -> Control Panel -> Internet Options -> on the Security tab -> Reset all zones to default.
After that was done, IE started using the unsigned certs again (with warning of course).

About the port forwarding. Have you tried just forwarding 80 and 443 requests to the NAS's HTTPS IP? I think (but am not sure) all you need to use File Station is web access to Synology Disk Station Manager. This only requires port 443 to be open. Forwarding is a bit off topic for this forum I think.
Last edited by DevineMe on Wed May 05, 2010 7:07 am, edited 1 time in total.

vvv850
Experienced
Posts: 133
Joined: Wed Jan 20, 2010 2:38 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by vvv850 » Sun Feb 07, 2010 9:44 pm

First of all, thank you for the detailed description on how to modify the mkcert.sh.

If I understand correctly, you are trying to access the diskstationmanager/filestation/audiostation interface remotely by SSL without typing the port number (eg: https://www.domain.com not https://www.domain.com:5001). If this is the case I will tell you what I have done:

- first of all, filestation/diskstationmanager/audiostation share the same port numbers (by default 5000 for http and 5001 for https) (you can change them by clicking the options icon next to the home one in diskmanager)
- go to web services and check "enable HTTPS" and "Automatically redirect HTTP connections to HTTPS"
- access your router and port forward the HTTP and HTTPS port you have configured (default 5000 and 5001)
- you will also need to forward port 443 (standard ports for HTTP and HTTPS)

Unless you have a website published, at this stage it should work by entering "https://www.domain.com". For this to work only by entering www.domain.com you should also forward port 80, but I think in your case it should work by default because of the forwarding option from GoDaddy.

If you are trying to access the filestation directly I think the only method is the one you mentioned, by entering the port number set in filestation-customise; otherwise you should set 7001 in the options menu on the top left toolbar.

For the SSL certificate to be trusted you need to copy the ca.crt from /usr/syno/etc/ssl/ssl.crt to your computer and then install it. I myself installed it in the Trusted Root Certification Authorities.
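An added example (not code from the thread, from Synology or from mkcert.sh) that ties MrTorben's *.mydomain.com edit to vvv850's ca.crt advice: it writes a minimal openssl.cnf, builds a private CA, issues a server cert whose subjectAltName carries the wildcard, and checks it the way a browser does, with and without the CA installed. The hostnames, the CA name and the output directory are assumptions; it expects openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or Synology's mkcert.sh. Assumes openssl
# 1.1.1+ on PATH and paths without spaces; hostnames below are made up.
set -eu

# make_certs DIR HOST: writes ca.crt, ca.key, server.crt, server.key into DIR.
make_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # A minimal openssl.cnf: everything req and x509 need, nothing more.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed CA: the ca.crt that must be installed on each client.
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Home NAS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR; the CN alone no longer satisfies browsers.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign with the CA, attaching the SAN so the cert is valid for HOST.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

# check_cert DIR HOST [CAFILE]: 0 if chain and hostname verify, else non-zero.
# Without CAFILE the system store is ignored too: the sec_error_unknown_issuer case.
check_cert() {
    ca=""
    [ $# -ge 3 ] && ca="-CAfile $3"
    openssl verify -no-CAfile -no-CApath $ca -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Demo: a wildcard cert like the *.mydomain.com edit in the thread.
d=$(mktemp -d)
make_certs "$d" '*.mydomain.com'
for host in sub.mydomain.com mydomain.com; do
    if check_cert "$d" "$host" "$d/ca.crt"; then echo "$host: ok"; else echo "$host: rejected"; fi
done
check_cert "$d" sub.mydomain.com || echo "no CA installed: unknown issuer"
```

The demo shows the two browser complaints from the thread separately: without ca.crt the chain fails (unknown issuer), and with it the wildcard still rejects the bare mydomain.com because a wildcard covers one label only.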

Dintid
Student
Posts: 73
Joined: Tue Oct 27, 2009 1:33 pm
Location: Denmark

Re: How to's: Generate Custom SSL Certificates

Unread post by Dintid » Sat Feb 13, 2010 8:07 am

Riki wrote:I really hope someone replys to this. I have the same problem as other, could someone please post a working link to the cnf file needed for this tutorial?

This one is broke still: http://www.gateway-1.homedns.org/synology/openssl.cnf

Thanks!!
I just quoted a random post about this problem to highlight what my post is about :wink:

In order to obtain an openssl.cnf file head over to:
http://www.openssl.org/source/ and download the latest version of OpenSSL. As of writing this post, the latest one is http://www.openssl.org/source/openssl-0.9.8l.tar.gz

Extract the archive using 7-Zip (for Windows) or something similar. Locate the openssl.cnf file and copy it to the location mentioned in the guide listed in this thread.

Final words:
I hope I don't break any rules by posting this, but it's really a nice alternative to having to copy the ca.crt file to every single client who needs proper SSL verification. You will need a fully functional domain name for this one though:
I decided on spending just $16 to buy an SSL certificate for 1 year from http://www.clickssl.com/.

They have an easy guide to install as well, listed here:
http://www.clickssl.com/howtogeneratecsr.aspx

Generate CSR key: ApacheSSL mod-ssl
Install SSL certificate: ApacheSSL mod-ssl