SSL private key and certificate do not match

Paddi
Beginner
Posts: 26
Joined: Fri Jan 10, 2014 1:50 pm

Re: SSL private key and certificate do not match

Unread post by Paddi » Thu Feb 06, 2014 3:24 pm

amgatx wrote: Howdy Abraham!

I can tell you the way I converted the files. If you are running Windows, just open the file with Notepad. Go to Save As... and then look at the bottom of the pop up window. Underneath the "Save as type..." you should see a selection for "Encoding:" Choices might be ANSI, Unicode, and UTF-8. Just choose UTF-8 and re-save the file. This should get you converted to the right format.

Hi Abraham,

amgatx beat me to it. If you have a passphrase or anything, you can unlock it in the StartSSL control panel, but I just did as suggested and changed the setting in the Save As option...

I haven't heard anything back from Synology yet since I sent them the cert and key file, which was at the beginning of the week.

I will update as soon as I hear anything.

paddi

Paddi
Beginner
Posts: 26
Joined: Fri Jan 10, 2014 1:50 pm

Re: SSL private key and certificate do not match

Unread post by Paddi » Wed Feb 19, 2014 4:18 pm

Hi All,

Just an update to my problem, which is now fixed:

Support came back to me with this:

The standard certificate format is to have 3 lines of information as below

-----BEGIN CERTIFICATE-----
{{CERTIFICATE HASH DATA}}
-----END CERTIFICATE-----

However for some reason the certificates supplied were all on a single line, ie:

-----BEGIN CERTIFICATE-----{{CERTIFICATE HASH DATA}}-----END CERTIFICATE-----


They sent me back the .crt files, but I still wasn't able to get them to install (still getting the private key and certificate not matching error).

I had a backup of the StartSSL certificate and key (you can export one if you don't) and I used the key from that along with the certificates that had been sent back, and everything went fine.

Now I'm not too sure what combination worked and solved the issue ...

But using the key file that was installed alongside the StartSSL certificate worked ... I had checked everything on the StartSSL control panel and was given no errors, but this fixed my problem.

Hopefully this will save someone a lot of time and tears ... if it works for you.

Paddi

abrahamq
I'm New!
Posts: 2
Joined: Wed Feb 05, 2014 11:34 pm

Re: SSL private key and certificate do not match

Unread post by abrahamq » Sat Feb 22, 2014 5:15 am

amgatx wrote: Howdy Abraham!

I can tell you the way I converted the files. If you are running Windows, just open the file with Notepad. Go to Save As... and then look at the bottom of the pop up window. Underneath the "Save as type..." you should see a selection for "Encoding:" Choices might be ANSI, Unicode, and UTF-8. Just choose UTF-8 and re-save the file. This should get you converted to the right format.

Hi Paddi,

Still struggling with this. I opened the certificate with Notepad++, found Encoding, converted to UTF-8, and saved it. Using the Synology DSM settings under Certificate I tried to import this file for the private key and certificate (my understanding is the key is in the same file?). This time I no longer have the previous error but instead "illegal certificate". I assume that when I have opened the certificate with Notepad it is not decrypted, so the file is corrupted. Any ideas?

amgatx
Student
Posts: 65
Joined: Mon Jan 27, 2014 11:41 pm
Location: Austin, TX

Re: SSL private key and certificate do not match

Unread post by amgatx » Sat Feb 22, 2014 6:14 am

I've heard of the key and certificate being together in one file, but I've never seen it. You are likely to have separate files for the certificate, encrypted key, and decrypted key. Where did you get your certificate?

If you do have the key and certificate in the same file, you should be able to see this when opening the file.

jwy
I'm New!
Posts: 6
Joined: Sat Nov 28, 2009 11:36 am

Re: SSL private key and certificate do not match

Unread post by jwy » Sun Apr 27, 2014 5:37 pm

I used StartSSL to create an SSL/TLS server key and certificate (ssl.key and ssl.crt) and also downloaded StartSSL's intermediate cert (sub.class1.server.ca.pem). I originally used LibreOffice to save the cut-and-pasted ssl.key and ssl.crt as text files.

My initial attempt to import the certificates into my Synology DiskStation (running DSM 5.x) resulted in the widely reported "private key and certificate do not match". I read the advice here and used Notepad to save both ssl.key and ssl.crt as text (encoded using UTF-8 -- with CR & LF). My next attempt to import these certificates failed again with the same mismatch error. I then noted the advice about ensuring that ssl.crt included -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----; at this point I realized that StartSSL does not by default include " REQUEST" in the file. After adding this to the begin and end sections, the import succeeded.

I note that my DiskStation still lists the "Self-Signed Certificate" and lists "Synology" as the issuer -- even though an export of the cert shows that my StartSSL-issued server certificate is in the system... If anyone can explain the way that works, please share :)

jwy
I'm New!
Posts: 6
Joined: Sat Nov 28, 2009 11:36 am

Re: SSL private key and certificate do not match

Unread post by jwy » Sun Apr 27, 2014 8:01 pm

After enabling HTTPS Connections (Control Panel -> Network -> DSM Settings), I learned that the web service fails. In fact, if you are foolish enough to also select Automatic redirect to HTTPS, you will lock yourself out and have to reset the entire DS and go through the reinstall of the DSM...

I am convinced that this is not a fully baked feature and that Synology still has some work to do to make this come together easily for end-users. Has anyone found a step-by-step how-to on how to use quickconnect and CA-signed ssl certificate together?

amgatx
Student
Posts: 65
Joined: Mon Jan 27, 2014 11:41 pm
Location: Austin, TX

Re: SSL private key and certificate do not match

Unread post by amgatx » Sun Apr 27, 2014 8:43 pm

Hello jwy! I feel your pain. I'm not sure there is a way to make this come together easily for end-users. It sounds like your certificate might not have been installed properly. I would import your certificate again; I believe this will simply overwrite the certificate already installed. I have a third party certificate installed and it clearly states: status: third party certificate; Issued by: StartCom Class 1 Primary Intermediate Server CA. If your certificate is not properly identifying itself, some of the files may have gotten mixed up when you uploaded the cert. I know I had so many versions of the cert files it was confusing. Eventually it starts to make sense though.

The DSM is a pandora's box, that's for sure. But I have HTTPS connection and auto HTTPS redirect enabled, and everything seems to be working fine. This is after 4 months of continuous refinement however. But I don't understand why you say you will lock yourself out and have to reinstall the DSM. This shouldn't happen by simply enabling these two options.

Then you mention quickconnect, and I think that may be part of the problem. I do not have quickconnect enabled and have never used this feature. Anytime the computer is automating the decisions to make it easy for non-technical people to use the software, I find that it ends up confusing me and making things more difficult. That being said, I would assume you should be able to use this service with a CA-signed SSL cert installed on the box with no problems. How are you using quickconnect?

I wish I had more to offer in the way of solutions. Perhaps you can reply again and elaborate on how these services are overlapping in your installation. Good luck to you! :D

vicw
Sharp
Posts: 166
Joined: Wed Apr 04, 2007 1:31 am

Re: SSL private key and certificate do not match

Unread post by vicw » Mon Apr 28, 2014 12:48 am

jwy wrote: After enabling HTTPS Connections (Control Panel -> Network -> DSM Settings), I learned that the web service fails. In fact, if you are foolish enough to also select Automatic redirect to HTTPS, you will lock yourself out and have to reset the entire DS and go through the reinstall of the DSM...

I am convinced that this is not a fully baked feature and that Synology still has some work to do to make this come together easily for end-users. Has anyone found a step-by-step how-to on how to use quickconnect and CA-signed ssl certificate together?

I was foolish enough to enable the redirect, and ultimately ended up resetting. Unfortunately, the procedure that Synology provides specifies that setting. That was a lesson learned for me.

I agree that this feature is not working properly at all. I'm into my third day or so of total frustration with it. I've been waiting for five days now for Synology support to respond to my plea for help on this, and I finally just created a certificate myself in the meantime. I can't tell how effective it is, or whether data is being encrypted or not, but I can live with it for now.

For the life of me, I don't understand why Synology puts this burden on its users. We should be able to just import the composite .PFX certificate file that StartSSL generates, as we are able to do on our PC browsers. There is no reason why we are doing all of this manipulation of data encryption. We should never have to deal with the internals of that file.

amgatx
Student
Posts: 65
Joined: Mon Jan 27, 2014 11:41 pm
Location: Austin, TX

Re: SSL private key and certificate do not match

Unread post by amgatx » Mon Apr 28, 2014 1:41 am

jwy wrote: After enabling HTTPS Connections (Control Panel -> Network -> DSM Settings), I learned that the web service fails.

I think this is where a little elaboration will help me understand what is happening to y'all. Your web service should not fail because you have enabled HTTPS connections.

vicw wrote: I can't tell how effective it is, or whether data is being encrypted or not, but I can live with it for now.

One thing is for sure, these SSL certificates don't have anything to do with actually encrypting the information. If you are successfully connecting using the https:// protocol, the information is encrypted. Even if your browser doesn't like the certificate and gives you errors and the red X on the https, the data is still encrypted.

I'm a little confused what the problem is for you; even when I was having cert issues, I was still able to connect to the DSM with a red X. If y'all care to elaborate a little, maybe I can begin to understand. :D

vicw wrote: For the life of me, I don't understand why Synology puts this burden on its users. We should be able to just import the composite .PFX certificate file that StartSSL generates, as we are able to do on our PC browsers. There is no reason why we are doing all of this manipulation of data encryption. We should never have to deal with the internals of that file.

I believe this is more standard procedure for verifying servers connected to the internet, rather than a Synology thing. If there were a way to simply load up the certificate, it would bypass the domain validation procedure mentioned here:

"The commercial CAs that issue the bulk of certificates that clients trust for email servers and public HTTPS servers typically use a technique called "domain validation" to authenticate the recipient of the certificate. Domain validation involves sending an email containing an authentication token or link, to an email address that is known to be administratively responsible for the domain. This could be the technical contact email address listed in the domain's WHOIS entry, or an administrative email like postmaster@ or root@ the domain. The theory behind domain validation is that only the legitimate owner of a domain would be able to read emails sent to these administrative addresses."

but getting it to actually work, that's an undertaking for sure. Even with everything installed properly, there seem to be days when I get the red X anyway. :roll: let me know if my limited knowledge is of any use! :mrgreen:

vicw
Sharp
Posts: 166
Joined: Wed Apr 04, 2007 1:31 am

Re: SSL private key and certificate do not match

Unread post by vicw » Mon Apr 28, 2014 1:58 am

In my case, I don't think it's a matter of the web service failing, just that after the Apply button is pressed to enable HTTPS, while the redirect feature is enabled, the browser displays a never-ending cycle indicating that the web service is restarting. In fact, the browser is unable to reconnect with the DSM, and that screen never gets updated.

On a subsequent attempt to connect, the browser indicated that it's not possible to connect to the "Device Name", and any attempt to sign on via port 5000 is redirected to 5001, hence the same error condition leaves you in a hopeless state, especially if the Telnet alternative isn't enabled.

The sad part is that the procedure that Synology provides to enable HTTPS, calls for enabling the redirect feature, exacerbating the problem into a crisis.

Regarding the encryption, it's good to hear that encryption is still working, despite the red X condition. That's the state my unit is in, having temporarily given up on curing the problems with the certificate, and having resorted to generating my own certificate for the interim.

amgatx
Student
Posts: 65
Joined: Mon Jan 27, 2014 11:41 pm
Location: Austin, TX

Re: SSL private key and certificate do not match

Unread post by amgatx » Mon Apr 28, 2014 2:32 am

So the question is, what is preventing a connection using the https protocol?

jwy mentioned that the certificate listed in Control Panel > Security > Certificate does not match the certificate he exported to check. If that's the case, you could be stuck in some weird middle ground where it's not set up properly. However, even with a bogus or non-existent certificate, I would think you should still be able to connect, albeit with the red X.

However, there clearly is a small black hole which is able to be fallen into somewhere along the journey of securing the DSM by importing a SSL certificate. Y'all are not alone. Have you checked this thread: http://forum.synology.com/enu/viewtopic ... 19&t=67329 :?: There seems to be some good information out there; I will keep digging to see if I can find anything. :D

vicw
Sharp
Posts: 166
Joined: Wed Apr 04, 2007 1:31 am

Re: SSL private key and certificate do not match

Unread post by vicw » Mon Apr 28, 2014 2:52 am

Thanks for your interest and help with the problem.

Unfortunately, the condition totally blocks connection. Part of the description in the error message that is displayed says that "When Chrome tried to connect to <Server Name>, it returned unusual and incorrect credentials." It goes on to say that data was blocked from transfer, so there was no risk of it being captured.

I saw what appeared to be a match to my certificate when I looked at Control Panel/Security/Certificate.

Yes, I have been studying the thread you provided. It was somewhat helpful in describing that it's necessary to decrypt the Private Key and copy/paste it to the key file back to Synology.

I wonder what is going on with Synology Support? In my past experience, they were always pretty prompt getting back to users. I am thinking they might be deluged with issues related to damage by the heartbleed problem. I believe that's what bricked my old trusty DS111, which made it necessary for me to buy the DS214 as a replacement.

amgatx
Student
Posts: 65
Joined: Mon Jan 27, 2014 11:41 pm
Location: Austin, TX

Re: SSL private key and certificate do not match

Unread post by amgatx » Mon Apr 28, 2014 3:02 am

You may be right about the Synology support. I should think they would recognize this black hole and be able to explain exactly what combination of settings is causing it. It sounds like the rest of the DSM is functioning normally when this occurs, and it is only the https connection which is unavailable.

You might try reinstalling the certificate and ensuring you use the decrypted private key. http://www.synology.com/en-global/support/tutorials/464 is also a good reference if you are starting over. However I don't believe this would have anything to do with the main problem of not being able to connect via https, unless this issue really is some bug in the DSM. I think more likely it is an unfortunate combination of settings which conspire against you if you do them in the right (wrong) order. Once this happens, the only ways out are with SSH or telnet, or by a reset. So the real question is, what is causing this black hole and how can it be prevented?

I see you have already replied to that thread I posted. There has to be someone out there who can provide a precise explanation why this black hole exists and how to avoid it. I would hope that Synology support will be that someone, and hopefully they will be replying to you early this week. Let us know if they do!! :)

vicw
Sharp
Posts: 166
Joined: Wed Apr 04, 2007 1:31 am

Re: SSL private key and certificate do not match

Unread post by vicw » Mon Apr 28, 2014 3:13 am

I'm pretty confident that I had the decrypted private key file set properly. I generated one using OpenSSL and also created one using the Decrypt function in StartSSL. I compared them directly, and they were identical, including the right header and footer in each.

Once I regain my strength again, I may do more experimenting. I may just generate another certificate using my wife's info, now that I'm more conversant with the ins and outs of this mess. I may have messed up some selection in that process.

I did use that reference doc from Synology the first time around. It was generally helpful, except for the suggestion to enable the redirect, with no warning of the possible consequences. It is also not really current in displaying the screens that are currently in Synology for importing the credential.

amgatx
Student
Posts: 65
Joined: Mon Jan 27, 2014 11:41 pm
Location: Austin, TX

Re: SSL private key and certificate do not match

Unread post by amgatx » Mon Apr 28, 2014 3:19 am

We need to figure out what the cause is, improve that documentation, and prevent other people from falling into this trap! Hopefully Synology can shed some light on the situation. Maybe all this talk about it will keep someone else from falling into the same trap. Good luck to you! :D
