
Re: 6.4.2 and SSL/TLS certificates

GH
Aspirant

6.4.2 and SSL/TLS certificates


Will beta 6.4.2 have an option to import SSL/TLS certificates ?

It's easy to get free certificates (letsencrypt.org) now.

Message 1 of 12
StephenB
Guru

Re: 6.4.2 and SSL/TLS certificates

It would be good to post support for letsencrypt in the idea forum.


Not only does it provide free certs, it also can install them automatically (with the appropriate package installed for the web server).

Message 2 of 12
Equinox1
Guide

Re: 6.4.2 and SSL/TLS certificates

Besides the obvious security benefits, I would say this would be a great increase in convenience for the average user. Chrome is getting more and more picky with https.
Message 3 of 12
mdgm-ntgr
NETGEAR Employee Retired

Re: 6.4.2 and SSL/TLS certificates

Unfortunately Let's Encrypt does not do what we would want.

Message 4 of 12
Equinox1
Guide

Re: 6.4.2 and SSL/TLS certificates

Hi mdgm,

Happy New Year!

Can you please clarify what you mean?

Message 5 of 12
StephenB
Guru

Re: 6.4.2 and SSL/TLS certificates


@mdgm wrote:

Unfortunately Let's Encrypt does not do what we would want.

I find that analysis surprising, and would like to hear details on what gaps you see.


I've talked with some of the folks developing it, and it sounds like it would be exactly what home and small business NAS owners would need - it would completely eliminate the need for self-signed certs.

-it is supposed to work with ddns domain names

-it can automatically obtain and install a CA cert on the NAS if the ACME apache package is installed


https://community.letsencrypt.org/t/quick-start-guide/1631


Message 6 of 12
kohdee
NETGEAR Expert

Re: 6.4.2 and SSL/TLS certificates


@mdgm wrote:

Unfortunately Let's Encrypt does not do what we would want.



Using letsencrypt, you could generate an SSL certificate and symlink the files from /etc/letsencrypt/live to the location where apache2 pulls its security, then restart apache2 every 90 days. I'm using a letsencrypt solution at home for my entire network. The only problem I see is that people need to open 443 to their ReadyNAS and have their own domain setup. For more advanced users, this is plausible; for home users, probably not.


Message 7 of 12
StephenB
Guru

Re: 6.4.2 and SSL/TLS certificates


@kohdee wrote:

@mdgm wrote:

Unfortunately Let's Encrypt does not do what we would want.



Using letsencrypt, you could generate an SSL certificate and symlink the files from /etc/letsencrypt/live to the location where apache2 pulls its security, then restart apache2 every 90 days. I'm using a letsencrypt solution at home for my entire network. The only problem I see is that people need to open 443 to their ReadyNAS and have their own domain setup. For more advanced users, this is plausible; for home users, probably not.



Opening 443 isn't difficult, and many NAS users are already allowing https admin access remotely.  


I was told by one of the architects that it is supposed to work with ddns (so a DNS setup is not needed). Do you know (either way)?

Message 8 of 12
kohdee
NETGEAR Expert

Re: 6.4.2 and SSL/TLS certificates


@StephenB wrote:


Opening 443 isn't difficult, and many NAS users are already allowing https admin access remotely.  


I was told by one of the architects that it is supposed to work with ddns (so a DNS setup is not needed). Do you know (either way)?


Hmm...

I only use 1 host with DynDNS, but I use Namecheap A + Dynamic DNS and cname record my subdomains to it, seems to work great.

Let me try it real quick with my teamspeak server. 

Edit: I don't see WHY it wouldn't work. I'm having some issues because I host my teamspeak server on a web server host, so nginx is already listening on port 80/443.


Message 9 of 12
kohdee
NETGEAR Expert

Re: 6.4.2 and SSL/TLS certificates


root@hosting:/opt/letsencrypt# ./letsencrypt-auto certonly -d bsr.game-server.cc
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -d bsr.game-server.cc

    +----------------------------------------------------------------------+
    | How would you like to authenticate with the Let's Encrypt CA?        |
    |   1  Apache Web Server - Alpha (apache)                              |
    |   2  Automatically use a temporary webserver (standalone)            |
    |                                                                      |
    |        <   OK    >      < Cancel  >      <More Info>                 |
    +----------------------------------------------------------------------+

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/bsr.game-server.cc/fullchain.pem. Your cert
   will expire on 2016-05-03. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@hosting:/opt/letsencrypt#


Message 10 of 12
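The procedure kohdee sketches in Message 7 (certonly, symlink from /etc/letsencrypt/live into the apache2 cert location, reload before the 90-day expiry), using the standalone authenticator shown in the session above, as an added example script. This is not code from the thread or from NETGEAR; LE_BIN, RELOAD_CMD and the apache2 cert directory are placeholders that may differ on a real ReadyNAS.

```shell
#!/bin/sh
# Added example, not from the thread or from NETGEAR: wire a Let's
# Encrypt "certonly" result into the directory apache2 reads its cert
# from, and only re-run issuance when the cert is close to expiry.
# Placeholders (assumptions): LE_BIN is the letsencrypt-auto path,
# RELOAD_CMD reloads apache2; both may differ on a real ReadyNAS.
set -eu
LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
RELOAD_CMD="${RELOAD_CMD:-service apache2 reload}"

# Symlink fullchain.pem/privkey.pem from the live dir into $dest.
# Fails (status 1) if either file is missing or empty, so a botched
# issuance never leaves apache2 pointing at a dangling link.
link_cert() {
    live="$1" dest="$2"
    for f in fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    ln -sfn "$live/fullchain.pem" "$dest/server.crt"
    ln -sfn "$live/privkey.pem" "$dest/server.key"
    chmod 600 "$live/privkey.pem"   # key must stay unreadable to others
}

# Status 0 when the cert in $1 is missing, unreadable, or expires within
# $2 days (default 30), i.e. when a renewal should be attempted.
needs_renewal() {
    cert="$1" days="${2:-30}"
    [ -s "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)); then
        return 1    # still valid for more than $days days
    fi
    return 0
}

# Renew (the standalone authenticator needs port 80/443 reachable from
# the Internet, as the thread discusses), relink, reload apache2.
# Meant for a daily cron job; it is a no-op while the cert is fresh.
renew_and_install() {
    domain="$1" dest="$2" live="${3:-/etc/letsencrypt/live/$1}"
    if needs_renewal "$live/fullchain.pem" 30; then
        "$LE_BIN" certonly --standalone -d "$domain"
        link_cert "$live" "$dest"
        $RELOAD_CMD
    fi
}
# e.g. from cron: renew_and_install bsr.game-server.cc /etc/apache2/ssl
```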
StephenB
Guru

Re: 6.4.2 and SSL/TLS certificates


@kohdee wrote:

Edit: I don't see WHY it wouldn't work. I'm having some issues because I host my teamspeak server on a web server host, so nginx is already listening on port 80/443.



My original concern was that the domain itself was owned by the DDNS provider, who might well have their own cert on the domain.  So it wasn't a technical issue really, more of a question of whether the policy of the CA would allow it. I was told that it would, and I'm glad you are confirming.


Working with ddns makes perfect sense, because the goal is to make security ubiquitous - and they've invested a lot of energy in automating the entire cert process.  Also, part of the install is to upgrade the security of the website so that it passes all the tests at https://www.ssllabs.com/ssltest/


It'd be good if someone (maybe someone at Netgear) can try installing this on the NAS, and see if there are any negative side effects.  I think this is a nice uplift from self-signed certs.

Message 11 of 12
kohdee
NETGEAR Expert

Re: 6.4.2 and SSL/TLS certificates

I believe that it is totally do-able on a ReadyNAS -- the only problem is making sure you can access (locally) your ReadyNAS at that same domain name  (not all routers support LAN>WAN>LAN access). 

Maybe I'll try on my RN716X later (super busy now).

Message 12 of 12