6.4.2 and SSL/TLS certificates
Will beta 6.4.2 have an option to import SSL/TLS certificates?
It's easy to get free certificates (letsencrypt.org) now.
Re: 6.4.2 and SSL/TLS certificates
It would be good to post support for letsencrypt in the idea forum.
Not only does it provide free certs, it also can install them automatically (with the appropriate package installed for the web server).
Re: 6.4.2 and SSL/TLS certificates
Unfortunately Let's Encrypt does not do what we would want.
Re: 6.4.2 and SSL/TLS certificates
Happy New Year!
Can you please clarify what you mean?
Re: 6.4.2 and SSL/TLS certificates
@mdgm wrote:
Unfortunately Let's Encrypt does not do what we would want.
I find that analysis surprising, and would like to hear details on what gaps you see.
I've talked with some of the folks developing it, and it sounds like it would be exactly what home and small business NAS owners would need - it would completely eliminate the need for self-signed certs.
- it is supposed to work with ddns domain names
- it can automatically obtain and install a CA cert on the NAS if the ACME apache package is installed
https://community.letsencrypt.org/t/quick-start-guide/1631
Re: 6.4.2 and SSL/TLS certificates
@mdgm wrote:
Unfortunately Let's Encrypt does not do what we would want.
Using letsencrypt, you could generate an SSL certificate and symlink the files from /etc/letsencrypt/live to the location where apache2 pulls its security, then restart apache2 every 90 days. I'm using a letsencrypt solution at home for my entire network. The only problem I see is that people need to open 443 to their ReadyNAS and have their own domain setup. For more advanced users, this is plausible; for home users, probably not.
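The deployment step described in the post above (symlink the files from /etc/letsencrypt/live, then reload Apache), as an added example that is not part of any post in this thread. The destination directory is a placeholder because the thread does not give the ReadyNAS path, and `LIVE_ROOT`, `RELOAD_CMD` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed assumptions: DEST_DIR is a
# placeholder for wherever Apache reads its cert; the page does not give the
# ReadyNAS path. LIVE_ROOT and RELOAD_CMD are hypothetical override variables.

# needs_renewal CERT DAYS: succeeds if CERT is missing or expires within DAYS.
needs_renewal() {
    [ -s "$1" ] || return 0
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# link_cert LIVE_DIR DEST_DIR: symlink fullchain.pem and privkey.pem into
# DEST_DIR, refusing missing files or a world-readable private key.
link_cert() {
    live=$1; dest=$2
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    for f in fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done
    # -L follows the live/ symlink to the real key file before testing its mode.
    if [ -n "$(find -L "$live/privkey.pem" -perm -004 2>/dev/null)" ]; then
        echo "refusing world-readable key: $live/privkey.pem" >&2; return 1
    fi
    for f in fullchain.pem privkey.pem; do
        # Build the link under a temp name, then rename over the old one so
        # Apache never sees a missing file.
        rm -f "$dest/.$f.new"
        ln -s "$live/$f" "$dest/.$f.new" && mv -f "$dest/.$f.new" "$dest/$f" || return 1
    done
}

# deploy DOMAIN DEST_DIR: link the cert, then reload the web server.
deploy() {
    link_cert "${LIVE_ROOT:-/etc/letsencrypt/live}/$1" "$2" || return 1
    ${RELOAD_CMD:-apache2ctl graceful}
}

# Cron entry point: le-deploy.sh run <domain> <dest-dir>
if [ "${1:-}" = run ]; then
    if needs_renewal "${LIVE_ROOT:-/etc/letsencrypt/live}/$2/fullchain.pem" 30; then
        echo "certificate for $2 expires within 30 days; re-run the client" >&2
    fi
    deploy "$2" "$3"
fi
```

Because the web server follows the symlinks, a renewed certificate is picked up on the next reload without copying the private key to a second location.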
Re: 6.4.2 and SSL/TLS certificates
@kohdee wrote:
@mdgm wrote:
Unfortunately Let's Encrypt does not do what we would want.
Using letsencrypt, you could generate an SSL certificate and symlink the files from /etc/letsencrypt/live to the location where apache2 pulls its security, then restart apache2 every 90 days. I'm using a letsencrypt solution at home for my entire network. The only problem I see is that people need to open 443 to their ReadyNAS and have their own domain setup. For more advanced users, this is plausible; for home users, probably not.
Opening 443 isn't difficult, and many NAS users are already allowing https admin access remotely.
I was told by one of the architects that it is supposed to work with ddns (so a DNS setup is not needed). Do you know (either way)?
Re: 6.4.2 and SSL/TLS certificates
@StephenB wrote:
Opening 443 isn't difficult, and many NAS users are already allowing https admin access remotely.
I was told by one of the architects that it is supposed to work with ddns (so a DNS setup is not needed). Do you know (either way)?
Hmm...
I only use 1 host with DynDNS, but I use Namecheap A + Dynamic DNS and cname record my subdomains to it, seems to work great.
Let me try it real quick with my teamspeak server.
Edit: I don't see WHY it wouldn't work. I'm having some issues because I host my teamspeak server on a web server host so nginx is already listening to port 80/443.
Re: 6.4.2 and SSL/TLS certificates
root@hosting:/opt/letsencrypt# ./letsencrypt-auto certonly -d bsr.game-server.cc
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly -d bsr.game-server.cc

How would you like to authenticate with the Let's Encrypt CA?
  1 Apache Web Server - Alpha (apache)
  2 Automatically use a temporary webserver (standalone)
  < OK >  < Cancel >  <More Info>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/bsr.game-server.cc/fullchain.pem. Your cert will
   expire on 2016-05-03. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
root@hosting:/opt/letsencrypt#
Re: 6.4.2 and SSL/TLS certificates
@kohdee wrote:
Edit: I don't see WHY it wouldn't work. I'm having some issues because I host my teamspeak server on a web server host so nginx is already listening to port 80/443.
My original concern was that the domain itself was owned by the DDNS provider, who might well have their own cert on the domain. So it wasn't a technical issue really, more of a question of whether the policy of the CA would allow it. I was told that it would, and I'm glad you are confirming.
Working with ddns makes perfect sense, because the goal is to make security ubiquitous - and they've invested a lot of energy in automating the entire cert process. Also, part of the install is to upgrade the security of the website so that it passes all the tests at https://www.ssllabs.com/ssltest/
It'd be good if someone (maybe someone at Netgear) can try installing this on the NAS, and see if there are any negative side effects. I think this is a nice uplift from self-signed certs.
Re: 6.4.2 and SSL/TLS certificates
I believe that it is totally do-able on a ReadyNAS -- the only problem is making sure you can access (locally) your ReadyNAS at that same domain name (not all routers support LAN>WAN>LAN access).
Maybe I'll try on my RN716X later (super busy now).