All in subject.
Thank you for contributing to the community. It would be much better if your request were more detailed so it can get more attention and kudos from other community members.
NETGEAR Community Team
Install letsencrypt/certbot on ReadyNAS OS 6.5.0 (Debian Wheezy):

Docs and inspiration from:
https://certbot.eff.org/docs/using.html#
https://community.netgear.com/t5/Using-your-ReadyNAS/Any-way-to-get-rid-of-certificate-error-using-N...
https://community.netgear.com/t5/New-to-ReadyNAS/Can-you-install-a-trusted-SSL-certificate-on-the-NA...

apt-get install nano (or any other editor you like)
cd /opt
mkdir letsencrypt
cd letsencrypt
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --help all
apt-get install libaugeas-dev
(to prevent error: Unable to import libaugeas!)
service apache2 stop
./certbot-auto certonly --standalone-supported-challenges tls-sni-01 -d yourdomain.com
(to use port 443)
2 Automatically use a temporary ...
- Enter your email address
- Read terms of service
cd /etc/frontview/apache
cp apache2.pem apache2.pem.orig
nano apache2.pem
1. replace the PRIVATE KEY with the content from:
cat /etc/letsencrypt/keys/0000_key-certbot.pem
2. replace the CERTIFICATE with the content from:
cat /etc/letsencrypt/archive/yourdomain.com/cert1.pem
3. keep DH PARAMETERS unmodified
save apache2.pem
service apache2 start

Disadvantage: The key is only valid for 3 months and an automatic renewal is somehow complicated.
Maybe a script can help :-)
Since I can't edit my post above I'll post a corrected one:

# cd /opt
# mkdir letsencrypt
# cd letsencrypt
# wget https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
# ./certbot-auto --help all
# apt-get install libaugeas-dev
(to prevent error: Unable to import libaugeas!)
# service apache2 stop
# ./certbot-auto certonly --standalone-supported-challenges tls-sni-01 -d fqdn.yourdomain.com
(to use port 443)
3 Automatically use a temporary ...
- Enter your email address
- Read terms of service
# cd /etc/frontview/apache
# cp apache2.pem apache2.pem.orig
# cp ssl.conf ssl.conf.orig
# nano ssl.conf
add the line
"SSLCertificateChainFile /etc/frontview/apache/chain.pem"
below line
"SSLCertificateFile /etc/frontview/apache/apache2.pem"
save ssl.conf
# rm apache2.pem
# cat /etc/letsencrypt/live/fqdn.yourdomain.com/privkey.pem >> apache2.pem
# cat /etc/letsencrypt/live/fqdn.yourdomain.com/cert.pem >> apache2.pem
# cp /etc/letsencrypt/live/fqdn.yourdomain.com/chain.pem chain.pem
# service apache2 start

Disadvantage: The key is only valid for 3 months and an automatic renewal is somehow complicated.
Maybe a script can help :-)

Test with:
https://www.ssllabs.com/ssltest/index.html
https://www.sslshopper.com/ssl-checker.html
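The bundle-rebuild step from the corrected post above, as an added example that is not part of the original post or NETGEAR's code: it checks that the renewed key and certificate belong together before replacing apache2.pem and chain.pem, so a failed or partial renewal cannot leave the admin UI with a broken bundle. The function names and the `--install` switch are hypothetical, and it assumes ssl.conf already carries the SSLCertificateChainFile line from that post.

```shell
#!/bin/sh
# Added example: rebuild the ReadyNAS Apache bundle from certbot's "live" directory.
# Function names and the --install switch are hypothetical; paths come from the post.

# True if FILE ($1) holds a PEM block whose label ends in LABEL ($2).
pem_block_present() {
    grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null &&
    grep -q -- "-----END .*$2-----" "$1" 2>/dev/null
}

# True if the public key in CERT ($2) equals the one derived from KEY ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build apache2.pem (key + cert) and chain.pem in DEST ($2) from LIVE ($1).
# Nothing in DEST is replaced unless every check passes.
install_bundle() {
    live=$1; dest=$2
    pem_block_present "$live/privkey.pem" "PRIVATE KEY" || { echo "bad key" >&2; return 1; }
    pem_block_present "$live/cert.pem" "CERTIFICATE" || { echo "bad cert" >&2; return 1; }
    pem_block_present "$live/chain.pem" "CERTIFICATE" || { echo "bad chain" >&2; return 1; }
    key_matches_cert "$live/privkey.pem" "$live/cert.pem" || { echo "key/cert mismatch" >&2; return 1; }
    tmp=$(mktemp "$dest/apache2.pem.XXXXXX") || return 1
    chmod 600 "$tmp"    # the bundle contains the private key
    cat "$live/privkey.pem" "$live/cert.pem" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp "$live/chain.pem" "$dest/chain.pem.new" || { rm -f "$tmp"; return 1; }
    # Renames within one directory are atomic, so Apache never sees a half-written file.
    mv "$dest/chain.pem.new" "$dest/chain.pem" && mv "$tmp" "$dest/apache2.pem"
}

# Usage: ./rebuild-bundle.sh --install fqdn.yourdomain.com
if [ "${1:-}" = "--install" ]; then
    install_bundle "/etc/letsencrypt/live/$2" /etc/frontview/apache
    rc=$?
    service apache2 start   # start Apache either way; on failure the old bundle is intact
    exit $rc
fi
```

Run it after certbot has renewed, while Apache is still stopped as in the post. On a failed check the existing apache2.pem and chain.pem stay in place.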
@b19upd12 - I don't know for sure how big the user set is, but certainly that would include all users who enable https for administrative access of the NAS.
BTW, this applies to DDNS names (noip, dyndns) as well as regular DNS names.
I agree that it doesn't apply to everyone, but I would find it useful to have this built in, and I suspect I'm not alone.
+1. Also useful if it can be set up for application driven websites like Koken and other CMS. See https://fotografeer.nl/index.php?/categories/blog/essays/koken-cms-on-https/ .
+1 trying to get my owncloud visible from outside my network
I personally use LetsEncrypt for everything but from a security standpoint, if someone MITM'd you or maliciously accessed your box and redirected you somewhere else (maybe generated a certificate with the same name), you would likely not even notice and would still be vulnerable to other attacks. I don't think we would implement LetsEncrypt specifically but we are working on ways to implement other valid SSL certificates in lieu of self signed certificates.
There is a related issue here, which is getting rid of the security exceptions when you access the web interface of the NAS. They are annoying at least, and we regularly need to address those exceptions here in the forum.
There needs to be a way to use https to access the NAS without the pain of getting/installing your own cert (or the similar pain of putting self-signed certs into the root store of every device that accesses the NAS web ui).
I made a suggestion that was more general for exactly the reasons @StephenB listed. This turns out to be a more widespread problem, though. While the authors of browsers are constantly making it more onerous to access sites with self-signed certificates, it seems nobody is working on the issue of providing a secure certificate (or certificate-like) mechanism for local HTTPS servers like NASes, security cameras, etc. Public SSL certificates are only issued to domain names, not IP addresses, and certainly not private IP addresses that are duplicated all over. Since Nov 2015, you can't even get a certificate for a private domain name from any public CA. Running a private CA in a home environment using the likes of TinyCA is a bit much, but may be the only solution. Utilizing another mechanism (like ReadyCloud) is another way, but that's not really a solution, it's a work-around and it adds the need for access to an external server.
I've +1'ed this because I do have the need for external secure access, do have a domain name, and would like to see Netgear partner with somebody to provide an easy, free or very inexpensive way to install an SSL certificate on the ReadyNAS. But the other problem also needs to be addressed.