
"Let's Encrypt" - has anyone tested on ReadyNAS?

WSJ
Aspirant

"Let's Encrypt" - has anyone tested on ReadyNAS?

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting a certificate can be. Let’s Encrypt automates away all this pain and lets site operators turn on HTTPS with a single click or shell command.

When Let’s Encrypt launches in September 2015, enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server:

$ sudo apt-get install lets-encrypt

$ lets-encrypt example.com

That’s all there is to it! https://example.com is immediately live.

The Let’s Encrypt management software will:
• Automatically prove to the Let’s Encrypt CA that you control the website
• Obtain a browser-trusted certificate and set it up on your web server
• Keep track of when your certificate is going to expire, and automatically renew it
• Help you revoke the certificate if that ever becomes necessary.

No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.


[Source: https://letsencrypt.org/howitworks/]
Message 1 of 6
StephenB
Guru

Re: "Let's Encrypt" - has anyone tested on ReadyNAS?

It's not available yet (launches in September).
Message 2 of 6
mdgm-ntgr
NETGEAR Employee Retired

Re: "Let's Encrypt" - has anyone tested on ReadyNAS?

Sounds interesting. However with things like changing I.P. addresses, accessing over the local network vs remotely, I'm not sure how practical it would be.
Message 3 of 6
StephenB
Guru

Re: "Let's Encrypt" - has anyone tested on ReadyNAS?

A CA cert is usually bound to a URL, not an IP address. In most home cases, the URL domain name is owned by a DDNS provider - I am not sure how letsencrypt would work in that case. Hopefully more information will emerge as the launch gets closer.

There are two major components to their value proposition - one is the automation of certificate installation (using a new standard protocol called ACME), the second is the offering of free certificates from their certificate authority. It's definitely worth watching, and there are some major players supporting it.
Message 4 of 6
WSJ
Aspirant

Re: "Let's Encrypt" - has anyone tested on ReadyNAS?

StephenB wrote:
It's not available yet (launches in September).

True, but that refers to the "productive" version (using a CA root certificate which is present in all major browsers).
For now, one can already test the mechanism using a different root certificate.

Yes, the usage of multiple hostnames (via alternative subject names of type "DNSname") would be required in a typical ReadyNAS installation, allowing access to the NAS from inside the LAN and remotely via the internet, using https.

The cool part is the automation - not only for the initial setup but also for updating the SSL server certificate before it expires.
Message 5 of 6
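
The point raised in the posts above about a certificate being bound to names rather than IP addresses, and about needing several DNS subject alternative names for LAN and remote access, can be checked mechanically. The following is an added example, not part of the original thread or of any Let's Encrypt or ReadyNAS code; the hostnames and the address are constructed, and the wildcard handling is a simplified RFC 6125-style rule (whole leftmost label only).

```python
import ipaddress

def _is_ip(name):
    """True if the client typed an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Match a SAN dNSName against a hostname; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two more labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_names(san_dns, san_ips, access_names):
    """Return the names in access_names for which the certificate would not validate."""
    missing = []
    for name in access_names:
        if _is_ip(name):
            # IP literals are only matched against iPAddress SAN entries, never dNSName ones.
            addr = ipaddress.ip_address(name)
            ok = any(ipaddress.ip_address(ip) == addr for ip in san_ips)
        else:
            ok = any(dns_name_matches(p, name) for p in san_dns)
        if not ok:
            missing.append(name)
    return missing

# Constructed sample: a certificate with two DNS SANs and no IP SANs,
# and the ways a home user might reach the same NAS.
SAN_DNS = ["mynas.example.net", "nas.home.example.net"]
SAN_IPS = []
ACCESS = ["mynas.example.net", "nas.home.example.net", "192.168.1.50", "nas"]

if __name__ == "__main__":
    for n in uncovered_names(SAN_DNS, SAN_IPS, ACCESS):
        print("browser warning expected for:", n)
```
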
StephenB
Guru

Re: "Let's Encrypt" - has anyone tested on ReadyNAS?

I agree it's cool. FWIW, they will be an intermediate CA - the underlying root CA is IdenTrust - which already is an established root CA.

To test their client, you would need to manually integrate it into apache on the NAS. I haven't tried that. Also their client reconfigures your security settings to get an "A" on ssl-labs tests. Not sure if any of that will get in the way of the web ui or any apps.

One obvious issue for home users is that the DDNS provider owns the main domain name (and probably has a cert for it). I think the letsencrypt policies are still being worked out, but it might not be able to issue a certificate for xxx.mynetgear.com if Netgear already has a cert for mynetgear.com.

In addition, if you have more than one NAS (as I do), you likely have all of them using the same domain name but using different ports. The deeper-dive video I watched said that they weren't sure if they could grant certs automatically to multiple servers sharing the same domain name. But you might be able to do that manually once you got a cert for the first machine. And they might be thinking about a cluster, not dedicated servers listening on different ports.

Anyway, it's on my watch list, and if you know the answers on the policies/limitations please post them. My source was https://media.libreplanet.org/u/librepl ... s-encrypt/, it is about 7 weeks old.
Message 6 of 6