Any way to get rid of certificate error using Netgear/Jalbum

Utlover
Aspirant

Any way to get rid of certificate error using Netgear/Jalbum

I followed the instructions from the How to section to set up my ReadyNas Nv+ to act as a webserver and it works flawlessly. So far, so good. The only problem I have is the certificate error which I cannot seem to be able to get rid of.
Is this just impossible or is there a way?
Message 1 of 21
LrdShaper
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

What IP address is it displaying? Is it the same as the IP address of your ReadyNAS? If it is, then be sure to install the certificate permanently on the client browser. If it's different, then go to Services->Standard File Protocols->HTTPS. Type your ReadyNAS' current IP address in the SSL key host field and click on generate. You'd probably want to set your ReadyNAS to have a static IP instead of DHCP if you haven't already done so.
Message 2 of 21
gardenphotograp
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Thanks LrdShaper!

I had this same certificate error and your solution solved my problem. I hope this also works for Utlover.
NAS#1: ReadyNAS NV+ RND4250 (2 x Seagate ST3500630NS 500GB), Firmware v4.01c1-p6 4.1.7 [1.00a043], 256MB DIMM.
NAS#2: ReadyNAS NV+ RND4250 (2 x Seagate ST3500630NS 500GB), Firmware v4.01c1-p6 4.1.7 [1.00a043], 256MB DIMM.
NAS#3: ReadyNAS NVX RNDX4210-100 (2 x 1TB), Firmware 4.2.17
iMac 2 GHz Intel Core 2 Duo, 2GB SDRAM, OS X 10.6.7
iMac 2.8 GHz Intel Core 2 Duo, 2GB SDRAM, OS X 10.6.5
Mac Mini 1.25GHz G4, 512MB RAM, OS X 10.5.4
Dell AMD Athlon64/3200+ 2Ghz, 512MB RAM, WinXP Home SP2.
Switch: Netgear GS608v2, 10/100/1000 w/8-Port.
Switch: Netgear GS605, 10/100/1000 w/5-Port.
Router: Linksys BEFSR41 10/100 w/4-Port
Cable: Cat6.
Message 3 of 21
Utlover
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Thanks for the update! Unfortunately, this will not help you as when you follow the instruction, you create a dynamic dns entry pointing to your external ip address (the address as supplied by your ISP), whilst the ReadyNas has an internal 192.... address. To me, it appears there will be no way of solving this error. But I'm no expert.
Message 4 of 21
cyjohnson
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Where is this How to section on webserver that you are talking about?
Message 5 of 21
hanko_panko
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

grrrr does not work.

But then again, maybe I should report my problem a bit more in detail.

Running Vista and always getting the Certificate Error. I click "Continue to this website", login and right-click the error in the address bar. Then I click "View certificates" and I get a dialog window reporting me with the same IP-address for "Issued to:" and "Issued by:". I am not sure but would think "Issued to" should be the IP address of my PC (client)?

How to proceed?
Message 6 of 21
CharlesLaCour
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

The "Issued to" and "Issued by" will be the same, it is what is known as a self signed certificate, an x509 certificate to be more precise. If you were to have a certificate that was signed by Verisign, Thawte or any other certificate authority, CA, you would see the "Issued by" list the name of the CA that signed your certificate.

I don't see a way to generate a new cert from Frontview so the only way to fix this would be ssh into the box with elevated privileges.

If any of the info below is not familiar to you I would suggest that you don't try doing any of this.

Here is a link to a description of the process for getting a CA signed cert: Re: Can you install a trusted SSL certificate on the NAS?

If you generate a self signed certificate using a name instead of an IP address then as long as you use the name to refer to your ReadyNAS then you can import and trust that certificate and it will work regardless of the IP address associated with the ReadyNAS. The drawback is that the standard field for the name or IP address in an x509 certificate will only take a single value and if you use different names to access the ReadyNAS you will get the SSL error if you use a name that is not in the certificate.

There is a way around this, there is another field in an x509 certificate called "Subject Alternative Name" or SAN. You can generate a self signed certificate using the SAN field but it can cause its own issues. All of the released versions of Sun Java throw an SSL Handshake error about an unsupported critical extension if there is a SAN defined and is flagged as required/critical.

Here is a URL to some info about setting the SAN in the openssl.conf file: Open SSL Subject Alternative Name
Charles LaCour
clacour_AT_gmail.com
Message 7 of 21

Re: Any way to get rid of certificate error using Netgear/Jalbum

I have the exact same problem, and frankly I did not understand the answers given. Should it really be that hard...

When I click Setup in RAIDar, Firefox (default browser) throws up a "Secure Connection Failed" saying that <IP num supplied by my ISP> uses an invalid security certificate, not trusted since it is self-signed and only valid for <fixed IP num of the ReadyNAS(?)>. Then I have the option to add an exception, but FF is very harsh on this, do I really, really want...

Well, do I?

(note that FF has no option like IE to "continue to web site anyway")
Message 8 of 21
CharlesLaCour
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

When you add the exception to FireFox what you are doing is telling FireFox that it is OK to trust the certificate from your ReadyNAS. I would assume that you trust your ReadyNAS so it is OK to add the exception.

In general FireFox is designed to be more secure than IE.

If you want to go as far as to enable ssh and enable ssh to root, which may cause Netgear to not support your device, you can replace your certificate.

First create a config file named readynas_ssl.conf with the following:

[ req ]
default_bits = 2048
default_md = sha1
#default_keyfile = key1
distinguished_name = req_distinguished_name
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = XX
localityName = XX
organizationName = XX
organizationalUnitName = XX
emailAddress = XX
commonName = NAS_FQDN

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = NAS_Name1
DNS.2 = NAS_Name2


Replace the XX values with the info you want, it really doesn't matter since you are not going to have it signed by a CA. Replace the NAS_FQDN with the fully qualified name for your ReadyNAS. If you want to have multiple names for your ReadyNAS replace the NAS_Name1 and NAS_Name2 with the names you want. If you are going to only use one name remove the "subjectAltName" line and all of the lines after it.

In the same directory that you just created the readynas_ssl.conf file run the following commands:

openssl genrsa 2048 > readynas.key
openssl req -new -x509 -nodes -sha1 -days 365 -key readynas.key -config readynas_ssl.conf > readynas.cert
cat readynas.cert readynas.key > readynas.pem


Now make a backup of the existing certificate file:
cp /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig


Now replace the existing certificate:
cp readynas.pem /etc/frontview/apache/apache.pem


Now restart Apache or just reboot the ReadyNAS.
Charles LaCour
clacour_AT_gmail.com
Message 9 of 21

Re: Any way to get rid of certificate error using Netgear/Jalbum

CharlesLaCour wrote:
When you add the exception to FireFox what you are doing is telling FireFox that it is OK to trust the certificate from your ReadyNAS. I would assume that you trust your ReadyNAS so it is OK to add the exception.


Thanks for this.
The problem with simply adding the exception is that I have to do that every time the NAS gets a new IP-num from my ISP. So I guess I'll have to replace the certificate...
Message 10 of 21
CharlesLaCour
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

The FireFox exceptions are stored by IP address and name. If you have a name associated with the ReadyNAS and access it that way instead of the IP address you will not have to add an exception each time there is a new IP address you use to access your ReadyNAS.
Charles LaCour
clacour_AT_gmail.com
Message 11 of 21
gooberschnot
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

This thread has not been helpful to me thus far. I have simple questions that need simple answers (please help!)

1. Is there a way I can implement Jalbum without using https? (like use http only?)

2. What settings are required to make this happen? For both the router and NAS?

I don't know how to SSH nor do I want to risk trying. I just want to rid these certificate errors and the "secure and nonsecure item" prompt each time I go through a photo.

Thanks in advance! Happy Holidays and Happy New Year Everyone!
Message 12 of 21
hybern8
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

1. Generate the certificate to the same name as you are accessing your ReadyNAS as a website.
2. From IE7 take Tools -> Internet Options -> Security Tab -> Trusted Sites -> Sites and add the full URL to your ReadyNAS as a website.
3. Exit out of the administration tool and then log back in.
4. Right click on the <Certificate Error> usually in red at the top of the browser.
5. Take View Certificate
6. Take Install Certificate. Follow the instructions but be sure to place the certificates in "Trusted Certificates" folder. By default it will try to place the certificate in the personal folder... to not allow this to happen, you must manually force it into the trusted certificates folder.
7. Exit and then go back in. You should go directly to a login-prompt with no certificate errors.

8)
Message 13 of 21
prchrist
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Hi; very new to this, I've tried all of the fixes described in previous posts, but continue to get the certificate error in IE7.
My issue is on an NV+ and a Windows XP Pro machine, not sure of what Jalbum is or if my issue is unrelated to the one described.
Any guidance would be appreciated.
Message 14 of 21
CharlesLaCour
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Are you using a name or IP address to access the NAS?

What is the exact error that IE is giving you? Is it saying that the certificate is invalid or the wrong name or not trusted?
Charles LaCour
clacour_AT_gmail.com
Message 15 of 21
prchrist
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Thanks; I'm using https://hostname/user.
The error is 'Mismatched Address'. Currently the certificate is being 'Issued by' and 'Issued to' with the IP for the ReadyNAS.
I've tried changing this to both the IP for the PC as well as the IP for the internet connection from my gateway. I got different errors on one of these indicating that the certificate was invalid as it was 'self-signed'.
When I look in IE7 Security setting I can see the certificate in the 'Trusted Root Certificates', but continue to get the error.
Message 16 of 21
CharlesLaCour
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

If you are accessing the NAS via a name and the certificate is generated based on the IP there will be a name mismatch. If you go into Frontview and go into "Standard File Protocols" under services. Under the HTTPS section place the name you are using to access the NAS in the "SSL key host" and click on the "Generate New Key". When you next access the web interface accept the certificate and trust it and you should be good to go.
Charles LaCour
clacour_AT_gmail.com
Message 17 of 21
prchrist
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

Charles, THANK YOU.
Your direction has resolved my problem.

Your assistance is greatly appreciated.

Take Care; PRC.
Message 18 of 21
ourdave
Aspirant

Re: Any way to get rid of certificate error using Netgear/Jalbum

hybern8 wrote:
1. Generate the certificate to the same name as you are accessing your ReadyNAS as a website.
2. From IE7 take Tools -> Internet Options -> Security Tab -> Trusted Sites -> Sites and add the full URL to your ReadyNAS as a website.
3. Exit out of the administration tool and then log back in.
4. Right click on the <Certificate Error> usually in red at the top of the browser.
5. Take View Certificate
6. Take Install Certificate. Follow the instructions but be sure to place the certificates in "Trusted Certificates" folder. By default it will try to place the certificate in the personal folder... to not allow this to happen, you must manually force it into the trusted certificates folder.
7. Exit and then go back in. You should go directly to a login-prompt with no certificate errors.

8)


this works fine for me - great stuff, much appreciated, it's been bugging me for months.
Message 19 of 21
mike1234i
Aspirant

Re: Any way to get rid of certificate error using Netgear/Ja

I realize that this post is almost 2 years old, but I could not find any newer topics on this subject. I was unable to create a certificate with alternative names using the provided instructions.

In order to generate a certificate with subject alternative names I had to first create a CSR (certificate signing request):
apache-ssl -f /etc/frontview/apache/httpd.conf


Then I could self sign the CSR:
openssl x509 -req -days 7200 -in readynas.csr -signkey readynas.key -out readynas.crt -extensions v3_req -extfile readynas.cnf


You do not need to restart the NAS, you just need to restart apache:
killall apache-ssl
apache-ssl -f /etc/frontview/apache/httpd.conf
Message 20 of 21
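
An added example, not code from any poster in this thread: the CSR-then-self-sign flow described in the post above, producing the multi-name certificate that the earlier readynas_ssl.conf instructions aimed for, followed by a check of which access names the result covers. The hostnames nas.example.test and nas, the function names, and the choice of -sha256 and -checkhost (OpenSSL 1.0.2 or later) are assumptions of the example.

```shell
#!/bin/sh
# Added example. Hostnames are constructed placeholders; needs OpenSSL 1.0.2+.

# make_san_cert DIR CN [ALT_NAME...]: writes readynas.{cnf,key,csr,crt,pem} into DIR.
make_san_cert() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir" || return 1
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n\n'
        printf '[ dn ]\ncommonName = %s\n\n' "$cn"
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        # Clients that see a SAN ignore the CN, so the CN is listed as a SAN too.
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1))
        done
    } > "$dir/readynas.cnf"
    ( umask 077; openssl genrsa -out "$dir/readynas.key" 2048 2>/dev/null ) || return 1
    # Step 1: the CSR (picks up v3_req through req_extensions).
    openssl req -new -key "$dir/readynas.key" -config "$dir/readynas.cnf" \
        -out "$dir/readynas.csr" || return 1
    # Step 2: self-sign. -extfile/-extensions are what put the SAN into the
    # certificate itself. SHA-256 replaces the thread's deprecated -sha1.
    openssl x509 -req -sha256 -days 365 -in "$dir/readynas.csr" \
        -signkey "$dir/readynas.key" -extfile "$dir/readynas.cnf" \
        -extensions v3_req -out "$dir/readynas.crt" 2>/dev/null || return 1
    # Apache-style bundle: certificate followed by private key, owner-readable only.
    ( umask 077; cat "$dir/readynas.crt" "$dir/readynas.key" > "$dir/readynas.pem" )
}

# cert_matches CERT HOST: succeeds when the certificate is valid for HOST.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

tmp=$(mktemp -d)
if make_san_cert "$tmp" nas.example.test nas; then
    for host in nas.example.test nas 192.168.1.50; do
        if cert_matches "$tmp/readynas.crt" "$host"; then echo "$host: match"
        else echo "$host: MISMATCH"; fi
    done
fi
rm -rf "$tmp"
```

Running cert_matches against every name or address you actually type into the browser shows in advance which ones will still raise the mismatch error.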
cybermonk
Aspirant

Re: Any way to get rid of certificate error using Netgear/Ja

Re: Any way to get rid of certificate error using Netgear/Jalbum

by hybern8 » Thu Jan 15, 2009 7:23 am

1. Generate the certificate to the same name as you are accessing your ReadyNAS as a website.
2. From IE7 take Tools -> Internet Options -> Security Tab -> Trusted Sites -> Sites and add the full URL to your ReadyNAS as a website.
3. Exit out of the administration tool and then log back in.
4. Right click on the <Certificate Error> usually in red at the top of the browser.
5. Take View Certificate
6. Take Install Certificate. Follow the instructions but be sure to place the certificates in "Trusted Certificates" folder. By default it will try to place the certificate in the personal folder... to not allow this to happen, you must manually force it into the trusted certificates folder.
7. Exit and then go back in. You should go directly to a login-prompt with no certificate errors.

Thanks, This answer helped me with this specific problem
Message 21 of 21