Utlover (Aspirant), Feb 15, 2008
Any way to get rid of certificate error using Netgear/Jalbum
I followed the instructions from the How to section to set up my ReadyNAS NV+ to act as a webserver and it works flawlessly. So far, so good. The only problem I have is the certificate error, which I cannot seem to be able to get rid of.
Is this just impossible or is there a way?
20 Replies
- LrdShaper (Aspirant)
What IP address is it displaying? Is it the same as the IP address of your ReadyNAS? If it is, then be sure to install the certificate permanently on the client browser. If it's different, then go to Services->Standard File Protocols->HTTPS, type your ReadyNAS' current IP address in the SSL key host field and click on generate. You'd probably want to set your ReadyNAS to have a static IP instead of DHCP if you haven't already done so.
- gardenphotograp (Aspirant)
Thanks LrdShaper!
I had this same certificate error and your solution solved my problem. I hope this also works for Utlover.
- Utlover (Aspirant)
Thanks for the update! Unfortunately, this will not help you as when you follow the instruction, you create a dynamic dns entry pointing to your external ip address (the address as supplied by your ISP), whilst the ReadyNas has an internal 192.... address. To me, it appears there will be no way of solving this error. But I'm no expert.
- cyjohnson (Aspirant)
Where is this How to section on webserver that you are talking about?
- hanko_panko (Aspirant)
grrrr does not work.
But then again, maybe I should report my problem a bit more in detail.
Running Vista and always getting the Certificate Error. I click "Continue to this website", log in and right-click the error in the address bar. Then I click "View certificates" and I get a dialog window reporting the same IP address for "Issued to:" and "Issued by:". I am not sure but would think "Issued to" should be the IP address of my PC (client)?
How to proceed?
- CharlesLaCour (Aspirant)
The "Issued to" and "Issued by" will be the same, it is what is known as a self signed certificate, an x509 certificate to be more precise. If you were to have a certificate that was signed by Verisign, Thawte or any other certificate authority, CA, you would see the "Issued by" list the name of the CA that signed your certificate.
I don't see a way to generate a new cert from FrontView so the only way to fix this would be to ssh into the box with elevated privileges.
If any of the info below is not familiar to you I would suggest that you don't try doing any of this.
Here is a link to a description of the process for getting a CA signed cert: Re: Can you install a trusted SSL certificate on the NAS?
If you generate a self signed certificate using a name instead of an IP address then as long as you use the name to refer to your ReadyNAS then you can import and trust that certificate and it will work regardless of the IP address associated with the ReadyNAS. The drawback is that the standard field for the name or IP address in an x509 certificate will only take a single value and if you use different names to access the ReadyNAS you will get the SSL error if you use a name that is not in the certificate.
There is a way around this, there is another field in an x509 certificate called "Subject Alternative Name" or SAN. You can generate a self signed certificate using the SAN field but it can cause its own issues. All of the released versions of Sun Java throw an SSL Handshake error about an unsupported critical extension if there is a SAN defined and is flagged as required/critical.
Here is a URL to some info about setting the SAN in the openssl.conf file: Open SSL Subject Alternative Name
- I have the exact same problem, and frankly I did not understand the answers given. Should it really be that hard...
When I click Setup in RAIDar, Firefox (default browser) throws up a "Secure Connection Failed" saying that <IP num supplied by my ISP> uses an invalid security certificate, not trusted since it is self-signed and only valid for <fixed IP num of the ReadyNAS(?)>. Then I have the option to add an exception, but FF is very harsh on this, do I really, really want...
Well, do I?
(note that FF has no option like IE to "continue to web site anyway")
- CharlesLaCour (Aspirant)
When you add the exception to Firefox what you are doing is telling Firefox that it is OK to trust the certificate from your ReadyNAS. I would assume that you trust your ReadyNAS so it is OK to add the exception.
In general Firefox is designed to be more secure than IE.
If you want to go as far as to enable ssh and enable ssh to root, which may cause Netgear to not support your device, you can replace your certificate.
First create a config file named readynas_ssl.conf with the following:
[ req ]
default_bits = 2048
default_md = sha1
#default_keyfile = key1
distinguished_name = req_distinguished_name
prompt = no
string_mask = nombstr
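req_extensions = v3_req
# openssl req -x509 (self-signed output) reads its extensions from x509_extensions,
# not req_extensions, so the SAN section must be named here as well
x509_extensions = v3_req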
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = XX
localityName = XX
organizationName = XX
organizationalUnitName = XX
emailAddress = XX
commonName = NAS_FQDN
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = NAS_Name1
DNS.2 = NAS_Name2
Replace the XX values with the info you want, it really doesn't matter since you are not going to have it signed by a CA. Replace the NAS_FQDN with the fully qualified name for your ReadyNAS. If you want to have multiple names for your ReadyNAS replace the NAS_Name1 and NAS_Name2 with the names you want. If you are going to only use one name remove the "subjectAltName" line and all of the lines after it.
In the same directory that you just created the readynas_ssl.conf file run the following commands:
openssl genrsa 2048 > readynas.key
openssl req -new -x509 -nodes -sha1 -days 365 -key readynas.key -config readynas_ssl.conf > readynas.cert
cat readynas.cert readynas.key > readynas.pem
Now make a backup of the existing certificate file:
cp /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig
Now replace the existing certificate:
cp readynas.pem /etc/frontview/apache/apache.pem
Now restart Apache or just reboot the ReadyNAS.
- CharlesLaCour wrote: When you add the exception to Firefox what you are doing is telling Firefox that it is OK to trust the certificate from your ReadyNAS. I would assume that you trust your ReadyNAS so it is OK to add the exception.
Thanks for this.
The problem with simply adding the exception is that I have to do that every time the NAS gets a new IP-num from my ISP. So I guess I'll have to replace the certificate...
- CharlesLaCour (Aspirant)
The Firefox exceptions are stored by IP address and name. If you have a name associated with the ReadyNAS and access it that way instead of the IP address you will not have to add an exception each time there is a new IP address you use to access your ReadyNAS.
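One way to check a certificate produced by the procedure in CharlesLaCour's reply before copying it over apache.pem, as an added example that is not part of the thread: it lists the names a certificate covers (SAN entries, otherwise the CN) and tests an access name against them. The host names and the 192.168.1.50 address are constructed placeholders, and the demo config sets x509_extensions because `openssl req -x509` takes certificate extensions from that key.

```shell
# cert_names FILE: print each name FILE is valid for, one per line.
# SAN entries win when present; otherwise fall back to the subject CN.
cert_names() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    san=$(printf '%s\n' "$text" |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1)
    if [ -n "$san" ]; then
        printf '%s\n' "$san" | tr ',' '\n' |
            sed -n 's/^ *DNS://p; s/^ *IP Address://p'
    else
        openssl x509 -in "$1" -noout -subject |
            sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    fi
}

# cert_valid_for FILE NAME: succeed only if NAME is one of those names.
cert_valid_for() {
    cert_names "$1" | grep -qxF -- "$2"
}

# make_demo_cert DIR: build a throwaway self-signed cert with two SANs.
# Host names are constructed placeholders, not values from the thread.
make_demo_cert() {
    cat > "$1/demo.conf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_req
[ dn ]
commonName = nas.example.lan
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:nas.example.lan, DNS:nas.example.dyndns.invalid
EOF
    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -keyout "$1/demo.key" -config "$1/demo.conf" \
        -out "$1/demo.cert" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
for name in nas.example.lan nas.example.dyndns.invalid 192.168.1.50; do
    if cert_valid_for "$demo_dir/demo.cert" "$name"; then
        echo "$name: covered"
    else
        echo "$name: NOT covered, browser will warn"
    fi
done
```

Running `cert_valid_for readynas.cert <the name you type in the browser>` against the real file shows whether the SAN entries actually made it into the certificate.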