Loading Now
Security , , , , ,

How to install Let’s Encrypt on QNAP/NAS

Install Instructions

Method 1- QNAP/NAS Setup

  1. Login to your QNAP/NAS and make sure the following Apps are installed:
  2. Make sure your QNAP/NAS is reachable on the internet under the domain you want to get a certificate for on port 80 or 443.
  3. Create a folder to store qnap-letsencrypt in under /share/YOUR_DRIVE/.

Setting up a valid ca-bundle and cloning this repo (imp)

There is no CA-bundle (bundle of root certificates which we should trust) installed by default. Therefore, we will have to download the certificate before installing it manually.

On your local PC/MAC with an intact certificate store, run

curl -s https://curl.haxx.se/ca/cacert.pem | sha1sum

2. On your QNAP/NAS, in the directory you want to install QNAP-letsencrypt in, run

wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem
sha1sum cacert.pem

3. Compare the hashes obtained in steps 1 and 2; they must match.

4. Go back to the QNap/Nas directory you were in before

git config --system http.sslVerify true
git config --system http.sslCAinfo `pwd`/cacert.pem
git clone https://github.com/Yannik/qnap-letsencrypt.git
mv cacert.pem qnap-letsencrypt
cd qnap-letsencrypt
git config --system http.sslCAinfo `pwd`/cacert.pem

Setting up qnap-letsencrypt

  1. Run init.sh
  2. Create a Certificate Signing Request(csr): single domain cert: (replace nas.xxx.de with your domain name) 
    cd letsencrypt 
openssl req -new -sha256 -key keys/domain.key -subj "/CN=nas.xxx.de" > domain.csr

    Multiple domain cert: (replace nas.xxx.de and nas.xxx.com with your domain names)

    cd letsencypt 
cp ../openssl.cnf openssl-csr-config.cnf 
printf "subjectAltName=DNS:nas.xxx.de,DNS:nas.xxx.com" >> openssl-csr-config.cnf 
openssl req -new -sha256 -key keys/domain.key -subj "/" -reqexts SAN -config openssl-csr-config.cnf > domain.csr
  3. mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig (backup)
  4. Run renew_certificate.sh
  5. account.key, domain.key and even the csr (according to acme-tiny readme) can be reused, so create a cronjob to run renew_certificate.sh every night, which will renew your certificate if it has less than 30 days leftAdd this to /etc/config/crontab: 
    30 3 * * * cd /share/CE_CACHEDEV1_DATA/qnap-letsencrypt/ && ./renew_certificate.sh >> ./renew_certificate.log 2>&1

    Then run:

    crontab /etc/config/crontab 
/etc/init.d/crond.sh restart

Method 2- FREE SSL:

  1. Access the website: https://www.sslforfree.com/ OR https://qureshi.me/freessl/index.html.
  2. Confirm your domain; for QNAP, use DNS verification. After verification, copy and paste all certificate keys into the QNAP. That’s all!

More useful guides: Github and Digitalberg 

  1. https://letsencrypt.readthedocs.io/en/latest/using.html#certbot-commands
  2. https://qureshi.me/freessl/index.html – free and credit go to gethttpsforfree.
  3. https://forum.qnap.com/viewtopic.php?t=132479
  4. https://www.forum-nas.fr/viewtopic.php?t=4300 (With QPKG file)
  5. https://www.sslforfree.com/ ( simple and good solution )
  6. https://gethttpsforfree.com/ – Free to install – This website is static, so it can be saved and loaded locally. Just right-click and “Save Page As..”!
  7. https://www.qnap.com/en-uk/product_x_down/ (download latest firmware)
Tag

Related Posts

Post Comment