How to install Let’s Encrypt on QNAP/NAS

Install Instructions

Method 1- QNAP/NAS Setup

  1. Log in to your QNAP/NAS and make sure the following Apps are installed:
  2. Make sure your QNAP/NAS is reachable on the internet under the domain you want to get a certificate for on port 80 or 443.
  3. Create a folder to store qnap-letsencrypt in under /share/YOUR_DRIVE/.

Setting up a valid ca-bundle and cloning this repo (imp)

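No ca-bundle (the bundle of root certificates that we should trust) is installed by default, so we have to download one manually before installing the certificate. Because the NAS cannot verify TLS certificates yet, the download below runs with --no-check-certificate, and the hash comparison against a trusted machine is the only integrity check on the file.

1. On your local PC/Mac with an intact certificate store, run: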

curl -s https://curl.haxx.se/ca/cacert.pem | sha1sum

2. On your QNAP/NAS, in the directory you want to install qnap-letsencrypt in, run:

wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem
sha1sum cacert.pem

3. Compare the hashes obtained in steps 1 and 2; they must match.

4. Back on the QNAP/NAS, in the same directory as before, run:

git config --system http.sslVerify true
git config --system http.sslCAinfo `pwd`/cacert.pem
git clone https://github.com/Yannik/qnap-letsencrypt.git
mv cacert.pem qnap-letsencrypt
cd qnap-letsencrypt
git config --system http.sslCAinfo `pwd`/cacert.pem
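
The comparison in steps 1 to 3 is the only check on a file fetched without certificate verification, so it is worth scripting instead of comparing by eye. The following is an added example, not part of qnap-letsencrypt or the original page; the function name verify_bundle, the use of SHA-256 in place of the SHA-1 shown above, and the presence of sha256sum on both machines are assumptions.

```shell
#!/bin/sh
# Added example (not from qnap-letsencrypt): refuse to use a CA bundle unless
# its digest matches one computed on a machine with a working trust store.
# Assumes sha256sum exists on both machines (on macOS use: shasum -a 256).

# verify_bundle FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2-4 on unusable input.
verify_bundle() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }

    # A download made without TLS verification may be an error page or a
    # captive-portal response; a real bundle has balanced PEM markers.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "not a well-formed PEM bundle: $file" >&2
        return 3
    fi

    # Reject a truncated or mistyped reference digest instead of comparing it.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 4 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 hex digits" >&2; return 4; }

    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        printf 'DIGEST MISMATCH for %s\n  expected %s\n  actual   %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
}

# Usage on the NAS: sh verify_bundle.sh cacert.pem <digest from the trusted PC>
if [ "$#" -eq 2 ]; then
    verify_bundle "$1" "$2" || exit $?
    echo "digest matches; continue with the git config step for $1"
fi
```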

Setting up qnap-letsencrypt

  1. Run init.sh
  2. Create a Certificate Signing Request (CSR).

    Single domain cert (replace nas.xxx.de with your domain name):

    cd letsencrypt
    openssl req -new -sha256 -key keys/domain.key -subj "/CN=nas.xxx.de" > domain.csr

    Multiple domain cert (replace nas.xxx.de and nas.xxx.com with your domain names):

    cd letsencrypt
    cp ../openssl.cnf openssl-csr-config.cnf
    printf "[SAN]\nsubjectAltName=DNS:nas.xxx.de,DNS:nas.xxx.com" >> openssl-csr-config.cnf
    openssl req -new -sha256 -key keys/domain.key -subj "/" -reqexts SAN -config openssl-csr-config.cnf > domain.csr
  3. Back up the existing certificate:
    mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig
  4. Run renew_certificate.sh
  5. account.key, domain.key and even the CSR (according to the acme-tiny readme) can be reused, so create a cronjob to run renew_certificate.sh every night; it will renew your certificate if it has less than 30 days left. Add this to /etc/config/crontab:
    30 3 * * * cd /share/CE_CACHEDEV1_DATA/qnap-letsencrypt/ && ./renew_certificate.sh >> ./renew_certificate.log 2>&1

    Then run:

    crontab /etc/config/crontab 
    /etc/init.d/crond.sh restart
    

Method 2- FREE SSL:

  1. Go to the URL: https://www.sslforfree.com/ OR https://qureshi.me/freessl/index.html
  2. Verify your domain; in the QNAP case, use DNS verification. Once verified, copy and paste all certificate keys to the QNAP. That's all!

More useful guides: GitHub and Digitalberg

  1. https://letsencrypt.readthedocs.io/en/latest/using.html#certbot-commands
  2. https://qureshi.me/freessl/index.html – free and credit go to gethttpsforfree.
  3. https://forum.qnap.com/viewtopic.php?t=132479
  4. https://www.forum-nas.fr/viewtopic.php?t=4300 (With QPKG file)
  5. https://www.sslforfree.com/ ( simple and good solution )
  6. https://gethttpsforfree.com/ – Free to install – This website is static, so it can be saved and loaded locally. Just right-click and “Save Page As..”!
  7. https://www.qnap.com/en-uk/product_x_down/ (download latest firmware)