Loading Now
Security , , , , ,

How to install Let’s Encrypt on QNAP/NAS

Install Instructions

Method 1- QNAP/NAS Setup

  1. Login to your QNAP/NAS and make sure the following Apps are installed:
  2. Make sure your QNAP/NAS is reachable on the internet under the domain you want to get a certificate for on port 80 or 443.
  3. Create a folder to store qnap-letsencrypt in under /share/YOUR_DRIVE/.

Setting up a valid ca-bundle and cloning this repo (imp)

There is no CA-bundle (bundle of root certificates which we should trust) installed by default. Therefore, we will have to download the certificate before installing it manually.

On your local PC/MAC with an intact certificate store, run

curl -s https://curl.haxx.se/ca/cacert.pem | sha1sum

2. On your QNAP/NAS, in the directory you want to install QNAP-letsencrypt in, run

wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem
sha1sum cacert.pem

3. Compare the hashes obtained in steps 1 and 2; they must match.

4. Go back to the QNap/Nas directory you were in before

git config --system http.sslVerify true
git config --system http.sslCAinfo `pwd`/cacert.pem
git clone https://github.com/Yannik/qnap-letsencrypt.git
mv cacert.pem qnap-letsencrypt
cd qnap-letsencrypt
git config --system http.sslCAinfo `pwd`/cacert.pem

Setting up qnap-letsencrypt

  1. Run init.sh
  2. Create a Certificate Signing Request(csr): single domain cert: (replace nas.xxx.de with your domain name)
    cd letsencrypt 
openssl req -new -sha256 -key keys/domain.key -subj "/CN=nas.xxx.de" > domain.csr

    Multiple domain cert: (replace nas.xxx.de and nas.xxx.com with your domain names)

    cd letsencypt 
cp ../openssl.cnf openssl-csr-config.cnf 
printf "subjectAltName=DNS:nas.xxx.de,DNS:nas.xxx.com" >> openssl-csr-config.cnf 
openssl req -new -sha256 -key keys/domain.key -subj "/" -reqexts SAN -config openssl-csr-config.cnf > domain.csr
  3. mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig (backup)
  4. Run renew_certificate.sh
  5. account.key, domain.key and even the csr (according to acme-tiny readme) can be reused, so create a cronjob to run renew_certificate.sh every night, which will renew your certificate if it has less than 30 days leftAdd this to /etc/config/crontab:
    30 3 * * * cd /share/CE_CACHEDEV1_DATA/qnap-letsencrypt/ && ./renew_certificate.sh >> ./renew_certificate.log 2>&1

    Then run:

    crontab /etc/config/crontab 
/etc/init.d/crond.sh restart

Method 2- FREE SSL:

  1. Access the website: https://www.sslforfree.com/ OR https://qureshi.me/freessl/index.html.
  2. Confirm your domain; for QNAP, use DNS verification. After verification, copy and paste all certificate keys into the QNAP. That’s all!

More useful guides: Github and Digitalberg 

  1. https://letsencrypt.readthedocs.io/en/latest/using.html#certbot-commands
  2. https://qureshi.me/freessl/index.html – free and credit go to gethttpsforfree.
  3. https://forum.qnap.com/viewtopic.php?t=132479
  4. https://www.forum-nas.fr/viewtopic.php?t=4300 (With QPKG file)
  5. https://www.sslforfree.com/ ( simple and good solution )
  6. https://gethttpsforfree.com/ – Free to install – This website is static, so it can be saved and loaded locally. Just right-click and “Save Page As..”!
  7. https://www.qnap.com/en-uk/product_x_down/ (download latest firmware)

Share this content:

Discover more from Qureshi

Subscribe to get the latest posts sent to your email.

Tag

Related Posts

Post Comment

Discover more from Qureshi

Subscribe now to keep reading and get access to the full archive.

Continue reading