Certificate error

Moderator: Lillian.W@AST

steve6443
Posts: 18
Joined: Mon Mar 15, 2021 7:38 am

Certificate error

Post by steve6443 »

Hi

I have a 5304 and wanted to install a certificate for a Google Domain using Let's Encrypt. If I install the certificate without it being set to default, the installation process runs fine. If I try to install it as default, it gives an error but ends up being installed after a fashion.

If I then browse my domain - steve-paul.org - I then get the following picture:
Screenshot 2021-12-08 at 13.26.22.png
So far, so good. If I then click on the ADM or try to navigate direct to the NAS, it gives me an error on SSL and if I grant an exception, I receive the following:
Screenshot 2021-12-08 at 13.26.50.png
From what I can see, the system is resorting to using the Asustor certificate instead of my Let's Encrypt certificate. I've set the Let's Encrypt certificate to default repeatedly but anytime I go past the home screen, it seems that that certificate is ignored....

I can't see a way of removing the Asustor certificate hence none of my Apps such as PhotoPrism will work because obviously they can't get a secured connection to the service.

Any ideas? Maybe permissions have been messed up somehow?
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Certificate error

Post by Nazar78 »

It's still using Asustor's default cert. See if your installed cert is being checked as the default. Not sure of the error you encountered but I can install mine as default with no issue although I personally don't use this method for my certs because it doesn't support wildcards.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
docmarc
Posts: 25
Joined: Fri Feb 19, 2016 2:10 am

Re: Certificate error

Post by docmarc »

For Let's Encrypt, disable the [Automatically change HTTP connections to HTTPS connections.] checkbox in [Settings] [General] [Management].

This option prevents the update of Let's Encrypt.

steve6443
Posts: 18
Joined: Mon Mar 15, 2021 7:38 am

Re: Certificate error

Post by steve6443 »

Thanks, I have now managed to get that all working, unfortunately a number of apps are only working IF I access the server via ipaddress:port, instead of servername:port. An example of this is PhotoPrism or Netdata. PhotoGallery3 works fine so I'm left scratching my head.

The error message is

This site can’t provide a secure connection
domain sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

I've checked all the obvious catches - time, date etc. Deleted Browser Cache, turned off the Firewall on My Mac, disabled ClamAv on the NAS. There's no proxy configured. All required ports are open. I've even tried allowing the server to be an exposed host. Nothing seems to work. Any clues or hints?
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Certificate error

Post by Nazar78 »

Check whether you are accidentally trying to access HTTPS over a non-HTTPS port. E.g. accessing this link will get you the same error: https://www.google.com:80/

I would suggest using an approach that is easier to manage, which is a reverse proxy. For myself, I'm running many virtual hosts accessed via HTTPS from the frontend, which reverse proxy via an nginx chroot pointing to multiple non-HTTPS backend apps, e.g. https://foobar.mydomain.com -> http://192.168.1.1:1234. You can also set this up using Docker, but I prefer chroot.
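The two failures discussed in this thread (the wrong certificate being served, and HTTPS being pointed at a port that only speaks plain HTTP) can be told apart from any client machine. The following is an added example, not part of any post; the function names, status strings and the local test listener are constructed for illustration.

```python
import socket
import ssl
import threading

def probe(host, port, timeout=3.0):
    """Classify host:port the way an HTTPS client would see it.

    Returns (status, detail); status is 'tls-ok', 'tls-cert-rejected',
    'protocol-error' or 'unreachable'.
    """
    ctx = ssl.create_default_context()  # normal chain and hostname verification
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken, but the certificate served is not trusted for this
        # name, e.g. a device's built-in certificate instead of the issued one.
        return "tls-cert-rejected", exc.verify_message
    except ssl.SSLError as exc:
        # The reply could not be processed as a TLS handshake; most often the
        # port speaks plain HTTP. Browsers show ERR_SSL_PROTOCOL_ERROR here.
        return "protocol-error", str(exc)
    except OSError as exc:
        # Refused, timed out or reset before any TLS verdict was possible.
        return "unreachable", str(exc)

def start_plain_http_listener():
    """Constructed stand-in for an app port that only speaks plain HTTP."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)  # swallow the TLS ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_plain_http_listener()
    print(probe("127.0.0.1", port))
```

Run `probe()` against the server name and each app port: `protocol-error` means the port must be reached over http:// or placed behind the reverse proxy, while `tls-cert-rejected` means the listener is presenting a certificate the client does not accept for that name.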
steve6443
Posts: 18
Joined: Mon Mar 15, 2021 7:38 am

Re: Certificate error

Post by steve6443 »

Thanks. I'd already tried reverse proxies and managed to get Plex working via a reverse proxy. However when I try to do the same using (e.g.) PhotoPrism or NetData, when setting up the reverse proxy, it says 'hostname not found' when I test the connections. Any ideas?

Let me edit this: I have also got NetData working but PhotoPrism is a no/no. I note that this is using, according to manual connect, TCP 2342 and TCP & UDP Ports 32771. Even leaving "automatically switch HTTP to HTTPS" unchecked isn't helping.... Seems that I need to reverse proxy both ports but I don't see how.....
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Certificate error

Post by Nazar78 »

Try using the local IP for the upstream and make sure the daemon you're trying to connect to via the proxy is listening on the same local IP. So the flow is frontend to backend: HTTPS-domain:443->reverse-proxy->non-HTTPS-local-IP:port.

I'm not using those apps but I'm very sure the same reverse proxy rules apply to them, which is quite straightforward albeit different daemon setup like apache, nginx, haproxy, varnish, træfɪk etc. Some details like logs or screenshot would help.

For your technical references, please do backup if you try to modify the system files:

https://docs.nginx.com/nginx/admin-guid ... rse-proxy/

https://stackoverflow.com/questions/502 ... n-upstream

Edited: replying to your edit, you can always add another port for the single domain but the Asustor reverse proxy doesn't support UDP at the moment. You can raise a request to Asustor support or you can modify the system settings and it's tough especially during firmware upgrades. I think you're better off running/managing the reverse proxy in a separate instance like docker or chroot where you have full control. For example like myself, I have many requirements using the reverse proxy like clauses, modifying headers/contents, caching, load balancing so using the provided Asustor's implementation is a no go.
Last edited by Nazar78 on Wed Dec 29, 2021 8:48 pm, edited 1 time in total.
steve6443
Posts: 18
Joined: Mon Mar 15, 2021 7:38 am

Re: Certificate error

Post by steve6443 »

Strangely enough I finally managed to get PhotoPrism to work by disabling port forwarding for 2342 and only 32771, then reverse proxy for that port.... at least it works....
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Certificate error

Post by Nazar78 »

See my edited reply to your edit.