(SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

(SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by Kapitein Haak »

Hello,

I would like to request support for LetsEncrypt (https://letsencrypt.org/). Having my NAS automatically request and renew a free certificate would be great.

Best regards,
Kapitein Haak.
"What would the world be like without Captain Hook?"
---
"Homo sapiens non urinat in ventum" (A wise man doesn't piss into the wind), only in Amsterdam:
https://www.google.nl/maps/@52.36289,4. ... 312!8i6656
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: Support for LetsEncrypt CA

Post by Kapitein Haak »

I have tried to start the enrollment for a certificate:
Downloaded the letsencrypt agent (check!)
Installed the toolchain for the AS-304T (check!)
Added the path to the compiler to the PATH variable (check!)
Started the autoenrollment verbose (FAIL!)

    i686-asustor-linux-gnu-gcc -fno-strict-aliasing -I/asustor/trunk_2015_08_19/x86/x86/staging/usr/include -I/asustor/trunk_2015_08_19/x86/x86/staging/usr/builtin/include -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -fPIC -DUSE__THREAD -I/usr/include/ffi -I/usr/include/libffi -I/usr/local/AppCentral/python/include/python2.7 -c c/_cffi_backend.c -o build/temp.linux-i686-2.7/c/_cffi_backend.o
    c/_cffi_backend.c:13:17: fatal error: ffi.h: No such file or directory
    compilation terminated.
    error: command 'i686-asustor-linux-gnu-gcc' failed with exit status 1

    ----------------------------------------
    Command "/home/admin/.local/share/letsencrypt/bin/python2.7 -c "import setuptools, tokenize;__file__='/tmp/pip-build-J_XKZZ/cffi/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-KQAzlB-record/install-record.txt --single-version-externally-managed --compile --install-headers /home/admin/.local/share/letsencrypt/include/site/python2.7/cffi" failed with error code 1 in /tmp/pip-build-J_XKZZ/cffi

Does anybody know how I can get libffi-dev on the NAS?

Best regards,
Kapitein Haak.
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: Support for LetsEncrypt CA

Post by Kapitein Haak »

@Shawn@AST,

http://www.nextinpact.com/news/98199-le ... nology.htm, check the last lines where they ask themselves which NAS vendors will follow. SSL will become the preferred way and HTTP will vanish... It would be nice if Asustor supported a free CA before that time.

Best regards,
Kapitein Haak.
MikeG.6.5
Posts: 917
Joined: Fri May 15, 2015 1:56 am

Re: Support for LetsEncrypt CA

Post by MikeG.6.5 »

I would love to look at this in depth, but I don't understand the language the site is written in. Ah well... They really need to have the site in both the native and in English, if they want a larger audience. Perhaps you can suggest that, Kapitein?
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: Support for LetsEncrypt CA

Post by Kapitein Haak »

Passing the website through Google Translate seems problematic, but with some high-level copy and paste skills:

Let's Encrypt and DSM 6.0: How to create and install a certificate on your Synology NAS
The hard part is not what one believes.
You can now simply obtain and enable a Let's Encrypt certificate for your Synology NAS. To do this, simply use version 6.0 beta 2 of DSM and follow a few steps.

Yesterday, Synology released the second beta of its DSM 6.0. Awaited by all fans of the brand, it incorporates many new products announced during the presentation (see our analysis), but above all, it introduces support for Let's Encrypt.

Synology offers basic support for Let's Encrypt
This feature is important because it can generate a free certificate that is recognized by all browsers, giving HTTPS access to the NAS interface from outside. You can connect to it without the password traveling unencrypted (see a previous article on the subject) and, more generally, encrypt all exchanges between the NAS and your machine.

Until now, the only proposed solution was to generate a self-signed certificate (and therefore not recognized by browsers unless you add it manually) or to install a certificate generated by a recognized certification authority.

With a self-signed certificate, an error is guaranteed
Here, the goal is to have a free and easy way to set this up for everyone. So we tested this feature to see if this promise was kept.
First, you should know that an SSL/TLS certificate (X.509), as used here, is generated to ensure the ownership of a domain, and possibly subdomains. So you can only use it if you access your NAS via a specific URL, and not its IP address.

Configure your router for external access
To do this, you must redirect a domain to the IP of your NAS, but also ensure that the necessary ports are opened and forwarded to your NAS via your router. If you host your NAS yourself, you will have to do this manually, based on your local network.
Synology offers a router configuration tool to simplify the procedure, available in the Control Panel in the External access section. If you have opted for a hosted NAS service, like the one from Infomaniak for example, everything is already in place.
By default, HTTPS access to your Synology NAS is on port 5001, but you can change this for security. You should also consider doing the same for the different services you want to use. Attention: for the addition of a Let's Encrypt certificate to work, port 80 must be opened and redirected to your NAS.

Access your NAS from outside: some things to check
Be careful though: allowing access from the outside to a NAS to reach your data is not trivial. Remember to enable the different options in the Security section of the Control Panel: the firewall, automatic locking when a wrong password is used repeatedly, protection against denial of service, the ban on embedding in an iFrame, etc.
You can also choose to activate the connection with two-step verification (2FA) in the advanced settings of the User section. This will allow you to add an extra layer of security with the use of an application that will generate a random code needed to connect.
Synology, for its part, publishes a set of recommendations that can help you.

Redirect a domain to the NAS
In terms of obtaining and redirecting a domain name, you have two options. Either you already have one available and you ask your provider to set up a redirect to the IP of your NAS. This is generally quite simple, with simplified forms that let you manage such a request automatically with the hosts and other registrars.
If you do not have a domain name, you do not want to pay, or your connection has a dynamic IP, you also have the option to use a DDNS (Dynamic DNS). Synology's DSM supports many of them, but in our example we decided to opt for the one proposed by the company: Synology.me.

To take advantage of it, you simply need a Synology account, which you can create directly from the DSM interface with an email address and a password. Once your email is confirmed, and if your NAS and router have been configured, you can access your interface from an address of the type:
http://nom-choisi.synology.me

Creating a Let's Encrypt certificate in a few clicks
Once this step is done, we move on to what specifically interests us today: the creation of a Let's Encrypt certificate. This happens in the Security section of the Control Panel, in the Certificate tab. Select Add, and then you can create a new certificate or replace an existing one. You can also specify whether this is the one to use by default or not.

In any case, a new option will appear afterwards: Obtain a certificate from Let's Encrypt. You must then specify the access area of your NAS (testletsencrypt.synology.me in our example), a contact e-mail, and possible alternative names. These help manage alias domains to access your NAS in the same way as your primary domain. They must be separated by "; ".

Once done, your certificate will be activated and valid for three months. For now, Synology does not seem to offer a renewal solution, and does not specify whether it is automatic. This should however be clarified and/or implemented by the next beta or the final version expected in March. We will have the opportunity to return to this.

Enable HTTPS access and configure the cipher suite
To use HTTPS access, we must of course remember to activate it. This happens in the DSM settings, in the Network section of the Control Panel. Here you can choose the access ports, enable automatic redirection to the HTTPS version and activate HTTP/2.
Note that in the advanced settings of the Security section, you also have the option of changing the SSL/TLS cipher suites you want to use. The "Modern" version will be the most restrictive, but will likely be a problem if your browser is outdated. It is nevertheless the one we recommend you use.

Successful integration, but dispersed options
In the end, the method implemented by Synology seems simple enough. For now, the most complex part for the uninitiated remains setting up access to the NAS from outside via a specific URL. We can still regret that the options related to HTTPS access are sometimes scattered across sections of the Control Panel rather than being fully consolidated.
It remains to be seen how it evolves and whether Synology still makes a difference by the final version of its DSM 6.0, particularly on the issue of renewal of the certificate.
It will also be interesting to see if competitors like ASUSTOR and QNAP decide to do the same in the coming weeks, giving a little more weight to Let's Encrypt, which is already offered by some hosting providers like Gandi or Infomaniak, OVH having for the moment still not implemented the announced support.

It now seems pretty straightforward to get a signed certificate for your Synology with just a few clicks. Certainly less trouble than the (also free) StartSSL alternative.

I'm looking forward to an Asustor implementation :-)

Best regards,
Kapitein Haak.
joe
Posts: 62
Joined: Fri Feb 28, 2014 2:59 am

Re: Support for LetsEncrypt CA

Post by joe »

I saw that ADM v2.6.2.R6L2 now has LetsEncrypt support built in so I applied the ADM update and the option is there in settings->certificate manager.

To get past stupid error #1 I had to port forward port 80 to the NAS and enable the NAS web server on port 80 in services->web server.

The next error I see when attempting to create the lets encrypt certificate is "The number of certificates issued by Let's Encrypt for your domain name has reached it's limit (Ref. 5017)" which I suspect is a rubbish error given that I've not requested any Let's Encrypt certs for this domain at any point in time ever; I have however in the past done Let's Encrypt the manual way and as a result of that manual method, I do have a LE SSL/TLS cert active right now on my NAS device for some other domain.

The Asustor press release is here: https://www.asustor.com/award/news_detail?id=12516

Fabulous well done - any further details or documentation? I certainly can't find anything here: https://www.asustor.com/online/college. So this feels like a less than sterling half baked poorly supported solution from Asustor.

I'll be sticking with doing Let's Encrypt the manual CLI way until this new 'feature' is revealed to be fabulous and working.
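
Added example (not part of the post above, and not Asustor's or Let's Encrypt's code): the port 80 requirement comes from the ACME HTTP-01 challenge, in which the CA fetches `http://<domain>/.well-known/acme-challenge/<token>` over plain HTTP. The sketch below runs that fetch as a preflight and classifies the result; the function names, token and key-authorization values are constructed for illustration, and a local stand-in server replaces the NAS web server.

```python
import http.server
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # fixed by RFC 8555, section 8.3
# Ignore proxy settings: the check must hit the web server directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def http01_preflight(host, token, expected, port=80, timeout=5):
    """Fetch the challenge URL as a CA validator would and classify the outcome."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PREFIX, token)
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read(512).decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:
        return "http-error-%d" % exc.code   # server answers, file is not served
    except OSError:
        return "unreachable"                # port closed, filtered or not forwarded
    return "ok" if body == expected else "wrong-content"

def start_demo_server(files):
    """Constructed stand-in for the NAS web server; serves only the given paths."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path not in files:
                self.send_error(404)
                return
            data = files[self.path].encode("ascii")
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        def log_message(self, *args):       # keep the demo quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def run_demo():
    token, key_auth = "constructed-token", "constructed-token.constructed-thumbprint"
    server = start_demo_server({CHALLENGE_PREFIX + token: key_auth})
    port = server.server_address[1]
    check = lambda tok, want: http01_preflight("127.0.0.1", tok, want, port, 2)
    results = {"served": check(token, key_auth), "missing": check("other", key_auth),
               "mismatch": check(token, "stale-value")}
    server.shutdown(); server.server_close()
    results["closed"] = check(token, key_auth)
    return results

if __name__ == "__main__":
    print(run_demo())
```

Run from inside the LAN, this only proves the web server serves the challenge path; the router's port forward has to be checked from a host outside the network, because that is where the CA's validation request originates.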
orion
Posts: 3485
Joined: Wed May 29, 2013 11:09 am

Re: Support for LetsEncrypt CA

Post by orion »

joe wrote:I saw that ADM v2.6.2.R6L2 now has LetsEncrypt support built in so I applied the ADM update and the option is there in settings->certificate manager.

To get past stupid error #1 I had to port forward port 80 to the NAS and enable the NAS web server on port 80 in services->web server.

The next error I see when attempting to create the lets encrypt certificate is "The number of certificates issued by Let's Encrypt for your domain name has reached it's limit (Ref. 5017)" which I suspect is a rubbish error given that I've not requested any Let's Encrypt certs for this domain at any point in time ever; I have however in the past done Let's Encrypt the manual way and as a result of that manual method, I do have a LE SSL/TLS cert active right now on my NAS device for some other domain.

The Asustor press release is here: https://www.asustor.com/award/news_detail?id=12516

Fabulous well done - any further details or documentation? I certainly can't find anything here: https://www.asustor.com/online/college. So this feels like a less than sterling half baked poorly supported solution from Asustor.

I'll be sticking with doing Let's Encrypt the manual CLI way until this new 'feature' is revealed to be fabulous and working.

I did not make my NAS public, so I cannot try Let's Encrypt. I think you had better report this issue through a support ticket. http://support.asustor.com/
yakatape
Posts: 6
Joined: Mon Jun 27, 2016 6:39 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by yakatape »

It's working for me after many tries... and I understand how Let's Encrypt works on Asustor now... but it's strange :roll:
orion
Posts: 3485
Joined: Wed May 29, 2013 11:09 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by orion »

yakatape wrote: It's working for me after many tries... and I understand how Let's Encrypt works on Asustor now... but it's strange :roll:

I'm curious what you mean by "strange". Can you share the details?
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by Kapitein Haak »

I had the same issue, it will fail to request the certificate and suddenly it will accept and install the certificate. It took me four tries to get the certificate installed (YMMV).

Best regards,
Kapitein Haak.