(SOLVED in ADM 2.6.2) Support for LetsEncrypt CA


yakatape
Posts: 6
Joined: Mon Jun 27, 2016 6:39 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by yakatape »

orion wrote:
yakatape wrote: It's working for me after many tries... and I understand how Let's Encrypt works on asustor now... but it's strange :roll:
I'm curious what you mean "strange". Can you share the details?

I mean that if, during Let's Encrypt certificate creation from the asustor UI, you enter some "Subject Alternative Name" that isn't available or created/joinable, the process will fail every time, and it doesn't care if the "domain" itself is joinable on port 80.

Looks like I need to join the domain on port 80, but need to check each Subject Alternative Name. I saw that because I was thinking of creating some other subdomains for my NAS, so I tried to enter them without having created the subdomains at my registrar (OVH), and every time: Failed to join domain on port 80 (where the domain was 100% joinable on port 80). When I deleted all the Subject Alternative Names and kept only the domain, it worked well.

So I created each subdomain at my registrar and retried generating a new certificate with all my Subject Alternative Names, and it worked this time. I tried again with a new certificate with some random subdomain name that doesn't exist, and it failed.

So the Let's Encrypt cert generation doesn't focus only on the "Domain"; dunno if that's normal or a little tweak from the asustor devs?
itdaboyz
Posts: 141
Joined: Tue Oct 14, 2014 7:21 pm

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by itdaboyz »

I wonder why we can't do a LetsEncrypt certificate for a *.myasustor.com domain, it would be great if we could.
orion
Posts: 3482
Joined: Wed May 29, 2013 11:09 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by orion »

yakatape wrote: I mean that if, during Let's Encrypt certificate creation from the asustor UI, you enter some "Subject Alternative Name" that isn't available or created/joinable, the process will fail every time, and it doesn't care if the "domain" itself is joinable on port 80.

Looks like I need to join the domain on port 80, but need to check each Subject Alternative Name. I saw that because I was thinking of creating some other subdomains for my NAS, so I tried to enter them without having created the subdomains at my registrar (OVH), and every time: Failed to join domain on port 80 (where the domain was 100% joinable on port 80). When I deleted all the Subject Alternative Names and kept only the domain, it worked well.

So I created each subdomain at my registrar and retried generating a new certificate with all my Subject Alternative Names, and it worked this time. I tried again with a new certificate with some random subdomain name that doesn't exist, and it failed.

So the Let's Encrypt cert generation doesn't focus only on the "Domain"; dunno if that's normal or a little tweak from the asustor devs?
Thanks for sharing. According to the description from https://community.letsencrypt.org/t/fre ... ons-faq/26, it should support Subject Alternative Name (SAN). However, I cannot try it. If you have confirmed the failure, I think you'd better report this issue to asustor through support: http://support.asustor.com/

If you retried it and got a successful result, that could be the same as the problem that Kapitein encountered (needing several trials).
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by Kapitein Haak »

I do have several SANs in my certificate. The SAN domains were all configured using virtual hosts on port 80. For some reason the SAN domains won't work on HTTPS, but engineers are looking into this.

Best regards, Kapitein Haak.
"What would the world be like without Captain Hook?"
---
"Homo sapiens non urinat in ventum" (A wise man doesn't piss into the wind), only in Amsterdam:
https://www.google.nl/maps/@52.36289,4. ... 312!8i6656
yakatape
Posts: 6
Joined: Mon Jun 27, 2016 6:39 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by yakatape »

In my case I don't have any problem on HTTPS for my subdomain. I've put a redirect to HTTPS in my Apache vhost in @default, and added in @default-ssl a vhost dedicated to my subdomain with just a specific ServerName value. Like that I don't need to use a specific port, because we don't have the possibility in the asustor UI to create a vhost with a port that already exists, because it doesn't take a ServerName value as a parameter, which could be a really nice approach in the future.

:roll:
joe
Posts: 62
Joined: Fri Feb 28, 2014 2:59 am

Re: Support for LetsEncrypt CA

Post by joe »

orion wrote:
joe wrote:I saw that ADM v2.6.2.R6L2 now has LetsEncrypt support built in so I applied the ADM update and the option is there in settings->certificate manager.

To get past stupid error #1 I had to port forward port 80 to the NAS and enable the NAS web server on port 80 in services->web server.

The next error I see when attempting to create the lets encrypt certificate is "The number of certificates issued by Let's Encrypt for your domain name has reached it's limit (Ref. 5017)" which I suspect is a rubbish error given that I've not requested any Let's Encrypt certs for this domain at any point in time ever; I have however in the past done Let's Encrypt the manual way and as a result of that manual method, I do have a LE SSL/TLS cert active right now on my NAS device for some other domain.

The Asustor press release is here: https://www.asustor.com/award/news_detail?id=12516

Fabulous well done - any further details or documentation? I certainly can't find anything here: https://www.asustor.com/online/college. So this feels like a less than sterling half baked poorly supported solution from Asustor.

I'll be sticking with doing Let's Encrypt the manual CLI way until this new 'feature' is revealed to be fabulous and working.
I have not made my NAS public, so I cannot try Let's Encrypt. I think you'd better report this issue through a support ticket. http://support.asustor.com/
You're probably right, I should raise a support ticket if something doesn't work as smoothly as it ideally should work. But here's the thing - if Asustor can't be bothered to document an ADM UI feature then I'm afraid I can't really be bothered to debug it via their support channel to get it working. Call that selfish or whatever you like but life is too short for this sort of rubbish, even more so when it's possible to just bypass this semi-broken ADM UI feature with a Let's Encrypt CLI method that works well enough.
sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Re: Support for LetsEncrypt CA

Post by sksbir »

joe wrote:I saw that ADM v2.6.2.R6L2 now has LetsEncrypt support built in so I applied the ADM update and the option is there in settings->certificate manager.
To get past stupid error #1 I had to port forward port 80 to the NAS and enable the NAS web server on port 80 in services->web server.
I will add a clarification here: it's not enough to have the web server accessible from outside on http://..80; the internal port MUST be the same. E.g.: configuring your router to map external port 80 to internal port 3080 on the NAS (and having the NAS's web server configured to listen on port 3080) will NOT work.

Apart from that, I had configured network defender with GeoIP and a white list, and the USA was not in it...
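
Added example, not part of any post in this thread: a pre-flight check in Python for the behaviour discussed above, where every name requested in the certificate (the main domain and each Subject Alternative Name) has to resolve and answer on port 80 before the request is submitted. The function names and the example.com sample data are constructed for illustration; the wildcard rule reflects that HTTP-01 validation cannot be used for wildcard names.

```python
import socket

def system_resolve(name):
    """Return the sorted IP addresses a name resolves to, or [] if none."""
    try:
        infos = socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_probe(addr, port=80, timeout=5.0):
    """True if a TCP connection to addr:port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(names, resolve=system_resolve, probe=tcp_probe):
    """Check every requested name; return [(name, ok, reason), ...]."""
    results = []
    for name in names:
        if name.startswith("*."):
            results.append((name, False, "wildcard: HTTP-01 cannot validate it"))
            continue
        addrs = resolve(name)
        if not addrs:
            results.append((name, False, "no DNS record"))
        # Every address must answer: the validator may connect to any of them.
        elif not all(probe(a) for a in addrs):
            results.append((name, False, "port 80 unreachable"))
        else:
            results.append((name, True, "ok"))
    return results

def blocking_names(results):
    """Names that would make the whole multi-name request fail."""
    return [name for name, ok, _ in results if not ok]

# Constructed sample data (documentation address range) so the demo runs offline.
SAMPLE_DNS = {"nas.example.com": ["203.0.113.10"],
              "media.example.com": ["203.0.113.20"]}
SAMPLE_OPEN = {"203.0.113.10"}

def sample_run(names):
    """Run preflight against the constructed data instead of the network."""
    return preflight(names, resolve=lambda n: SAMPLE_DNS.get(n, []),
                     probe=lambda a: a in SAMPLE_OPEN)

if __name__ == "__main__":
    for row in sample_run(["nas.example.com", "media.example.com",
                           "new.example.com", "*.example.com"]):
        print(row)
```

Run `preflight()` from a host outside your own network so the result reflects the router's port forwarding; a geo-IP block list like the one mentioned above can still reject the CA's validation servers even when this check passes.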
joe
Posts: 62
Joined: Fri Feb 28, 2014 2:59 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by joe »

For the record I tried this again today for a new cert for a new domain and a new cert for an existing domain that has in the past had a Let's Encrypt certificate generated for it, and both worked first time in 3.0.1.R9J2 on my AS202-TE.

I'm not sure when this got fixed but it seems to be working here now without any issues or delays or error messages so credit where it's due. I'll report back come auto-renewal time if I see any issues.
joe
Posts: 62
Joined: Fri Feb 28, 2014 2:59 am

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by joe »

Today was auto-renewal day for this lets encrypt certificate:

Issued On	Sunday, October 1, 2017 at 7:59:10 AM
Expires On	Saturday, December 30, 2017 at 6:59:10 AM
Auto-renewal came and went and whatever was done, it didn't successfully renew the certificate. I suspect it might have tried to autorenew and it failed due to port 80 being closed to the NAS. If anyone knows of any logs maintained around certificate maintenance that would be useful.
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: (SOLVED in ADM 2.6.2) Support for LetsEncrypt CA

Post by Kapitein Haak »

Just upgraded to the latest firmware which had a note about the Let's Encrypt updating. After the reboot the certificate was updated (as my NAS needed a new certificate as well).
All is well again until April second :-D.