Security error certificate issue

brujo
Posts: 38
Joined: Tue Nov 15, 2022 9:42 pm

Re: Security error certificate issue

Post by brujo »

Hi Nazar78
A couple of screenshots.
I created a forward in my Asus router where port 443 in the Asustor is 8443.
When I type my public IP address it displays "Web server on your ASUSTOR NAS". I assume this means port 80 is working on my NAS.
I also created the no-ip DDNS, which points to my public IP.

Dr. ASUSTOR displays that all is fine with my network.

How come I am still getting "connection untrusted" when I try to connect to my NAS?
Thank You
Mario
Nazar78
Posts: 2235
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Security error certificate issue

Post by Nazar78 »

"I created a forward in my Asus router where port 443 in the Asustor is 8443."

I just checked; your port forwarding differs from what you said. Your router is not listening on port 443, but on 8443 instead. And port 8443 is your RT-AX88U admin page (warning: your router admin page is exposed to the internet).

So I took a quick look at your setup (recalled from previous checks): the DDNS domain name (a#######.myasustor.com) is different from the cert CN (common name: i#####.asuscomm.com, cannot resolve to your IP). That's why you see the error.

Refer below; your details have been redacted for your privacy.
root@Nimbustor4:~# curl -Iv https://a#######.myasustor.com:8443
* Trying ###.##.###.##:####...
* Connected to a#######.myasustor.com (###.##.###.##:####) port 8443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
* CApath: /etc/ssl/certs/
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=i#####.asuscomm.com
* start date: Dec 7 16:57:20 2022 GMT
* expire date: Mar 7 16:57:19 2023 GMT
* subjectAltName does not match a#######.myasustor.com
* SSL: no alternative certificate subject name matches target host name 'a#######.myasustor.com'

* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'a#######.myasustor.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

It seems you also installed the cert (or used certbot) on your router.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
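
Added example (not part of the original posts): the name check that fails in the curl output above, reproduced offline in Python. The certificate dicts use the layout returned by `ssl.SSLSocket.getpeercert()`; the host names are constructed stand-ins because the real ones are redacted in the thread.

```python
# Added example: match a requested host name against a certificate's DNS names
# (RFC 6125 style). All names below are constructed, not taken from the thread.

def label_match(pattern: str, host: str) -> bool:
    """Compare one dNSName with a host; '*' may only be the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard covers exactly one label, never several
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse over-broad names like *.com
    return p == h

def cert_dns_names(cert: dict) -> list:
    """DNS entries from subjectAltName; subject CN is used only if no DNS SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback (curl/OpenSSL do this; current browsers ignore the CN).
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def diagnose(cert: dict, hostname: str):
    """Return (matches, names_in_cert) so a mismatch shows which names were offered."""
    names = cert_dns_names(cert)
    return any(label_match(n, hostname) for n in names), names

# Constructed sample: cert issued for the router's DDNS name ...
ROUTER_CERT = {
    "subject": ((("commonName", "router-example.asuscomm.com"),),),
    "subjectAltName": (("DNS", "router-example.asuscomm.com"),),
}
# ... and a cert reissued for the name the client actually types.
NAS_CERT = {
    "subject": ((("commonName", "nas-example.myasustor.com"),),),
    "subjectAltName": (("DNS", "nas-example.myasustor.com"),),
}
NAS_HOST = "nas-example.myasustor.com"

if __name__ == "__main__":
    for label, cert in (("router cert", ROUTER_CERT), ("reissued cert", NAS_CERT)):
        ok, names = diagnose(cert, NAS_HOST)
        print(f"{label}: {'match' if ok else 'MISMATCH'} for {NAS_HOST}; cert names: {names}")
```
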
brujo
Posts: 38
Joined: Tue Nov 15, 2022 9:42 pm

Re: Security error certificate issue

Post by brujo »

Hi Nazar78
Thank you so much, you are good, I am impressed.
I know so little, I am old, retired.
I had Blue Iris on 443, I just changed it to Asustor.
So I need a new certificate?
Thank you so much, Happy New Year to you
Mario
Nazar78
Posts: 2235
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Security error certificate issue

Post by Nazar78 »

You can create the new certificate to match your DDNS domain.

No problem, glad to help, and Happy New Year to you too.