ZyXEL NAS 326 - cannot install new SSL certificate for https
Why would httpd not restart?
I did some tests on my NAS520. A restart simply works. When I stop it, and only execute the 'payload' of the start
/usr/sbin/httpd -f /etc/service_conf/httpd.conf
it also starts. When I try to start it a 2nd time, I get
(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
That makes sense. When I edit CA_key.cer (by just adding some characters to the end of the base64 string) httpd fails to start silently. I did not manage to get an error message. Command-line options like -X and -DNO_DETACH -DFOREGROUND are not supported, it seems.
Does an httpd restart also fail when you use the generated self-signed key?
0 -
Thanks for the reply. Apparently it does not fail when using the self-generated certificate (4096 bits).
After stopping/restarting with /etc/init.d/httpd.sh I get 3 more lines like the following: /usr/sbin/httpd -f /etc/service_conf/httpd.conf
/etc/zyxel/cert # ps | grep http
1989 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
2330 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
2331 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
3368 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
3452 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
3453 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
12047 root 9892 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
12048 nobody 22420 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
12049 nobody 22164 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
12050 nobody 11552 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
12059 nobody 22412 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
12060 nobody 11552 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
12504 root 2656 S grep http
After I stop it I get:
/etc/zyxel/cert # /etc/init.d/httpd.sh stop
/etc/zyxel/cert # ps | grep htt
1989 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
2330 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
2331 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
3368 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
3452 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
3453 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
13120 root 2656 S grep htt
But a few seconds later:
/etc/zyxel/cert # ps | grep http
1989 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
2330 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
2331 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
3368 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
3452 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
3453 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
13127 root 2648 S N sh -c /etc/init.d/httpd.sh start
13128 root 2648 S N {httpd.sh} /bin/sh /etc/init.d/httpd.sh start
13135 root 9868 R N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
0 -
After installing a working certificate for another server in this NAS, the restart also won't work anymore. I could not find logs anywhere, so far.
0 -
Modifying the last byte of the self-generated certificate and restarting with /etc/init.d/httpd.sh also works. After stopping, a few seconds later it starts again on its own.
0 -
It seems to me there is something with your new certificate. httpd doesn't start with it, and I suppose zyshd detects that on boot (by looking if there is a valid certificate) and generates a self-signed one.
I looked for a way to see what's inside the certificate, and there is:
admin@NAS520: $ openssl x509 -in /etc/service_conf/CA.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fd:82:c0:19:5b:28:ce:4d
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ZyXEL, CN=NAS520
Validity
Not Before: Sep 30 19:00:17 2016 GMT
Not After : Sep 30 19:00:17 2019 GMT
Subject: O=ZyXEL, CN=NAS520
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d6:e9:4c:27:97:c9:9f:1b:0e:77:0c:e7:bc:b5:
16:52:ce:6a:fc:a8:db:cd:39:12:1a:12:fb:bf:70:
f5:64:f2:76:25:42:e9:fb:fb:50:2a:42:97:5e:5c:
43:54:0d:ce:f6:1d:ae:df:61:35:78:15:c7:85:ec:
bf:9a:73:ed:fc:15:ed:4f:82:7e:19:5c:a0:78:cc:
2c:7d:9c:53:eb:71:d9:c7:7f:25:76:c6:6c:29:7f:
b5:7a:82:f2:54:b8:09:9a:51:43:9f:64:3f:2b:84:
fb:3d:63:c0:83:40:12:10:d3:28:e1:8a:82:58:c9:
09:ca:12:37:fb:16:1e:41:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2E:EA:F4:A1:C2:F6:A6:11:B9:98:77:D5:6A:15:29:73:D3:2F:88:1C
X509v3 Authority Key Identifier:
keyid:2E:EA:F4:A1:C2:F6:A6:11:B9:98:77:D5:6A:15:29:73:D3:2F:88:1C
DirName:/O=ZyXEL/CN=NAS520
serial:FD:82:C0:19:5B:28:CE:4D
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
92:f0:ac:f0:cb:65:d1:fd:99:2b:99:9e:b8:5d:6e:1e:88:ae:
00:7a:43:9c:9a:76:a8:8c:08:cb:54:d0:bb:9b:e5:fa:43:0b:
0b:2e:b0:52:2c:c2:11:73:36:5b:fc:93:80:aa:00:4c:d1:eb:
df:32:7c:44:f5:7d:b6:03:b5:4a:ea:6e:29:38:3f:29:a1:f6:
10:c2:2c:62:97:4f:5e:fe:6b:e2:5e:16:92:fd:60:9d:96:de:
31:50:7e:21:9a:13:03:96:d4:a8:84:72:37:11:d2:3d:2f:5c:
33:de:1f:f2:ce:2d:cc:59:14:a8:8a:59:10:0d:1f:31:e6:d4:
98:62
You can try that with your certificate. Of course it's possible the openssl on the box can't show that, then you'll need a newer version to look at the content.
0 -
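Two things in this thread are worth checking before a certificate ever reaches the NAS: the earlier post shows httpd failing silently when the base64 of CA_key.cer is damaged, and the dump above shows what a default self-signed certificate looks like (1024-bit RSA). The script below is an added example, not a Zyxel tool and not code from any poster. It only assumes the openssl command line and takes the certificate and key file paths as arguments; the 2048-bit minimum is an assumption chosen here, not a NAS requirement. Run it on your workstation against the files you intend to copy into /etc/service_conf, and only copy them if every check prints ok.

```shell
#!/bin/sh
# Added example, not part of the thread and not a Zyxel tool: check a
# certificate/key pair before it is copied to /etc/service_conf, so that a
# corrupt file (httpd on the NAS fails silently on one) or a key that does
# not belong to the certificate is caught here instead of on the box.
# Assumes only the openssl command line; paths are passed as arguments.

MIN_KEY_BITS=2048   # assumption: the 1024-bit self-signed default is too small

# cert_parses CERT -> 0 if openssl can decode the PEM certificate
cert_parses() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# key_parses KEY -> 0 if the file is a readable, unencrypted private key
key_parses() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# pair_matches CERT KEY -> 0 if the public key inside the certificate is the
# public half of KEY (compares the PEM SubjectPublicKeyInfo, so RSA and EC work)
pair_matches() {
    pm_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    pm_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$pm_cert" ] && [ "$pm_cert" = "$pm_key" ]
}

# cert_not_expired CERT -> 0 if notAfter is still in the future
# (-checkend only looks at notAfter, not at notBefore)
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# cert_key_bits CERT -> prints the public key size in bits (empty on failure)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# preflight CERT KEY -> prints one line per check; returns 0 only if all pass
preflight() {
    pf_rc=0
    if cert_parses "$1"; then echo "ok   certificate parses"; else echo "FAIL certificate does not parse"; pf_rc=1; fi
    if key_parses "$2"; then echo "ok   private key parses"; else echo "FAIL private key does not parse"; pf_rc=1; fi
    if pair_matches "$1" "$2"; then echo "ok   key matches certificate"; else echo "FAIL key does not match certificate"; pf_rc=1; fi
    if cert_not_expired "$1"; then echo "ok   certificate not expired"; else echo "FAIL certificate expired"; pf_rc=1; fi
    pf_bits=$(cert_key_bits "$1")
    if [ -n "$pf_bits" ] && [ "$pf_bits" -ge "$MIN_KEY_BITS" ]; then
        echo "ok   key size ${pf_bits} bits"
    else
        echo "FAIL key size ${pf_bits:-unknown} bits (want >= ${MIN_KEY_BITS})"; pf_rc=1
    fi
    return $pf_rc
}

# Usage: sh preflight.sh CA.cer CA_key.cer
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The pair check is the one that catches the case a visual inspection with openssl x509 -text cannot: a certificate that reads correctly but was installed next to the wrong private key. The key-size check is there because the self-signed default the NAS generates is 1024-bit; treat the threshold as a local policy choice.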
Thanks, Yes, I've been "looking into it", actually using the same command.
My approved certificate shows the correct CN field. Isn't it strange that another approved certificate (installed on another server) causes the NAS to regenerate another self-signed one?
0 -
I've created a new Certificate request via web interface. Got it signed by Sectigo, installed the new certificate and key as before and rebooted.
The NAS keeps generating a new self-signed request. Maybe the firmware upgrade broke something, I don't know.
0 -
By importing the certificate via browser, it was finally identified as valid after a reboot.
It got copied automatically to /etc/service_conf. Nevertheless, new default.cer and default_key.cer were generated after the reboot, so I get the usual "http 500 error" problem when accessing the SSL options in the control panel.
After removing all files in /etc/zyxel/cert except default.cer and the key, I rebooted, and a new certificate was generated in /etc/service_conf/, invalidating my previous effort.
0 -
Ok, so I have a solution but it won't allow me to access SSL configurations through Control Panel.
I had to copy my CSR.p10 again to /etc/zyxel/cert. I had removed it from there because last year I had to erase all files except default.cer and default_key.cer (under the folder named "key").
Then I can access the SSL web interface and import the signed certificate. The NAS then restarts the network, and in the meantime I could confirm the new CA.cer and CA_key.cer in /etc/service_conf/ are my certificates. Now I have valid certificates; the only problem is I can't access SSL configurations in Control Panel. I had this problem last year and solved it by removing all files under /etc/zyxel/cert and leaving just my certificate and key renamed to default.cer and default_key.cer.
I've also tried this, but if I do, after a reboot the certificates are generated again under /etc/service_conf and /etc/zyxel/cert.
So, if no one has a better idea, I'll leave it for now.
Regards.
0