NAS326: install SSL certificate via scp

mahowi

Hello,

is it possible to copy my Letsencrypt certificate via scp to my NAS326? Where are the certificates stored?

I'm currently copying my certificate via renewal-hooks to my router and a Raspberry Pi. I would like to use the same cert on my NAS and have it automatically renewed.


#NAS_Mar_2020

mahowi

Thanks for the tip. I've already installed Tweaks but have overseen this option.

I have written a script "/etc/letsencrypt/renewal-hooks/post/nas326-cert-update.sh"

#!/bin/bash

# parameters
USER="root"
LEPATH="/etc/letsencrypt"
BATCH="nas.sftp"
HOST=nas326

sftp -b $LEPATH/$BATCH [email protected]$HOST
ssh -t [email protected]$HOST "reboot"

and the batch file for sftp "/etc/letsencrypt/nas.sftp"

put /etc/letsencrypt/live/[your URL]/cert.pem /etc/zyxel/cert/default.cer
put /etc/letsencrypt/live/[your URL]/privkey.pem /etc/zyxel/cert/key/default_key.cer

Now everytime my Letsencrypt certificate gets renewed it is copied automatically to my NAS.

mahowi

Ok, I've found the directory

/etc/zyxel/cert

There are the files 

CA.cer
CSR.p10
default.cer

and the directory "key" with 

CA_key.cer
CSR_key.p10
default_key.cer

So "CA.cer" ist the current certificate with the corresponding key "CA_key.cer". "CSR.p10" and "CSR_key.p10" belong to the Certificate Signing Request". What are "default.cer" and "default_key.cer" for?

Can I replace CA.cer and CA_key.cer with fullchain.pem and privkey.pem form my Letsencrypt certificate? 

mahowi

I have found 2 HowTos on Zyxel support sites: https://support.zyxel.eu/hc/en-us/articles/360011585960-How-to-import-Let-s-Encrypt-certificate-on-NAS-series-storage and https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI.
Both tell me to copy the certificate to /etc/zyxel/cert/default.cer and the key to /etc/zyxel/cert/key/default_key.cer.
As scp is not available on NAS326 I used sftp to copy the files. But neither using the original files as in the first guide nor the files converted to DER format with openssl work. After rebooting my NAS the original self-signed certificate ist still used.

BTW: Is the /root directory not persistent beween reboots? To use a script as renewal-hook I need a non-interactive login method. Therefor I copied my śsh pubkey to root account but after reboot /root is empty again. And also changes in /etc/ssh/sshd_config get reverted.

mahowi

Ok, I finally got my Letsencrypt cert installed. 
You have to remove CA.cer then default.cer is used. Now I have to find a way to get ssh work with public key login so I can write a script to automate the renewal.

Mijzelf

Now I have to find a way to get ssh work with public key login so I can write a script to automate the renewal.

Indeed the /root directory is volatile. I wrote a package Tweaks, which can change the homedirectory for root (and admin) to a non-volatile place. You can install Tweaks by first installing MetaRepository.

Josathome

Dear Mahowi,

I have the same problem re expiring certificate after following the steps in https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI

I created "default.cer", still have the old "ca.cer" and after reboot the NAS still uses old "ca.cer"

You wrote: You have to remove CA.cer then default.cer is used.

I assume you refer to the /etc/zyxel/cert/ directory. Can you confirm that it is absolutely safe to remove the old "ca.cer" certificate?

Should I also remove the "CA_key.cer" in the /etc/zyxel/cert/key/ directory?