NAS326: install SSL certificate via scp

mahowi
mahowi Posts: 6  Freshman Member
edited March 2020 in Personal Cloud Storage
Hello,

is it possible to copy my Letsencrypt certificate via scp to my NAS326? Where are the certificates stored?

I'm currently copying my certificate via renewal-hooks to my router and a Raspberry Pi. I would like to use the same cert on my NAS and have it automatically renewed.


#NAS_Mar_2020

Accepted Solution

  • mahowi
    mahowi Posts: 6  Freshman Member
    edited March 2020 Answer ✓
    Thanks for the tip. I've already installed Tweaks but have overseen this option.

    I have written a script "/etc/letsencrypt/renewal-hooks/post/nas326-cert-update.sh"
    #!/bin/bash
    
    # parameters
    USER="root"
    LEPATH="/etc/letsencrypt"
    BATCH="nas.sftp"
    HOST=nas326
    
    sftp -b $LEPATH/$BATCH $USER@$HOST
    ssh -t $USER@$HOST "reboot"
    and the batch file for sftp "/etc/letsencrypt/nas.sftp"
    put /etc/letsencrypt/live/[your URL]/cert.pem /etc/zyxel/cert/default.cer
    put /etc/letsencrypt/live/[your URL]/privkey.pem /etc/zyxel/cert/key/default_key.cer
    Now everytime my Letsencrypt certificate gets renewed it is copied automatically to my NAS.

All Replies

  • mahowi
    mahowi Posts: 6  Freshman Member
    Ok, I've found the directory
    /etc/zyxel/cert
    There are the files 
    CA.cer
    CSR.p10
    default.cer
    and the directory "key" with 
    CA_key.cer
    CSR_key.p10
    default_key.cer

    So "CA.cer" ist the current certificate with the corresponding key "CA_key.cer". "CSR.p10" and "CSR_key.p10" belong to the Certificate Signing Request". What are "default.cer" and "default_key.cer" for?

    Can I replace CA.cer and CA_key.cer with fullchain.pem and privkey.pem form my Letsencrypt certificate? 

  • mahowi
    mahowi Posts: 6  Freshman Member
    I have found 2 HowTos on Zyxel support sites: https://support.zyxel.eu/hc/en-us/articles/360011585960-How-to-import-Let-s-Encrypt-certificate-on-NAS-series-storage and https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI.
    Both tell me to copy the certificate to /etc/zyxel/cert/default.cer and the key to /etc/zyxel/cert/key/default_key.cer.
    As scp is not available on NAS326 I used sftp to copy the files. But neither using the original files as in the first guide nor the files converted to DER format with openssl work. After rebooting my NAS the original self-signed certificate ist still used.

    BTW: Is the /root directory not persistent beween reboots? To use a script as renewal-hook I need a non-interactive login method. Therefor I copied my śsh pubkey to root account but after reboot /root is empty again. And also changes in /etc/ssh/sshd_config get reverted.
  • mahowi
    mahowi Posts: 6  Freshman Member
    Ok, I finally got my Letsencrypt cert installed.  :)
    You have to remove CA.cer then default.cer is used. Now I have to find a way to get ssh work with public key login so I can write a script to automate the renewal.
  • Mijzelf
    Mijzelf Posts: 2,798  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    Now I have to find a way to get ssh work with public key login so I can write a script to automate the renewal.

    Indeed the /root directory is volatile. I wrote a package Tweaks, which can change the homedirectory for root (and admin) to a non-volatile place. You can install Tweaks by first installing MetaRepository.

  • mahowi
    mahowi Posts: 6  Freshman Member
    edited March 2020 Answer ✓
    Thanks for the tip. I've already installed Tweaks but have overseen this option.

    I have written a script "/etc/letsencrypt/renewal-hooks/post/nas326-cert-update.sh"
    #!/bin/bash
    
    # parameters
    USER="root"
    LEPATH="/etc/letsencrypt"
    BATCH="nas.sftp"
    HOST=nas326
    
    sftp -b $LEPATH/$BATCH $USER@$HOST
    ssh -t $USER@$HOST "reboot"
    and the batch file for sftp "/etc/letsencrypt/nas.sftp"
    put /etc/letsencrypt/live/[your URL]/cert.pem /etc/zyxel/cert/default.cer
    put /etc/letsencrypt/live/[your URL]/privkey.pem /etc/zyxel/cert/key/default_key.cer
    Now everytime my Letsencrypt certificate gets renewed it is copied automatically to my NAS.
  • Josathome
    Josathome Posts: 14  Freshman Member
    First Comment Second Anniversary
    Dear Mahowi,

    I created "default.cer", still have the old "ca.cer" and after reboot the NAS still uses old "ca.cer"

    You wrote: You have to remove CA.cer then default.cer is used.
    I assume you refer to the /etc/zyxel/cert/ directory. Can you confirm that it is absolutely safe to remove the old "ca.cer" certificate?

    Should I also remove the "CA_key.cer" in the /etc/zyxel/cert/key/ directory?

Consumer Product Help Center