NAS326: install SSL certificate via scp
mahowi
Posts: 6 Freshman Member
Hello,
is it possible to copy my Letsencrypt certificate via scp to my NAS326? Where are the certificates stored?
I'm currently copying my certificate via renewal-hooks to my router and a Raspberry Pi. I would like to use the same cert on my NAS and have it automatically renewed.
#NAS_Mar_2020
is it possible to copy my Letsencrypt certificate via scp to my NAS326? Where are the certificates stored?
I'm currently copying my certificate via renewal-hooks to my router and a Raspberry Pi. I would like to use the same cert on my NAS and have it automatically renewed.
#NAS_Mar_2020
0
Accepted Solution
-
Thanks for the tip. I've already installed Tweaks but have overseen this option.
I have written a script "/etc/letsencrypt/renewal-hooks/post/nas326-cert-update.sh"#!/bin/bash # parameters USER="root" LEPATH="/etc/letsencrypt" BATCH="nas.sftp" HOST=nas326 sftp -b $LEPATH/$BATCH $USER@$HOST ssh -t $USER@$HOST "reboot"
and the batch file for sftp "/etc/letsencrypt/nas.sftp"put /etc/letsencrypt/live/[your URL]/cert.pem /etc/zyxel/cert/default.cer put /etc/letsencrypt/live/[your URL]/privkey.pem /etc/zyxel/cert/key/default_key.cer
Now everytime my Letsencrypt certificate gets renewed it is copied automatically to my NAS.0
All Replies
-
Ok, I've found the directory
/etc/zyxel/cert
There are the filesCA.cer CSR.p10 default.cer
and the directory "key" withCA_key.cer CSR_key.p10 default_key.cer
So "CA.cer" ist the current certificate with the corresponding key "CA_key.cer". "CSR.p10" and "CSR_key.p10" belong to the Certificate Signing Request". What are "default.cer" and "default_key.cer" for?
Can I replace CA.cer and CA_key.cer with fullchain.pem and privkey.pem form my Letsencrypt certificate?
0 -
I have found 2 HowTos on Zyxel support sites: https://support.zyxel.eu/hc/en-us/articles/360011585960-How-to-import-Let-s-Encrypt-certificate-on-NAS-series-storage and https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI.
Both tell me to copy the certificate to /etc/zyxel/cert/default.cer and the key to /etc/zyxel/cert/key/default_key.cer.
As scp is not available on NAS326 I used sftp to copy the files. But neither using the original files as in the first guide nor the files converted to DER format with openssl work. After rebooting my NAS the original self-signed certificate ist still used.
BTW: Is the /root directory not persistent beween reboots? To use a script as renewal-hook I need a non-interactive login method. Therefor I copied my śsh pubkey to root account but after reboot /root is empty again. And also changes in /etc/ssh/sshd_config get reverted.0 -
Ok, I finally got my Letsencrypt cert installed.
You have to remove CA.cer then default.cer is used. Now I have to find a way to get ssh work with public key login so I can write a script to automate the renewal.0 -
Now I have to find a way to get ssh work with public key login so I can write a script to automate the renewal.
Indeed the /root directory is volatile. I wrote a package Tweaks, which can change the homedirectory for root (and admin) to a non-volatile place. You can install Tweaks by first installing MetaRepository.
1 -
Thanks for the tip. I've already installed Tweaks but have overseen this option.
I have written a script "/etc/letsencrypt/renewal-hooks/post/nas326-cert-update.sh"#!/bin/bash # parameters USER="root" LEPATH="/etc/letsencrypt" BATCH="nas.sftp" HOST=nas326 sftp -b $LEPATH/$BATCH $USER@$HOST ssh -t $USER@$HOST "reboot"
and the batch file for sftp "/etc/letsencrypt/nas.sftp"put /etc/letsencrypt/live/[your URL]/cert.pem /etc/zyxel/cert/default.cer put /etc/letsencrypt/live/[your URL]/privkey.pem /etc/zyxel/cert/key/default_key.cer
Now everytime my Letsencrypt certificate gets renewed it is copied automatically to my NAS.0 -
Dear Mahowi,I have the same problem re expiring certificate after following the steps in https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUII created "default.cer", still have the old "ca.cer" and after reboot the NAS still uses old "ca.cer"You wrote: You have to remove CA.cer then default.cer is used.I assume you refer to the /etc/zyxel/cert/ directory. Can you confirm that it is absolutely safe to remove the old "ca.cer" certificate?Should I also remove the "CA_key.cer" in the /etc/zyxel/cert/key/ directory?0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 149 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 264 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 41 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight