ZyXEL NAS 326 - cannot install new SSL certificate for https

Posts: 15  Freshman Member
First Comment
edited March 2024 in Personal Cloud Storage

Hello. Last year, following the instructions at https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI

I was able to install a certificate on my NAS. I have a public IP address with a DNS record, which I then forward to an internal IP. It worked perfectly after removing everything at /etc/zyxel/cert except for the new certificate renamed to default.cer and key/default_key.cer.

As it was almost expired, I renewed the certificate and followed the same procedure as last year. The problem is that the certificate and key file are rewritten on every reboot, and the NAS keeps using a new self-signed certificate each time. I may have upgraded the firmware during the last year (currently running V5.21(AAZF.15)).

Was there any change in the procedure to install a certificate?

Also, I was trying to manually upgrade to the latest V5.21(AAZF.16)C0, and after 2 reboots it still shows the previous firmware version?!

Thanks and regards.


Accepted Solution

  • Posts: 15  Freshman Member
    First Comment
    Answer ✓

    Ok, so I have a solution but it won't allow me to access SSL configurations through Control Panel.

    I had to copy my CSR.p10 again to /etc/zyxel/cert. I had removed it from there because last year I had to erase all files except default.cer and default_key.cer (under the folder named "key").

    Then I can access the SSL web interface and import the signed certificate. The NAS then restarts the network, and in the meantime I could confirm that the new CA.cer and CA_key.cer in /etc/service_conf/ are my certificates. Now I have valid certificates; the only problem is I can't access SSL configurations in Control Panel. I had this problem last year and solved it by removing all files under /etc/zyxel/cert and leaving just my certificate and key renamed to default.cer and default_key.cer.

    I've also tried this, but if I do, after a reboot the certificates are generated again under /etc/service_conf and /etc/zyxel/cert.

    So, if no one has a better idea, I'll leave it for now.

    Regards.


All Replies

  • Posts: 2,889  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    Long shot. Do you still have the old certificate, and can you compare it with the new one? I wonder if some new Signature Algorithm or something like that is used, which is not supported by the aging webserver on the box.

  • Posts: 15  Freshman Member
    First Comment

    Thanks for the reply. Unfortunately, the new one is the same type and size.

  • Posts: 15  Freshman Member
    First Comment
    edited March 2024

    Checking /etc/init.d/httpd.sh I found the script checks for existing /etc/service_conf/CA.cer and CA_key.cer. If they do not exist, it copies them from /etc/zyxel/cert.

    I overwrote both certificate and key at these two locations, rebooted, but nevertheless they are rewritten upon reboot.

    Any ideas, please?

  • Posts: 2,889  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    When you copy the files to /etc/zyxel/cert/, can you run dmesg after that to see if there are filesystem errors on that flash partition?

  • Posts: 15  Freshman Member
    First Comment
    edited April 2024

    I'm sorry, but I didn't find anything related in dmesg after copying the certificate and key.

    Nevertheless, I've found:

    EXT4-fs (md2): error count: 208
    EXT4-fs (md2): initial error at 1574712239: ext4_mb_generate_buddy:755
    EXT4-fs (md2): last error at 1711109576: htree_dirblock_to_tree:920: inode 156311586: block 1250431372
    EXT4-fs error (device md2): htree_dirblock_to_tree:920: inode #156872721: block 1254626161: comm python: bad entry in directory: rec_len is smaller than minimal - offset=2664(10856), inode=0, rec_len=0, name_len=0
    EXT4-fs (md2): error count: 209
    EXT4-fs (md2): initial error at 1574712239: ext4_mb_generate_buddy:755
    EXT4-fs (md2): last error at 1711622074: htree_dirblock_to_tree:920: inode 156872721: block 1254626161
    EXT4-fs (md2): error count: 209
    EXT4-fs (md2): initial error at 1574712239: ext4_mb_generate_buddy:755
    EXT4-fs (md2): last error at 1711622074: htree_dirblock_to_tree:920: inode 156872721: block 1254626161
    EXT4-fs (md2): error count: 209
    EXT4-fs (md2): initial error at 1574712239: ext4_mb_generate_buddy:755
    EXT4-fs (md2): last error at 1711622074: htree_dirblock_to_tree:920: inode 156872721: block 1254626161
    EXT4-fs (md2): error count: 209
    EXT4-fs (md2): initial error at 1574712239: ext4_mb_generate_buddy:755
    EXT4-fs (md2): last error at 1711622074: htree_dirblock_to_tree:920: inode 156872721: block 1254626161

    But I'm not sure if this was after I copied the file.

  • Posts: 2,889  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    But I'm not sure if this was after I copied the file.

    Yeah. It's nice that the kernel is compiled to not use timestamps here. I don't think this has to do with your problem. /dev/md2 is the data partition, that shouldn't be involved in certificate actions. Yet it's not a good idea to have filesystem errors there, of course.

    I did a grep on my 520. The file /sbin/zyshd seems responsible for generating the new certificate:

    /etc/zyxel/cert/
    CA.cer
    /etc/zyxel/cert/key/
    CA_key.cer
    CSR_key.p10
    default.cer
    default_key.cer
    /etc/service_conf/
    %s x509 -inform %s -in %s -outform PEM -out %s
    /usr/bin/openssl
    %s "%s" "%s"

    zyshd is the binary which is responsible for all NAS management in the background. It generates and edits configuration files in /etc (which is on a ramdrive, and thus volatile). So apparently something triggers it to generate a new certificate on boot.

    the new one is the same type and size.

    Did you actually look inside the file? An x509 certificate is a text file.

    Have you checked if the webserver can actually use your new certificate by manually restarting it after copying the files to /etc/service_conf/? If yes, a workaround could be possible by automatically copying the files from elsewhere and restarting the webserver.
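    The workaround suggested above (keep the cert/key pair somewhere persistent, copy it into both locations the boot scripts consult, then restart the webserver) written out as an added example; this is not code from the thread or from Zyxel. It assumes only the paths the thread found, uses a hypothetical ROOT prefix so it can be rehearsed against a scratch directory instead of the live box, and refuses to deploy a certificate whose public key does not match the key file, which is the kind of silent mismatch that makes a webserver fall back to a self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the thread or Zyxel. Paths are the ones the thread
# found: httpd.sh copies /etc/zyxel/cert/default.cer and key/default_key.cer
# into /etc/service_conf/CA.cer and CA_key.cer when those are missing.

# Return 0 when the certificate's public key equals the key file's public key.
# Comparing public keys works for RSA and EC alike (unlike -modulus).
cert_key_match() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ -n "$c" ] && [ "$c" = "$k" ]; then return 0; fi
    return 1
}

# Print the fields the thread compared by hand: signature algorithm,
# public key size and DNS subject alternative names.
cert_summary() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -E 'Signature Algorithm|Public-Key|DNS:' | sed 's/^ *//' | sort -u
}

# deploy_cert SRC_CERT SRC_KEY [ROOT]
# Copies a persistent pair (e.g. kept on a share under /i-data) into both
# locations, tightens key permissions, then restarts httpd the way the
# thread does. ROOT (hypothetical, default "") lets you rehearse in a temp dir.
deploy_cert() {
    src_cert=$1; src_key=$2; root=${3:-}
    cert_key_match "$src_cert" "$src_key" || { echo "cert/key mismatch, not deploying" >&2; return 1; }
    mkdir -p "$root/etc/zyxel/cert/key" "$root/etc/service_conf"
    cp "$src_cert" "$root/etc/zyxel/cert/default.cer"
    cp "$src_key"  "$root/etc/zyxel/cert/key/default_key.cer"
    cp "$src_cert" "$root/etc/service_conf/CA.cer"
    cp "$src_key"  "$root/etc/service_conf/CA_key.cer"
    chmod 600 "$root/etc/zyxel/cert/key/default_key.cer" "$root/etc/service_conf/CA_key.cer"
    # Only restart when the init script exists (it does not in a scratch ROOT).
    if [ -x "$root/etc/init.d/httpd.sh" ]; then "$root/etc/init.d/httpd.sh" restart; fi
    return 0
}
```

    After a real deploy, confirm what the server actually presents with `openssl s_client -connect nas-host:443 -servername nas-host </dev/null | openssl x509 -noout -subject -dates` before trusting the admin UI again; the thread shows that httpd.sh restart on AAZF.15 did not bring the admin page back, so that step may need a reboot instead.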

  • Posts: 15  Freshman Member
    First Comment

    Ran e2fsck -n /dev/md2 and rebooted.

    Now dmesg only shows:

    EXT4-fs (md2): error count: 209
    EXT4-fs (md2): initial error at 1574712239: ext4_mb_generate_buddy:755
    EXT4-fs (md2): last error at 1711622074: htree_dirblock_to_tree:920: inode 156872721: block 1254626161

    After the reboot, both certificates at /etc/zyxel/cert and /etc/service_conf were recreated :(

  • Posts: 15  Freshman Member
    First Comment
    edited April 2024

    Thanks for the reply. My NAS326 doesn't have a /sbin/zyshd. I didn't know /etc/zyxel was volatile… interesting.

    As for the certificates, they are exactly as intended: I had already checked them with

    openssl x509 -in… The DNS name is OK; it is the same type as the self-generated one but 2048 bits instead of the 4096 of the self-generated one (I wrote this wrongly in a previous post). The one I used last year was also 2048, so I don't think this should be an issue. The problem is that there are several HTTP-related scripts in /etc/init.d/. After I killed them all, I wasn't able to successfully start HTTP again.

  • Posts: 15  Freshman Member
    First Comment

    After stopping httpd with /etc/init.d/httpd.sh stop I can't start it again. Also tried to stop pkghttpd.sh and davhttpd.sh and then httpd.sh but still no result. Couldn't find documentation yet about starting these processes manually.

  • Posts: 15  Freshman Member
    First Comment
    edited April 2024

    HTTP-related processes before trying a /etc/init.d/httpd.sh restart:

    /etc/zyxel/cert # ps | grep http
    2533 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2637 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2638 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    3404 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3495 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3496 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3701 root 9892 S N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    3789 nobody 22436 S N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    5666 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    5675 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    5713 nobody 22424 S N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    7432 nobody 22412 S N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    10393 nobody 22412 S N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    11631 nobody 11412 S N /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    13299 root 2656 S grep http

    After the restart, I get fewer processes. The admin page is not working, but /MyWeb/shares do:

    /etc/init.d/httpd.sh restart
    killall: httpd: no process killed
    /etc/zyxel/cert # ps | grep http
    2533 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2637 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2638 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    3404 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3495 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3496 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    5666 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    5675 nobody 11544 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    13392 root 2656 S grep http

    Why would httpd not restart? I've tried manually running the commands that are in httpd.sh.
