ZyXEL NAS 326 - cannot install new SSL certificate for https

2»

All Replies

  • Mijzelf
    Mijzelf Posts: 2,787  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    why would httpd not restart?

    I did some tests on my NAS520. A restart simply works. When I stop it, and only execute the 'payload' of the start

    /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    

    it also starts. When I try to start it a 2nd time, I get

    (98)Address already in use: make_sock: could not bind to address [::]:80
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
    no listening sockets available, shutting down
    Unable to open logs

    That makes sense. When I edit CA_key.cer (by just adding some characters to the end of the base64 string) httpd failes to start silently. I did not manage to get an error message. Commandline options like -X and -DNO_DETACH -DFOREGROUND are not supported, it seems.

    Does an httpd restart also fail when you use the generated self-signed key?

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment
    edited April 5

    Thanks for the reply. Apparently it does not fail when using the self generated certificate (4096bits)

    After stopping/restarting with /etc/init.d/httpd.sh I get 3 more lines like the following /usr/sbin/httpd -f /etc/service_conf/httpd.conf

    /etc/zyxel/cert # ps | grep http
    1989 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2330 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2331 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    3368 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3452 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3453 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    12047 root 9892 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    12048 nobody 22420 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    12049 nobody 22164 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    12050 nobody 11552 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    12059 nobody 22412 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    12060 nobody 11552 S /usr/sbin/httpd -f /etc/service_conf/httpd.conf
    12504 root 2656 S grep http

    After I stop it I get:

    /etc/zyxel/cert # /etc/init.d/httpd.sh stop
    /etc/zyxel/cert # ps | grep htt
    1989 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2330 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2331 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    3368 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3452 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3453 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    13120 root 2656 S grep htt

    But a few seconds later:
    /etc/zyxel/cert # ps | grep http
    1989 root 9888 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2330 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    2331 nobody 11404 S /i-data/.system/zy-pkgs/pkg_httpd -f /etc/pkg_service_conf/httpd2.conf
    3368 root 10416 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3452 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    3453 root 12056 S /sbin/DAV_httpd -f /etc/service_conf/httpd_dav.conf
    13127 root 2648 S N sh -c /etc/init.d/httpd.sh start
    13128 root 2648 S N {httpd.sh} /bin/sh /etc/init.d/httpd.sh start
    13135 root 9868 R N /usr/sbin/httpd -f /etc/service_conf/httpd.conf

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment

    After installing a working certificate for another server in this NAS, the restart also won't work anymore. I could not find logs anywhere, so far.

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment

    Modifying the last byte of the self generated certificate and restarting with /etc/init.d/httpd.sh also works. After stopping, a few seconds later it starts again by its own.

  • Mijzelf
    Mijzelf Posts: 2,787  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    It seems to me there is something with your new certificate. httpd doesn't start with it, and I suppose zyshd detects that on boot (by looking if there is a valid certificate) and generates a self signed one.

    I looked if there is a way to look what's inside the certificate, and there is:

    admin@NAS520: $ openssl x509 -in /etc/service_conf/CA.cer -noout -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    fd:82:c0:19:5b:28:ce:4d
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: O=ZyXEL, CN=NAS520
    Validity
    Not Before: Sep 30 19:00:17 2016 GMT
    Not After : Sep 30 19:00:17 2019 GMT
    Subject: O=ZyXEL, CN=NAS520
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Modulus:
    00:d6:e9:4c:27:97:c9:9f:1b:0e:77:0c:e7:bc:b5:
    16:52:ce:6a:fc:a8:db:cd:39:12:1a:12:fb:bf:70:
    f5:64:f2:76:25:42:e9:fb:fb:50:2a:42:97:5e:5c:
    43:54:0d:ce:f6:1d:ae:df:61:35:78:15:c7:85:ec:
    bf:9a:73:ed:fc:15:ed:4f:82:7e:19:5c:a0:78:cc:
    2c:7d:9c:53:eb:71:d9:c7:7f:25:76:c6:6c:29:7f:
    b5:7a:82:f2:54:b8:09:9a:51:43:9f:64:3f:2b:84:
    fb:3d:63:c0:83:40:12:10:d3:28:e1:8a:82:58:c9:
    09:ca:12:37:fb:16:1e:41:19
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    2E:EA:F4:A1:C2:F6:A6:11:B9:98:77:D5:6A:15:29:73:D3:2F:88:1C
    X509v3 Authority Key Identifier:
    keyid:2E:EA:F4:A1:C2:F6:A6:11:B9:98:77:D5:6A:15:29:73:D3:2F:88:1C
    DirName:/O=ZyXEL/CN=NAS520
    serial:FD:82:C0:19:5B:28:CE:4D X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 92:f0:ac:f0:cb:65:d1:fd:99:2b:99:9e:b8:5d:6e:1e:88:ae: 00:7a:43:9c:9a:76:a8:8c:08:cb:54:d0:bb:9b:e5:fa:43:0b: 0b:2e:b0:52:2c:c2:11:73:36:5b:fc:93:80:aa:00:4c:d1:eb: df:32:7c:44:f5:7d:b6:03:b5:4a:ea:6e:29:38:3f:29:a1:f6: 10:c2:2c:62:97:4f:5e:fe:6b:e2:5e:16:92:fd:60:9d:96:de: 31:50:7e:21:9a:13:03:96:d4:a8:84:72:37:11:d2:3d:2f:5c: 33:de:1f:f2:ce:2d:cc:59:14:a8:8a:59:10:0d:1f:31:e6:d4: 98:62

    You can try that with your certificate. Of course it's possible the openssl on the box can't show that, then you'll need a newer version to look at the content.

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment

    Thanks, Yes, I've been "looking into it", actually using the same command.

    My approved certificate shows the correct CN field. Isn't it strange that another approved certificate (installed on another server) causes the NAs to regenerate another self signed one?

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment

    I've created a new Certificate request via web interface. Got it signed by Sectigo, installed the new certificate and key as before and rebooted.

    The NAS keeps generating a new self signed request. Maybe the firmware upgrade broke something, I don't know.

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment
    edited April 9

    By importing the certificate via browser, it was finally identified as valid after a reboot.

    It got copied automatically to /etc/service_conf. Nevertheless, I new default.cer and default_key.cer were generated after the reboot, so I get the usual "http 500 error" problem when accessing the SSL options in the control panel.

    After removing all files in /etc/zyxel/cert except default.cer and key, rebooted, and a new certificate is generated in /etc/service_conf/ invalidating my previous effort.

  • dave08
    dave08 Posts: 15  Freshman Member
    First Comment
    Answer ✓

    Ok, so I have a solution but it won't allow me to access SSL configurations through Control Panel.

    I had to copy my CSR.p10 again to /etc/zyxel/cert. I had removed it from there because last year I had to erase all files except default.cer and default_key.cer (under the folder named "key").

    Then I can access the SSL web interface and import the signed certificate. The NAS then restarts the network and in the meantime I could confirm the new CA.cer and CA_key.cer in /etc/service_conf/ are my certificates. Now I have valid certificates, the only problem is I can't acces SSL configurations in Control Panel. I had this problem last year and solved it by removing all files under /etc/zyxel/cert and leaving just my certificate and key renamed to default.cer and default_key.cer.

    I've also tried this, but If i do, after a reboot the certificates are generated again under /etc/service_conf and /etc/zyxel/cert.

    So, if no one has a better idea, I'll leave it for now.

    Regards.

Consumer Product Help Center