NAS540 Certificate Problem

69clkxhw69
69clkxhw69 Posts: 5  Freshman Member
First Comment

Hi

I have a NAS 540

I can no longer log into it via its web console.

I get a connection refused message

I believe this to be a certificate error (I tried to renew the certificate the last time I DID manage to log into the NAS by the Web Browser interface)

I found this article …

https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI

Regenerating Self-Signed Certificate

If the built-in self-signed certificate has expired or you wish to customize the certificate the NAS uses, please do the following.

  1. Open SSH client
  2. SSH into NAS (e.g. ssh root@nas_ip_or_hostname)
  3. Type the following command to generate a certificate and key: openssl req -newkey rsa:2048 -nodes -keyout /etc/zyxel/cert/key/default_key.cer -x509 -days 3650 -out /etc/zyxel/cert/default.cer
  4. Provide info needed to generate the certificate
  5. Verify the certificate details with the following command: openssl x509 -text -noout -in /etc/zyxel/cert/default.cer
  6. Reboot the NAS
Use Custom Signed Certificate

If you have obtained a certificate from a CA to use with the NAS, please do the following to replace the certificate on the NAS with your signed cert.

  1. Make sure the certificate is using the correct extension required by NAS, CER.
    • CRT and CER are interchangeable, rename the cert file "default.cer".
    • If cert is using other extension check with your CA to see if they offer CRT/CER.
    • Use openssl to convert your certificate to CER format.  (e.g. openssl x509 -outform DER -in cert.pem -out default.cer)
  2. Make sure the certificate key is using the correct extension, CER.  (e.g. openssl rsa -in private.key -outform DER -out default_key.cer)
  3. Use a transfer client, such as WinSCP/SFTP, to overwrite default.cer and default_key.cer on the NAS.
    • Place the default.cer file in the /etc/zyxel/cert/ directory.  (e.g. "sftp>put source_directory/default.cer /etc/zyxel/cert/", Windows users can drag and drop files using WinSCP)
    • Place the default_key.cer file in the /ect/zyxel/cert/key directory.  (e.g. "sftp>put source_directory/default_key.cer /etc/zyxel/cert/key/", Windows users can drag and drop files using WinSCP)
  4. Reboot the NAS

I think I need to regenerate the self-signed certificate (so the first block of instructions)

I can ssh into the NAS no problem, generate the cert, verify the cert, reboot the NAS but still get the same issue

ANy further suggestions please

Thanks

All Replies

  • ikubuf
    ikubuf Posts: 142  Ally Member
    5 Answers First Comment Friend Collector Second Anniversary

    Does it mean you not able to login web GUI or what message does it show on the browser?

  • 69clkxhw69
    69clkxhw69 Posts: 5  Freshman Member
    First Comment

    Hi

    Thanks for reply

    Yes.

    I cant log in via web browser

    I browse to the IP address and get an error message that varies by different browsers that I try but all basically are saying the logon fails because the secure connection and certificate are wrong and different to what is expected Have also deleted all browsing data and certificates from browsers but that makes no difference either

  • Mijzelf
    Mijzelf Posts: 2,790  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary

    Is the clock of the NAS way off? In that case it can generate a certificate which is already expired (of not yet valid). Further in the handshake there is also something with time. A client with a diverging clock can't connect to a https server, so I support a diverging server will generate the same problem.

    You can check the clock with the 'date' command.

  • 69clkxhw69
    69clkxhw69 Posts: 5  Freshman Member
    First Comment

    Hi

    Many thanks for the response

    The date and time on the NAS and the various devices I am trying to log in from using a variety of different web browsers are all the same dates and times

    Regards

  • 69clkxhw69
    69clkxhw69 Posts: 5  Freshman Member
    First Comment

    Hi

    Thanks for the replies

    FIxed it now

    Very odd but in the certs and keys directorys there were two with the same name

    Deleted one of them, worked again

    Thanks

Consumer Product Help Center