NAS540 Certificate Problem

69clkxhw69 Posts: 5  Freshman Member

Hi

I have a NAS 540

I can no longer log into it via its web console.

I get a connection refused message

I believe this to be a certificate error (I tried to renew the certificate the last time I DID manage to log into the NAS by the Web Browser interface)

I found this article …

https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI

Regenerating Self-Signed Certificate

If the built-in self-signed certificate has expired or you wish to customize the certificate the NAS uses, please do the following.

  1. Open SSH client
  2. SSH into NAS (e.g. ssh root@nas_ip_or_hostname)
  3. Type the following command to generate a certificate and key: openssl req -newkey rsa:2048 -nodes -keyout /etc/zyxel/cert/key/default_key.cer -x509 -days 3650 -out /etc/zyxel/cert/default.cer
  4. Provide info needed to generate the certificate
  5. Verify the certificate details with the following command: openssl x509 -text -noout -in /etc/zyxel/cert/default.cer
  6. Reboot the NAS

Use Custom Signed Certificate

If you have obtained a certificate from a CA to use with the NAS, please do the following to replace the certificate on the NAS with your signed cert.

  1. Make sure the certificate is using the correct extension required by NAS, CER.
    • CRT and CER are interchangeable, rename the cert file "default.cer".
    • If cert is using other extension check with your CA to see if they offer CRT/CER.
    • Use openssl to convert your certificate to CER format.  (e.g. openssl x509 -outform DER -in cert.pem -out default.cer)
  2. Make sure the certificate key is using the correct extension, CER.  (e.g. openssl rsa -in private.key -outform DER -out default_key.cer)
  3. Use a transfer client, such as WinSCP/SFTP, to overwrite default.cer and default_key.cer on the NAS.
    • Place the default.cer file in the /etc/zyxel/cert/ directory.  (e.g. "sftp>put source_directory/default.cer /etc/zyxel/cert/", Windows users can drag and drop files using WinSCP)
    • Place the default_key.cer file in the /etc/zyxel/cert/key directory.  (e.g. "sftp>put source_directory/default_key.cer /etc/zyxel/cert/key/", Windows users can drag and drop files using WinSCP)
  4. Reboot the NAS

I think I need to regenerate the self-signed certificate (so the first block of instructions)

I can ssh into the NAS no problem, generate the cert, verify the cert, reboot the NAS but still get the same issue

Any further suggestions, please?

Thanks

All Replies

  • ikubuf
    ikubuf Posts: 142  Ally Member

    Does it mean you are not able to log in to the web GUI, or what message does it show in the browser?

  • 69clkxhw69
    69clkxhw69 Posts: 5  Freshman Member

    Hi

    Thanks for reply

    Yes.

    I can't log in via web browser.

    I browse to the IP address and get an error message that varies between the browsers I try, but all are basically saying the logon fails because the secure connection and certificate are wrong and different from what is expected. I have also deleted all browsing data and certificates from the browsers, but that makes no difference either.

  • Mijzelf
    Mijzelf Posts: 2,763  Guru Member

    Is the clock of the NAS way off? In that case it can generate a certificate which is already expired (or not yet valid). Further, in the handshake there is also something with time. A client with a diverging clock can't connect to an https server, so I suppose a diverging server will generate the same problem.

    You can check the clock with the 'date' command.

  • 69clkxhw69
    69clkxhw69 Posts: 5  Freshman Member

    Hi

    Many thanks for the response

    The date and time on the NAS and the various devices I am trying to log in from using a variety of different web browsers are all the same dates and times

    Regards

  • 69clkxhw69
    69clkxhw69 Posts: 5  Freshman Member

    Hi

    Thanks for the replies

    Fixed it now

    Very odd, but in the certs and keys directories there were two with the same name

    Deleted one of them, worked again

    Thanks
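
An added example, not part of the thread or the Zyxel article: a shell check that the key belongs to the certificate, that the certificate has not expired, and that no look-alike file names sit next to the expected ones, printing the validity window beside the clock for comparison. It assumes `openssl` is available where it runs; the function names and the reading of "two with the same name" as names differing only in case or whitespace are assumptions.

```shell
#!/bin/sh
# Added example: not from the Zyxel article or the thread.
# Default paths are the ones quoted in the article.
CERT=${CERT:-/etc/zyxel/cert/default.cer}
KEY=${KEY:-/etc/zyxel/cert/key/default_key.cer}

# Print PEM or DER for a file; $1 is the openssl subcommand (x509 or pkey).
form_of() {
    for f in PEM DER; do
        openssl "$1" -inform "$f" -in "$2" -noout >/dev/null 2>&1 &&
            { echo "$f"; return 0; }
    done
    return 1
}

# 0 = key belongs to cert and cert not expired, 1 = file missing/unparseable,
# 2 = key does not belong to this certificate, 3 = certificate expired.
check_pair() {
    cf=$(form_of x509 "$1") || return 1
    kf=$(form_of pkey "$2") || return 1
    cert_pub=$(openssl x509 -inform "$cf" -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -inform "$kf" -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    openssl x509 -inform "$cf" -in "$1" -noout -checkend 0 >/dev/null || return 3
}

# Assumed reading of "two with the same name": print entries of dir $1 that
# equal name $2 only after case and whitespace are ignored.
lookalikes() {
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    ls -A "$1" | while IFS= read -r n; do
        norm=$(printf '%s' "$n" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
        if [ "$norm" = "$want" ] && [ "$n" != "$2" ]; then printf '%s\n' "$n"; fi
    done
}

report() {
    rc=0; check_pair "$CERT" "$KEY" || rc=$?
    echo "check_pair exit code: $rc"
    # Compare the validity window with the NAS clock (expired / not yet valid).
    openssl x509 -inform "$(form_of x509 "$CERT")" -in "$CERT" -noout -dates
    date -u
    lookalikes "$(dirname "$CERT")" "$(basename "$CERT")"
    lookalikes "$(dirname "$KEY")" "$(basename "$KEY")"
}

if [ -e "$CERT" ]; then report; fi
```

Set `CERT` and `KEY` to copies of the files to run the same checks away from the NAS.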
