ade05fr, posted January 5, 2019

Hi, I would like to know if it's possible to reuse my Let's Encrypt certificate from my NAS TS-251 to connect through HTTPS. I tried to put in the path of the certificate but it's not working.

Here is what I have:

Custom SSL certificate path: /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert

Error after restarting EmbyServer:

    2019-01-05 12:05:44.470 Info AuthenticationRepository: PRAGMA synchronous=1
    2019-01-05 12:05:44.526 Error App: No private key included in SSL cert /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert.
    2019-01-05 12:05:44.737 Info ActivityRepository: Default journal_mode for /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata/data/activitylog.db is wal

And in my web page:

    Secure Connection Failed
    The connection to xxxxxxxxxxxxxxx.myqnapcloud.com:yyyyyy was interrupted while the page was loading.
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Thanks for your help,
ade05fr

PenkethBoy, posted January 5, 2019

@Luke Sorry, no, not tried this as I do not have any external access set up in Emby, as I don't need it.

jillybean, posted January 6, 2019

> Hi, I would like to know if it's possible to reuse my Let's Encrypt certificate from my NAS TS-251 to connect through HTTPS. I tried to put in the path of the certificate but it's not working.
> ade05fr

Emby requires a PKCS#12 file (combined cert & key) rather than the individual files, so you need to create this first (and EVERY time your certificate renews, it seems). I am no expert, but I used the info here https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ to create the necessary file and it seems to be working.

Edited January 6, 2019 by jillybean

ade05fr, posted January 7, 2019

> Emby requires a PKCS#12 file (combined cert & key) rather than the individual files, so you need to create this first (and EVERY time your certificate renews, it seems). I am no expert, but I used the info here https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ to create the necessary file and it seems to be working.

I followed this and it worked! Here is the command that I used:

    openssl pkcs12 -export -out certificate.pfx -inke key -in crt

Now the next step is to create a crontab job to be sure that the renewal of the certificate is taken into account.

Thanks a lot

Edited January 7, 2019 by ade05fr

Jibest, posted January 21, 2019

@PenkethBoy I just noticed "Let's Encrypt" & had the same idea. I've a few questions though.

It requests a password when exporting the key; how have you automated this so crontab can do this without input?

How often did you set yours to re-create the PFX? As the cert lasts about 90 days and the app says it will attempt to renew when 30 days remain, what would happen if it renewed before you then re-create the PFX? For example, would everything still work for the last 30 days before the current cert expires?

Also, there were a couple of typos in your cmd, but the following worked:

    openssl pkcs12 -export -out certificate.pfx -inkey key -in cert

Jibest, posted January 21, 2019

I've managed to answer most of those questions myself.

You can automate the password when running the cmd by using -passout in the cmd. To have no password add the following:

    openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:

If you want a password then use:

    openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword

I've decided to re-generate the PFX twice a month to avoid it expiring but need to wait and see if there are any issues. To do this I wrote a simple script to run the cmd and then added the following to crontab:

    0 0 */15 * 6 /share/CE_CACHEDEV6_DATA/Files/Scripts/Create_Cert.sh

Touch wood this will now take care of itself.

jillybean, posted January 22, 2019

> I've managed to answer most of those questions myself.
>
> You can automate the password when running the cmd by using -passout in the cmd. To have no password add the following:
>
>     openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:
>
> If you want a password then use:
>
>     openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword
>
> I've decided to re-generate the PFX twice a month to avoid it expiring but need to wait and see if there are any issues. To do this I wrote a simple script to run the cmd and then added the following to crontab:
>
>     0 0 */15 * 6 /share/CE_CACHEDEV6_DATA/Files/Scripts/Create_Cert.sh
>
> Touch wood this will now take care of itself.

Check your cron entry. I think what you have above will run at 00:00 (midnight) on the 15th of each month, but only if it is a Saturday. I use https://crontab.guru/ to check my cron entries as I can never remember how they work.

I also think that the key file may change when the certificate renews, and if so you could have up to 2 weeks without secure access before the .pfx with the new key is created with your approach. I have the script below that checks the date/time of the key file and recreates the .pfx if the key file is less than 60 minutes old (hopefully). My cron job runs the script every 30 minutes.

The script worked in testing on a dummy file but my certificate doesn't renew again until April so it hasn't been tested "in anger" - use at your own risk.

    #!/bin/sh
    now="$(date)"
    cd /path/to/certificate/folder || exit 1
    # Rebuild only if the key file was modified within the last 60 minutes.
    if [ -z "$(find key -mmin -60)" ]
    then
        echo "Certificate key has not changed - $now" > /path/to/logfile/location/check-pfx.log
    else
        # Bundle key and certificate into the PKCS#12 file that Emby loads.
        /usr/bin/openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword
        echo "Created new certificate.pfx at $now" > /path/to/logfile/location/create-pfx.log
    fi

Edited January 22, 2019 by jillybean

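The renewal check discussed above, as an added example that is not any poster's script: instead of relying on the key file's modification time, it compares the SHA-256 fingerprint of the current cert with the certificate inside the existing PFX and rebuilds only on a mismatch. It assumes the file names cert and key used in the thread; the output name certificate.pfx, the password file (read with -passout file: so the password stays out of the crontab and the process list) and the two script arguments are placeholders.

```shell
#!/bin/sh
# Added example: rebuild the PKCS#12 bundle only when the certificate inside
# it no longer matches the current Let's Encrypt certificate.
# Assumed names: "cert" and "key" (from the thread); certificate.pfx and the
# password file path are placeholders.

# Print the SHA-256 fingerprint of the first PEM certificate read from stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# refresh_pfx DIR PASSFILE
# Returns 0 if a new bundle was written, 1 if it was already current,
# 2 if an input file is missing or openssl failed.
refresh_pfx() {
    dir=$1
    passfile=$2
    pfx="$dir/certificate.pfx"
    [ -r "$dir/cert" ] && [ -r "$dir/key" ] && [ -r "$passfile" ] || return 2

    want=$(fingerprint < "$dir/cert")
    [ -n "$want" ] || return 2
    have=""
    if [ -f "$pfx" ]; then
        # -nokeys -clcerts prints only the leaf certificate, never the key.
        have=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts \
                   -passin "file:$passfile" 2>/dev/null | fingerprint)
    fi
    [ "$want" = "$have" ] && return 1

    # Write to a temp file with owner-only permissions, then rename, so the
    # server never reads a half-written bundle.
    tmp="$pfx.tmp.$$"
    ( umask 077
      openssl pkcs12 -export -out "$tmp" -inkey "$dir/key" -in "$dir/cert" \
          -passout "file:$passfile" ) || { rm -f "$tmp"; return 2; }
    mv -f "$tmp" "$pfx"
    return 0
}

# Cron usage: /bin/sh refresh-pfx.sh /path/to/cert/dir /path/to/passfile
if [ "$#" -ge 2 ]; then
    refresh_pfx "$1" "$2"
fi
```

Because the comparison is against the bundle's own contents, the script can run as often as cron allows without rewriting the file, and a renewal that reuses the same key is still picked up.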
Jibest, posted January 22, 2019

Hi Jillybean. You're bang on about the crontab (last time I just trust Google with crontab!). That's a great site you've listed, definitely bookmarking that.

I did fear something might break when the certificate renewed. I've just done the following test:

- Backed up the PFX
- Released "Let's Encrypt"
- This removed all cert files including the PFX
- Re-installed "Let's Encrypt" & moved the old PFX back
- Restarted Emby

Surprisingly everything still works fine, so the key file may not be an issue after all. Think I'll change the crontab to 0 0 14,29 * * to generate on the 14th & 29th of each month & wait and see what happens in April.

Edited January 22, 2019 by Jibest

jillybean, posted January 22, 2019

> I guess to test it you could perform a release on the Let's Encrypt app and then re-install it? Assuming that then generates a fresh cert we would be able to tell if it broke? Would probably need to backup the pfx first to copy back across to the dir when the new cert is generated just in case it gets deleted.

Yep, releasing the current cert and getting a new one would test it. I'm not sure that you can re-install though - I think once released a new one gets created, so backing up the old .pfx wouldn't help. If the script doesn't work as expected you would just need to run the openssl command again to manually recreate the .pfx and then back to the drawing board for a script.

You could just have a cron job running your script more often than you had planned. I was originally doing this (it ran every hour) but I decided to try to find a more elegant approach.

Edit: Looks like you tested while I was composing my reply. Nice!

Edited January 22, 2019 by jillybean

Jibest, posted January 22, 2019

> Yep, releasing the current cert and getting a new one would test it. I'm not sure that you can re-install though - I think once released a new one gets created, so backing up the old .pfx wouldn't help. If the script doesn't work as expected you would just need to run the openssl command again to manually recreate the .pfx and then back to the drawing board for a script.
>
> You could just have a cron job running your script more often than you had planned. I was originally doing this (it ran every hour) but I decided to try to find a more elegant approach.

See above (edited the last post with new info)

schogobong, posted March 23, 2021

@jillybean I just added my QNAP Let's Encrypt certificate to Emby and am thus in need of a cron job to automate the re-creation of the pkcs12 file. You mentioned in your post that you weren't sure if your script was going to work beyond the dummy - can you confirm that it works "in the wild"?

If so: I have never set up a cron job, so I have no idea what to do with that script after I SSHd into my NAS. Would you mind giving me a quick rundown? My level of experience: assume I'm a two year old kid with a Fisher Price Doodle as a laptop and a blindfold on...

Your help would be much appreciated

jillybean, posted March 24, 2021

@schogobong I no longer have my QNAP exposed to the web so haven't used this for some time. It did work while I had it running but I don't know whether any firmware updates will have changed that.

The basic process is:

1. Create your script and save it, making sure it is executable (permissions 0755 maybe).
2. SSH to your QNAP (I use PuTTY) and use a text editor (I use nano) to edit crontab to set up the script to run. A good starting place for how to do this is https://wiki.qnap.com/wiki/Add_items_to_crontab

The line you add will look something like

    */30 * * * * /bin/sh /path/to/your/script

(this would run the script every 30 minutes for example)

You will probably need to have Entware installed to be able to install nano. If you don't already have Entware this is a good starting place: https://forum.qnap.com/viewtopic.php?f=320&t=132373&hilit=sherpa.

schogobong, posted March 24, 2021

Thanks for the info @jillybean!

I installed Entware directly through the QNAP Community store as I didn't want the other things included in sherpa. However, even after doing a quick Google search, I can't seem to figure out how to install nano. All I can find are forum entries from 2009, 2013 and similar.

I tried to follow this: https://forum.qnap.com/viewtopic.php?t=116284, but I just get the following message:

    -sh: opkg: command not found

Any hints?

jillybean, posted March 24, 2021

@schogobong That Entware qpkg is the same one as sherpa installs, I think, so in PuTTY you should just need to use 'opkg install nano'. This is what I get when I do that:

    [~] # opkg install nano
    Package nano (5.3-1) installed in root is up to date.
    [~] #

The other possibility is that the location of opkg is not in your PATH. You could try using the full path for opkg - on my system that is /share/CACHEDEV1_DATA/.qpkg/Entware/bin/opkg but yours may be different.

    [~] # /share/CACHEDEV1_DATA/.qpkg/Entware/bin/opkg install nano
    Package nano (5.3-1) installed in root is up to date.
    [~] #

schogobong, posted March 25, 2021

All right - so I got nano running, thanks for the explanation @jillybean

- nano is running
- I have added the following script (see explanation below):

      now="$(date)"
      cd /etc/config/QcloudSSLCertificate/cert
      [[ -z `find key -mmin -60` ]]
      if [ $? -eq 0 ]
      then
          echo "Certificate key has not changed - $now" > /share/CustomScripts/check-pfx.log
      else
          /etc/config/QcloudSSLCertificate/cert openssl pkcs12 -export -out emby.p12 -inkey key -in cert -passout pass:mypassword
          echo "Created new certificate.pfx at $now" > /share/CustomScripts/check-pfx.log
      fi

- I have run chmod +x /share/CustomScripts/CertRenewPKSC12.sh
- Based on this site you linked to: https://wiki.qnap.com/wiki/Add_items_to_crontab I have added the following cron job and then restarted crontab:

      */30 * * * * /bin/sh /share/CustomScripts/CertRenewPKSC12.sh

Explanation regarding script: I have a different else statement, as I followed this guide to create my initial certificate, which seems to have worked fine:

My current issue: When running the script using the following command (same as in cron job), I get the following errors:

    [/] # /bin/sh /share/CustomScripts/CertRenewPKSC12.sh
    : No such file or directorynewPKSC12: line 2: cd: /etc/config/QcloudSSLCertificate/cert
    /share/CustomScripts/CertRenewPKSC12: line 3: syntax error in conditional expression
    'share/CustomScripts/CertRenewPKSC12: line 3: syntax error near `]]
    'share/CustomScripts/CertRenewPKSC12: line 3: `[[ -z `find key -mmin -60` ]]

Any idea why this is the case? Directly entering cd /etc/config/QcloudSSLCertificate/cert works without any issues.

Edited March 25, 2021 by schogobong

jillybean, posted March 25, 2021

The only thing I can suggest is to check the ownership of CertRenewPKSC12.sh. Cron jobs run as admin, so if the owner is not 'admin' then you may need to change the ownership (or set the cron job to use whoever the owner is).

Otherwise just search for something like 'bash script runs manually but not in cron' and work your way through the answers - you are not alone in having this problem.

schogobong, posted March 26, 2021

The thing is, I was running the script manually with this command:

    /bin/sh /share/CustomScripts/CertRenewPKSC12.sh

So it doesn't seem to be an issue with the cron job but rather with executing the script itself. File owner is admin and I ssh into the NAS as admin to run the command above.

jillybean, posted March 27, 2021

14 hours ago, schogobong said:

> The thing is, I was running the script manually with this command:
>
>     /bin/sh /share/CustomScripts/CertRenewPKSC12.sh
>
> So it doesn't seem to be an issue with the cron job but rather with executing the script itself. File owner is admin and I ssh into the NAS as admin to run the command above.

Cron runs in a very sparse environment so it looks like there are variables available when you run the script manually that are not available when it runs from cron.

    : No such file or directorynewPKSC12: line 2: cd: /etc/config/QcloudSSLCertificate/cert

This is the problem from cron - it can't find that folder. In the script try it with the full path for the cd command (on my system it would be cd /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert) rather than the one dependent on a link that you are using.

If that doesn't work maybe ask on the QNAP forum as I don't have any other suggestions.

schogobong, posted April 2, 2021

All right, so my issue was related to Unix/DOS line endings. I created my script using the built-in QNAP text editor, which has different line endings than Unix. I noticed this when running

    cat -A /share/CustomScripts/CertRenewPKSC12.sh

Running the following command resolves this issue:

    dos2unix /share/CustomScripts/CertRenewPKSC12.sh

The script now runs; whether the cron job and certificate renewal work remains to be seen.

Thanks for your support @jillybean - wouldn't have gotten here without your help

schogobong, posted April 2, 2021

had a question, resolved question, can't delete this post..so here we are - sorry for that

Edited April 2, 2021 by schogobong: question resolved itself