sa2000 729 Posted April 30

Could you send me by private message a copy of this file? I want to see what to look for as an initial check:

    /etc/config/uLinux.conf

So I intend to give you a script with improved search to avoid the "@Recycle" directory, and when you run it and give me the resulting check-p12.log content, I will see if I can modify the script further to look for the configured certificate before attempting the filesystem search.
sa2000 729 Posted April 30

31 minutes ago, sa2000 said:
> It is going wrong when encountering the recycle bin. I will look into it and update the script

Try this modified script and let me know the outcome - together with what gets logged into the check-p12.log when the certificate key does not change and when it does change (if you can)

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="YourPFXPassword"

    # Output file
    PFX_FILE="/share/HDA_DATA/Public/Scripts/emby.p12"

    # Log file
    PFX_Log="/share/HDA_DATA/Public/Scripts/check-p12.log"

    # Automatically locate the active certificate
    CERT_DIR=$(getcfg System "Web Certificate" -f /etc/config/uLinux.conf 2>/dev/null)

    if [ -n "$CERT_DIR" ] && [ -f "$CERT_DIR/SSLcertificate.crt" ] && [ -f "$CERT_DIR/SSLprivatekey.key" ]; then
        CRT_FILE="$CERT_DIR/SSLcertificate.crt"
        KEY_FILE="$CERT_DIR/SSLprivatekey.key"
    else
        echo "$now - Configured certificate not found, searching for newest certificate..." >> "$PFX_Log"

        CRT_FILE=$(find /mnt -type f -name "SSLcertificate.crt" 2>/dev/null \
            | while read -r file; do
                stat -c "%Y %n" "$file"
              done \
            | sort -nr \
            | head -n 1 \
            | cut -d' ' -f2-)

        if [ -z "$CRT_FILE" ]; then
            echo "$now - No certificate file found." >> "$PFX_Log"
            exit 1
        fi

        CERT_DIR=$(dirname "$CRT_FILE")
        KEY_FILE="$CERT_DIR/SSLprivatekey.key"
        echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
        echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
        echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

        if [ ! -f "$KEY_FILE" ]; then
            echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
            exit 1
        fi
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

If this works, then I will look into the check on /etc/config/uLinux.conf

Thanks

Edited April 30 by sa2000
renefw 5 Posted May 2

I have now adjusted the script as follows:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my customized password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Automatically locate the active certificate
    CERT_DIR=$(getcfg System "Web Certificate" -f /etc/config/uLinux.conf 2>/dev/null)

    if [ -n "$CERT_DIR" ] && [ -f "$CERT_DIR/SSLcertificate.crt" ] && [ -f "$CERT_DIR/SSLprivatekey.key" ]; then
        CRT_FILE="$CERT_DIR/SSLcertificate.crt"
        KEY_FILE="$CERT_DIR/SSLprivatekey.key"
    else
        echo "$now - Configured certificate not found, searching for newest certificate..." >> "$PFX_Log"

        CRT_FILE=$(find /mnt -type f -name "SSLcertificate.crt" 2>/dev/null \
            | while read -r file; do
                stat -c "%Y %n" "$file"
              done \
            | sort -nr \
            | head -n 1 \
            | cut -d' ' -f2-)

        if [ -z "$CRT_FILE" ]; then
            echo "$now - No certificate file found." >> "$PFX_Log"
            exit 1
        fi

        CERT_DIR=$(dirname "$CRT_FILE")
        KEY_FILE="$CERT_DIR/SSLprivatekey.key"
        echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
        echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
        echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

        if [ ! -f "$KEY_FILE" ]; then
            echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
            exit 1
        fi
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

If I execute this, the following message appears in the check-p12.log:

    Sat May 2 12:00:030 PM CEST 2026 - Configured certificate not found, searching for newest certificate...
    Sat May 2 12:00:00 PM CEST 2026 - No certificate file found.

I don't really understand this. If I understand the script correctly, the first three items (# Password for exported PFX, # Output file, and # Log file) contain variables that are set there. This means that the script then uses the password and other paths set there. Is that correct? Since these values and the certificate files are also located in the SSL certificate subdirectory, the script should be able to find them there, shouldn't it? Or do I need to specify my path somewhere for it to work? If that's the case, please send me the script with my adjusted paths. Thank you!

I've sent you the requested uLinux.conf file as a private message.

The certificate key has not changed.

Edited May 2 by renefw
sa2000 729 Posted Monday at 11:08 AM

On 02/05/2026 at 11:41, renefw said:
> I've sent you the requested uLinux.conf file as a private message

Thanks. The "/etc/config/uLinux.conf" file does not appear to have any certificate details - so I am removing that part of the script

On 02/05/2026 at 11:41, renefw said:
> Sat May 2 12:00:00 PM CEST 2026 - No certificate file found.

The script was attempting to search the whole filesystem for a file named "SSLcertificate" starting from "/mnt" and it failed to find the file.

Was the file present at the time of running the script?

If you run this manually in a putty SSH session, what does it return?

    find /mnt -type f -name "SSLcertificate.crt"

The updated script is below - just removing the checks on uLinux.conf

Update to your adapted version:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my customized password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Search filesystem for latest SSLcertificate.crt file
    CRT_FILE=$(find /mnt -type f -name "SSLcertificate.crt" 2>/dev/null \
        | while read -r file; do
            stat -c "%Y %n" "$file"
          done \
        | sort -nr \
        | head -n 1 \
        | cut -d' ' -f2-)

    if [ -z "$CRT_FILE" ]; then
        echo "$now - No certificate file found." >> "$PFX_Log"
        exit 1
    fi

    CERT_DIR=$(dirname "$CRT_FILE")
    KEY_FILE="$CERT_DIR/SSLprivatekey.key"
    echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
    echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
    echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

    if [ ! -f "$KEY_FILE" ]; then
        echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
        exit 1
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

and this is without your changes:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="YourPFXPassword"

    # Output file
    PFX_FILE="/share/HDA_DATA/Public/Scripts/emby.p12"

    # Log file
    PFX_Log="/share/HDA_DATA/Public/Scripts/check-p12.log"

    # Search filesystem for latest SSLcertificate.crt file
    CRT_FILE=$(find /mnt -type f -name "SSLcertificate.crt" 2>/dev/null \
        | while read -r file; do
            stat -c "%Y %n" "$file"
          done \
        | sort -nr \
        | head -n 1 \
        | cut -d' ' -f2-)

    if [ -z "$CRT_FILE" ]; then
        echo "$now - No certificate file found." >> "$PFX_Log"
        exit 1
    fi

    CERT_DIR=$(dirname "$CRT_FILE")
    KEY_FILE="$CERT_DIR/SSLprivatekey.key"
    echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
    echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
    echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

    if [ ! -f "$KEY_FILE" ]; then
        echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
        exit 1
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

If you run the script (with your changed lines) manually in putty SSH, what do you get added to the "check-p12.log" file?

On 02/05/2026 at 11:41, renefw said:
> the first three items (# Password for exported PFX, # Output file, and # Log file) contain variables that are set there. This means that the script then uses the password and other paths set there. Is that correct? Since these values and the certificate files are also located in the SSL certificate subdirectory, the script should be able to find them there, shouldn't it? Or do I need to specify my path somewhere for it to work?

The script is supposed to search the whole filesystem for the SSLcertificate.crt - maybe the starting point on the "find" command of path "/mnt" is not right for QuTS. Will see what you get back from the manual execution of the "find" command mentioned above.
renefw 5 Posted Monday at 08:31 PM

The certificate file has been continuously located in the directory /share/SSL-Certificate since March 26, 2026. Therefore, it was also in that directory when the script was executed.

If I enter the following in Putty:

    find /mnt -type f -name "SSLcertificate.crt"

Then the cursor appears immediately without any output, as if I hadn't entered anything.

Does it make sense for the search to start in the /mnt directory even though I always manually copy the certificate to /share/SSL-Certificate? If the search starts in /mnt, will it also search the /share/SSL-Certificate directory, where it's located? Share and mnt are in the QNAP's main directory.

Do you want to use the script to locate the SSL certificate file on the QNAP, since QNAP support informed me that the path will change regularly in the future, ensuring the file can always be found regardless of its location and without requiring me to copy it via Control Panel/Security/SSL Certificate & Private Key to Share/SSL Certificate?

The following appears in the check-p12.log file:

    Mon May 4 10:00:00 PM CEST 2026 - Configured certificate not found, searching for newest certificate...
    Mon May 4 10:00:00 PM CEST 2026 - No certificate file found.

The fact is that the /mnt folder exists on QuTS hero. It is located in the QNAP's root directory. According to QNAP support, the main difference between QuTS hero and QTS is the file system type. Otherwise, the two systems are said to be identical.
renefw 5 Posted Monday at 09:28 PM

I ran a test using WinSCP and searched for the SSLcertificate.crt file. It searched all subfolders. After almost 8 minutes, it finished and found no path.

Then I tried it with the old name, "cert," which I hadn't exported via the Control Panel. After a few seconds, it showed me the path ./ext/opt/QcloudSSLCertificate/cert/, and after about 2 minutes, it also showed ./sync/.config/QcloudSSLCertificate/cert/. Both showed a modified date of March 26, 2026, at 9:50:38 PM. Based on the date and time, it appears to be the current certificate. After about 8 minutes, it also finished scanning and found nothing further.

Afterward, I searched for the key file. It found these in the directories .ext/opt/QCloudSSLCertificate/cert/ and ./sync/.configQcloudSSLCertificate/cert/. Both show a modification date of March 26, 2026, at 9:50:03 PM.

Within the specified ../cert/ folder, there is a subfolder named /account/ related to the key. This subfolder appears to still contain the key from the previous certificate. The dates January 19, 2026, at 8:50:03 PM and January 19, 2026, at 8:52:01 PM, respectively, match this. Oddly, the /account/ folder only contains the key from January 19, 2026. The certificate itself is nowhere to be found.

After that, I changed the script as follows:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my Password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Automatically locate the active certificate
    CERT_DIR=$(getcfg System "Web Certificate" -f /etc/config/uLinux.conf 2>/dev/null)

    if [ -n "$CERT_DIR" ] && [ -f "$CERT_DIR/cert" ] && [ -f "$CERT_DIR/key" ]; then
        CRT_FILE="$CERT_DIR/cert"
        KEY_FILE="$CERT_DIR/key"
    else
        echo "$now - Configured certificate not found, searching for newest certificate..." >> "$PFX_Log"

        CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
            | while read -r file; do
                stat -c "%Y %n" "$file"
              done \
            | sort -nr \
            | head -n 1 \
            | cut -d' ' -f2-)

        if [ -z "$CRT_FILE" ]; then
            echo "$now - No certificate file found." >> "$PFX_Log"
            exit 1
        fi

        CERT_DIR=$(dirname "$CRT_FILE")
        KEY_FILE="$CERT_DIR/key"
        echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
        echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
        echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

        if [ ! -f "$KEY_FILE" ]; then
            echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
            exit 1
        fi
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

The following now appears in the check-p12.log file:

    CERT_DIR: /mnt/sync/.config/QcloudSSLCertificate/cert
    CRT_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    KEY_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Mon May 4 11:19:24 PM CEST 2026 - Certificate key has not changed
    Mon May 4 11:22:24 PM CEST 2026 - Configured certificate not found, searching for newest certificate...
    CERT_DIR: /mnt/sync/.config/QcloudSSLCertificate/cert
    CRT_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    KEY_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Mon May 4 11:22:24 PM CEST 2026 - Certificate key has not changed
renefw 5 Posted Monday at 09:29 PM

I have the feeling that we are now on the safe side and have almost made it....
sa2000 729 Posted Tuesday at 08:19 AM

10 hours ago, renefw said:
> CERT_DIR: /mnt/sync/.config/QcloudSSLCertificate/cert
> CRT_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
> KEY_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/key

So these are files named "cert" and "key" under directory "/mnt/sync/.config/QcloudSSLCertificate/cert/"

If they are the actual files and will always be named that, then changing the find search for files named "cert" instead of searching for "SSLcertificate.crt" and changing the key file from SSLprivatekey.key to key should work then.

This is the updated script with your customization, removing the uLinux.conf check which is unnecessary:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Search filesystem for latest QNAP cert file
    CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
        | while read -r file; do
            stat -c "%Y %n" "$file"
          done \
        | sort -nr \
        | head -n 1 \
        | cut -d' ' -f2-)

    if [ -z "$CRT_FILE" ]; then
        echo "$now - No certificate file found." >> "$PFX_Log"
        exit 1
    fi

    CERT_DIR=$(dirname "$CRT_FILE")
    KEY_FILE="$CERT_DIR/key"
    echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
    echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
    echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

    if [ ! -f "$KEY_FILE" ]; then
        echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
        exit 1
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

Thanks for your tests

Edited Tuesday at 08:21 AM by sa2000
renefw 5 Posted Tuesday at 12:05 PM

Thank you for your feedback: I've now tried it. It seems to be working without an error message. Unfortunately, the same issue occurs as with the old script. The message "The certificate key has not changed" appears.

Therefore, I downloaded the certificate from /mnt/sync/.config/QcloudSSLCertificate/cert and examined it. It is the current certificate, as I suspected from the date. Here is a screenshot. I have obscured the sensitive data with a red box. The domain is also correct.

What is the problem with the old script and now with this one that, on the one hand, it doesn't recognize that the certificate and key have changed, and therefore the emby.p12 file isn't updated?

    Tue May 5 01:00:00 PM CEST 2026 - Certificate key has not changed
    CERT_DIR: /mnt/sync/.config/QcloudSSLCertificate/cert
    CRT_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    KEY_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Tue May 5 01:00:00 PM CEST 2026 - Certificate key has not changed

If you would like it and it would be helpful, I can also send you the certificate file as a private message.
sa2000 729 Posted Tuesday at 12:25 PM

9 minutes ago, renefw said:
> The message "The certificate key has not changed" appears

The "-mtime -1" check in the script looks for a file changed in the last 24 hours and would display the message if this is not the case.

You can add this line before this line and then rerun it and see what is in the logfile. So we have the lines like this:

    stat "$CRT_FILE" >> "$PFX_Log"
    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then

You could also check this manually in a putty session:

    stat /mnt/sync/.config/QcloudSSLCertificate/cert

I believe the relevant field for the "-mtime -1" check is the "Modify:" date and time, relative to the time when the script is run.
renefw 5 Posted Tuesday at 12:38 PM

I just sent you a private message with the emby.p12 file (and an expired certificate) and the current certificate.
renefw 5 Posted Tuesday at 12:51 PM

I inserted the specified line before the one described. I added the page to the check-p12.log file and ran the script. The log file still contains exactly the same information as before. No new entries were added.

The following was displayed via Putty:

    File: /mnt/sync/.config/QcloudSSLCertificate/cert
    Size: 12 Blocks: 17 IO Block: 4096 directory
    Device: 1fh/31d Inode: 423 Links: 4
    Access: (0777/drwxrwxrwx) Uid: ( 0/ admin) Gid: ( 0/administrators)
    Access: 2026-05-05 12:00:01.000000000
    Modify: 2026-05-05 11:37:00.000000000
    Change: 2026-05-05 11:37:00.000000000
sa2000 729 Posted Tuesday at 12:57 PM

Sorry, I missed adding the actual file for the putty test. It should be:

    stat /mnt/sync/.config/QcloudSSLCertificate/cert/cert

Edited Tuesday at 12:58 PM by sa2000
sa2000 729 Posted Tuesday at 12:59 PM

and can you also do

    ls -ail /mnt/sync/.config/QcloudSSLCertificate/cert
renefw 5 Posted Tuesday at 01:09 PM

I assume both are done via Putty, right?
sa2000 729 Posted Tuesday at 01:11 PM

1 minute ago, renefw said:
> I assume both are done via Putty, right?

yes
renefw 5 Posted Tuesday at 01:15 PM

    [~] # stat /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    File: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    Size: 1822 Blocks: 9 IO Block: 2048 regular file
    Device: 1fh/31d Inode: 2112 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 0/ admin) Gid: ( 0/administrators)
    Access: 2026-05-04 22:08:00.000000000
    Modify: 2026-03-26 21:50:38.000000000
    Change: 2026-03-26 21:50:38.000000000

    [~] # ls -ail /mnt/sync/.config/QcloudSSLCertificate/cert
    total 78
    423 drwxrwxrwx 4 admin administrators 12 2026-05-05 11:37 ./
    421 drwxrwxrwx 4 admin administrators 4 2026-01-10 18:11 ../
    1272 drwxr-xr-x 2 admin administrators 3 2026-01-19 20:51 account/
    2112 -rw-r--r-- 1 admin administrators 1822 2026-03-26 21:50 cert
    2113 -rw-r--r-- 1 admin administrators 1801 2026-03-26 21:50 chain
    1700 -rw-r--r-- 1 admin administrators 3522 2026-05-05 11:37 combine
    1598 -rw-rw-rw- 1 admin administrators 956 2026-03-26 21:50 csr
    1275 -rwxr--r-- 1 admin administrators 7521 2026-03-26 21:50 csr.cnf*
    1607 -rw-rw-rw- 1 admin administrators 3000 2026-03-26 21:50 intermediate.pem
    2110 -rw------- 1 admin administrators 1700 2026-03-26 21:50 key
    1635 -rw-rw-rw- 1 admin administrators 7104 2026-03-26 21:50 local_post_content
    1270 drwxr-xr-x 3 admin administrators 3 2026-01-15 20:05 .well-known/

I inserted a space before /mnt/.. because otherwise an error message would be displayed.

    [~] # stat/mnt/sync/.config/QcloudSSLCertificate/cert/cert
    -sh: stat/mnt/sync/.config/QcloudSSLCertificate/cert/cert: No such file or directory
    [~] # ls -ail/mnt/sync/.config/QcloudSSLCertificate/cert
    /bin/ls: invalid option -- '/'
    Try `/bin/ls --help' for more information.
sa2000 729 Posted Tuesday at 01:35 PM

4 minutes ago, renefw said:
> I inserted a space before /mnt/.. because otherwise an error message would be displayed.

I did have a space on the command line between "stat" and "/mnt"

4 minutes ago, renefw said:
> Modify: 2026-03-26 21:50:38.000000000
> Change: 2026-03-26 21:50:38.000000000

5 minutes ago, renefw said:
> 2112 -rw-r--r-- 1 admin administrators 1822 2026-03-26 21:50 cert
> 2113 -rw-r--r-- 1 admin administrators 1801 2026-03-26 21:50 chain
> 1700 -rw-r--r-- 1 admin administrators 3522 2026-05-05 11:37 combine
> 1598 -rw-rw-rw- 1 admin administrators 956 2026-03-26 21:50 csr
> 1275 -rwxr--r-- 1 admin administrators 7521 2026-03-26 21:50 csr.cnf*
> 1607 -rw-rw-rw- 1 admin administrators 3000 2026-03-26 21:50 intermediate.pem
> 2110 -rw------- 1 admin administrators 1700 2026-03-26 21:50 key
> 1635 -rw-rw-rw- 1 admin administrators 7104 2026-03-26 21:50 local_post_content
> 1270 drwxr-xr-x 3 admin administrators 3 2026-01-15 20:05 .well-known/

Interesting - all files except the "combine" file have 26th March as last modified date - so that is the issue.

You are sure the cert and key files are new? They have last modified date and time for 26 March.

We can check for the combine file change in the script:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Search filesystem for latest QNAP cert file
    CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
        | while read -r file; do
            stat -c "%Y %n" "$file"
          done \
        | sort -nr \
        | head -n 1 \
        | cut -d' ' -f2-)

    if [ -z "$CRT_FILE" ]; then
        echo "$now - No certificate file found." >> "$PFX_Log"
        exit 1
    fi

    CERT_DIR=$(dirname "$CRT_FILE")
    KEY_FILE="$CERT_DIR/key"
    echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
    echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
    echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

    if [ ! -f "$KEY_FILE" ]; then
        echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
        exit 1
    fi

    COMBINE_FILE="$CERT_DIR/combine"

    # Stop only when neither the cert nor the combine file changed in the
    # last 24 hours (the variable is CRT_FILE; CERT_FILE was never set)
    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        if ! find "$COMBINE_FILE" -mtime -1 | grep -q .; then
            echo "$now - Certificate & Combine files have not changed" >> "$PFX_Log"
            exit 1
        else
            echo "$now - Certificate combine file has changed - will pick the cert and key files" >> "$PFX_Log"
        fi
    fi

    echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
    echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
    echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"
    echo "$now - combine file: $COMBINE_FILE" >> "$PFX_Log"

    # rename existing pfx file
    mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

    # Run OpenSSL directly rather than through eval, so the password
    # and paths are passed as single arguments
    openssl pkcs12 -export \
        -out "$PFX_FILE" \
        -inkey "$KEY_FILE" \
        -in "$CRT_FILE" \
        -passout "pass:$PFX_PASSWORD"

    if [ $? -eq 0 ]; then
        echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
    else
        echo "$now - PFX creation failed." >> "$PFX_Log"
        exit 1
    fi
renefw 5 Posted Tuesday at 02:02 PM

The spacebar wasn't visible to me.

I'm certain that the certificate and key are valid from March 26, 2026. As you can see from the screenshot in my message from an hour ago, it's valid from March 26, 2026, 8:52:05 PM to June 24, 2026, 9:52:04 PM. You can also verify this yourself, as I sent you the certificate as a private message. The certificate in the emby.p12 file (which I also sent you privately) was created on January 22, 2026, expired after 90 days, and is therefore no longer valid.

How can this problem be resolved?

I updated the script as sent. The following was displayed in the check-p12.log:

    CERT_DIR: /mnt/sync/.config/QcloudSSLCertificate/cert
    CRT_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    KEY_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Tue May 5 03:44:05 PM CEST 2026 - Certificate combine file has changed - will pick the cert and key files
    Tue May 5 03:44:05 PM CEST 2026 - Using certificate directory: /mnt/sync/.config/QcloudSSLCertificate/cert
    Tue May 5 03:44:05 PM CEST 2026 - Certificate: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    Tue May 5 03:44:05 PM CEST 2026 - Private Key: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Tue May 5 03:44:05 PM CEST 2026 - combine file: /mnt/sync/.config/QcloudSSLCertificate/cert/combine
    Tue May 5 03:44:05 PM CEST 2026 - PFX successfully created: /share/cmd/SSL-Certificate/emby.p12
    CERT_DIR: /mnt/sync/.config/QcloudSSLCertificate/cert
    CRT_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    KEY_FILE: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Tue May 5 04:00:00 PM CEST 2026 - Certificate combine file has changed - will pick the cert and key files
    Tue May 5 04:00:00 PM CEST 2026 - Using certificate directory: /mnt/sync/.config/QcloudSSLCertificate/cert
    Tue May 5 04:00:00 PM CEST 2026 - Certificate: /mnt/sync/.config/QcloudSSLCertificate/cert/cert
    Tue May 5 04:00:00 PM CEST 2026 - Private Key: /mnt/sync/.config/QcloudSSLCertificate/cert/key
    Tue May 5 04:00:00 PM CEST 2026 - combine file: /mnt/sync/.config/QcloudSSLCertificate/cert/combine
    Tue May 5 04:00:00 PM CEST 2026 - PFX successfully created: /share/cmd/SSL-Certificate/emby.p12

The last line is what puzzles me. Why does it say that the PFX file was created successfully? The file already existed. The entry was simply added to it.
renefw 5 Posted Tuesday at 02:13 PM

I just noticed that the key in the emby.p12 file was updated at 3:44 PM and again at 4:00 PM. In both cases, it says that it has changed. Regarding the 3:44 PM update, I would understand, as it was indeed no longer up-to-date. However, regarding the 4:00 PM update, I have the feeling that it's now updating it with every execution of the cron job. It shouldn't have updated it at 4:00 PM, as it had been up-to-date since 3:44 PM.
renefw 5 Posted Tuesday at 02:18 PM

For now I will leave it as it is, so that we can see whether it continues like this after another change to the script. If it stops working, I have an emby.p12 file with an expired key from January 22, 2026, so we can try updating it once to make sure the key is current again.
sa2000 729 Posted Tuesday at 02:46 PM

Let's recap so I understand

18 minutes ago, renefw said:
> I just noticed that the key in the emby.p12 file was updated at 3:44 PM and again at 4:00 PM. In both cases, it says that it has changed

The script we are basing all this on is one that looks for a QNAP certificate that was obtained within the last 24 hours, and if it thinks this is true every time you run the script then it will recreate the emby.p12 pfx file each time - so basically the script is expected to be run once only every day, and if you run it more than once then this will arise.

32 minutes ago, renefw said:
> I'm certain that the certificate and key are valid from March 26, 2026.

OK - since this is an old certificate obtained in March. I misunderstood and thought that the QNAP had a new certificate obtained today.

So the script was correct before I made the change to check the "combine" file - so I will remove that and go back to what we had before.

So we go back to this for you to use:

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Search filesystem for latest QNAP cert file
    CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
        | while read -r file; do
            stat -c "%Y %n" "$file"
          done \
        | sort -nr \
        | head -n 1 \
        | cut -d' ' -f2-)

    if [ -z "$CRT_FILE" ]; then
        echo "$now - No certificate file found." >> "$PFX_Log"
        exit 1
    fi

    CERT_DIR=$(dirname "$CRT_FILE")
    KEY_FILE="$CERT_DIR/key"
    echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
    echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
    echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

    if [ ! -f "$KEY_FILE" ]; then
        echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
        exit 1
    fi

    if ! find "$CRT_FILE" -mtime -1 | grep -q .; then
        echo "$now - Certificate key has not changed" >> "$PFX_Log"
    else
        echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
        echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
        echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

        # rename existing pfx file
        mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

        # Run OpenSSL directly rather than through eval, so the password
        # and paths are passed as single arguments
        openssl pkcs12 -export \
            -out "$PFX_FILE" \
            -inkey "$KEY_FILE" \
            -in "$CRT_FILE" \
            -passout "pass:$PFX_PASSWORD"

        if [ $? -eq 0 ]; then
            echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
        else
            echo "$now - PFX creation failed." >> "$PFX_Log"
            exit 1
        fi
    fi

and I expect it to only succeed on the next QNAP certificate renewal, which will be in June.

So between now and June, you need to do it manually to get the emby.p12 file updated, and we wait till June 24 / 23 - I don't know how early QNAP would renew.

The cron job that you run should be to run the script once a day - it was renewed at 8:52 PM so run it at 11 pm daily to check.

For now the script cannot automatically pick the certificate and update the pfx file because it is old - from March 2026.

So you will need in terminal to run this temporary script - you should only need to run it the once (assuming it does work):

    #!/bin/sh
    now="$(date)"

    # Password for exported PFX
    PFX_PASSWORD="my password"

    # Output file
    PFX_FILE="/share/SSL-Certificate/emby.p12"

    # Log file
    PFX_Log="/share/SSL-Certificate/check-p12.log"

    # Search filesystem for latest QNAP cert file
    CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
        | while read -r file; do
            stat -c "%Y %n" "$file"
          done \
        | sort -nr \
        | head -n 1 \
        | cut -d' ' -f2-)

    if [ -z "$CRT_FILE" ]; then
        echo "$now - No certificate file found." >> "$PFX_Log"
        exit 1
    fi

    CERT_DIR=$(dirname "$CRT_FILE")
    KEY_FILE="$CERT_DIR/key"
    echo "CERT_DIR: $CERT_DIR" >> "$PFX_Log"
    echo "CRT_FILE: $CRT_FILE" >> "$PFX_Log"
    echo "KEY_FILE: $KEY_FILE" >> "$PFX_Log"

    if [ ! -f "$KEY_FILE" ]; then
        echo "$now - Private key not found: $KEY_FILE" >> "$PFX_Log"
        exit 1
    fi

    echo "$now - Using certificate directory: $CERT_DIR" >> "$PFX_Log"
    echo "$now - Certificate: $CRT_FILE" >> "$PFX_Log"
    echo "$now - Private Key: $KEY_FILE" >> "$PFX_Log"

    # rename existing pfx file
    mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

    # Run OpenSSL directly rather than through eval, so the password
    # and paths are passed as single arguments
    openssl pkcs12 -export \
        -out "$PFX_FILE" \
        -inkey "$KEY_FILE" \
        -in "$CRT_FILE" \
        -passout "pass:$PFX_PASSWORD"

    if [ $? -eq 0 ]; then
        echo "$now - PFX successfully created: $PFX_FILE" >> "$PFX_Log"
    else
        echo "$now - PFX creation failed." >> "$PFX_Log"
        exit 1
    fi
renefw 5 Posted Tuesday at 03:26 PM

Let's see if I've understood you correctly from the translation: The script is programmed to check if the QNAP certificate has been renewed within the last 24 hours. If so, the emby.p12 file is updated. If I leave the cron job, which currently runs hourly, as it is, it will report that the certificate has changed 23 or 24 times. If I change the cron job to once a day, it will only appear once in the check-p12.log file. Is that correct? Would it perhaps also be possible to change the script from 24 hours to 6 or at least 12 hours, i.e., twice a day?

No, the certificate was automatically generated by the QNAP approximately 30 days before the old one expired. Let's Encrypt SSL certificates always have a validity period of 90 days. To prevent outages due to an expired certificate, QNAP automatically renews it about 30 days before it expires.

Have I understood correctly that if "cert" and "key" remain the same names for the certificates and the key, but the directory structure where the QNAP certificate is stored changes, then this script should still find and automatically update it, provided the certificate has changed and is now located in a new path?

Currently, I cannot generate a new Let's Encrypt SSL certificate for my QNAP systems. This will be possible from approximately May 25, 2026, when it is automatically generated by the QNAP.

So, if I understand you correctly, the script should now work once the certificate is automatically updated at the end of this month. That means as soon as it's updated and the cron job runs, the certificate in the emby.p12 file will also be updated automatically? Is that correct, even though the path to the cert or key file has changed?

Does emby on the QNAP also need to be restarted to transfer the updated emby.p12 file to your app, or is simply updating the emby.p12 file sufficient?

What do you mean by: "From now until June, you'll have to update the emby.p12 file manually, and we'll wait until June 23rd/24th - I don't know how soon QNAP would renew"? The certificate in emby.p12 is up to date now. Do I understand correctly that I don't need to do anything now?

What happens if, for example, the certificate is automatically updated on May 27, 2026, on one of my QNAP systems that doesn't run 24 hours a day, and the cron job isn't executed until the next day or the day after, i.e., 25 or 49 hours later because the NAS was off in the meantime? Will it then no longer be updated automatically, meaning I would have to do it manually?
renefw 5 Posted Tuesday at 03:33 PM

Do I no longer need to run the second script, the one you mentioned needing to be executed once in the terminal, since the certificate in emby.p12 is up to date?

If the script is currently programmed to be no more than 24 hours old after the cron job runs, would it be possible to set the cron job to run every 6 hours and have it updated only once, or even run one to three days later if the system was shut down in the meantime and therefore couldn't run yet?
sa2000 729 Posted Tuesday at 03:52 PM

First I want you to get rid of the version of the script that has checks on the combine file

So the script that has this line in it "COMBINE_FILE="$CERT_DIR/combine"" - please destroy / bin / do not run anymore or ever - that was created in error because there was a misunderstanding and I thought you had a new QNAP certificate renewed today and it was not getting picked up.

3 minutes ago, renefw said:
> If the script is currently programmed to be no more than 24 hours old after the cron job runs, would it be possible to set the cron job to run every 6 hours and have it updated only once, or even run one to three days later if the system was shut down in the meantime and therefore couldn't run yet?

I am sure you can make the script more complicated but I am not going to do that. It is not necessary. You can start to use services like ChatGPT to experiment and discuss such changes. Once a day should be sufficient and if you ever miss the 24 hour window that you have to pick the new QNAP certificate, you can always run the temporary once only to run script that gets the QNAP certificate and converts it to the emby.p12 file

14 minutes ago, renefw said:
> Have I understood correctly that if "cert" and "key" remain the same names for the certificates and the key, but the directory structure where the QNAP certificate is stored changes, then this script should still find and automatically update it, provided the certificate has changed and is now located in a new path?

Yes

14 minutes ago, renefw said:
> Currently, I cannot generate a new Let's Encrypt SSL certificate for my QNAP systems. This will be possible from approximately May 25, 2026, when it is automatically generated by the QNAP.

Ok - so we wait till then and not June to see if the script is working

16 minutes ago, renefw said:
> Does emby on the QNAP also need to be restarted to transfer the updated emby.p12 file to your app, or is simply updating the emby.p12 file sufficient?

I have not tried it. You can let me know the outcome on next auto renewal and if the new certificate got used without a server restart

21 minutes ago, renefw said:
> What do you mean by: "From now until June, you'll have to update the emby.p12 file manually, and we'll wait until June 23rd/24th - I don't know how soon QNAP would renew"? The certificate in emby.p12 is up to date now. Do I understand correctly that I don't need to do anything now?

Ok - so your emby.p12 was manually updated by you and is one that expires in June 2026. If this is the case then you do not need to do anything now to update it

23 minutes ago, renefw said:
> What happens if, for example, the certificate is automatically updated on May 27, 2026, on one of my QNAP systems that doesn't run 24 hours a day, and the cron job isn't executed until the next day or the day after, i.e., 25 or 49 hours later because the NAS was off in the meantime? Will it then no longer be updated automatically, meaning I would have to do it manually?

Yes I am sure with much more complex scripts it may be possible to do it completely differently - comparing certificate expiry dates and updating the emby pfx file if it is behind - you can start a dialogue with ChatGPT and explore that idea
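The alternative raised in the last reply (check what is inside emby.p12 against the current QNAP certificate instead of relying on the 24-hour modification window) could look like this. It is an added example, not a script from the thread: it compares SHA-256 fingerprints rather than expiry dates, and the function names and the password-file argument are assumptions.

```sh
#!/bin/sh
# Added example: rebuild the PKCS#12 file only when its certificate differs
# from the source certificate. All paths are supplied by the caller.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of the leaf certificate stored inside a PKCS#12 file.
# $2 is a file holding the export password (keeps it off the command line).
p12_fp() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# sync_p12 CRT KEY P12 PASSFILE
# Prints "unchanged", "updated" or "failed"; returns non-zero only on failure.
sync_p12() {
    crt=$1 key=$2 p12=$3 pw=$4
    new=$(cert_fp "$crt") || new=""
    if [ -z "$new" ] || [ ! -f "$key" ]; then
        echo "failed"; return 1
    fi
    old=""
    if [ -f "$p12" ]; then
        old=$(p12_fp "$p12" "$pw") || old=""
    fi
    if [ "$new" = "$old" ]; then
        echo "unchanged"; return 0
    fi
    # Export to a temporary file first so a failed export never replaces
    # or removes the PKCS#12 file the server is currently using.
    tmp="$p12.tmp.$$"
    if openssl pkcs12 -export -out "$tmp" -inkey "$key" -in "$crt" \
            -passout "file:$pw" 2>/dev/null; then
        if [ -f "$p12" ]; then mv -f "$p12" "$p12.old"; fi
        mv -f "$tmp" "$p12"
        echo "updated"; return 0
    fi
    rm -f "$tmp"
    echo "failed"; return 1
}

# Run directly as: script CRT KEY P12 PASSFILE
if [ "$#" -eq 4 ]; then
    sync_p12 "$@"
fi
```

Because the decision is based on certificate content rather than file age, the cron job can run hourly, or days late after the NAS was powered off, and the file is still rebuilt exactly once per renewal.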