Inspired by Yannik's project and http://banduccm.blogspot.co.uk/.
Use this to create an SSL certificate for your custom domain, so you can securely access your QNAP NAS from the internet. Once that is done, you can create a cron job to automatically renew the certificate before it expires.
- Your NAS is expected to be on firmware 4.3.0 or later.
- Log in to your NAS and make sure Git is installed.
- SSH is also required.
- Add the qnapclub.eu repo to the App Center. You can find the instructions here
- Go into the new Qnapclub.eu repo, and install QPython2.
- Make sure your NAS is reachable from the public internet on port 80 under the domain you want to get a certificate for.
- Create a folder to store qnap-letsencrypt in under /share/YOUR_DRIVE/. Do not create it directly in /share/, as it will be lost after a reboot!
By default, there is no ca-bundle (bundle of root certificates which we should trust) installed. Therefore we will have to download one manually.
1. On your local PC with an intact certificate store, run

       curl -s https://curl.haxx.se/ca/cacert.pem | sha1sum

2. On your NAS, in the directory you want to install qnap-letsencrypt in, run

       wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem
       sha1sum cacert.pem

3. Compare the hashes obtained in steps 1 and 2; they must match.

4. On your NAS, in the directory you were in before, run

       git config --system http.sslVerify true
       git config --system http.sslCAinfo cacert.pem
       git clone https://github.com/szech/qnap-letsencrypt.git
       mv cacert.pem qnap-letsencrypt
       cd qnap-letsencrypt
       git config --system http.sslCAinfo cacert.pem
- Edit renew_certificate and put your own values in the VARIABLES section.
- Back up the existing certificate (though we can always recover through the web GUI):

      mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig

- Run renew_certificate.sh
- Create a cron job to run renew_certificate.sh every night, which will renew your certificate if it has less than 10 days left. Add this to /etc/config/crontab:

      30 3 * * * cd /share/YOUR_INSTALL_LOCATION/qnap-letsencrypt/ && ./renew_certificate.sh >> ./renew_certificate.log 2>&1

  Then run:

      crontab /etc/config/crontab
      /etc/init.d/crond.sh restart
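The hash comparison in the CA bundle steps above can be scripted so that a mismatch stops the install instead of relying on an eyeball check. This is an added example, not part of the original README or the project's scripts; the function names `verify_ca_bundle` and `quarantine` and the `.untrusted` suffix are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example, not part of qnap-letsencrypt. verify_ca_bundle, quarantine
# and the ".untrusted" suffix are hypothetical names chosen for this sketch.
# $1 = bundle fetched with --no-check-certificate on the NAS
# $2 = SHA-1 printed on the trusted PC
# Returns 0 = safe to use, 1 = bundle rejected, 2 = bad expected hash.

quarantine() {
    # Move the file aside so git/curl cannot pick it up as a trust store.
    mv "$1" "$1.untrusted"
    echo "REJECTED $1: $2 (moved to $1.untrusted)" >&2
}

verify_ca_bundle() {
    bundle=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # An empty or truncated paste must never count as a match.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "expected hash is not 40 digits" >&2; return 2; }

    [ -s "$bundle" ] || { echo "$bundle is missing or empty" >&2; return 1; }

    # sha1sum prints "<hash>  <file>"; keep only the hash field.
    actual=$(sha1sum "$bundle" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { quarantine "$bundle" "got $actual"; return 1; }

    # curl -s also hashes an error page, so matching hashes alone do not
    # prove the file is a certificate bundle.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" ||
        { quarantine "$bundle" "no PEM certificate inside"; return 1; }
    return 0
}

# Usage on the NAS, before any "git config --system http.sslCAinfo":
#   verify_ca_bundle cacert.pem PASTE_HASH_FROM_TRUSTED_PC || exit 1
```

A passing check only shows that the NAS copy is identical to the copy the trusted PC fetched over verified TLS, which is exactly the guarantee the manual comparison is meant to give.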
I am just running the default QNAP web server on a custom domain. I had some problems getting the Python web server working in Yannik's project, so I decided to fork and pursue a different approach.
We install a custom QNAP-compatible LetsEncrypt package so we can run the letsencrypt client natively. This means we don't run the Python web server, or the acme-tiny client.
QPython2 is a convenient source for the letsencrypt client, which does not run natively on QNAP OS. QPython is sourced from here.
Only one domain is supported; you are welcome to fork and figure out your own approach ;-)
That package is not compiled for x64 and isn't working with firmware 4.3.0+
I'm no expert in Linux, NAS or encryption, so please respond if you have some feedback for me. This is just a hobby project for my own education, and peace of mind :)
Please open a pull request!
GPLv2