QNAP Hosting Websites Part 2: Using Let's Encrypt Certbot to get a free SSL Cert for the website

  • Published on 6 Sep 2024
  • Alright, we are back at it again, let's go through the steps to get this right
    Step 1) Preparation: We are assuming that you have your domain registered, and have full access to the domain folders wherever it is being hosted if you're going to do the manual file verification method, or you can log into your domain registrar without issue to add a DNS text record to do the DNS authentication method (Easier, faster, Recommended)
    Step 2) Download and install Certbot, run the command prompt as administrator and run the following command: Certbot certonly --dry-run --manual --must-staple --staple-ocsp --key-type=rsa --rsa-key-size=2048 -v
    2a: IMPORTANT --> you should attempt this with the --dry-run flag first to make sure what you're doing fully works. If you go through the full setup with it and it is successful, THEN take the --dry-run flag out and run it again to actually generate the certs. Certbot will lock you out for 1 hr if you get it wrong 5 times.
    2b: You should attempt to use --must-staple and --staple-ocsp as they are new standards emerging. In the video I didn't use them, but I plan on doing so. If for whatever reason using them messes something up, remove them, so that all you are running without the dry-run flag is: Certbot certonly --manual --key-type=rsa --rsa-key-size=2048 -v
    Step 3) It should ask you for the domain names you are registering, enter your domain names with a comma for each, and it is also recommended that you also do a wildcard subdomain version of your domain name. So if your domain name is ImNotTHatSmart.com, you should enter: ImNotTHatSmart.com, *.ImNotTHatSmart.com
    3a: Note - Certbot will default to using the file method to authenticate the website unless you use a wildcard domain, or enter a DNS flag, which can vary depending on what service you're using to manage your DNS records.
    Step 4) Unless you're renewing (in which case, just say yes or e, whatever, to continue), you should now get exact instructions for creating the DNS record for authentication.
    4a: Just follow the video, but it really isn't too complicated: you're just going to create a text record for the domain name you need. If you're doing multiple different domains (not just subdomains), pay attention to the specific challenge information you're putting in each DNS text record you have to make, and make sure each one is tied to the correct domain.
    Step 5) Hit enter in the command prompt when done (you should check it first via the Google URL Certbot gives you). After that, it should generate your certificates in the certbot folder at the root of your hard drive for Windows users.
    Step 6) Navigate to where your certificate files were created and copy them out to another folder like I did (For those not using admin accounts by default like good people are supposed to do).
    Step 7) Sign into the QNAP server, go to control panel --> Security --> SSL and then hit the replace button.
    Step 8) Select the correct certs for ALL THREE options like in the video, making sure you use the fullchain file for the intermediate option.
    Step 9) Hit apply and then check your website, you should now have an https that is not slashed through and the padlock for your website =)

Comments • 5

  • @byrd203 9 months ago

    Little tip: that file upload window supports drag and drop as well. Little secret, do try it.

  • @Zimmir 8 months ago +1

    I wonder, is there a reason why you did not use the certbot in QNAP with the container station?

    • @CodeVelazquez 5 months ago

      Was my first go-around with web hosting and using SSL certificates. I just started using the container station for hosting other stuff like my personal git repository. I like to try and keep customizations simple. Also, the built-in web hosting feature makes it available to everyone; sometimes anything extra you have to install isn't available/compatible with your particular device. For example, that personal git repository site I was talking about, I had to really dig in to install and get working a super specific, customized version for my QNAP server because of the type of OLD CPU my QNAP had. It didn't support the typical instruction set of newer ones and that complicated so much for me with getting the container up and running. This is one of many experiences in my life with stuff where I always try to default to the least amount of extra stuff to install if built-in stuff is already available. This may or may not be the best way, but I know it was always the most compatible way for me, especially when sharing with others.

  • @skurt21 7 months ago +1

    This video is not what I need to do, but by far it's the closest solution on this Earth.
    I generated my keys (and such) using some kind of script from letsencrypt.
    I have 4 files, two .crt, one .key and one json.
    In your video, in the Import certificate window, you enter three .pem files. I believe that is not necessary and I can go with a different file format.
    However, the field Private Key rejects my .key file.
    Would you be kind enough and tell me what is expected in this field?
    And if so, please don't say keys. Tell me what form and what sort of content should it be.
    Either way, thank you and have a good one!

    • @CodeVelazquez 5 months ago

      Hi there, wish I could have gotten to you sooner, but we're here now.
      Upfront, you're spot on with what you're providing, actually. I'm not 100% familiar with what you're doing; what I can say, though, is that to the best of my knowledge (which is honestly not "that" much), if it is rejecting the private key, either:
      1) It's complaining about the format (Possible, may not be likely. Just remember that the reason you are even able to generate a different file format for your keys, instead of SSL certificates being 100% a standardized, same format, is because different implementations of back-end applications process them differently. Even the intermediate certificates are not always used, so you should really take your format into consideration if you exhaust your other means. I personally never heard of your formats being an issue or of my formats being required, but I also am not that versed in that realm or familiar with what exactly you're trying to do, so always consider what you can).
      2) The application is having a match issue with your certificate and private key, and I don't know how many different reasons that could be, but one that CAN be hardware/software dependent *I think* is the encryption type used. Let's look at these two example commands:
      Certbot certonly --dry-run --manual --must-staple --staple-ocsp --key-type=rsa --rsa-key-size=*Number, default is 2048*
      Certbot certonly --dry-run --manual --key-type=ecdsa --elliptic-curve= *Number, default is secp256r1*
      These are dry runs, so they don't actually do anything, but think of the end product. Both generate certificates, but the certificate encryptions are completely different and there is a very strong likelihood that you could get one to work, but possibly not the other. And then in addition to that, there are different levels to the encryption, since you could customize the encryption type further by specifying the rsa key size and elliptic curve used in generating your keys. Now this is where it gets kinda sucky . . . . If you can't find anybody that did exactly what you want AND on the same hardware/software you used, then all those customization points are all possible points of success. Now you could and likely will be able to narrow it down if you stick with defaults for the two types, just know that you could very well be that odd one that needed further customization vs defaults.
      In my video, I had to specify the rsa key type in that way because whatever the defaults are that certbot was generating were not working. So I eventually found this to work for me.
      Again, this isn't exhaustive, and I'm not that versed in the realm of SSL certs. I just hope that whatever information you get from this and the videos helps make your trailblazing path a little easier. Good luck!
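
Added example (not from the video or its author): a pre-upload check for the three files chosen in Step 8, which also shows what a rejected .key or .crt file actually contains, as asked in the thread above. It reads only the PEM labels; which key formats the QNAP import dialog accepts is not stated on this page, and the function names, sample data and the no-passphrase-prompt rule are assumptions.

```python
import re

# PEM labels (RFC 7468 / OpenSSL) mapped to what the block holds.
KINDS = {
    "CERTIFICATE": "certificate",
    "PRIVATE KEY": "PKCS#8 private key",
    "RSA PRIVATE KEY": "PKCS#1 RSA private key",
    "EC PRIVATE KEY": "SEC1 EC private key",
    "ENCRYPTED PRIVATE KEY": "encrypted PKCS#8 private key",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def describe(data: bytes) -> list:
    """Say what each block in a candidate upload file is."""
    found = []
    for label, body in PEM_RE.findall(data.decode("latin-1")):
        kind = KINDS.get(label, "other PEM block: " + label)
        # Legacy OpenSSL passphrase-protected keys keep the plain label
        # but add Proc-Type/DEK-Info header lines inside the block.
        if "Proc-Type:" in body and "ENCRYPTED" in body:
            kind = "encrypted " + kind
        found.append(kind)
    if found:
        return found
    # No PEM armour: DER starts with an ASN.1 SEQUENCE tag (0x30).
    return ["binary DER"] if data[:1] == b"\x30" else ["unrecognised"]


def check_upload(cert: bytes, key: bytes, chain: bytes) -> list:
    """Return problems with the three files chosen for the import dialog."""
    problems = []
    c, k, ch = describe(cert), describe(key), describe(chain)
    if set(c) != {"certificate"}:
        problems.append("certificate field: " + ", ".join(c))
    if len(k) != 1 or "private key" not in k[0]:
        problems.append("private key field: " + ", ".join(k))
    elif k[0].startswith("encrypted"):
        # Assumption: the import form has no passphrase prompt.
        problems.append("private key field: key is passphrase-protected")
    if set(ch) != {"certificate"}:
        problems.append("intermediate field: " + ", ".join(ch))
    return problems


def sample_pem(label: str, extra: str = "") -> bytes:
    """Constructed placeholder block; the base64 body is not real key material."""
    return f"-----BEGIN {label}-----\n{extra}MAMCAQA=\n-----END {label}-----\n".encode()
```

To use it on real files, pass the bytes from `open(path, "rb").read()` for each of the three files; an empty list means no mix-up was found at the label level, not that the key matches the certificate.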