Free website SSL for my NAS

  Apache, NAS, vi

I own a couple of NAS boxes and I’m using one of them right now. My StartCom certificate was about to expire, so I had to generate another CSR for the new certificate. In fact, on Apache you can just use the same one, I believe, but I wanted to ensure I used the newer 2048-bit key size. To do this on a ReadyNAS you need to generate the CSR, and I like to keep things neat, so first let’s create a directory for the year –

mkdir /etc/ssl/2016 && cd /etc/ssl/2016

We should then generate the private key and the certificate signing request –

openssl genrsa -des3 -out mynas.mydomain.com.key 2048

openssl req -new -key mynas.mydomain.com.key -out mynas.mydomain.com.csr

You then use the CSR to request your free certificate, from any authority you like. I used the free one from StartCom and got mine with a 3 year expiry, which is handy!

Once we get the pem file back, we need to remove the password you set on the private key –

openssl rsa -in mynas.mydomain.com.key -out NOPASS.mynas.mydomain.key

You can then upload it to the NAS, or copy and paste the certificate, and save it in the same directory as the file mynas.mydomain.pem. You need to edit a few settings in the /etc/ssl/openssl.cnf file. I changed –

dir = /etc/ssl

certificate = $dir/2016/mynas.mydomain.pem    # The CA certificate

private_key = $dir/2016/NOPASS.mynas.mydomain.key # The private key

I’m not sure of a good way to link the Apache config to this new certificate, so what I did was edit the file /etc/frontview/apache/apache.pem (copy it to /etc/frontview/apache/apache.pem.old first), delete the contents, and paste in the private key followed by the certificate PEM file. You could do this –

cp /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.old && cat /etc/ssl/2016/NOPASS.mynas.mydomain.key > /etc/frontview/apache/apache.pem && cat /etc/ssl/2016/mynas.mydomain.pem >> /etc/frontview/apache/apache.pem

You also need to ensure the files are owned by root:root and the permissions are set properly –

chown root:root /etc/ssl/2016/*

chmod 600 /etc/ssl/2016/*

Once that’s all done, just kill Apache and start it again.

killall apache-ssl
/usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
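
A pre-flight check for the copy into apache.pem described above, as an added example that is not part of the original post: it refuses to touch apache.pem unless the key has no passphrase, is at least 2048 bits and matches the certificate, then writes the bundle with mode 600. The function names and the KEY, CERT and TARGET variables are assumptions; the default paths are the ones used in this post.

```shell
#!/bin/sh
# Added example: pre-flight checks before replacing apache.pem.
# KEY, CERT and TARGET are assumed names; defaults are the paths from this post.
KEY=${KEY:-/etc/ssl/2016/NOPASS.mynas.mydomain.key}
CERT=${CERT:-/etc/ssl/2016/mynas.mydomain.pem}
TARGET=${TARGET:-/etc/frontview/apache/apache.pem}

# Hex RSA modulus of a private key / of a certificate's public key.
key_modulus()  { openssl rsa  -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }
cert_modulus() { openssl x509 -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }

# Key size in bits, derived from the modulus length (4 bits per hex digit).
key_bits() { m=$(key_modulus "$1"); echo $(( ${#m} * 4 )); }

# Return 0 only if the key is unencrypted, at least 2048 bits and matches the cert.
check_pair() {
    if grep -q ENCRYPTED "$1"; then
        echo "key still has a passphrase: $1" >&2; return 1
    fi
    if [ "$(key_bits "$1")" -lt 2048 ]; then
        echo "key is missing or smaller than 2048 bits: $1" >&2; return 1
    fi
    km=$(key_modulus "$1"); cm=$(cert_modulus "$2")
    if [ -z "$cm" ] || [ "$km" != "$cm" ]; then
        echo "certificate does not match key" >&2; return 1
    fi
}

# Back up the target, then write key + certificate into it with mode 600.
# The bundle is built in a temporary file so a failed check or a partial
# write never leaves Apache with a broken apache.pem.
install_bundle() {
    check_pair "$1" "$2" || return 1
    [ -f "$3" ] && cp -p "$3" "$3.old"
    tmp="$3.new.$$"
    ( umask 077 && cat "$1" "$2" > "$tmp" ) || return 1
    mv "$tmp" "$3"
}

# Usage on the NAS (as root), before restarting Apache:
#   install_bundle "$KEY" "$CERT" "$TARGET"
```

apache.pem holds the unencrypted private key, so it needs the same root-only permissions as the files under /etc/ssl/2016; the umask in install_bundle takes care of that for the new file.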

 
