Mailinglist Archive: opensuse (769 mails)

Re: [opensuse] Firefox - on the security exceptions - self-signed certificates
  • From: Vojtěch Zeisek <vojtech.zeisek@xxxxxxxxxxxx>
  • Date: Sun, 08 May 2016 10:05:15 +0200
  • Message-id: <7137126.oOzx7rXFCQ@veles>
On Saturday, 7 May 2016, 17:52:32 CEST, Jan Ritzerfeld wrote:
> On Friday, 6 May 2016, 12:58:05, Vojtěch Zeisek wrote:
> > I set up a Synology NAS server and allowed only HTTPS access for the web
> > interface. It has a self-signed certificate, but as it is only for internal
> > purposes, it is not any problem.
>
> Well, current browsers do not like self-signed certificates. So, I would
> suggest that you create your own CA, deploy its certificate on all of the
> internal clients, create a certificate for your NAS with matching SANs, and
> sign it with your own CA certificate.
> This will be pretty efficient if you want to secure multiple internal
> servers because you only have to deploy exactly one certificate to get rid
> of all the browser warnings. I did this for my NAS, printer, and router.
> If you need any help, I will be happy to provide openssl configuration
> files and the corresponding commands to create all of the above.
>
> However, if "internal purposes" means that only a limited set of people
> should access the Web Server of your NAS via a regular domain name then

Yes, it is the case, so I think my own CA is too much work...

> upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating
> and deploying any CA certificate at all. I cannot do it this way because my
> NAS is accessible only via VPN, intentionally.

I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I wonder
why it needs port 80 opened...

--
Vojtěch Zeisek

Komunita openSUSE GNU/Linuxu
Community of the openSUSE GNU/Linux

https://www.opensuse.org/
https://trapa.cz/
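
The own-CA route described in the quoted reply above (create a CA, issue a server certificate with matching SANs, sign it with the CA), as an added example that is not part of the original thread and is not either poster's configuration. The host name, IP address, CA name, file names and lifetimes are constructed placeholders.

```shell
# Added example. Host, IP, CA name, file names and lifetimes are placeholders.
# Create a private root CA and a CA-signed server certificate in directory $1
# for DNS name $2 and IP address $3. Runs in a subshell so umask stays local.
make_internal_pki() (
    dir=$1; host=$2; ip=$3
    umask 077                       # private keys readable by the owner only
    # Own config, so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Extensions for the server certificate; browsers match the SAN, not the CN.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
EOF
    # 1. Self-signed CA certificate: the one file to import on every client.
    #    -nodes leaves ca.key unencrypted for this demo; protect a real CA key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || exit 1
    # 2. Key and signing request for the server (the NAS in the thread).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || exit 1
    # 3. Sign the request with the CA, adding the SAN extensions.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 397 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
)

# Return 0 if server.crt chains to ca.crt and its SAN lists DNS name $2.
check_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2" || return 2
}

demo=$(mktemp -d)
make_internal_pki "$demo" nas.home.example 192.0.2.10 && check_server_cert "$demo" nas.home.example && echo "chain and SAN OK"
rm -rf "$demo"
```

Only ca.crt is distributed to clients; ca.key stays with whoever issues certificates, and server.key and server.crt go onto the server. Further internal servers reuse step 2 and step 3 with the same CA.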