Re: [opensuse] Firefox - on the security exceptions - self-signed certificates
  • From: Vojtěch Zeisek <vojtech.zeisek@xxxxxxxxxxxx>
  • Date: Sun, 08 May 2016 10:22:34 +0200
  • Message-id: <2050623.QH6bJp8Eti@veles>
On Sunday, 8 May 2016 10:19:59 CEST, Per Jessen wrote:
> Vojtěch Zeisek wrote:
> > On Saturday, 7 May 2016 17:52:32 CEST, Jan Ritzerfeld wrote:
> > > On Friday, 6 May 2016, 12:58:05, Vojtěch Zeisek wrote:
> > > > I set up a Synology NAS server and allowed only HTTPS access for the
> > > > web interface. It has a self-signed certificate, but as it is only
> > > > for internal purposes, it is not any problem.
> > >
> > > Well, current browsers do not like self-signed certificates. So, I
> > > would suggest that you create your own CA, deploy its certificate on
> > > all of the internal clients, create a certificate for your NAS with
> > > matching SANs, and sign it with your own CA certificate.
> > > This will be pretty efficient if you want to secure multiple internal
> > > servers because you only have to deploy exactly one certificate to
> > > get rid of all the browser warnings. I did this for my NAS, printer,
> > > and router. If you need any help, I will be happy to provide openssl
> > > configuration files and the corresponding commands to create all of
> > > the above.
> > >
> > > However, if "internal purposes" means that only a limited set of
> > > people should access the Web Server of your NAS via a regular domain
> > > name then
> >
> > Yes, it is the case, so I think my own CA is too much work...
> >
> > > upgrade to DSM 6 and use Let's Encrypt to remove the necessity of
> > > creating and deploying any CA certificate at all. I cannot do it this
> > > way because my NAS is accessible only via VPN, intentionally.
> >
> > I did upgrade to DSM 6. Do you have experience with Let's Encrypt? I
> > wonder why it needs port 80 opened...
>
> That's how it communicates with the core server.

So could I allow connection on port 80 only from a certain IP?

--
Vojtěch Zeisek

Komunita openSUSE GNU/Linuxu
Community of the openSUSE GNU/Linux

https://www.opensuse.org/
https://trapa.cz/
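
The own-CA route suggested in the quoted reply (create a CA, deploy its certificate on the clients, issue a NAS certificate with matching SANs and sign it with the CA), as an added example that is not part of the original thread or any poster's own files. The CA name, the host name and IP address passed in, and all file names are constructed placeholders; it assumes the openssl command-line tool is installed.

```shell
# Added example, not from the thread; "Example Internal CA" is a placeholder.
# make_internal_pki DIR HOST IP
# Writes DIR/ca.crt (deploy to every client), DIR/ca.key (keep offline),
# and DIR/server.key + DIR/server.crt (install on the NAS).
make_internal_pki() {
    dir=$1 host=$2 ip=$3
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
EOF
    # 1. Self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. CA signs the request; the SANs are taken from [v3_srv].
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions v3_srv \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# cert_matches CA_CERT SERVER_CERT HOST: succeeds only if the chain
# verifies against the CA and HOST matches a SAN entry.
cert_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

Only `ca.crt` is imported into the clients' trust stores; every further internal server gets its own key and a certificate signed by the same CA.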