Mailinglist Archive: opensuse (769 mails)

< Previous Next >
Re: [opensuse] Firefox - on the security exceptions - self-signed certificates
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Sun, 08 May 2016 10:51:30 +0200
  • Message-id: <ngmumi$34t$1@saturn.local.net>
Vojtěch Zeisek wrote:

Dne neděle 8. května 2016 10:19:59 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for
the web interface. It has self-signed certificate, but as it is
only for internal purposes, it is not any problem.

Well, current browsers do not like self-signed certificates. So, I
would suggest that you create your own CA, deploy its certificate
on all of the internal clients, create a certificate for your NAS
with matching SANs, and sign it with your own CA certificate.
This will be pretty efficient if you want to secure multiple
internal servers because you only have to deploy exactly one
certificate to get rid off all the browser warnings. I did this
for my NAS, printer, and router. If you need any help, I will be
happy to provide openssl configuration files and the corresponding
commands to create all of the above.

However, if "internal purposes" means that only a limited set of
people should access the Web Server of your NAS via a regular
domain name then

Yes, it is the case, so that I think own CA is too much work...

upgrade to DSM 6 and use Let's Encrypt to remove the necessity of
creating and deploying any CA certificate at all. I cannot do it
this way because my NAS is accessible only via VPN, intentionally.

I did upgrade to DSM 6. Do You have experience with Let's Encrypt?
I wonder why it needs port 80 opened...

That's how it communicates with the core server.

So could I allow connection on port 80 only from certain IP?

Well, Let's Encrypt in the default/automatic mode assumes you are
running a webserver on the same machine. To carry out the domain
validation, Let's Encrypt needs to access your webserver. I would
presume multiple possible source IPs, but I don't know.



--
Per Jessen, Zürich (16.5°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >