Beware: ABB will silently stop working if SSL certificate is changed

[pMetal]

I am positing a warning for others: If the SSL certificate on your NAS is changed, all of your Active Backup for Business tasks will stop working. But it will not show up as a failure! The tasks will still show as "successful", just as of some date in the past!

This is a huge issue, as you may assume that your PCs are being backed up, and you'll still see a nice green "successful" indication, but you may have been unprotected for months.

This has happened to me 3 times now: The first time I really did change my SSL certificate. The other two times, I did not, although something must have changed. My LetsEncrypt SSL certificate is coming up for renewal soon, so I have yet to see if the renewal will break the ABB tasks again.

To get the tasks working again, you have to log in to each PC you are backing up, open the ABB agent, and Re-trust the SSL certificate. It always asks me to re-trust it twice for some reason.

Until Synology fixes this, it is a pretty valid reason for not using ABB, although I really haven't found a different solution that I like much better.

Synology knows about this issue, but they don't seem interested in fixing it. Perhaps some other people can chime in to Synology and get some action taken.

 

[fredbert]

I found this too. Mentioned it part way down this thread...

ABB agent on Windows 10 not running after reboot

Being a Mac person but using a PC for work for years so this may be very simple: I had assumed that the ABB agent would be automatically launched on each PC reboot. I've other applications on the PC that run automatically but ABB has no preferences so there's no way I see to enable this. Is it...

www.synoforum.com

The 'fix' is to use a signed SSL certificate that has either its domain, wildcard, or a subject alternative name that is the same as the domain used as the 'server address' you used when setting up the ABB agent.

If you used a server address that is not covered by the SSL certificate then, yes, you can setup the ABB agent and you will be presented with an additional pop-up window that asks you to confirm you trust the certificate. As you have experienced, once the SSL certificate is renewed then the ABB agent will silently stop connecting because it does not trust this new version of the certificate. That is no matter if the rest of the renewed certificate details are the same as the original certificate you trusted.

So what to do? If you're using Let's Encrypt signed certificates then:

1. Don't access the NAS using the IP address: the certificate is against a domain not an IP address.
2. Get a wildcard certificate for your DDNS 'myname.synology.me' and include '*.myname.synology.me'. Then setup ABB agent using a <something>.myname.synology.me for the server address.
3. If you use a personal domain then create the certificate for the domain and connect ABB agent to that domain, i.e. mydomain.com
4. If you use a personal domain and want to use a sub-domain then:
   1. create the certificate for the domain and include the sub-domain in the subject alternative name list.
   2. connect ABB agent to that sub-domain, i.e. abb.mydomain.com

Within DSM's Control Panel within Security / Certificate page you click the Configure button. Now find the service 'Active Backup for Business' and assign the correct certificate that aligns with the ABB agent's server address.

There is a second ABB service which is the web portal and that also can have its SSL certificate assigned. But the ABB agent connection is not connecting to this web portal, only the main ABB service.

If you've done this correctly then you'll have fixed the silent disconnect when the SSL certificate renews. Also, if you do fix it with a properly align certificate to the agent's server address then the agents will start to connect again and you don't have to go round correcting each PC. I know because it's what I did too.

 

[pMetal]

Hi Fredbert - awesome post and thank you for the info on using appropriate certificates!

 

[fredbert]

I had thought about adding this fix to that other thread but then assumed it would get buried and no-one would see it. But your thread title should help others search for this issue and so my fix will be easier to find.

 

[pMetal]

The 'fix' is to use a signed SSL certificate that has either its domain, wildcard, or a subject alternative name that is the same as the domain used as the 'server address' you used when setting up the ABB agent.

In my case, the server address used by my ABB agents is just a local IP address. How would I get that to work with a SSL certificate?

Or, am I supposed to give the external address of the server, even if it is accessed locally? If I do so, will it effectively be sending my backup data out to the internet, and then back in again?

 

[Rusty]

How would I get that to work with a SSL certificate?

You would have add your local subnet as a SAN value inside a valid FQDN SSL cert. Not clean but it can work.

Or, am I supposed to give the external address of the server, even if it is accessed locally? If I do so, will it effectively be sending my backup data out to the internet, and then back in again?

If your router supports NAT loopback then you will be able to use your public FQDN address inside your LAN and still keep traffic inside without going around the internet and back. Also, you could set up a local DNS zone for your domain to keep things "in house" in case your router does not support loopback.

 

[fredbert]

You would have add your local subnet as a SAN value inside a valid FQDN SSL cert. Not clean but it can work.

You could create a separate certificate for this purpose so that the LAN subnet isn't visible to Internet accessible services: i.e. assign just to the ABB server service.


Or you could run a local DNS server and resolve LAN IP to your domain.