Beware: ABB will silently stop working if SSL certificate is changed

I am posting a warning for others: If the SSL certificate on your NAS is changed, all of your Active Backup for Business tasks will stop working. But it will not show up as a failure! The tasks will still show as "successful", just as of some date in the past!

This is a huge issue, as you may assume that your PCs are being backed up, and you'll still see a nice green "successful" indication, but you may have been unprotected for months.

This has happened to me 3 times now: The first time I really did change my SSL certificate. The other two times, I did not, although something must have changed. My LetsEncrypt SSL certificate is coming up for renewal soon, so I have yet to see if the renewal will break the ABB tasks again.

To get the tasks working again, you have to log in to each PC you are backing up, open the ABB agent, and Re-trust the SSL certificate. It always asks me to re-trust it twice for some reason.

Until Synology fixes this, it is a pretty valid reason for not using ABB, although I really haven't found a different solution that I like much better.

Synology knows about this issue, but they don't seem interested in fixing it. Perhaps some other people can chime in to Synology and get some action taken.
I found this too. Mentioned it part way down this thread...

The 'fix' is to use a signed SSL certificate that has either its domain, wildcard, or a subject alternative name that is the same as the domain used as the 'server address' you used when setting up the ABB agent.

If you used a server address that is not covered by the SSL certificate then, yes, you can set up the ABB agent and you will be presented with an additional pop-up window that asks you to confirm you trust the certificate. As you have experienced, once the SSL certificate is renewed then the ABB agent will silently stop connecting because it does not trust this new version of the certificate. That is regardless of whether the rest of the renewed certificate details are the same as the original certificate you trusted.

So what to do? If you're using Let's Encrypt signed certificates then:
  1. Don't access the NAS using the IP address: the certificate is against a domain not an IP address.
  2. Get a wildcard certificate for your DDNS 'myname.synology.me' and include '*.myname.synology.me'. Then set up the ABB agent using <something>.myname.synology.me for the server address.
  3. If you use a personal domain then create the certificate for the domain and connect ABB agent to that domain, i.e. mydomain.com
  4. If you use a personal domain and want to use a sub-domain then:
    1. create the certificate for the domain and include the sub-domain in the subject alternative name list.
    2. connect ABB agent to that sub-domain, i.e. abb.mydomain.com
In DSM's Control Panel, on the Security / Certificate page, click the Configure button. Now find the service 'Active Backup for Business' and assign the correct certificate that aligns with the ABB agent's server address.

There is a second ABB service which is the web portal and that also can have its SSL certificate assigned. But the ABB agent connection is not connecting to this web portal, only the main ABB service.

If you've done this correctly then you'll have fixed the silent disconnect when the SSL certificate renews. Also, if you do fix it with a properly aligned certificate for the agent's server address then the agents will start to connect again and you don't have to go round correcting each PC. I know because it's what I did too.
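The rule in the post above (the agent's 'server address' must be covered by a DNS or IP entry in the certificate's subject alternative names, otherwise you are relying on a one-off manual trust that breaks at the next renewal) can be checked from any workstation before you roll a new certificate. The script below is an added example, not Synology's code or part of the original thread. It implements the SAN matching an agent-style client performs (exact name, case-insensitive, wildcard only in the left-most label covering exactly one label, IP addresses only against IP SANs), models the manual "trust this certificate" prompt as a SHA-256 fingerprint pin (an assumption about how the agent records its trust; the thread only says it must be re-trusted after a change), and can fetch the live leaf certificate from the NAS. The ABB agent port 5510 and all hostnames, addresses and certificate bytes are assumptions constructed for the example.

```python
"""Check whether an ABB agent's configured server address is covered by the
certificate the NAS presents, and whether a renewal will break a pinned trust.

Added example; not Synology's code. Port 5510 for the ABB agent and all names,
addresses and certificate bytes below are assumptions made for illustration.
"""
import hashlib
import ipaddress
import socket
import ssl

ABB_AGENT_PORT = 5510  # assumed default ABB agent port; check your DSM


def san_covers(server_address, dns_names, ip_addresses=()):
    """True if server_address matches a SAN entry the way a TLS client checks it.

    - An IP literal only matches an IP SAN entry, never a DNS name or wildcard.
    - DNS names match case-insensitively, ignoring a trailing dot.
    - '*.example.com' matches exactly one extra label (abb.example.com), not
      the bare domain and not two labels (a.b.example.com).
    """
    try:
        addr = ipaddress.ip_address(server_address)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr == ipaddress.ip_address(ip) for ip in ip_addresses)

    host = server_address.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            # same number of labels => wildcard consumed exactly one label
            if host.count(".") == name.count("."):
                return True
    return False


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate (what you would pin)."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_der_certificate(host, port=ABB_AGENT_PORT, timeout=5.0):
    """Fetch the leaf certificate the NAS presents, without verifying it.

    Verification is disabled on purpose: we want the bytes even when the
    chain is not trusted, so we can fingerprint and compare them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def assess(server_address, dns_names, ip_addresses, pinned_fp, current_fp):
    """Classify what an agent configured with server_address will do.

    'ok'      : name is in the SAN list, renewals are accepted automatically.
    'fragile' : name is not in the SAN list; the agent only works because the
                manually trusted certificate is still the one being served.
    'broken'  : name is not in the SAN list and the certificate has changed
                since it was trusted; the agent stops connecting silently.
    """
    if san_covers(server_address, dns_names, ip_addresses):
        return "ok"
    return "fragile" if pinned_fp == current_fp else "broken"


if __name__ == "__main__":
    # Constructed sample data: a wildcard DDNS certificate and two agent configs.
    wildcard_sans = ["myname.synology.me", "*.myname.synology.me"]
    trusted = fingerprint(b"constructed DER bytes of the certificate the agent trusted")
    renewed = fingerprint(b"constructed DER bytes of the renewed certificate")
    for address in ("abb.myname.synology.me", "192.168.1.10"):
        print(address, "->", assess(address, wildcard_sans, [], trusted, renewed))
    # Live check (uncomment, assumed host/port): compare against your pinned value.
    # print(fingerprint(fetch_der_certificate("abb.myname.synology.me")))
```

Run it before and after a renewal: any agent address that reports `fragile` today will report `broken` the moment the fingerprint changes, which is exactly the silent failure described in the first post. Addresses that report `ok` are the ones the second post recommends, and those keep working across renewals because the agent is matching a name, not a specific certificate.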
The 'fix' is to use a signed SSL certificate that has either its domain, wildcard, or a subject alternative name that is the same as the domain used as the 'server address' you used when setting up the ABB agent.
In my case, the server address used by my ABB agents is just a local IP address. How would I get that to work with a SSL certificate?

Or, am I supposed to give the external address of the server, even if it is accessed locally? If I do so, will it effectively be sending my backup data out to the internet, and then back in again?
 
How would I get that to work with a SSL certificate?
You would have to add your local subnet as a SAN value inside a valid FQDN SSL cert. Not clean but it can work.

Or, am I supposed to give the external address of the server, even if it is accessed locally? If I do so, will it effectively be sending my backup data out to the internet, and then back in again?
If your router supports NAT loopback then you will be able to use your public FQDN address inside your LAN and still keep traffic inside without going around the internet and back. Also, you could set up a local DNS zone for your domain to keep things "in house" in case your router does not support loopback.
 
You would have add your local subnet as a SAN value inside a valid FQDN SSL cert. Not clean but it can work.
You could create a separate certificate for this purpose so that the LAN subnet isn't visible to Internet accessible services: i.e. assign just to the ABB server service.


Or you could run a local DNS server and resolve LAN IP to your domain.
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.