LE cert error via webdav, https is fine

makon

Hi

I do have strange behaviour with my DS218j running DSM7; maybe someone has a clue what's going on.
The NAS is reachable by DDNS and a LE cert. Connecting through https works fine, but webdav keeps telling me the cert is not valid. It worked fine for a long time, but since LE changed their cert structure (?) things became nasty.

So I did an SSL check.

https:

MOD > removed the image because it contained the FQDN of your domain.

webdav:

webdav.png


I don't get it, since it's the same cert.
 

makon

1.png

It's all the same. I tried ftps with the same result as webdav: "unknown certificate".
Even renewing the certificate didn't help.
 

makon

How do I purge the cache on the diskstation?
It has to be a server-side problem as all clients show the error.
 

makon

You were right, it just appears using Android (11). Thanks for the hint.
Do you have a clue how to clear the cache in Android? Seems to be an Android thing because it affects different apps using Android's SSL layer.
 

makon

Tried it but no effect. Nevertheless I tried another Android device with the same result...
So I guess it's Android related, as Windows has no problems.

a.png


I can't imagine Android having such an issue...
Does anybody else have a similar setup (android=>webdav=>LE=>synology)?
 
I doubt that Android in general has problems with Let's Encrypt.

Usually a "certificate" comes with privatekey.pem, certificate.pem, chain.pem and fullchain.pem.

The privatekey.pem is the private key used by the https service to establish transport security.
The certificate.pem is the public key, served by the https service and is used to identify and trust the private key of the https service.
The chain.pem is the public key of all intermediary CAs between your certificate.pem and the root CA.
The fullchain.pem is the combination of certificate.pem and chain.pem - typically you want to use this instead of the certificate.pem.

Some https server applications require certificate.pem and chain.pem to be configured individually, some only allow one certificate and expect the fullchain.pem to be used.

Why do we need the chain.pem at all? It is the "missing link" in the chain of trust. If your client just knows the root CA, and does not know the required intermediate CAs, the chain of trust is broken and no https context will be created.

I can only imagine that your webdav service lacks the chain.pem, as in it used the cert.pem where it should have used the fullchain.pem.

This is how https works in general, regardless of which protocol is embedded in it.
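
The missing-intermediate failure described in the post above, reproduced offline as an added example (not part of the original thread): a throwaway root, intermediate and leaf are generated with openssl, and a client that trusts only the root checks what the server sends, first cert.pem alone and then fullchain.pem. The demo-*.example.test names and the functions make_demo_pki, served_ok and cert_count are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI; nothing here is a real Let's Encrypt certificate.
set -eu

# Build root CA -> intermediate CA -> leaf in directory $1 (throwaway keys, 2-day validity).
make_demo_pki() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do   # one key and CSR per tier
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/cert.pem" 2>/dev/null
  # fullchain.pem = leaf followed by the intermediate, as in the post above
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# $1 = root the client trusts, $2 = PEM bundle the server is configured to send.
# The first certificate in the bundle is verified; the rest are untrusted helpers.
served_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_demo_pki "$PKI"
for f in cert.pem fullchain.pem; do
  if served_ok "$PKI/root.pem" "$PKI/$f"; then
    verdict="chain builds to the trusted root"
  else
    verdict="FAILS, issuer of the leaf is not available"
  fi
  echo "$f ($(cert_count "$PKI/$f") certificate(s)): $verdict"
done
```

Against a live service, `openssl s_client -connect <host>:<port> -showcerts` prints the certificates the server actually sends, which can be counted the same way.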
 

makon

Completely forgot to ask what files were used with this LE cert.
I use the built-in function in DSM to get the certificate. There was nothing more to do and everything worked fine, since LE is using an intermediate certificate.
Usually a "certificate" comes with privatekey.pem, certificate.pem, chain.pem and fullchain.pem.
I downloaded and installed chain.pem to my Android device and now everything works fine. But AFAIK the intermediate certificate has to be on the server side, not on the client.
In my opinion Android can't handle the intermediate cert or DSM 7 fails to serve it...

Am I the only one facing this problem? Would be very strange since android => webdav (LE cert) => DSM 7 shouldn't be that uncommon.
 
