LE certificate chaos

[Telos]

I've been troubleshooting recent caldav sync issues between the NAS and Thuderbird and my "smarts" landed me in a mess.

I happened to notice that on my Win10 laptop, there was no apparent cert for the NAS. First, I attempted to download the LE cert from the NAS, thinking I could import it into Windows. However, the download is apparently only for the Synology NAS as the cert file extensions weren't recognized by Windows cert import.

So I tried another approach... I logged onto the NAS via my Synology DDNS using a browser. From the browser "view site information" padlock, I opened and downloaded the cert and it came in a format that Windows cert import could use.

I imported the downloaded cert into Windows using all the basic defaults and it located itself in an "Other" tab. So I figured how smart I am.

I rebooted the PC, opened the browser and attempted to log in, BUT... the browser informed me that my cert was odd and there was a 3rd party compromise suspected, and the browser would not give me the login screen (using the DDNS). I tried an alternate DDNS with the same result.

Next, I removed the cert I imported, rebooted... and the same issue. No access.

I just now reimaged my machine back 24 hours, and all is well. When I enter the DDNS I'm taken immediately to the DSM log in.

What did I do wrong? I'm flummoxed.

 

[Rusty]

Just so I'm not offering a wrong solution, wanna be sure. What are you traying to do here exactly?

 

[fredbert]

traying

Is that a tea tray or a tray bake?

@Telos If you have a LE certificate then you shouldn't need to install any certificate on the PC. If the LE certificate doesn't list the domain or subject alternate name of the URL that you used to connect then you can add an exception for that specific connection on that browser ... it's the same that happens when an unsigned cert is used for and URL by all browsers.

If you have an unsigned certificate then you could install the server certificate and say it's trusted, but this is something I haven't done for 19 years so memory is hazy.

 

[Telos]

Just so I'm not offering a wrong solution, wanna be sure. What are you traying to do here exactly?

@Telos If you have a LE certificate then you shouldn't need to install any certificate on the PC. If the LE certificate doesn't list the domain or subject alternate name of the URL that you used to connect then you can add an exception for that specific connection on that browser ... it's the same that happens when an unsigned cert is used for and URL by all browsers.

When I sync Thuderbird CalDAV calendars (with my DDNS links) I occasionally get a popup about a certificate issue. The "View" certificate button doesn't open anything, and the "Allow" button is grayed out.

So I figured I would manually load the LE cert into Thunderbird to keep this from happening. As I wrote... this backfired and only made everything worse.

FWIW I also get a message to the effect that 'calendar "name here" is not presently available' when opening Thunderbird. Last night I rolled back the default calendar addon "Lightning" and these messages have stopped (temporarily?). I couldn't find any discussion of this on the Mozilla forums, so I started tweaking my Windows cert repository.