LE certificate chaos

I've been troubleshooting recent CalDAV sync issues between the NAS and Thunderbird and my "smarts" landed me in a mess.

I happened to notice that on my Win10 laptop, there was no apparent cert for the NAS. First, I attempted to download the LE cert from the NAS, thinking I could import it into Windows. However, the download is apparently only for the Synology NAS as the cert file extensions weren't recognized by Windows cert import.

So I tried another approach... I logged onto the NAS via my Synology DDNS using a browser. From the browser "view site information" padlock, I opened and downloaded the cert and it came in a format that Windows cert import could use.

I imported the downloaded cert into Windows using all the basic defaults and it located itself in an "Other" tab. So I figured how smart I am.

I rebooted the PC, opened the browser and attempted to log in, BUT... the browser informed me that my cert was odd and there was a 3rd party compromise suspected, and the browser would not give me the login screen (using the DDNS). I tried an alternate DDNS with the same result.

Next, I removed the cert I imported, rebooted... and the same issue. No access.

I just now reimaged my machine back 24 hours, and all is well. When I enter the DDNS I'm taken immediately to the DSM log in.

What did I do wrong? I'm flummoxed.
 
Is that a tea tray or a tray bake? ;)

@Telos If you have a LE certificate then you shouldn't need to install any certificate on the PC. If the LE certificate doesn't list the domain or subject alternate name of the URL that you used to connect then you can add an exception for that specific connection on that browser ... it's the same that happens when an unsigned cert is used for a URL by all browsers.

If you have an unsigned certificate then you could install the server certificate and say it's trusted, but this is something I haven't done for 19 years so memory is hazy.
 
Just so I'm not offering a wrong solution, wanna be sure. What are you traying to do here exactly?

When I sync Thunderbird CalDAV calendars (with my DDNS links) I occasionally get a popup about a certificate issue. The "View" certificate button doesn't open anything, and the "Allow" button is grayed out.

So I figured I would manually load the LE cert into Thunderbird to keep this from happening. As I wrote... this backfired and only made everything worse.

FWIW I also get a message to the effect that 'calendar "name here" is not presently available' when opening Thunderbird. Last night I rolled back the default calendar addon "Lightning" and these messages have stopped (temporarily?). I couldn't find any discussion of this on the Mozilla forums, so I started tweaking my Windows cert repository.
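The name check mentioned in the reply above (does the certificate list the hostname you connected with?) can be done offline, together with a validity-period check. This is an added example, not part of the thread; the hostnames, dates and the `diagnose` helper are constructed for illustration, and the certificate is assumed to be a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificate (not taken from any real NAS).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "nas.example.net"), ("DNS", "*.nas.example.net")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}

def san_dns_names(cert):
    """Return the DNS entries of the subjectAltName extension, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def _when(text):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def diagnose(cert, host, now=None):
    """List the reasons a client would warn about this cert for this host."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = san_dns_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append(f"name mismatch: {host} not in SAN {names}")
    if now < _when(cert["notBefore"]):
        problems.append("not yet valid")
    if now > _when(cert["notAfter"]):
        problems.append(f"expired on {_when(cert['notAfter']):%Y-%m-%d}")
    return problems

if __name__ == "__main__":
    feb = datetime(2025, 2, 1, tzinfo=timezone.utc)
    for h in ("nas.example.net", "files.nas.example.net", "other.example.net"):
        print(h, diagnose(SAMPLE_CERT, h, now=feb) or "ok")
```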
 
