LE certificate chaos

NAS
DS4l8play, DS202j, DS3623xs+, DSM 7.3.3-25847
I've been troubleshooting recent CalDAV sync issues between the NAS and Thunderbird and my "smarts" landed me in a mess.

I happened to notice that on my Win10 laptop, there was no apparent cert for the NAS. First, I attempted to download the LE cert from the NAS, thinking I could import it into Windows. However, the download is apparently only for the Synology NAS as the cert file extensions weren't recognized by Windows cert import.

So I tried another approach... I logged onto the NAS via my Synology DDNS using a browser. From the browser "view site information" padlock, I opened and downloaded the cert and it came in a format that Windows cert import could use.

I imported the downloaded cert into Windows using all the basic defaults and it located itself in an "Other" tab. So I figured how smart I am.

I rebooted the PC, opened the browser and attempted to log in, BUT... the browser informed me that my cert was odd and there was a 3rd party compromise suspected, and the browser would not give me the login screen (using the DDNS). I tried an alternate DDNS with the same result.

Next, I removed the cert I imported, rebooted... and the same issue. No access.

I just now reimaged my machine back 24 hours, and all is well. When I enter the DDNS I'm taken immediately to the DSM log in.

What did I do wrong? I'm flummoxed.
 
Is that a tea tray or a tray bake? ;)

@Telos If you have an LE certificate then you shouldn't need to install any certificate on the PC. If the LE certificate doesn't list the domain or subject alternate name of the URL that you used to connect then you can add an exception for that specific connection on that browser ... it's the same that happens when an unsigned cert is used for a URL by all browsers.

If you have an unsigned certificate then you could install the server certificate and say it's trusted, but this is something I haven't done for 19 years so memory is hazy.
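
The name check described in the reply above, as an added example that is not part of the original thread: it lists the DNS names in the certificate the NAS actually serves and tests whether the hostname typed into the browser or Thunderbird is among them. The hostnames are constructed placeholders, and the wildcard rule (leftmost label only) follows RFC 6125 rather than anything stated in the thread.

```python
import socket
import ssl

# Constructed SAN list standing in for what a NAS certificate might contain.
SAMPLE_SANS = ["mynas.example.net", "*.mynas.example.net"]


def served_sans(host, port=443, timeout=5.0):
    """Return the DNS names in the certificate the server presents.

    The chain is still validated against the system trust store (an
    untrusted chain raises ssl.SSLError). Only the hostname check is
    turned off, so a name mismatch can be inspected instead of aborting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic use only
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(hostname, pattern):
    """True if a SAN entry covers the hostname; '*' spans one label only."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Wildcard must be the whole leftmost label, with a real domain after it.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def diagnose(hostname, sans):
    """Say whether the name used to connect is listed in the certificate."""
    covering = [p for p in sans if name_matches(hostname, p)]
    if covering:
        return "ok: covered by " + ", ".join(covering)
    return "mismatch: %s is not in %s" % (hostname, ", ".join(sans))


if __name__ == "__main__":
    # Offline run against the constructed list; on a live system pass
    # served_sans("<your DDNS name>") as the second argument instead.
    for name in ("mynas.example.net", "cal.mynas.example.net", "othername.example.org"):
        print(name, "->", diagnose(name, SAMPLE_SANS))
```

A "mismatch" result for the DDNS name in use means the certificate needs to be reissued with that name included, not that anything should be imported on the client.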
 
Just so I'm not offering a wrong solution, wanna be sure. What are you traying to do here exactly?
@Telos If you have an LE certificate then you shouldn't need to install any certificate on the PC. If the LE certificate doesn't list the domain or subject alternate name of the URL that you used to connect then you can add an exception for that specific connection on that browser ... it's the same that happens when an unsigned cert is used for a URL by all browsers.

When I sync Thunderbird CalDAV calendars (with my DDNS links) I occasionally get a popup about a certificate issue. The "View" certificate button doesn't open anything, and the "Allow" button is grayed out.

So I figured I would manually load the LE cert into Thunderbird to keep this from happening. As I wrote... this backfired and only made everything worse.

FWIW I also get a message to the effect that 'calendar "name here" is not presently available' when opening Thunderbird. Last night I rolled back the default calendar addon "Lightning" and these messages have stopped (temporarily?). I couldn't find any discussion of this on the Mozilla forums, so I started tweaking my Windows cert repository.
 
