SSL on synology

Hello,

I have a synology NAS that has an ssl certificate already installed.
Is it possible that virtualhere server reads it and auto configures?

From a super happy virtualhere user.

Cheers,

Andreas

#2

No it wont find the local synology certificate. However you can just export the certificate. And use those pem files when configuring virtualhere. However the built-in synology certificate is not particularly useful because its not issued by a proper certificate authority.

#3

i see.

i have installed a certificate from a proper certificate authority.
it would be nice if virtualhere reads it and auto configures.

i'll do it manually as in FAQ

Thanks a lot

Andreas

#4

I am in the same situation as cls123 and trying to get SSL working on a Synology Dickstation DS415+.
As cls123 I do have an official certificate for my server from letsencrypt. Also, I have purchased a license for virtualhere.

I followed the instructions here (https://www.virtualhere.com/ssl_setup) and followed the following steps:
1. I stoped the virtualhere package
2. I edited the file /volume1/@appstore/VirtualHere/config.ini and added the following line
sslCert=/usr/syno/etc/certificate/system/default/fullchain.pem
Note: There are the following files in the synology certificate folder: cert.pem, chain.pem, fullchain.pem, privkey.pem
The fullchain.pem is a combination of the cert.pem and chain.pem. I tested both, "cert.pem" and "fullchain.pem".
3. I started the virtualhere package again
4. On the Windows 7 client, I downloaded the "Let’s Encrypt Authority X3 (IdenTrust cross-signed)" from here (https://letsencrypt.org/certificates/) and stored it on the local hard drive (C:/Temp/letsencrypt_cert.pem). Is this the requested "server certificate CA file" for letsencrypt?
5. I set the "Certificate Authority File" in the advanced setting menu to the file letsencrypt_cert.pem (Note: The "Client Certificate File" is empty)
Also I checked that in the client config file (C:\Users\MyUserName\AppData\Roaming\vhui.ini) the following line is present under the [General] section:
SSLCAFile=C:\\Temp\\letsencrypt_cert.pem
6. I have "Auto Find Hubs" activated but the server is not found (Note: Without SSL activated at the server side the server is found perfectly).
The system messages show the following:
2019-03-24 15:03:04 INFO :VirtualHere Client 4.6.8 starting (Compiled: Mar 11 2019 12:30:38)
2019-03-24 15:03:04 INFO :Client OS is Windows 7 (build 7601, Service Pack 1), 64-bit edition
2019-03-24 15:03:04 INFO :Using config at C:\Users\MyUserName\AppData\Roaming\vhui.ini
2019-03-24 15:03:04 INFO :IPC available at \\.\pipe\vhclient
2019-03-24 15:03:04 INFO :Using SSL CA File C:\Temp\letsencrypt_cert.pem
2019-03-24 15:03:04 INFO :Auto-find (Bonjour) on
2019-03-24 15:03:04 INFO :Auto-find (Bonjour SSL) on
2019-03-24 15:03:04 INFO :ReverseLookupService listening on port 7573 (IPv6 dual-stack)
2019-03-24 15:03:04 INFO :SSLReverseLookupService listening on port 7572 (IPv6 dual-stack)
2019-03-24 15:03:06 INFO :Error -0x0050 during SSL handshake when connecting to NameOfMyServer.local.:7574, NET - Connection was reset by peer
2019-03-24 15:03:11 INFO :assert:../src/common/event.cpp,1897,SearchDynamicEventTable,nNew != dynamicEvents.size(),
2019-03-24 15:03:40 INFO :Error -0x7280 during SSL handshake when connecting to NameOfMyServer.local.:7574, SSL - The connection indicated an EOF
2019-03-24 15:04:02 INFO :Error -0x0050 during SSL handshake when connecting to NameOfMyServer.local.:7574, NET - Connection was reset by peer

Has anyone SSL running with the virtualhere server on a synology or can give me any advice what I am doing wrong?

#5

Actually it wont work with letsencrypt because they only issue 3 month certificates and you would have to restart the virtualhere server every three months to pick up the new ones.

Basically letsenrypt certificates are almost useless for your use-case as they dont provide server identity like a real certificate authority does (i.e the ones where you need to send you company registration documents to them), so you might as well just issue yourself with a certificate using the normal ssl instructions on my website https://www.virtualhere.com/ssl_setup and then make the certificate expiry a few years.

#6

i have a comodo positive ssl now sertigo RSA Validation Secure server CA

i exported the certificate from my NAS
i get 4 files ca.key ca.crt server.key server.crt - no pem files

i created a server.pem using copy /b server.key+server.crt server.pem

i added the sslCert setting on config.ini and the the log says server started successfully using ssl server certificate.

i created ca.pem from ca.key and ca.crt as above and loaded to client but it doesn't work .
i also used openssl x509 -in ca.crt -out ca.pem -outform PEM

neither ca.pem worked

any clue what i am doing wrong?

#7

In the client right click USB Hubs->Advanced Settings->SSL->Certificate Authority File->Browse and find it there. Click save and the client will restart

Now are there any errors listed in the Client USB Hubs->System Messages when it tries to connect to the server?

#8

2019-07-26 08:41:21 INFO :VirtualHere Client 4.8.1 starting (Compiled: Jul 18 2019 10:56:05)
2019-07-26 08:41:21 INFO :Client OS is Windows 10 (build 18362), 64-bit edition
2019-07-26 08:41:21 INFO :Using config at C:\...\vhui.ini
2019-07-26 08:41:21 INFO :IPC available at \\.\pipe\vhclient
2019-07-26 08:41:21 INFO :Using SSL CA File C:\...\ca.pem
2019-07-26 08:41:22 INFO :Error -0x2700 during SSL handshake when connecting to ....:7574, X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

#9

on NAS the log says Error -0x7780 during SSL handshake, SSL - A fatal alert message was received from our peer

#10

I think you need to append all the ca.crt back to root inside the pem. Can you export the all the ca's for your certificate from the synology?

#11

i exported all the ca from synology . no good.

Has anyone SSL running with the virtualhere server on a synology or can give me any advice what I am doing wrong?

server and client with no SSL works flawlessly.

#12

Works for me. I did this

1. Requested an SSL certificate from https://ssl.comodo.com/free-ssl-certificate
2. Extracted the zip file they sent me with all the certificates in it

All the certificates comodo email you in the zip file are actually PEM files. You can determine that by looking at the crt file and see that it starts with ----BEGIN CERTIFICATE--- and the contents are base64 encoded. That is actually the format of a pem file.

3. On the synology copied the server.key and prod_virtualhere_com.crt to the /volume1/@appstore/VirtualHere directory
4. cat prod_virtualhere_com.crt server.key > server.pem
5. Stopped the virtualhere server using the DSM package manager
6. vi config.ini and added the line SSLCert=/volume1/@appstore/VirtualHere/server.pem
7. Started the virtualhere server via the DSM
8. on the client cat'ed together all the CA crts into a PEM
9. In the client right click USB Hubs->Advanced->SSL->Certificate Authority File and point it to the PEM generated in the previous step
10. When the client restarted it then connects to the synology via ssl.
11. Verified that the SSL was working by right clicking on the Synology Hub->Properties and selected all in the Address Field and it says

DiskStation.local.:7574 (192.168.1.103:7574) 
(
cert. version     : 3 
serial number     : 2E:CA:CD:7F:32:A9:FA:9D:8F:B0:E3:C6:66:DA:26:22 
issuer name       : C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA 
subject name      : OU=Domain Control Validated, OU=PositiveSSL Trial, CN=prod.virtualhere.com 
issued  on        : 2019-07-26 00:00:00 
expires on        : 2019-08-25 23:59:59 
signed using      : RSA with SHA-256 
RSA key size      : 2048 bits 
basic constraints : CA=false 
subject alt name  : prod.virtualhere.com, www.prod.virtualhere.com 
key usage         : Digital Signature, Key Encipherment 
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication 
)
#13

thanks for your time.
sometimes i feel dumb

i've got a DS210j DSM 5.2
i did as you said.
server runs fine.
on step 8 i cat'ed the CAs /usr/syno/etc/ssl/ssl.crt/ca.crt & /usr/syno/etc/ssl/ssl.key/ca.key into ca.pem and done steps 9 and 10.
still doesn't work

2019-07-27 13:43:47 INFO :VirtualHere Client 4.8.1 starting (Compiled: Jul 18 2019 10:56:05)
2019-07-27 13:43:47 INFO :Client OS is Windows 10 (build 18362), 64-bit edition
2019-07-27 13:43:47 INFO :Using config at C:\Users\.....\vhui.ini
2019-07-27 13:43:47 INFO :IPC available at \\.\pipe\vhclient
2019-07-27 13:43:47 INFO :Using SSL CA File \\office_server\private\certs\vh\3\ca.pem
2019-07-27 13:43:47 INFO :Auto-find (Bonjour) on
2019-07-27 13:43:47 INFO :Auto-find (Bonjour SSL) on
2019-07-27 13:43:48 INFO :Error -0x2700 during SSL handshake when connecting to myserver.eu:7574, X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2019-07-27 13:43:51 INFO :assert:../src/common/event.cpp,1897,SearchDynamicEventTable,nNew != dynamicEvents.size(),

#14

You wouldnt have the ca.key file ? I thought you said you got your SSL from a third party like comodo, you wouldnt get the key from them as thats how they sign their ca.

Anyway just follow the steps i said in the previous post and it will work for you.

#15

i have a comodo positive ssl

they send me 4 .crt files

myserver.crt
SectigoRSADomainValidationSecureServerCA.crt
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt

i made a pem from the 3 last files ( also combination of 2 of them ) but no luck

the free certificate lasts only 90 days.

#16

Comodo definately works as i just tested it, the only other thing i can think of is to make sure you are using the latest server for your synology here https://www.virtualhere.com/nas