0

I just added a NAS (network attached storage) to my LAN and I'd like to access it via HTTPS. Everything works, except that when I browse to it, Chrome responds with "Not Secure" in the address bar, and there's a strikethrough line in the "https" protocol part of the URL. I'm having a similar problem with Mozilla Firefox.

Steps

  1. On my PC, which is running Linux Mint 17.3, I created a root certificate authority by executing sudo /usr/lib/ssl/misc/CA.sh -newca.
  2. I logged into the NAS using http and created a CSR (certificate signing request), which I then downloaded to my PC. The file has a .csr extension.
  3. I then signed the .csr file using the command sudo openssl ca -out myCert.pem -infiles myCert.csr.
  4. I imported the certificate myCert.pem into the NAS using its web interface.
  5. I added the CA certificate myCaCert.pem on my PC to its certificate store by moving it to /usr/share/ca-certificates/extra/myCaCert.crt and then running sudo dpkg-reconfigure ca-certificates.
  6. I then checked that the end certificate myCert.pem file worked okay by running openssl verify myCert.pem. The output was "myCert.pem: OK".
  7. I then imported the root certificate myCaCert.pem file into Mozilla Firefox and Chrome.

After completing these steps, Firefox and Chrome both show that the URL for the NAS via https is insecure. Is it necessary to set up a service on my PC that has the myCaCert.pem file in order to serve the file? Not sure what to do at this point...

EDIT

As suggested by dave_thompson_085, I checked the security errors in Chrome in the developer tools. The following two errors are being displayed:

(1) Subject alternative name missing: The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

(2) Certificate error: There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

I thought subject alternative names were optional.... I'll try generating another CSR with a SAN....

Andrew
  • This isn't an answer. But I know Firefox on Windows will NOT use the Windows certificate store. This is why I refuse to support Firefox in any corporate environment. Mozilla feels they have an ethical duty to force their own certificate store on their users in the name of "security." So there may be no solution in regards to Firefox. – Appleoddity Oct 11 '17 at 01:37
  • @Appleoddity: Thanks for the tip. In Firefox, I went to "Preferences" and searched for "certificates". Then clicked the button "View certificates" and added the myCaCert.pem certificate to the category of certificates labelled "Authorities". I tried something similar with chrome, but it didn't seem to help in either case:( – Andrew Oct 11 '17 at 01:46
  • 1
    AFAIK both FF and Chrome give an error page, not just an address bar warning, for untrusted issuer. If there is an error page click Advanced and look at (or tell us) what they say; otherwise if you click in or next to the barred or gray https, what exactly do they say is bad? – dave_thompson_085 Oct 11 '17 at 08:20
  • 1
    If certificate is correctly created and configured in the NAS's http server - even with self-signed CA - and this CA added to browser's truststore, no warning will be sent. Note: the server certificate usually needs to have alias extensions with domain and or ip-addresses depending on URL you use to invoke https – tonioc Oct 11 '17 at 12:53
  • Thanks @tonioc. I'm not sure I understand your note. By alias extensions, do you mean subject alternative names? I added an edit to the question as per the comment by dave_thompson_085, since that might be what's causing the issue. – Andrew Oct 11 '17 at 15:19
  • 1
    yes indeed I was talking about subject alternative names. These are added in extfile passed to openssl x509 request. – tonioc Oct 12 '17 at 11:01

1 Answer

0

The comments posted by dave_thompson_085 and tonioc were instrumental in tracking down the problem. Unfortunately, the CSR created by the NAS that I'm using, which is a Synology DS916+, does not have an option to include SANs (subject alternative names) in the request. As a result, I used openssl to create a certificate request on my PC, instead, which I then signed using the same method (openssl ca ...) as posted in the original question. I needed to use a custom .cnf config file with the openssl command, one for making the request and one for signing it, in order to get the SANs to show up in the end certificate. However, after importing that certificate into the NAS, the issue that was occurring with Chrome and Firefox ceased.

Andrew
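The following is an added example, not part of the original post: it issues two certificates from a throwaway CA, one without and one with a SAN, to show why `openssl verify` reported OK in step 6 while the browsers still rejected the name. It signs with `openssl x509 -req -extfile` (the route tonioc's comment mentions) rather than `openssl ca`; the names `nas.lan`, `192.168.1.50` and "Demo Home CA" are constructed placeholders.

```shell
#!/bin/sh
# Added example. nas.lan, 192.168.1.50 and "Demo Home CA" are constructed
# placeholders; everything is written to a throwaway temp directory.
set -eu

# issue_cert DIR NAME [SAN]: create a key + CSR for CN=nas.lan and sign it with
# the CA in DIR. Extensions come from an -extfile at signing time; if no SAN is
# passed, the issued certificate has none (the situation in the question).
issue_cert() {
    dir=$1; name=$2; san=${3:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nas.lan" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\n' > "$dir/$name.ext"
    [ -z "$san" ] || printf 'subjectAltName = %s\n' "$san" >> "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# chain_ok DIR NAME: what `openssl verify` checks, i.e. the signature chain only.
chain_ok() { openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1; }

# cert_san FILE: print the SAN entries of a certificate, or nothing if absent.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Throwaway root CA standing in for the one made by CA.sh -newca.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Home CA" -days 365 \
    -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" 2>/dev/null

issue_cert "$DEMO_DIR" nosan
issue_cert "$DEMO_DIR" withsan "DNS:nas.lan,IP:192.168.1.50"

# Both certificates chain to the CA; only one carries the names browsers match.
for n in nosan withsan; do
    if chain_ok "$DEMO_DIR" "$n"; then chain=OK; else chain=FAIL; fi
    echo "$n: chain=$chain san=[$(cert_san "$DEMO_DIR/$n.pem")]"
done
```

Both certificates pass the chain check, so a successful `openssl verify` says nothing about whether the SAN the browser needs is present; inspect the issued certificate's extensions before importing it into the NAS.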