Category Archives: DNS

Private DNS Domains: Creating SSL Certs for Your Devices That Access Internal Servers (Updated November 23, 2023)

Leave a reply

So in my last post, we went over creating the SSL cert creation for your internal web servers. It was a nice, wildcard cert that was able to be made once and installed on many making it easier on us. Now we’ll go over making the CA certs for Android and Windows clients that will do away with that annoying Chrome nag screen about security and whatnot when accessing them and instead appear as a nice and secure website to the browser!

Crafting the Simple Configuration for Android

It’s necessary for a simple configuration for Android to have the certificate to be a CA cert. So this part establishes the part where we define that for a later step in the process.

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names
basicConstraints=CA:TRUE

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

Save it as openssl.cnf. So, this is basically exactly like the server cnf file except for one thing and that is the line where it says basicConstraints=CA:TRUE. That makes it so that you don’t get an error on importing it into Android and it will work correctly!

You do NOT need this cnf file for the Windows cert, just skip ahead!

Generating the Signing Key for Android/Windows

So, this is for both Android and Windows, it’s basically the same but with different extensions.

Android:

openssl genrsa -out privkey.pem 2048

Windows:

openssl genrsa -out privkey.key 2048

I use the different extensions here just to keep things straight in my head when working with creating these certificates because we create a .pem for Android and a .crt for Windows.

Creating the Certificate Signing Request for Android/Windows

Like in the server post is basically the same, just with a tweak to differentiate the Windows command signature some.

Android:

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf

Windows:

openssl req -new -key privkey.key -out cert.csr

So, on Android, you see that you reference the cnf file. Remember, if you are doing this on Windows, you must specify the complete DOS path to the cnf file in the command statement.

Generate the Certificate

So now we have that we can generate the two different types of certificates for Android and Windows.

Android:

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Windows:

openssl x509 -req -days 365 -in cert.csr -signkey privkey.key -out cert.crt
OR (Easier way, skip all the previous Windows steps and follow the Android steps and after generating the Android Cert just do this!)
openssl x509 -outform der -in cert.pem -out cert.crt

And there you go, certificates made, one last thing for those special devices that require attention.

Craft a Full Chain pem

Here’s how to create a quick Full Chain pem file.

cat cert.pem privkey.pem > fullchain.pem

Installing the Certs

On Windows, you want to install the cert into your Trusted Root Certificates store. I had to restart Chrome and refresh my servers (that were already running their brand new internal certs) to get the Good To Go widget in the address bar. I haven’t tested with Edge, but I assume being chromium-based it probably uses the Windows Certificate Store as well. No idea about Firefox, never had the urge to use it.

On Android 13, based on your specific device look up how to install a custom certificate on it and it should see cert.pem (which you should have emailed to yourself already) in your storage somewhere. I’ve read you’re supposed to be able to just tap the pem file and it will auto-install but that did not work on a Pixel or a Samsung device. I had to go into Settings and do it through the menu.

If you are on a Pixel that is running Android 14 like me then when you get the option from settings to select the cert, it will not show any pem files. I am not sure why, but I found a workaround. After you download it, open the Files app and delete it. Sounds crazy but stay with me. Then go into settings and go through the certificate settings to the point of picking the certificate. This should launch a Files-like window to select it, tap the 3 dots in the upper right and select Show Hidden Files. Then there you go, the deleted cert.pem file will be there and just tap it and it will be installed. Crazy I know but that worked on my Pixel 8 Pro.

That should be it for Android, just kill and relaunch Chrome and it should be like on your desktop and with no nag screen.

I generally hope this helps anyone who could use the help. I know it has reduced the years of numerous clicking and tapping to get passed the security alerts over the years.

John

Tools Rundown: IT-Tools Docker Image!

Leave a reply

IT-Tools docker container is a very large suite of one-off tools and utilities that you access via a web interface. It is very easy to get running in Docker via Portainer and it is also very easy to use. I see this as a utility tool for all types of people in the IT field from admins to programmers as it really covers the gamut of tools that it provides.

How to get it going in Docker on my *nix system (this works for Synology as well)

Using Compose here is the basic gist of getting it up and running in Portainer. In Portainer, add a new stack, name it what you will, and then in the editor, paste the following:

version: '3.9'
services:
    it-tools:
        image: 'corentinth/it-tools:latest'
        restart: always
        ports:
            - '5545:80'
        container_name: IT-Tools

Then click on the “Deploy Stack” button and let it do its work. You should get a message that the stack was deployed successfully once it is finished.

I honestly have no idea how to do this in Windows as that demon child of an implementation of Docker is just weird and hard to understand versus the *nix versions.

Accessing IT-Tools

Once the stack is up and running, open your browser and navigate to: http://<ipaddressofdockerhost>:5545

This should open up this page for you.

And that is all there is to it! Just click an option to open it and use it, it’s all web-based. There is literally something that everyone can use quite often in their trade I believe and it definitely worth the 10-15 minutes it takes to get it going. Just bookmark it in your browser and then you have a great go-to tool for those things that you need a converter or other utility for.

You can choose a light or dark mode, as you can see from the screenshot I have it in dark mode. You can favorite utilities and tools as well and it will pin them to the top of the page as well.

I do hope you take a few minutes and try it out. It’s just a well-thought-out app that just ticks all the marks and that is few and far between these days. You rarely come across something like this.

John

Using Certbot with WSL on Windows to obtain wildcard certifications via DNS authorization (for DNS providers that provide support for the DNS challenge, i.e. Route53 or Google Domains) to Let’s Encrypt for your Synology NAS or SRM!

Leave a reply

โ€

Image Source: FreeImagesโ€

Are you looking to secure your Synology NAS or SRM with a wildcard SSL certificate? Look no further! In this article, we’ll show you how to use Certbot with Windows Subsystem for Linux (WSL) on your Windows machine to obtain wildcard certifications via DNS authorization. This is the manual way to do it, but there is also an automated way as well. But learning the manual way will help you to better understand the process of how it all works!

Understanding wildcard certifications and DNS authorization

To understand the importance of wildcard certifications and DNS authorization, let’s first take a closer look at what they are. A wildcard SSL certificate allows you to secure not only your main domain but also all its subdomains. This is especially useful if you have multiple subdomains or if you plan to create new subdomains in the future.

DNS authorization is a method used by Let’s Encrypt to verify that you have control over the domain for which you are requesting a certificate. With DNS authorization, you prove ownership of the domain by adding a specific DNS record provided by Let’s Encrypt to your DNS provider’s configuration.

Setting up Windows Subsystem for Linux (WSL) on Windows

Before we can start using Certbot with WSL on Windows, we need to set up the Windows Subsystem for Linux. WSL allows you to run a Linux distribution alongside your Windows operating system, enabling you to use Linux tools and applications on your Windows machine.

To set up WSL, follow these steps:

  1. Open the Windows PowerShell as an administrator.
  2. Run the following command to enable the WSL feature: wsl --install
  3. Wait for the installation to complete and restart your computer.

Once the installation is complete, you can proceed to the next step of configuring your DNS provider for DNS challenge support.

Configuring DNS provider for DNS challenge support

To obtain wildcard certifications via DNS authorization, you need to configure your DNS provider to support the DNS challenge. Currently, popular DNS providers like Route53 and Google Domains provide support for the DNS challenge, making it easy to obtain SSL certificates from Let’s Encrypt.

To configure your DNS provider for DNS challenge support, follow these steps:

  1. Log in to your DNS provider’s control panel.
  2. Navigate to the DNS settings for your domain.
  3. Look for an option to add a DNS record and select the TXT record type.
  4. Enter the DNS record provided by Let’s Encrypt in the value field.
  5. Save the changes and wait for the DNS record to propagate.

Once your DNS provider is configured, we can move on to installing Certbot on WSL.

Installing CertBot on WSL

Certbot is a popular open-source tool that simplifies the process of obtaining and managing SSL certificates. It supports various plugins, including the DNS plugin, which allows you to use DNS authorization to obtain wildcard certifications.

To install Certbot on WSL, follow these steps:

  1. Open the WSL terminal on your Windows machine.
  2. Update the package manager by running the following command: sudo apt update
  3. Install Certbot by running the following command: sudo apt install certbot

Once Certbot is installed, we can proceed to the next step of obtaining wildcard certifications with Certbot and DNS authorization.

Obtaining wildcard certifications with CertBot and DNS authorization

Now that Certbot is installed, we can use it to obtain wildcard certifications via DNS authorization. To do this, follow these steps:

  1. Open the WSL terminal on your Windows machine.
  2. Run the following command to obtain the wildcard certificate: sudo certbot certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.yourdomain.com"
  3. Follow the prompts to add the DNS record provided by Certbot to your DNS provider’s configuration.
  4. Wait for the DNS record to propagate and for Let’s Encrypt to verify the DNS challenge.
  5. Once the verification is complete, Certbot will generate your wildcard certificate and store it in the appropriate directory.

With your wildcard certificate obtained, we can now configure your Synology NAS or SRM for SSL/TLS using the wildcard certifications.

Configuring Synology NAS or SRM for SSL/TLS using wildcard certifications

To configure your Synology NAS or SRM for SSL/TLS using the wildcard certifications obtained from Let’s Encrypt, follow these steps:

  1. Log in to your Synology NAS or SRM web interface.
  2. Navigate to the Control Panel and select “Security.”
  3. Go to the “Certificate” tab and click on “Add.”
  4. Select “Import a certificate” and choose the option to import the certificate from a file.
  5. Browse to the directory where Certbot stored your wildcard certificate and select the appropriate files.
  6. Click “Next” and follow the prompts to complete the certificate import process.
  7. Once the certificate is imported, go to the “General Settings” tab and select the wildcard certificate for HTTPS connections.

Congratulations! Your Synology NAS or SRM is now secured with a wildcard SSL certificate obtained via DNS authorization. Your sensitive data is protected, and your users can enjoy a seamless and encrypted connection.

Automating certificate renewal with CertBot and cron jobs

To ensure that your wildcard certificate remains valid, it’s important to set up automated certificate renewal. With Certbot and cron jobs, you can automate the renewal process, so you don’t have to worry about manually renewing your certificates.

To set up automated certificate renewal with Certbot and cron jobs, follow these steps:

  1. Open the WSL terminal on your Windows machine.
  2. Run the following command to edit the crontab file: sudo crontab -e
  3. Add the following line to the crontab file to schedule the renewal process: 0 0 1 * * /usr/bin/certbot renew
  4. Save the changes and exit the editor.

By scheduling the renewal process to run once a month, you can ensure that your wildcard certificate is always up to date.

Troubleshooting common issues with CertBot and DNS authorization

While using Certbot with DNS authorization is generally straightforward, you may encounter some common issues along the way. Here are a few troubleshooting tips to help you overcome these issues:

  1. Check your DNS provider’s configuration to ensure that the DNS record is correctly added.
  2. Verify that the DNS record has propagated by using a DNS propagation checking tool.
  3. Double-check the spelling and syntax of the DNS record.
  4. Ensure that your DNS provider’s API credentials are correctly configured in Certbot.

If you still encounter issues, refer to the Certbot documentation or seek assistance from the Certbot community for further guidance.

Final thoughts

We have explored how to use Certbot with Windows Subsystem for Linux (WSL) on your Windows machine to obtain wildcard certifications via DNS authorization. We have covered the steps of setting up WSL, configuring your DNS provider for DNS challenge support, installing Certbot, obtaining wildcard certifications, configuring your Synology NAS or SRM, automating certificate renewal, and troubleshooting common issues.

By following these steps, you can secure your Synology NAS or SRM with a wildcard SSL certificate, providing a comprehensive security solution for your sensitive data. With Certbot and Let’s Encrypt, the process of obtaining and managing SSL certificates is made easier, allowing you to focus on what matters mostโ€”protecting your data and ensuring a seamless user experience.

So, what are you waiting for? Dive in and secure your NAS or SRM today!

Note: The content provided in this article is for informational purposes only. It is always recommended to refer to the official documentation and seek professional assistance when dealing with SSL certificates and server configurations.

John