
Private DNS Domains: Creating SSL Certs for Your Web Servers and Devices That Access Them (Updated November 23, 2023)

It’s pretty easy to get a growing internal network going at home now, with devices getting cheaper and whatnot. But I myself don’t particularly feel the need to expose them to the internet and only use them for myself. What I don’t like is the nagging from Chrome about how this site is not secure, for whatever reason, on my desktop or my tablet or phone. So I sat down this weekend and worked out how to create a cert for my web serving stuff and a CA cert for my end-use devices that made Chrome be quiet and happy and think everything was nice and secure. Here’s how I did it for the server side; later today or tomorrow I will add a post on how to do the client cert.

Install openssl on your working machine and buckle up!

Once you have openssl installed you need to do this twice: once for the web servers, and once for the CA that the end-user devices will trust so that they accept the cert you made before.

The first thing is to generate a configuration file, because we are going to make a wildcard certificate to keep from having to generate a separate cert for each server. Here’s the configuration example:

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = Texas
localityName           = Who Hee
organizationName       = Your Org
organizationalUnitName = Your Org Name
commonName             = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

(Added more depth to CNF file)

OK, on *nix you can save that in whatever directory you are going to run the openssl commands from, since a relative -config path is resolved against the directory the command is executed in. Save the file as: openssl.cnf

On Windows, you need to change the commands below (literally the text that follows) wherever openssl.cnf is mentioned so that they point to the full path where the config file is saved.

Generate the Signing Key

Next up we generate the signing key:

openssl genrsa -out privkey.pem 2048

That is it!

Generate the Certificate Signing Request

Now we generate the CSR from which our actual server cert will be created.

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf (Updated to add -config option to CSR request)

That was nice and easy as well; now on to generating the server’s certificate!

Create the Actual Server Certificate

Now to the almost final step which is to create the cert to be installed on all the internal servers.

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Here is where we reference openssl.cnf again (the -extensions req_ext and -extfile options) so the SAN entries are copied into the cert and we get our wildcard cert. Windows users, remember to give the complete path to the actual cnf file and to quote it if it contains spaces.

One Last Thing For Those Special Needs Servers

For those servers (e.g. Synology) that also require a full chain pem file, you can create it like this from *nix:

cat cert.pem privkey.pem > fullchain.pem

OK, the server cert is done; you should be able to add it to your web servers now. I’ll be putting up the client portion for Android and Windows client CA certs sometime later today or tomorrow so that the annoying Chrome nag screen goes away.
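Here is the whole server-side procedure scripted end to end, as an added example that is not part of the original post: it writes the same openssl.cnf for a domain you pass in, runs the three openssl commands above, and then checks the result the way a TLS client would (SAN contents and hostname matching via openssl verify). It assumes a POSIX shell with openssl on the path; the demo domain and temporary directory are constructed for the example.

```shell
# Added example (not from the post): scripts the server-side steps above for any
# internal domain, then checks the result as a TLS client would.
set -eu

make_wildcard_cert() {  # $1 = work dir, $2 = internal domain, e.g. yourinternaldomain.local
  wd=$1; dom=$2
  mkdir -p "$wd"
  # Same layout as the openssl.cnf in the post, with the domain filled in.
  cat > "$wd/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = Texas
localityName           = Who Hee
organizationName       = Your Org
organizationalUnitName = Your Org Name
commonName             = *.$dom
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $dom
DNS.2 = *.$dom
EOF
  openssl genrsa -out "$wd/privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$wd/privkey.pem" -out "$wd/csr.pem" -config "$wd/openssl.cnf"
  openssl x509 -req -days 365 -in "$wd/csr.pem" -signkey "$wd/privkey.pem" \
    -out "$wd/cert.pem" -extensions req_ext -extfile "$wd/openssl.cnf" 2>/dev/null
}

# Returns 0 if the certificate's SAN list contains exactly the given DNS entry.
cert_has_san() {  # $1 = cert.pem, $2 = name such as *.yourinternaldomain.local
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/{getline; print}' |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Returns 0 if a client that trusts cert.pem would accept it for hostname $2.
cert_matches_host() {  # $1 = cert.pem, $2 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo: build a cert for the post's example domain and probe a few hostnames.
dir=$(mktemp -d)
make_wildcard_cert "$dir" yourinternaldomain.local
cert_matches_host "$dir/cert.pem" nas.yourinternaldomain.local && echo "nas.yourinternaldomain.local: accepted"
cert_matches_host "$dir/cert.pem" a.b.yourinternaldomain.local || echo "a.b.yourinternaldomain.local: rejected (wildcard covers one label)"
```

The hostname checks at the end show what the wildcard does and does not cover: *.yourinternaldomain.local matches exactly one label, so nas.yourinternaldomain.local passes while a.b.yourinternaldomain.local is rejected, and the bare domain is only accepted because it is listed separately as DNS.1.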

John

Using Certbot with WSL on Windows to obtain wildcard certificates from Let’s Encrypt via DNS authorization (for DNS providers that support the DNS challenge, e.g. Route53 or Google Domains) for your Synology NAS or SRM!

Are you looking to secure your Synology NAS or SRM with a wildcard SSL certificate? Look no further! In this article, we’ll show you how to use Certbot under Windows Subsystem for Linux (WSL) on your Windows machine to obtain wildcard certificates via DNS authorization. This is the manual way to do it; there is also an automated way, but learning the manual way will help you understand how the whole process works.

Understanding wildcard certificates and DNS authorization

To understand the importance of wildcard certificates and DNS authorization, let’s first take a closer look at what they are. A wildcard SSL certificate allows you to secure not only your main domain but also all its subdomains. This is especially useful if you have multiple subdomains or if you plan to create new subdomains in the future.

DNS authorization is a method used by Let’s Encrypt to verify that you have control over the domain for which you are requesting a certificate. With DNS authorization, you prove ownership of the domain by adding a specific DNS record provided by Let’s Encrypt to your DNS provider’s configuration.

Setting up Windows Subsystem for Linux (WSL) on Windows

Before we can start using Certbot with WSL on Windows, we need to set up the Windows Subsystem for Linux. WSL allows you to run a Linux distribution alongside your Windows operating system, enabling you to use Linux tools and applications on your Windows machine.

To set up WSL, follow these steps:

  1. Open the Windows PowerShell as an administrator.
  2. Run the following command to enable the WSL feature: wsl --install
  3. Wait for the installation to complete and restart your computer.

Once the installation is complete, you can proceed to the next step of configuring your DNS provider for DNS challenge support.

Configuring DNS provider for DNS challenge support

To obtain wildcard certificates via DNS authorization, your DNS provider needs to support the DNS challenge. Currently, popular DNS providers like Route53 and Google Domains support the DNS challenge, making it easy to obtain SSL certificates from Let’s Encrypt.

To configure your DNS provider for DNS challenge support, follow these steps:

  1. Log in to your DNS provider’s control panel.
  2. Navigate to the DNS settings for your domain.
  3. Look for an option to add a DNS record and select the TXT record type.
  4. Enter the DNS record provided by Let’s Encrypt in the value field.
  5. Save the changes and wait for the DNS record to propagate.

Once your DNS provider is configured, we can move on to installing Certbot on WSL.

Installing Certbot on WSL

Certbot is a popular open-source tool that simplifies the process of obtaining and managing SSL certificates. It supports various plugins, including DNS plugins, which allow you to use DNS authorization to obtain wildcard certificates.

To install Certbot on WSL, follow these steps:

  1. Open the WSL terminal on your Windows machine.
  2. Update the package manager by running the following command: sudo apt update
  3. Install Certbot by running the following command: sudo apt install certbot

Once Certbot is installed, we can proceed to the next step of obtaining wildcard certificates with Certbot and DNS authorization.

Obtaining wildcard certificates with Certbot and DNS authorization

Now that Certbot is installed, we can use it to obtain wildcard certificates via DNS authorization. To do this, follow these steps:

  1. Open the WSL terminal on your Windows machine.
  2. Run the following command to obtain the wildcard certificate: sudo certbot certonly --manual --preferred-challenges=dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.yourdomain.com"
  3. Follow the prompts to add the DNS record provided by Certbot to your DNS provider’s configuration.
  4. Wait for the DNS record to propagate and for Let’s Encrypt to verify the DNS challenge.
  5. Once the verification is complete, Certbot will generate your wildcard certificate and store it in the appropriate directory.

With your wildcard certificate obtained, we can now configure your Synology NAS or SRM for SSL/TLS using it.

Configuring Synology NAS or SRM for SSL/TLS using wildcard certificates

To configure your Synology NAS or SRM for SSL/TLS using the wildcard certificate obtained from Let’s Encrypt, follow these steps:

  1. Log in to your Synology NAS or SRM web interface.
  2. Navigate to the Control Panel and select “Security.”
  3. Go to the “Certificate” tab and click on “Add.”
  4. Select “Import a certificate” and choose the option to import the certificate from a file.
  5. Browse to the directory where Certbot stored your wildcard certificate and select the appropriate files.
  6. Click “Next” and follow the prompts to complete the certificate import process.
  7. Once the certificate is imported, go to the “General Settings” tab and select the wildcard certificate for HTTPS connections.

Congratulations! Your Synology NAS or SRM is now secured with a wildcard SSL certificate obtained via DNS authorization. Your sensitive data is protected, and your users can enjoy a seamless and encrypted connection.

Automating certificate renewal with Certbot and cron jobs

To ensure that your wildcard certificate remains valid, it’s important to set up automated certificate renewal. With Certbot and cron jobs, you can automate the renewal process, so you don’t have to worry about manually renewing your certificates.

To set up automated certificate renewal with Certbot and cron jobs, follow these steps:

  1. Open the WSL terminal on your Windows machine.
  2. Run the following command to edit the crontab file: sudo crontab -e
  3. Add the following line to the crontab file to schedule the renewal process: 0 0 1 * * /usr/bin/certbot renew
  4. Save the changes and exit the editor.

By scheduling the renewal process to run once a month, you can ensure that your wildcard certificate is always up to date.
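The cron line above only triggers a renewal once the certificate is inside certbot’s 30-day renewal window, so it helps to have a check that tells you how much life is left. Added example (not part of the post): a small POSIX shell script for WSL that reports the remaining days of a certificate file and flags it when certbot would act on it; it assumes GNU date and openssl are available, and builds a throwaway self-signed cert for its demo.

```shell
# Added example, not from the post: reports how long a certificate has left and whether
# it is inside certbot's renewal window. Assumes GNU date (WSL/Ubuntu) and openssl.
set -eu

# Seconds until notAfter; negative once the certificate has expired.
seconds_until_expiry() {  # $1 = path to cert.pem (or fullchain.pem)
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( $(date -d "$not_after" +%s) - $(date +%s) ))
}

days_until_expiry() {  # $1 = path to cert.pem
  echo $(( $(seconds_until_expiry "$1") / 86400 ))
}

# Returns 0 when the certificate expires within $2 days; certbot renew only
# acts on certificates that are within 30 days of expiry.
needs_renewal() {  # $1 = cert.pem, $2 = window in days
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# One-line status suitable for a cron mail or log; non-zero when action is needed.
check_cert() {  # $1 = cert.pem
  days=$(days_until_expiry "$1")
  if needs_renewal "$1" 30; then
    echo "$1: $days day(s) left, inside the 30-day window, renewal due"
    return 1
  fi
  echo "$1: $days day(s) left, ok"
}

# Demo on a constructed throwaway self-signed cert valid for 20 days, so it runs
# without a real Let's Encrypt certificate.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 20 -subj "/CN=nas.yourdomain.com" \
    -keyout "$d/privkey.pem" -out "$d/cert.pem" 2>/dev/null
  check_cert "$d/cert.pem" || true
}
demo
```

Point check_cert at the certificate file certbot wrote for your domain. Note that certbot renew cannot repeat an interactive --manual DNS challenge unattended: a certificate obtained this way needs a --manual-auth-hook (or a DNS plugin) before the cron job can renew it on its own.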

Troubleshooting common issues with Certbot and DNS authorization

While using Certbot with DNS authorization is generally straightforward, you may encounter some common issues along the way. Here are a few troubleshooting tips to help you overcome these issues:

  1. Check your DNS provider’s configuration to ensure that the DNS record is correctly added.
  2. Verify that the DNS record has propagated by using a DNS propagation checking tool.
  3. Double-check the spelling and syntax of the DNS record.
  4. Ensure that your DNS provider’s API credentials are correctly configured in Certbot.

If you still encounter issues, refer to the Certbot documentation or seek assistance from the Certbot community for further guidance.

Final thoughts

We have explored how to use Certbot with Windows Subsystem for Linux (WSL) on your Windows machine to obtain wildcard certificates via DNS authorization. We have covered the steps of setting up WSL, configuring your DNS provider for DNS challenge support, installing Certbot, obtaining wildcard certificates, configuring your Synology NAS or SRM, automating certificate renewal, and troubleshooting common issues.

By following these steps, you can secure your Synology NAS or SRM with a wildcard SSL certificate, providing a comprehensive security solution for your sensitive data. With Certbot and Let’s Encrypt, the process of obtaining and managing SSL certificates is made easier, allowing you to focus on what matters most—protecting your data and ensuring a seamless user experience.

So, what are you waiting for? Dive in and secure your NAS or SRM today!

Note: The content provided in this article is for informational purposes only. It is always recommended to refer to the official documentation and seek professional assistance when dealing with SSL certificates and server configurations.

John