
QNAP with an ECDSA certificate


Introduction

Let's Encrypt issues certificates for ECDSA (Elliptic Curve Digital Signature Algorithm) keys as well as for RSA (Rivest, Shamir and Adleman) keys, and certbot has generated ECDSA keys by default since version 2.0, so a freshly issued certificate is now normally an ECDSA one rather than RSA.

This is a problem because the QNAP web interface refuses to import ECDSA certificates, and also RSA keys longer than 2048 bits. The web server behind it (stunnel and thttpd) has no trouble using them, so the files have to be placed on the filesystem directly instead of going through the interface.

Tested on firmware version: QTS 5.0.1.2346

Ansible

In order to use the certificate generated by Let's Encrypt, we have to upload its files manually. This action is automated with Ansible.

File inventory:

```ini
[all:vars]
# Disables SSH host key verification: any host key is accepted, so a
# man-in-the-middle on the connection would not be noticed. Prefer a
# known_hosts entry for the NAS once its key is known.
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_ssh_private_key_file=/Users/pablojoserocamora/.ssh/id_ed25519

[test]
qnap.procamora.com
```

File main.yml:

```yaml
---
# ansible-playbook -i inventory main.yml -v -K
- name: Playbook QNAP SSL
  hosts: all
  become: false
  become_method: sudo
  become_user: admin
  gather_facts: false
  vars:
    ansible_user: procamora
    # QTS does not ship a python3 for Ansible; use the one from the Python3 QPKG
    ansible_python_interpreter: /share/CACHEDEV1_DATA/.qpkg/Python3/python3/bin/python3

  pre_tasks:
    - name: set custom home
      ansible.builtin.set_fact:
        # directory on the control node where certbot keeps the live certificate files
        MY_HOME: "{{ lookup('env', 'HOME') }}/procamora.com/letsencrypt/live/procamora.com"

  tasks:
    # 1) SSH into your NAS and go to /etc/stunnel/
    # 2) replace backup.cert with your own certificate (PEM format, no human readable content)
    # 3) replace backup.key with your own private key (PEM format, no human readable content)
    # 5) replace uca.pem with your certificate chain (PEM format, no human readable content)
    - name: Copy files
      ansible.builtin.copy:
        src: "{{ MY_HOME }}/{{ item.src }}"
        dest: "/etc/stunnel/{{ item.dest }}"
        mode: "0600"
        owner: admin
        group: administrators
        backup: true
      become: true
      loop:
        - { src: cert.pem, dest: backup.cert }
        - { src: privkey.pem, dest: backup.key }
        - { src: chain.pem, dest: uca.pem }

    # 4) replace stunnel.pem with your private key+certificate (PEM format, no human readable content)
    - name: create stunnel.pem (key+certificate)
      ansible.builtin.copy:
        # key first, then the certificate; lookup('file') reads on the control node
        content: "{{ lookup('file', MY_HOME ~ '/privkey.pem') }}\n{{ lookup('file', MY_HOME ~ '/cert.pem') }}\n"
        dest: /etc/stunnel/stunnel.pem
        mode: "0600"
        owner: admin
        group: administrators
        backup: true
      become: true
      # the private key is passed inline; keep it out of verbose and --diff output
      no_log: true

    # 6) execute /etc/init.d/thttpd.sh restart
    # 7) execute /etc/init.d/stunnel.sh restart
    # 8) execute /etc/init.d/Qthttpd.sh restart
    - name: restart services
      ansible.builtin.command: "/etc/init.d/{{ item }} restart"
      become: true
      loop:
        - thttpd.sh
        - stunnel.sh
        - Qthttpd.sh
```

We can run the playbook with the following command (-K prompts for the sudo password used to become admin):

```shell
ansible-playbook -i inventory main.yml -v -K
```

The values that may need changing in the playbook and inventory are:

  • ansible_user: procamora. Our QNAP user.
  • ansible_python_interpreter: /share/CACHEDEV1_DATA/.qpkg/Python3/python3/bin/python3. Path of the python3 binary that Ansible needs on the NAS.
  • MY_HOME: "{{ lookup('env', 'HOME') }}/procamora.com/letsencrypt/live/procamora.com". Path on the control node where Let's Encrypt generated the certificate.
  • ansible_ssh_private_key_file=/Users/pablojoserocamora/.ssh/id_ed25519. Path of the private key used for the SSH connection.

Verification

Once the playbook has run, we can open the web interface in a browser and verify that:

  • The browser considers the certificate valid.
  • QNAP shows our wildcard certificate as valid.
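The browser check above only tells us the end result. As an added example, not part of the original post, the following POSIX shell script does the checks a practitioner wants before and after running the playbook: it reports the key type and size of cert.pem (which is what decides whether the QNAP interface would have accepted the certificate, per the Introduction), confirms that privkey.pem actually belongs to cert.pem before the files are written into /etc/stunnel, and after the restart compares the fingerprint of the certificate the NAS serves with the local cert.pem. It assumes the openssl command line tool, certbot's live/ file layout (cert.pem, privkey.pem) and that the NAS web interface listens on port 443; the script name and the hostname argument are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post or from QNAP. Needs the openssl CLI.
# Assumptions (not from the page): certbot live/ layout (cert.pem, privkey.pem)
# and a NAS web interface on port 443.

# Print the public key algorithm and size of a certificate, e.g. "EC 256" or "RSA 2048".
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    # "Public Key Algorithm: id-ecPublicKey" / "rsaEncryption" and "Public-Key: (256 bit)"
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$alg" in
        id-ecPublicKey) alg=EC ;;
        rsaEncryption)  alg=RSA ;;
    esac
    printf '%s %s\n' "$alg" "$bits"
}

# The QNAP web interface only imports RSA keys of up to 2048 bits; ECDSA keys and
# larger RSA keys have to go into /etc/stunnel the way the playbook does.
# Usage: upload_path ALG BITS  -> prints "gui" or "manual".
upload_path() {
    if [ "$1" = RSA ] && [ "$2" -le 2048 ]; then
        echo gui
    else
        echo manual
    fi
}

# Check that the private key belongs to the certificate by comparing the PEM-encoded
# public keys derived from each. A mismatched stunnel.pem leaves the web interface
# down after the restart, so this is worth checking before copying anything.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# After the playbook ran: compare the SHA-256 fingerprint of the leaf certificate the
# NAS serves on 443 with the local cert.pem. A difference means the old certificate is
# still being served (services not restarted, or the wrong files copied).
served_matches_local() {
    served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256) || return 1
    expected=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    [ -n "$served" ] && [ "$served" = "$expected" ]
}

# Usage: sh check_qnap_cert.sh /path/to/live/procamora.com [qnap.procamora.com]
main() {
    dir=$1
    info=$(cert_key_info "$dir/cert.pem") || { echo "cannot read $dir/cert.pem" >&2; return 1; }
    echo "certificate key: $info"
    echo "upload path: $(upload_path $info)"
    if key_matches_cert "$dir/privkey.pem" "$dir/cert.pem"; then
        echo "privkey.pem matches cert.pem"
    else
        echo "privkey.pem does NOT match cert.pem" >&2; return 1
    fi
    if [ -n "$2" ]; then
        if served_matches_local "$2" "$dir/cert.pem"; then
            echo "$2 serves the new certificate"
        else
            echo "$2 serves a different certificate" >&2; return 1
        fi
    fi
}

# Only run when called with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once before the playbook with only the directory argument (it should report an EC key, the "manual" path, and a matching key), and again afterwards with the NAS hostname as second argument to confirm the restarted services picked up the new stunnel.pem.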

Screenshot: qnap_ecdsa

Sources: [0] https://forum.qnap.com/viewtopic.php?t=110557
