Ask / Submit
1

sailfish X synology ssl certificate not trusted [not relevant]

asked 2018-04-14 00:56:23 +0300

wcr gravatar image

On my jolla, I had installed DS Notes, a little tool to access todo notes hosted on my synology home NAS and it worked very well. The NAS is accessible through the "quickconnect" thingy from synology and I also connect to it from my laptop and elsewhere.

On sailfish X, with my Xperia X 5121, where everything else works well, I cannot get DS Notes to connect, as it keeps complaining that my (standard, self-signed) SSL certifcate is not trusted, and it allows no exception. The little DS notes client actually offers to turn https on and off (my NAS forces it to be on), and it also has an option to "validate the certificate" (I have tried that "on" and "off", it made no difference).

I know I can get other certificates, and I have actually tried but encountered problems that probably can be solved. But since it worked on the jolla so easily, why does it nor work on sailfish X?

edit retag flag offensive reopen delete

The question has been closed for the following reason "question is not relevant or outdated" by wcr
close date 2018-04-14 14:55:19.711736

Comments

I don't know how DS Notes is handling certificates, but it is totally intended for your device to distrust self-signed certificates at first (otherwise, everyone could just self-sign arbitrary certificates). Not knowing the App itself, I'd suspect it would be up to the App to offer you to add an exception for accepting the self-signed cert. That's how it works in the "DS Audio" App, if I recall correctly.

So I'd suspect the problem to be related to the App, not the system itself. Can you check if you are using the same version of DS Notes on your Jolla and Xperia X?

ghling ( 2018-04-14 10:47:10 +0300 )edit

Thanks, the app actually explicitly offers the possibility to "validate the certificate" (whatever that means exactly), but no matter whether I tick that option or not, it refuses to connect, citing the problem with the self-signed certificate.

I think the version has not changed between the jolla and the experia.

And I was assuming that the security level with the self-signed certificates (after all, I sign them on the NAS itself) was perhaps not to the highest standards but at a "reasonable level", imagining that synology would not propose it if this wasn't the case.

wcr ( 2018-04-14 11:00:42 +0300 )edit

2 Answers

Sort by » oldest newest most voted
1

answered 2018-04-14 10:27:48 +0300

Stefanix gravatar image

A possible solution could be to access your NAS directly via a dyndns service (noip.com, spdyn.de, etc.) and use a free 'Let's Encrypt' certificate for the chosen url. Synology supports the automatic installation of such a certificate under "Security-Certificate". You might need to activate a port forwarding on your router. During the certificate installation the NAS needs to be accessible via http port 80. The forwarding of port 80 can be removed after the certificate installation and you can use any other port configuration. With the Let's Encrypt certificate your NAS is accessible via your dyndns url without the need to add an exception for a private certificate. Firefox displays a green lock, applications should accept the signed certificate.

edit flag offensive delete publish link more

Comments

Thank you, yes, I understand that is the complex solution.

I worked on that for several hours yesterday, trying to figure out how to associate the NAS with my private domain, creating a subdomain there and all that. I understand I could register yet another domain, just for the NAS, but I gave up at some point, since it was more complex than what I could handle.

One reason for the complexity might be that I am in France and the router documentation (orange livebox) is extremely bad concerning port forwarding, so I was glad that the quickconnect thing works without messing around with the router.

The question remains: why did DS Notes allow me to connect from the jolla and not from the xperia? The sailfish on the jolla was upgraded all along so the version must be very similar to the one of the xperia. I suspect there is an option somewhere just to TRULY accept my self-signed certificate.

wcr ( 2018-04-14 10:33:40 +0300 )edit

Of course it is desirable to allow the acceptance of self signed certificates. Usually it's no problem with browsers, but some apps don't have that option. No idea why DS Notes works on Jolla (1) and not on SF X. For me the Let's Encrypt installation was quite easy and solved some problems with apps requiring a signed certificate.

Stefanix ( 2018-04-14 10:47:56 +0300 )edit

Thanks, maybe this is off-topic here, but I think my problem was that I own a domain pointing to a hosted server elsewhere. I established a subdomain there and pointed that to the address synology offers for accessing the NAS from the outside. I was trying to get a Let's Encrypt certificate for that subdomain but failed. I also tried to just use the existing certificate from my main domain for the NAS, and I failed with that too. So in the end I could not figure out what domain to ask Let's Encrypt to provide a certificate for.

And anyway, again, I thought, why can't it just work the way it did on the jolla...

wcr ( 2018-04-14 11:03:33 +0300 )edit

Well, not sure how the Quickconnect works. Seems to act as a proxy, terminating the requests on the Synology server and establishing a second leg to your NAS. Let's Encrypt tries to verify that the certified domain points to the device the certificate is installed on (the NAS). This is not the case in your scenario.

Stefanix ( 2018-04-14 11:18:07 +0300 )edit

I think that's correct, which is why I would like my jolla solution back... Seems just like something in sailfish that does not let pass the "willingness to accept" the certificate somehow.

wcr ( 2018-04-14 11:35:09 +0300 )edit
1

answered 2018-04-14 14:53:48 +0300

wcr gravatar image

Impossible for me to reproduce what has happened, but after a power cut the NAS rebooted and now sailfish connects to it.

Thank you all of you who provided help!

edit flag offensive delete publish link more

Question tools

Follow
2 followers

Stats

Asked: 2018-04-14 00:56:23 +0300

Seen: 291 times

Last updated: Apr 14