freitasm
#208215 1-Feb-2017 14:19

Some routers allow you to access the configuration interface via HTTPS. I've configured the two routers I have at home to use a certificate to identify these correctly. The main router (Synology RT2600AC) is "router.freitasm.com" and the second router (a Fritz!box 7490 running in Bridge Mode in the lounge) is "fritz.freitasm.com":

To get to this you will need only a domain name and an SSL certificate. Some routers will use generic self-issued certificates but those aren't always trusted by browsers, so I decided to go with StartSSL. They provide free certificates with one year validity. Unfortunately Firefox and Chrome are no longer trusting StartSSL certificates due to problems with the parent company. They have recently changed ownership and are working with Firefox and Chrome to have this changed. In the meantime you can use a LetsEncrypt SSL certificate instead. These have three month validity so you will need to renew frequently - or automate the process (more later).

You can easily create LetsEncrypt certificates using SSL For Free.

I will show the screens for those two routers and how to load the certificates (different options) and you can work from here for different models (although not all will accept certificates).

DNS

Start by creating the domain name records for your router(s). These will point to your internal network addresses (in my case 192.168.2.1 and 192.168.2.201). This is for access only within your LAN. I do not recommend opening router config pages to the Internet, not even over encrypted connections. Alternatively you can modify your local hosts file or add these to a zone in your router only, if supported.

Synology RT2600AC

Start by logging in to the admin site and going to Control Panel | Services | Certificate. Click the button [Create certificate] to start creating a request.

Select Create certificate signing request (CSR) and fill the fields with your information:

Once you click [Next] you will download a zip file containing the request file (.CSR) and the private key for your server (.KEY).

Go to your SSL supplier of choice and request a certificate using the .CSR file.

Using SSL for Free you can authenticate the domain using a DNS TXT record or a file in the domain. Since this router is only visible within my LAN I decided to use a DNS TXT record in my freitasm.com domain.

Check the box "I have my Own CSR" since you have the request file and click [Download SSL Certificate]. This will take you to a page with three boxes, each with a string of characters that make up your certificates. Don't worry about that - just click the button to download all three files in a zip container.

Unzip the files (certificate.crt, private.key and ca_bundle.crt) into a folder. Also unzip the server.key file from the zip file created by the Synology router. Now back to the Synology interface to load these... Click [Import Certificate] to see the following:

Private key is the server signature file generated by your Synology when creating the request (server.key). Certificate is the certificate file created by LetsEncrypt (certificate.crt) and Intermediate Certificate is the signing authority information (ca_bundle.crt).

Click [OK] and the web service will restart. You can now access your router via HTTPS using the name you specified.

As additional measures you can configure the Synology router for additional security. Go to Control Panel | System | SRM Settings and check the boxes "Automatically redirect HTTP connections to HTTPS" and "Enable HSTS".

Fritz!box 7490

The Fritz!box seems at first a bit easier but it will require an extra step with the certificate files before loading. You won't create a server key on your Fritz!box so we will use a key generated by your browser when creating the SSL certificate through SSL For Free. Also it won't create a CSR file so it will use the domain name you enter when requesting the certificate.

Go to SSL For Free and proceed to authenticate and create your certificate but unlike before this time you leave "I Have My Own CSR" unchecked.

When you click [Download SSL Certificate] you proceed again and download the zip file. Extract all three files to a folder but this time you will need to manually create a file (Notepad works well) and copy and paste the contents of each of the individual files, one after the other, in order: ssl.crt + sub.class1.server.ca.pem + ssl.key = all.pem

1. certificate.crt
2. ca_bundle.crt
3. private.key

Log into your Fritz!box and go to Internet | Permit Access. At the bottom you will see "User's Own Certificate". Select the all.pem file you just created and click [Import].

Unlike the Synology router where the web service automatically restarts, you will need to go to System | Backup | Restart and reboot the Fritz!box. When it's back you can access it using HTTPS and the domain name you selected.

Comments

If your router allows for import of SSL certificates but there's no way to create a CSR then the Fritz!box instructions should work as well (providing your router can import the three files individually or as a single .PEM file). Actually you can create the certificate in the browser using SSL For Free as explained in the Fritz!box instructions and import these files into the Synology router.

These instructions can also be used to create/import certificates into your Synology NAS device.

Automation

You can automate the renewal process on your Synology by logging in via SSH (root, password is the same as the admin password) and installing (wget) an ACME-compatible package. This can take care of requesting SSL certificates and installing them automatically when it comes closer to the 90-day validity period. I might include this in another update later.
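As an added example (my own, not from the post above, Synology or AVM), a POSIX shell script that assembles all.pem in the order the Fritz!box step gives and verifies it before anything is imported. The three input files are generated here with openssl as throwaway stand-ins (a private demo CA instead of the Let's Encrypt bundle, and fritz.example.test as an assumed hostname); with the real certificate.crt, ca_bundle.crt and private.key you would skip make_demo_files.

```shell
#!/bin/sh
# Added example: build all.pem (certificate + CA bundle + key) and check it
# before importing. The inputs are constructed stand-ins made with a demo CA
# (assumption: the real files come from the CA via SSL For Free).
set -eu

WORK=$(mktemp -d)

make_demo_files() {
  # Stand-in for ca_bundle.crt: a self-signed demo CA (constructed).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca_bundle.crt" 2>/dev/null
  # Stand-in for private.key and certificate.crt for the router name
  # (assumed hostname fritz.example.test).
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=fritz.example.test" \
    -keyout "$WORK/private.key" -out "$WORK/router.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/router.csr" \
    -CA "$WORK/ca_bundle.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/certificate.crt" 2>/dev/null
}

# The post's order: certificate, then CA bundle, then private key.
build_all_pem() {
  cat "$WORK/certificate.crt" "$WORK/ca_bundle.crt" "$WORK/private.key" \
    > "$WORK/all.pem"
}

# Three checks worth running before the import: the certificate chains to
# the bundle, the key belongs to the certificate, and the PEM blocks are in
# the expected order. Returns 0 only when all three hold.
verify_all_pem() {
  openssl verify -CAfile "$WORK/ca_bundle.crt" "$WORK/certificate.crt" \
    >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/all.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/private.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  order=$(grep -- '-----BEGIN' "$WORK/all.pem" | tr '\n' ' ')
  case "$order" in
    "-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE----- -----BEGIN "*"PRIVATE KEY----- ")
      return 0 ;;
  esac
  return 1
}

make_demo_files
build_all_pem
verify_all_pem && echo "all.pem verified; ready to import on the Fritz!box"
```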


tchart
#1713927 1-Feb-2017 14:40

Thanks I'll have to try this.



davidcole
#1713929 1-Feb-2017 14:40

So this is adding a proper https cert against your domain name for when you're accessing your https devices when internal (ie by using the domain name address)?

Ie I have the unifi controller running at home and openhab, and it always complains at me that the cert name has an invalid cert: ERR_CERT_AUTHORITY_INVALID. This would fix that problem?


mentalinc
#1713931 1-Feb-2017 14:42

Yes, it fixes that problem.




freitasm
#1713934 1-Feb-2017 14:50

davidcole:

So this is adding a proper https cert against your domain name for when you're accessing your https devices when internal (ie by using the domain name address)?

Ie I have the unifi controller running at home and openhab, and it always complains at me that the cert name has an invalid cert: ERR_CERT_AUTHORITY_INVALID. This would fix that problem?

As above, yes, it fixes the problem of self-signed certs not being recognised as valid authorities.

I have freitasm.com on Cloudflare and if you nslookup router.freitasm.com now you will see it points to my internal LAN address. This is just so I don't have to change the hosts file in every device around the house - who knows which one I want to use to access the router?

Obviously it will also work if you expose it to the Internet (with proper DNS) but I think people should never do this.


davidcole
#1713955 1-Feb-2017 15:25

So for argument's sake... if I wanted an external SSL name, ie home.domain.com, and an internal name, machine.domain.com (split because the external one could have different ports for different internal machines; I expose TT-RSS, an SSH server and a VPN).

Would I get separate internal and external certificates, or would I get a single external one and put in the internal hostnames as well for the internal access?

So I could access tt-rss on http://home.domain.com:1234 but when I'm internal I can access https://machine.domain.com:10000 for webmin (which are both the same machine).


freitasm
#1713957 1-Feb-2017 15:27

LetsEncrypt allows you to create certificates with multiple domain names. You won't get a wildcard with them, but multiple is OK.


ANglEAUT
#1714083 1-Feb-2017 17:12

Sweet. Thx for sharing this HowTo.
yitz
#1714177 1-Feb-2017 21:04

Oh noes my system log says I'm getting hacked!!11

Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: router.freitasm.com
Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: fritz.freitasm.com

Seriously though - what are people's opinions on pointing FQDNs to private/RFC1918 address space?

Just saying because this sort of stuff is blocked by default on some configurations at least.

Aaroona
#1720168 14-Feb-2017 19:35

yitz:

Oh noes my system log says I'm getting hacked!!11

Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: router.freitasm.com
Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: fritz.freitasm.com

Seriously though - what are people's opinions on pointing FQDNs to private/RFC1918 address space?

Just saying because this sort of stuff is blocked by default on some configurations at least.

If you mean internet-facing DNS resolution pointing to internal addresses, then yes, generally not best practice.

If you're talking about internal DNS resolution, then that's fine.
For example, I own [domain].nz, however my router (running LEDE) accepts internal requests for a zone called int.[domain].nz - so every device on my network receives device.int.[domain].nz as a FQDN.

EDIT: Sorry, had just seen this was 2 weeks old! Only just catching up ;)
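As an added example (my own, not from yitz, Aaroona or the dnsmasq project), a POSIX shell script that pulls the flagged names out of syslog lines in the format quoted above and applies the RFC1918 test behind dnsmasq's stop-dns-rebind warning. The lookup is a constructed table with the two router addresses from the first post so the script runs offline; on a real system you would replace answer_for with a resolver query.

```shell
#!/bin/sh
# Added example: which names did dnsmasq refuse, and do their answers really
# sit in private (RFC1918) space? dnsmasq's stop-dns-rebind drops upstream
# answers in that space; for a deliberately internal name the usual fix is
# rebind-domain-ok=/freitasm.com/ in dnsmasq.conf rather than disabling it.
set -eu

# Constructed sample in the post's log format, plus one unrelated line.
SAMPLE_LOG='Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: router.freitasm.com
Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: fritz.freitasm.com
Feb 1 17:16:02 home daemon.info dnsmasq[15277]: query[A] www.example.com from 192.168.2.50'

# Names dnsmasq refused to hand back, one per line, in log order.
rebind_names() {
  printf '%s\n' "$SAMPLE_LOG" | sed -n 's/.*possible DNS-rebind attack detected: //p'
}

# 0 when a dotted-quad is in 10/8, 172.16/12 or 192.168/16, 1 otherwise.
is_rfc1918() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  if [ "$1" = 10 ] || [ "$1.$2" = 192.168 ]; then return 0; fi
  if [ "$1" = 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  return 1
}

# Stand-in for a DNS lookup (constructed answers using the addresses the
# first post gives for the two routers; anything else gets a public one).
answer_for() {
  case "$1" in
    router.freitasm.com) echo 192.168.2.1 ;;
    fritz.freitasm.com)  echo 192.168.2.201 ;;
    *)                   echo 203.0.113.10 ;;  # documentation range, not private
  esac
}

# One line per flagged name: "name address private|public".
report() {
  for name in $(rebind_names); do
    addr=$(answer_for "$name")
    if is_rfc1918 "$addr"; then echo "$name $addr private"
    else echo "$name $addr public"; fi
  done
}

# How many flagged names genuinely resolve into RFC1918 space.
count_private() {
  report | grep -c ' private$' || true
}

report
```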


Benoire
#1720184 14-Feb-2017 20:03

Are StartSSL still going to be barred by the major browsers or has their snafu with security been resolved? I use StartSSL with my whole setup and I purchase the identity verified to give me unlimited SSLs against my domain but I understood from December last year that Google etc. may not accept any new certs issued by them.


freitasm
#1720189 14-Feb-2017 20:10

I tried using StartSSL and they're still barred. They have sold to a different company as part of the process of being whitelisted, but this will take time.


Benoire
#1720190 14-Feb-2017 20:13

My bad Mauricio! It's been a long day and I completely missed the bit where you stated what I had indicated! Oops.


davidcole
#1720204 14-Feb-2017 21:23

freitasm:

I tried using StartSSL and they're still barred. They have sold to a different company as part of the process to being whitelisted but this will take time.

Weird, my StartSSL ones were fine... until Chrome updated itself. Now it complains again. I guess I could look at Let's Encrypt. I assume I have to authenticate my domain with them like StartSSL, and then I can request certs? I managed to do my SVN server and Unifi controller, which are two different internal machines.


Benoire
#1720222 14-Feb-2017 21:28

StartSSL is fine with browsers if issued before December 2016, I believe... The issue with Let's Encrypt is the limited life of the SSL certificate, as they were really only created for web servers rather than devices and IoT stuff.

