Geekzone: technology news, blogs, forums
BDFL - Memuneh
# 208215 1-Feb-2017 14:19
3 people support this post

Some routers allow you to access the configuration interface via HTTPS. I've configured the two routers I have at home to use a certificate to identify these correctly. The main router (Synology RT2600AC) is "router.freitasm.com" and the second router (a Fritz!box 7490 running in Bridge Mode in the lounge) is "fritz.freitasm.com":

 

 

 

To get to this you will need only a domain name and a SSL certificate. Some routers will use generic self-issued certificates but those aren't always trusted by browsers, so I decided to go with StartSSL. They provide free certificates with one year validity. Unfortunately Firefox and Chrome are no longer trusting StartSSL certificates due to problems with the parent company. They have recently changed ownership and are working with Firefox and Chrome to have this changed. In the mean time you can use a LetsEncrypt SSL certificate instead. These have three month validity so you will need to renew frequently - or automate the process (more later).

 

You can easily create LetsEncrypt certificates using SSL For Free.

 

I will show the screens for those two routers and how to load the certificates (different options) and you can work from here for different models (although not all will accept certificates).

 

DNS

 

Start by creating the domain name records for your router(s). These will point to your internal network addresses (in my case 192.168.2.1 and 192.168.2.201). This is for access only within your LAN. I do not recommend opening router config pages to the Internet, not even over encrypted connections. Alternatively you can modify your local hosts file or add these to a zone in your router only, if supported.

 

Synology RT2600AC

 

Start by logging in to the admin site and going to Control Panel | Services | Certificate. Click the button [Create certificate] to start creating a request.

 

 

Select Create certificate signing request (CSR) and fill the fields with your information:

 

 

Once you click [Next] you will download a zip file containing the request file (.CSR) and the private key for your server (.KEY).

 

Go to your SSL supplier of choice and request a certificate using the .CSR file.

 

Using SSL for Free you can authenticate the domain using a DNS TXT record or a file in the domain. Since this router is only visible within my LAN I decided to use a DNS TXT record in my freitasm.com domain.

 

 

Check the box "I have my Own CSR" since you have the request file and click [Download SSL Certificate]. This will take you to a page with three boxes, each with a string of characters that make up your certificates. Don't worry about that - just click the button to download all three files in a zip container.

 

Unzip the files (certificate.crt, private.key and ca_bundle.crt) into a folder. Also unzip the server.key file from the zip file created by the Synology router. Now back to the Synology interface to load these... Click [Import Certificate] to see the following:

 

 

Private key is the server signature file generated by your Synology when creating the request (server.key). Certificate is the certificate file created by LetsEncrypt (certificate.crt) and Intermediate Certificate is the signing authority information (ca_bundle.crt).

 

Click [OK] and the web service will restart. You can now access your router via https using the name you specified.

 

As additional measures you can configure the Synology router for additional security. Go to Control Panel | System | SRM Settings and check the boxes "Automatically redirect HTTP connections to HTTPS" and "Enable HSTS".

 

Fritz!box 7490

 

The Fritz!box seems at first a bit easier but it will require an extra step with the certificate files before loading. You won't create a server key on your Fritz!box so we will use a key generated by your browser when creating the SSL certificate through SSL For Free. Also it won't create a CSR file so it will use the domain name you enter when requesting the certificate.

 

Go to SSL For Free and proceed to authenticate and create your certificate but unlike before this time you leave "I Have My Own CSR" unchecked.

 

When you click [Download SSL Certificate] you proceed again and download the zip file. Extract all three files to a folder but this time you will need to manually create a file (Notepad works well) and copy and paste the contents of each of the individual files, one after the other, in order: ssl.crt + sub.class1.server.ca.pem + ssl.key = all.pem

 

1. certificate.crt
2. ca_bundle.crt
3. private.key

 

Log into your Fritz!box and go to Internet | Permit Access. At the bottom you will see "User's Own Certificate". Select the all.pem file you just created and click [Import].

 

 

Unlike the Synology router, where the web service automatically restarts, you will need to go to System | Backup | Restart and reboot the Fritz!box. When it's back you can access it using HTTPS and the domain name you selected.

 

Comments

 

If your router allows for import of SSL certificates but there's no way to create a CSR then the Fritz!box instructions should work as well (providing your router can import the three files individually or as a single .PEM file). Actually you can create the certificate in the browser using SSL For Free as explained in the Fritz!box instructions and import these files into the Synology router.

 

These instructions can also be used to create/import certificates into your Synology NAS device.

 

Automation

 

You can automate the renewal process on your Synology by logging in via SSH (root; the password is the same as the admin password) and installing (with wget) an ACME-compatible package. This can take care of requesting SSL certificates and installing them automatically as the end of the 90-day validity period approaches. I might include this in another update later.
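The Fritz!box steps above have you build all.pem by hand in Notepad, and a bundle glued together that way fails on import when a line break is lost between two pasted files, when a block is not valid base64, or when the private key ends up somewhere other than last. The following is an added example, not code from the post or from AVM, Synology or SSL For Free: a Python script that assembles the bundle in the order the post gives (certificate.crt, ca_bundle.crt, private.key), validates the result before anything is imported, and restricts the file's permissions because it carries the private key. The three file names are the ones the post uses; the PEM blocks in the built-in demo are constructed DER stubs, not real certificates or keys.

```python
"""Assemble and sanity-check the all.pem bundle from the Fritz!box steps (added example, not from the post)."""
import base64
import binascii
import os
import tempfile
from pathlib import Path

# Order the post gives for the hand-built file: leaf cert, chain, private key.
BUNDLE_ORDER = ("certificate.crt", "ca_bundle.crt", "private.key")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem_blocks(text):
    """Return [(label, der_bytes), ...], parsing line by line. Raises ValueError for the usual
    hand-editing defects: text outside a block, a BEGIN/END label mismatch (also what a lost newline
    between '-----END' and the next '-----BEGIN' looks like), a non-base64 body, or a non-DER body."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines between the pasted files are harmless
        if label is None:
            if not (line.startswith("-----BEGIN ") and line.endswith("-----")):
                raise ValueError(f"line {lineno}: text outside a PEM block: {line[:40]!r}")
            label, body = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            end_label = line[len("-----END "):-5]
            if end_label != label:
                raise ValueError(f"line {lineno}: END {end_label!r} does not close BEGIN {label!r}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"line {lineno}: block {label!r} is not valid base64: {exc}") from None
            if not der or der[0] != 0x30:  # X.509 certs and PKCS#1/#8 keys are DER SEQUENCEs
                raise ValueError(f"line {lineno}: block {label!r} does not decode to a DER SEQUENCE")
            blocks.append((label, der))
            label = None
        else:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated PEM block {label!r}")
    return blocks

def check_bundle_order(blocks):
    """Require leaf certificate, at least one intermediate, then exactly one key as the last block."""
    labels = [label for label, _ in blocks]
    unknown = set(labels) - KEY_LABELS - {"CERTIFICATE"}
    if unknown:
        raise ValueError(f"unexpected block type(s): {sorted(unknown)}")
    if sum(label in KEY_LABELS for label in labels) != 1:
        raise ValueError("bundle must contain exactly one private key block")
    if labels.count("CERTIFICATE") < 2:
        raise ValueError("bundle must contain the leaf certificate followed by its intermediate(s)")
    if labels[-1] not in KEY_LABELS:
        raise ValueError("private key must be the last block (certificate.crt, ca_bundle.crt, private.key)")
    return labels

def bundle_problem(text):
    """None if text is a well-formed bundle, otherwise the first error message."""
    try:
        check_bundle_order(parse_pem_blocks(text))
    except ValueError as exc:
        return str(exc)
    return None

def build_bundle(folder, out_name="all.pem"):
    """Write folder/all.pem from the three input files, validate it, return its Path."""
    folder = Path(folder)
    parts = []
    for name in BUNDLE_ORDER:
        data = (folder / name).read_text()
        parts.append(data if data.endswith("\n") else data + "\n")  # never glue END onto the next BEGIN
    bundle = "".join(parts)
    check_bundle_order(parse_pem_blocks(bundle))  # refuse to write a broken bundle
    out = folder / out_name
    out.write_text(bundle)
    os.chmod(out, 0o600)  # the bundle carries the private key: owner-readable only
    return out

def _stub_pem(label, payload):
    """Constructed test data: a minimal DER SEQUENCE wrapped as PEM. NOT a real cert or key."""
    der = b"\x30" + bytes([len(payload)]) + payload
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed: what a lost line break between two pasted files looks like.
GLUED_SAMPLE = ("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"
                "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n")

def demo():
    """Build all.pem from constructed stub files in a temp dir; return the block labels in order."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "certificate.crt").write_text(_stub_pem("CERTIFICATE", b"\x02\x01\x01"))
        (d / "ca_bundle.crt").write_text(_stub_pem("CERTIFICATE", b"\x02\x01\x02")
                                         + _stub_pem("CERTIFICATE", b"\x02\x01\x03"))
        # Saved without a trailing newline, as Notepad often does.
        (d / "private.key").write_text(_stub_pem("PRIVATE KEY", b"\x02\x01\x04").rstrip("\n"))
        return [label for label, _ in parse_pem_blocks(build_bundle(d).read_text())]
```

Run `build_bundle("/path/to/unzipped/files")` against the folder with the three SSL For Free files; it refuses to write all.pem at all if a block is malformed or the key is not last, which is cheaper to learn from than a router that imports silently and then fails to serve TLS. The validation is structural only (it does not check that the key matches the certificate), so a mismatched pair from two different requests still needs to be caught by the router's own import or by inspecting the files with your certificate tool of choice.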





# 1713927 1-Feb-2017 14:40

Thanks I'll have to try this.

# 1713929 1-Feb-2017 14:40

So this is adding a proper https cert against your domain name for when you're accessing your https devices when internal (ie by using the domain name address)?

 

I.e. I have the Unifi controller running at home and OpenHAB, and it always complains at me that the cert name has an invalid cert: ERR_CERT_AUTHORITY_INVALID. This would fix that problem?





Previously known as psycik

OpenHAB: Gigabyte AMD A8 BrixOpenHAB with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Xiaomi Humidity and Temperature sensors and Bluetooth LE Sensors
Media:Chromecast v2, ATV4, Roku3, HDHomeRun Dual
Windows 10
Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex


 
 
 
 


# 1713931 1-Feb-2017 14:42

Yes it fixes that problem





CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

 




BDFL - Memuneh
# 1713934 1-Feb-2017 14:50

davidcole:

 

So this is adding a proper https cert against your domain name for when you're accessing your https devices when internal (ie by using the domain name address)?

 

I.e. I have the Unifi controller running at home and OpenHAB, and it always complains at me that the cert name has an invalid cert: ERR_CERT_AUTHORITY_INVALID. This would fix that problem?

 

 

As above, yes, it fixes the problem of self-signed certs not being recognised as valid authorities.

 

I have freitasm.com on Cloudflare and if you nslookup router.freitasm.com now you will see it points to my internal LAN address. This is just so I don't have to change the hosts file in every device around the house - who knows which one I want to use to access the router?

 

Obviously it will also work if you expose it to the Internet (with proper DNS) but I think people should never do this.





# 1713955 1-Feb-2017 15:25

So for argument's sake... if I wanted an external SSL name, i.e. home.domain.com, and an internal name machine.domain.com (split because the external one could have different ports for different internal machines; I expose TT-RSS, an SSH server and a VPN).

 

Would I get separate internal and external certificates, or would I get a single external one and put in the internal hostnames as well for the internal access?

 

So I could access TT-RSS on http://home.domain.com:1234 but when I'm internal I can access https://machine.domain.com:10000 for Webmin (which are both on the same machine).

 

 

 

 









BDFL - Memuneh
# 1713957 1-Feb-2017 15:27

# 1714083 1-Feb-2017 17:12

Sweet. Thx for sharing this HowTo.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


# 1714177 1-Feb-2017 21:04

Oh noes my system log says I'm getting hacked!!11

 

 

Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: router.freitasm.com
Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: fritz.freitasm.com

 

 

Seriously though - what are people's opinions on pointing FQDNs to private/RFC1918 address space?

 

 

Just saying because this sort of stuff is blocked by default on some configurations at least.

Human
# 1720168 14-Feb-2017 19:35
One person supports this post

yitz:

Oh noes my system log says I'm getting hacked!!11

Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: router.freitasm.com
Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: fritz.freitasm.com

Seriously though - what are people's opinions on pointing FQDNs to private/RFC1918 address space?

Just saying because this sort of stuff is blocked by default on some configurations at least.

 

 

 

If you mean Internet-facing DNS resolution pointing to internal addresses, then yes, generally not best practice.

 

If you're talking about internal DNS resolution, then that's fine.
For example, I own [domain].nz, however my router (running LEDE) accepts internal requests for a zone called int.[domain].nz - so every device on my network receives device.int.[domain].nz as a FQDN.

 

 

 

 

 

 

 

EDIT: Sorry, had just seen this was 2 weeks old! Only just catching up ;)
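yitz's dnsmasq warnings and the distinction drawn in the reply above (a public DNS answer that lands in RFC1918 space, which dnsmasq's rebind protection rejects by default, versus a zone your own resolver serves) can be turned into a small triage step. The following is an added example, not code from the thread or from dnsmasq: it counts the warnings per name from the quoted log lines, tests resolver answers against RFC1918, loopback and link-local space, marks a name "allowed" only when it sits under a suffix you deliberately publish with internal addresses (freitasm.com here, as in the thread) and "blocked" otherwise, and emits the dnsmasq `rebind-domain-ok` line that exempts that zone from `stop-dns-rebind`. The third log line and every resolver answer are constructed for the demo; the exact address ranges dnsmasq itself rejects are its own, the list below is the example's.

```python
"""Triage dnsmasq 'possible DNS-rebind attack detected' warnings (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Matches the dnsmasq warning format quoted in the thread; only the queried name is captured.
REBIND_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (?P<name>\S+)\s*$")

# Ranges this example treats as "internal" when they show up in an answer from a public
# resolver: RFC1918 private space plus loopback and link-local (this is the example's list,
# not necessarily the exact set dnsmasq's stop-dns-rebind checks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

def is_internal(addr):
    """True if addr (an IPv4 or IPv6 string) falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)  # cross-version membership is simply False

def parse_rebind_warnings(log_lines):
    """Return {name: count} for every rebind warning found in the log lines."""
    counts = Counter()
    for line in log_lines:
        m = REBIND_RE.search(line)
        if m:
            counts[m.group("name").rstrip(".").lower()] += 1
    return dict(counts)

def in_trusted_zone(name, trusted_suffixes):
    """True if name equals or is a subdomain of one of the suffixes (label-boundary safe)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in (t.lower() for t in trusted_suffixes))

def classify(name, answers, trusted_suffixes):
    """'public' if no answer is internal; otherwise 'allowed' for your own zone, 'blocked' for anything else."""
    if not any(is_internal(a) for a in answers):
        return "public"
    return "allowed" if in_trusted_zone(name, trusted_suffixes) else "blocked"

def rebind_allowlist(trusted_suffixes):
    """dnsmasq configuration line exempting the given zones from stop-dns-rebind."""
    return "rebind-domain-ok=/" + "/".join(trusted_suffixes) + "/"

def triage(log_lines, answers_by_name, trusted_suffixes):
    """For every name that tripped the rebind check, return {name: verdict}."""
    return {name: classify(name, answers_by_name.get(name, []), trusted_suffixes)
            for name in parse_rebind_warnings(log_lines)}

# First two lines are the warnings quoted in the thread; the third is constructed.
SAMPLE_LOG = [
    "Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: router.freitasm.com",
    "Feb 1 17:15:44 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: fritz.freitasm.com",
    "Feb 1 17:15:45 home daemon.warn dnsmasq[15277]: possible DNS-rebind attack detected: ads.example.test",
]
# Constructed resolver answers: the post's own LAN addresses, plus an unrelated name that
# also resolves into private space and therefore deserves to stay blocked.
SAMPLE_ANSWERS = {
    "router.freitasm.com": ["192.168.2.1"],
    "fritz.freitasm.com": ["192.168.2.201"],
    "ads.example.test": ["10.0.0.53"],
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG, SAMPLE_ANSWERS, ["freitasm.com"]).items():
        print(f"{name:25} {verdict}")
    print(rebind_allowlist(["freitasm.com"]))
```

The point of the suffix check is that the allow-list stays narrow: only the zone you own and have knowingly populated with LAN addresses gets through, while every other name resolving into RFC1918 space keeps tripping the protection, which is the behaviour you want from a resolver sitting in front of browsers. The `endswith("." + s)` comparison (rather than a bare substring match) keeps a look-alike such as `evilfreitasm.com` out of the trusted zone.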






# 1720184 14-Feb-2017 20:03

Are StartSSL still going to be barred by the major browsers or has their snafu with security been resolved? I use StartSSL with my whole setup and I purchase the identity verified to give me unlimited SSLs against my domain but I understood from December last year that Google etc. may not accept any new certs issued by them.




BDFL - Memuneh
# 1720189 14-Feb-2017 20:10

I tried using StartSSL and they're still barred. They have sold to a different company as part of the process to being whitelisted but this will take time.





# 1720190 14-Feb-2017 20:13

My bad Mauricio! It's been a long day and I completely missed the bit where you stated what I had indicated! Oops.


# 1720204 14-Feb-2017 21:23

freitasm:

 

I tried using StartSSL and they're still barred. They have sold to a different company as part of the process to being whitelisted but this will take time.

 

 

 

 

Weird, my StartSSL ones were fine... until Chrome updated itself. Now it complains again. I guess I could look at Let's Encrypt. I assume I have to authenticate my domain with them like StartSSL, and then I can request certs? I managed to do my SVN server and Unifi controller, which are two different internal machines.







# 1720222 14-Feb-2017 21:28

StartSSL is fine with browsers if issued before December 2016, I believe... The issue with Let's Encrypt is the limited life of the SSL, as they were really only created for web servers rather than devices and IoT stuff.

