Adding HTTPS access on QNAP NAS

New to HA, no IT experience, trying to get this set up.
Hardware: QNAP TS-453D, 32G RAM, 11TB free.
Software: QTS 5.0, updated to latest. Container Station

I am running HA in a Docker Container in Container station. I have a DDNS provided by QNAP: “my—name .myqnapcloud. com”. QNAP provides a Let’s Encrypt certificate under Control Panel–>Security–>SSL Certificate and Private Key. It expires 4/2022, and is set to automatically renew.

HA seems to require the addition of an HTTP section to point to the certificates and allow HTTPS access. This is the format I have seen:

http:
  server_port: 12345
  ssl_certificate: /etc/config/QcloudSSLCertificate/cert/fullchain.pem
  ssl_key: /etc/config/QcloudSSLCertificate/cert/privkey.pem

However, the files in the above directory (/etc/config/QcloudSSLCertificate/cert) do not contain fullchain.pem or privkey.pem.

Files in the directory are: cert chain combine csr intermediate.pem key
The key file is locked with a password, likely administrator, which I have disabled currently for security.

The files without extensions appear to be ascii, and when opened in the text editor start with
BEGIN PRIVATE KEY or BEGIN CERTIFICATE. This implies that they could be renamed directly to .pem.
combine contains both private key and the contents of the cert file.
Intermediate.pem contains the contents of the chain file and one other certificate
There is no fullchain.pem or privkey.pem

BTW, I am aware of the concerns for exposing my QNAP to the internet, and I will not likely leave this accessible all the time. Just trying to get this particular configuration working.

My goal was to point my configuration.yaml at the appropriate directory/file, and the certificates would update automatically with the NAS.

My DDNS is working fine otherwise, and I can access my HA docker via “HTTP:// myname. myqnapcloud.com:8123”. I have port forwarded port 443 to port 8123 as well.

I swear I have used Search to the best of my ability. The closest I have gotten is

The files he references, stunnel.pem and backup.key, are present. These are located in etc/stunnel. If these can be used directly, problem solved. stunnel.pem appears to be the same as the combine file (key + cert). backup.key is identical to the key file alone

My questions:

  1. Is there a simple way to have the QNAP Let’s Encrypt certificates automatically be generated as fullchain.pem and privkey.pem?
  2. Is the QNAP Let’s Encrypt instance already creating these files, and are they hidden somewhere else? It has taken me 2 days to find the above directories.
  3. Can I create the fullchain.pem and privkey.pem from the above files? It seems like a simple rename and/or cut/paste. I would just have to manually do this every few months. If so, what parts of the above files go in each?
  4. Would HA simply accept these files as they are? Or must they be named fullchain.pem and privkey.pem?

Thanks,

Alan

Hi Alan,

I manually copy the certificates from somewhere inside of QNAP’s system 4 times a year, put them into a directory under HA’s config and run following script that does the magic:

Works great - but certainly could be improved/fully automated 🙂

Good luck
L.

253D user here.

Answers to your questions:

  1. There is a way to convert, but not straightforward - you’d have to do that via ssh, and do that every time the certificate renews. On top of that, would recommend you actually get rid of any connection on myqnapcloud.com - That domain is heavily and constantly being targeted by ransomware for all kinds of exploits, so if you use the same certificate for both your QNAP and HA, both would be constantly under attack / scan. Anyways I guess you are aware of all these.
  2. No. crt format
  3. Yes you can convert crt to pem and then combine. See Using QNAP Let's Encrypt Certificate - #3 by lubosjerabek, if you absolutely have to. But again I’d recommend you try other domain.
  4. No. You’ll have to convert and combine and copy.

= = = Off-topic = = =
Your QNAP can do VM, and have enough RAM. I would recommend you backup your config and kill the container and go VM instead. See discussions around the end of this thread. People tend to agree the VM route.

One might think the container route gives you more control and taxes you less on resources. That’s true in general, but for HA, that also introduces a lot more maintenance tasks (in my view) than necessary.

So what do I do? I do HAOS in VM, which evidently barely occupies anything and would offer the flexibility to do let’s encrypt via add-on, or do ZeroTier also via add-on.

Well, now that I think about it. You can do ZeroTier or Tailscale on QNAP. Maybe something to consider. I am just sharing my experience, and recommend the VM install route for HAOS.

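The conversion discussed in this thread, as an added example in Python (not code from any poster or from QNAP or Home Assistant). It assumes the `cert`, `chain` and `key` files are PEM text, as the first post describes; the function names are hypothetical and the sample blocks are constructed placeholders, not real certificates or keys.

```python
import os, re, tempfile
from pathlib import Path

PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def blocks(text):
    """Yield (label, body) for every PEM block; body gets clean LF line endings."""
    for m in PEM.finditer(text):
        yield m.group(1), "\n".join(l.strip() for l in m.group(2).splitlines())

def render(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed placeholder blocks for demonstration only.
LEAF, INTER = render("CERTIFICATE", "TEVBRg=="), render("CERTIFICATE", "SU5URVI=")
KEY = render("PRIVATE KEY", "S0VZ")

def build_ha_pems(cert_text, chain_text, key_text):
    """Return (fullchain, privkey): leaf first, duplicates dropped, key kept apart."""
    certs, seen = [], set()
    for label, body in list(blocks(cert_text)) + list(blocks(chain_text)):
        # Copy CERTIFICATE blocks only, so a key in the input never reaches fullchain.pem.
        if label == "CERTIFICATE" and body not in seen:
            seen.add(body)
            certs.append(render(label, body))
    keys = [(l, b) for l, b in blocks(key_text) if l.endswith("PRIVATE KEY")]
    if not certs or len(keys) != 1:
        raise ValueError("need at least one certificate and exactly one private key")
    label, body = keys[0]
    if label.startswith("ENCRYPTED") or "Proc-Type" in body:
        raise ValueError("private key is passphrase-protected; not decrypted here")
    return "".join(certs), render(label, body)

def write_atomic(path, data, mode):
    """Write to a temp file in the target directory, set mode, rename into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.chmod(tmp, mode)
    os.replace(tmp, path)

def install(src_dir, dst_dir):
    """Read cert/chain/key from src_dir; write fullchain.pem and privkey.pem to dst_dir."""
    texts = [Path(src_dir, n).read_text() for n in ("cert", "chain", "key")]
    fullchain, privkey = build_ha_pems(*texts)
    write_atomic(os.path.join(dst_dir, "fullchain.pem"), fullchain, 0o644)
    write_atomic(os.path.join(dst_dir, "privkey.pem"), privkey, 0o600)  # owner only
    return fullchain.count("BEGIN CERTIFICATE")
```

After each renewal, call `install()` with the QNAP directory from the first post as `src_dir` and a directory mounted into the HA container as `dst_dir`, then point `ssl_certificate` and `ssl_key` at the two output files.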

Thank you all for your responses!

As I look at the sources you have directed me to, it seems that going the VM route would be best. Access to add-ons directly alone makes this attractive, and I am not the type to remember to update my certificates manually.

Makes me wish I had spent a little more for a higher end CPU, though.

Alan

A 453D is perfectly capable. HA, even under VM, barely taxes any resources of the box.

Quick Tutorial for Installing .OVA in Qnap for virtualizing the Home Assistant.

Agree, I’m running the older/lower spec TS-451+ without a problem 👍

I am running HA on QNAP VM. The HA QNAP integration (QNAP - Home Assistant) is not working for me. What steps could I take to troubleshoot it?