Using QNAP Let's Encrypt Certificate

Hi all, this is my first post here so I hope I get it right.

I got Home Assistant running on a QNAP NAS in a Docker container. It uses the certificates generated by QTS (I manually copy them from /etc/stunnel every time it’s required). Everything works fine but now I’m trying to set up SmartThings integration and I found out the certificate is only trusted by some browsers.

This is my config:

http:
  base_url: !secret hassio_url #https://myserver.myqnapcloud.com:8123
  server_port: !secret hassio_port #8123
  ssl_certificate: /config/stunnel.pem
  ssl_key: /config/backup.key

My fullchain certificate actually contains both key and cert so it looks like this:

-----BEGIN PRIVATE KEY-----
abc
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
xyz 
-----END CERTIFICATE-----

Whenever I open the hassio web UI in Opera it works splendidly:

I also tried running curl -X GET https://something.myqnapcloud.com:8123 and I got this:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What is the issue and how can I fix this please?

Hey Luboš, did you find a solution?

I have almost the same configuration, except I downloaded the certificate and the key from Control Panel > Security > SSL Certificate & Private Key, therefore my files are .crt. Everything was working fine; I just had to update a copy of the files inside the config folder of HAss with the new ones after the old ones expired.

Since the last series of updates, either new HAss version or the QTS 5.0.0.1828, the HAss app on the iPad reports “The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xyz.myqnapcloud.com” which could put your confidential information at risk.” as soon as the app is launched. On the other hand, the connection to the web administration works fine (https://xyz.myqnapcloud.com) and never reports issues regardless of the browser.

Test with browsers iOS and Mac

  • Safari on iOS can connect without issues and shows the lock on the address bar. Safari on a Mac couldn’t
  • DuckDuckGo app says “The certificate for this server is invalid”
  • Chrome reports “NET::ERR_CERT_DATE_INVALID…This server could not prove that it is xyz.myqnapcloud.com; its security certificate is not valid at this time.”
  • Firefox “This Connection is Untrusted” “SEC_ERROR_EXPIRED_CERTIFICATE”
  • Edge “Your connection isn’t private…NET::ERR_CERT_DATE_INVALID”

Relevant configuration

  • Let’s Encrypt SSL certificate is valid (see below)
  • Home Assistant version 2021.11.2
  • Ports 80 and 443 are open
  • Port 8123 is open
  • ContainerStation 2.4.3.208

Screenshot 2021-11-11 215650

Troubleshooting tried without success

  • Added ssl_profile: intermediate to the configuration.yaml
  • QuFirewall on/off
  • Replaced the .crt with the .pem file from /etc/stunnel

This might be related to this issue: R3 Intermediate certificate has expired - Help - Let's Encrypt Community Support, as the dates match the R3 info when I try accessing HAss over 8123.

Any help or ideas on how to fix it will be appreciated.

Hello @xeerch

I’m not entirely sure if our issue is similar or not - what helped me last year was converting the certificates I got from QNAP - I use the following shell script every now and then: home-assistant-config/convert_ssl.sh at 7ee28cbee03117d2410de17bac8fbc3301ac5269 · lubosjerabek/home-assistant-config · GitHub

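Added example, not part of the thread and not the convert_ssl.sh script linked above: a shell script that splits a combined key-plus-certificate PEM, such as the stunnel.pem layout from the first post, into separate files for ssl_key and ssl_certificate, and reports whether the certificate file carries an intermediate. A file holding only the leaf certificate is a common cause of curl's "unable to get local issuer certificate" while browsers that cache or fetch intermediates still connect. The function names, output file names and sample PEM bodies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: split a combined PEM (key + certificates in one file, the
# stunnel.pem layout shown above) and check whether the chain is complete.
# Function and output file names are hypothetical.

# split_pem COMBINED KEY_OUT CHAIN_OUT  (subshell body keeps umask local)
split_pem() (
    umask 077                          # new key file is owner-only
    : > "$2"; : > "$3"
    awk -v key="$2" -v chain="$3" '
        /^-----BEGIN [A-Z ]*PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/        { out = chain }
        out != ""                             { print > out }
        /^-----END /                          { out = "" }
    ' "$1"
)

# chain_status FILE -> no-certificate | leaf-only | has-intermediate
chain_status() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    case "$n" in
        ''|0) echo "no-certificate" ;;
        1)    echo "leaf-only" ;;      # server would send no intermediate
        *)    echo "has-intermediate" ;;
    esac
}

# write_sample FILE NCERTS: constructed input with placeholder bodies,
# not real key or certificate material.
write_sample() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'abc' \
        '-----END PRIVATE KEY-----' > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "xyz$i" \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

tmp=$(mktemp -d)
write_sample "$tmp/stunnel.pem" 1
split_pem "$tmp/stunnel.pem" "$tmp/privkey.pem" "$tmp/fullchain.pem"
echo "ssl_certificate: $(chain_status "$tmp/fullchain.pem")"
rm -rf "$tmp"
```

A "leaf-only" result means the issuing intermediate still has to be appended to the certificate file before strict clients can build a trust path.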

Thank you so much! That solved the problem.
