How to import Let's Encrypt certificate on NAS series storage

This guide will help you create globally trusted Let's Encrypt certificate using Arch Linux and import your new Let's Encrypt certificates (or any other as you like) to your NAS, effectively getting rid of "Connection not secure" error that is caused by self-signed certificate unless it is added as trusted on the client.

Please keep in mind that this is a workaround, and as such, it does have one minor side effect: when you click the SSL tab in Control Panel, the WebUI locks down with error 500. If this happens, you may refresh the page and continue your work. Since this tab offers no functionality that is needed when using this guide, this is a quite minor setback compared to the advantages of using Let's Encrypt certificate. 

Prerequisites:

• Running Arch Linux or another Linux-based OS environment (commands might vary slightly, if you are more comfortable with Ubuntu, for example, you might get a hint in this article that describes a similar approach for USGs, as both Ubuntu and Raspbian are Debian-based). Installation of Linux environment is out of scope for this article, please refer to the installation guide for a distro of your choice. With Arch, however, you should be fine with just booting up the Live CD and start right off the ramdisk.
• NAS series storage with the latest firmware (tested on NAS326 running V5.21(AAZF.5) )
• Make sure SSH is active on the NAS.
  

Table of contents:

• Creating certificates
• Uploading your certificates
• Certificate renewal
• Troubleshooting

Creating certificates

1. Make sure your Arch is running up-to-date:
   

   $ sudo pacman -Syu

2. Install certbot, an ACME client which will automate the process of certificate creation:
   

   $ sudo pacman -S certbot

3. make sure your Arch is able to listen on port 80, if necessary, forward port 80 to your machine.
4. Create a certificate using the following command:
   

   $ sudo certbot certonly --standalone --preferred-challenges http -d [yournasaddress.zyxel.me]

   Note: if you are encountering "challenge failed for domain" error, Let's Encrypt servers are unable to reach your machine. Please double-check that port forwarding is enabled and make sure no service is currently running at port 80 of your Arch. You may stop the service in question temporarily using the command:
   

   $ sudo systemctl stop httpd

   after this step, feel free to enable it again
   

   $ sudo systemctl start httpd

5. You may now forward your port 80 to your NAS, and also port 443, should you did not set it already.

Uploading your certificates

Your certificate is ready to be uploaded to your NAS, in this example we will use shell-based SFTP client. There is however a wide array of tools available to achieve this if you prefer a more visual approach, see the Troubleshooting section, where are described other options of handling SFTP in Arch. Please keep in mind, that if you decide to move certificates from their protected storage, make sure they are deleted or secured afterward! Never share your private key!

1. Connect to your NAS with root permissions, we will use sudo here, otherwise, we would not be able to read the certificates from secure storage:
   

   $ sudo sftp root@[yournasaddress.zyxel.me]

2. Run following commands to copy the certificates to their respective position. We will make backups during the process so you can restore original certificates in case something goes wrong. Please be careful, you are running under root permissions and any command will be processed without asking. Double-check typos. You may also finish file and directory names by pressing Tab after the first few letters, this will also help you prevent typos. Also keep in mind that names are case-sensitive on both NAS and Arch, or any other Linux!
   

   sftp> rename /etc/zyxel/cert/default.cer /etc/zyxel/cert/default.cer.bak
   sftp> put /etc/letsencrypt/live/[yournasaddress.zyxel.me]/cert.pem /etc/zyxel/cert/default.cer
   sftp> rename /etc/zyxel/cert/key/default_key.cer /etc/zyxel/cert/key/default_key.cer.bak
   sftp> put /etc/letsencrypt/live/[yournasaddress.zyxel.me]/privkey.pem /etc/zyxel/cert/key/default_key.cer

3. That's it! You may exit the SFTP using exit command and reboot your NAS!
   

   sftp> exit

4. After reboot, you may log in and verify the results. Make sure SSL is enabled in Control Panel > Network > TCP/IP > Web Configurator. You may also enforce HTTPS usage on this tab if you desire.
   

Certificate renewal

By design, Let's Encrypt certificates are quite short-lived. Certificates will be valid for 90 days from the day of issuance. To renew your certificate, you need to forward the ports on your Arch Linux again, re-run the certbot command and upload it on your NAS again.

Troubleshooting

• I'm getting "challenge failed" for domain [mydomain]!
  
  This error generally means that your Arch cannot be reached by CA's server to verify authenticity. Please check whether port 80 is forwarded to your Arch machine and that no service is running on port 80 already (apache?)
  
  
• I've imported certificates, now my NAS doesn't respond on either http or https!
  
  This indicates that NAS's web server encountered an issue during startup, most likely you have mixed things up when uploading certificates to your NAS. However, no need to panic, SSH/SFTP should still work. In case you are unable to achieve working conditions, please, see this article.
  
  
• I don't really feel like using Terminal to handle files, any other suggestions?
  
  If it is more comfortable for you, you may use Gnome's Nautilus file explorer to run the SFTP session with NAS for copying files.
  
  
  
  If you don't have Gnome installed (maybe you are on Arch's Live CD), there is Terminal orthodox commander with SFTP support called Midnight Commander that should run even on pretty barebone Arch setup, to install & run as root, type:
  

  $ sudo pacman -S mc
  $ sudo mc