Zyxel Network-Attached Storage [NAS] - How to import or regenerate certificate on Zyxel NAS storage

This article provides a quick tutorial on creating new self-signed certificates on a NAS to resolve SSL-related errors and a guide on generating and importing globally trusted Let's Encrypt certificates in Arch Linux to avoid "Connection not secure" errors, ensuring seamless and secure WebGUI access.
End-of-Life Product Notice: We regret to inform you that the product "Zyxel NAS Devices" has reached the end of its useful life. As a result, technical support for this device may be limited. Please be aware that any manipulation or use of a device that is already end-of-life is entirely at your own risk. You can find a list of obsolete devices, including their retirement and end-of-support dates, at the link below. This page also provides the latest updated version for your device: End of Life

Generating Original Self-Signed Certificates on Zyxel NAS

Open a command prompt. To connect, use the following command with the address of your NAS and approve the connection if prompted.

$ ssh root@192.168.1.33

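Run the following commands to restore the certificate repository to default. The first command deletes every file under /etc/zyxel/cert; omit it to just generate new certificates. The second command creates a new 2048-bit RSA key, stored without a passphrase (-nodes), and a self-signed certificate valid for 3650 days. You will be prompted to enter information about the certificate. The defaults are fine, so just press Enter until you reach the command prompt again.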

# find /etc/zyxel/cert -type f -delete
# openssl req -newkey rsa:2048 -nodes -keyout /etc/zyxel/cert/key/default_key.cer -x509 -days 3650 -out /etc/zyxel/cert/default.cer

That's all! Feel free to exit the command prompt. You may also need to reboot the NAS for changes to take effect.

# exit

Create Let's Encrypt certificates for Zyxel NAS

Note: Please keep in mind that this is a workaround, and as such, it does have one minor side effect: when you click the SSL tab in the Control Panel, the WebUI locks down with error 500. If this happens, you may refresh the page and continue your work. Since this tab offers no functionality that is needed when using this guide, this is a quite minor setback compared to the advantages of using the Let's Encrypt certificate. 

Prerequisite: a machine running Arch Linux or another Linux-based OS. Commands might vary slightly on other distributions; if you are more comfortable with Ubuntu, for example, the article that describes a similar approach for USGs may give you a hint, as both Ubuntu and Raspbian are Debian-based. Installation of a Linux environment is out of scope for this article; please refer to the installation guide for the distro of your choice. With Arch, however, you should be fine with just booting up the Live CD and working straight from the ramdisk.

  • Make sure your Arch is up to date:
$ sudo pacman -Syu
  • Install certbot, an ACME client that will automate the process of certificate creation:
$ sudo pacman -S certbot
  • Make sure your Arch can listen on port 80; if necessary, forward port 80 to your machine. Create a certificate using the following command:
$ sudo certbot certonly --standalone --preferred-challenges http -d [yournasaddress.zyxel.me]

Note: if you encounter a "challenge failed for domain" error, the Let's Encrypt servers are unable to reach your machine. Please double-check that port forwarding is enabled and make sure no service is currently running on port 80 of your Arch. You may stop the service in question temporarily using the command:

$ sudo systemctl stop httpd
  • After this step, feel free to start it again:
$ sudo systemctl start httpd
  • You may now forward port 80 to your NAS, and also port 443 if you have not set it up already.

Upload Let's Encrypt certificates for Zyxel NAS

Your certificate is ready to be uploaded to your NAS. In this example we will use a shell-based SFTP client. There is, however, a wide array of tools available if you prefer a more visual approach; see the Troubleshooting section, which describes other options for handling SFTP in Arch. If you decide to move the certificates out of their protected storage, make sure the copies are deleted or secured afterward! Never share your private key!

Connect to your NAS with root permissions. We use sudo here because otherwise we would not be able to read the certificates from secure storage:

$ sudo sftp root@[yournasaddress.zyxel.me]

Run the following commands to copy the certificates to their respective positions. We make backups during the process so you can restore the original certificates in case something goes wrong. Please be careful: you are running with root permissions and any command will be processed without asking. Double-check for typos. You may also complete file and directory names by pressing Tab after the first few letters, which helps prevent typos. Also keep in mind that names are case-sensitive on both the NAS and Arch, as on any other Linux!

sftp> rename /etc/zyxel/cert/default.cer /etc/zyxel/cert/default.cer.bak
sftp> put /etc/letsencrypt/live/[yournasaddress.zyxel.me]/cert.pem /etc/zyxel/cert/default.cer
sftp> rename /etc/zyxel/cert/key/default_key.cer /etc/zyxel/cert/key/default_key.cer.bak
sftp> put /etc/letsencrypt/live/[yournasaddress.zyxel.me]/privkey.pem /etc/zyxel/cert/key/default_key.cer

That's it! You may exit the SFTP using the exit command and reboot your NAS!

sftp> exit

After reboot, you may log in and verify the results. Make sure SSL is enabled in Control Panel > Network > TCP/IP > Web Configurator. You may also enforce HTTPS usage on this tab if you desire.

Renew Let's Encrypt certificates for Zyxel NAS

By design, Let's Encrypt certificates are quite short-lived. Certificates are valid for 90 days from the day of issuance. To renew your certificate, you need to forward the ports to your Arch Linux machine again, re-run the certbot command and upload the new certificate to your NAS again.
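Before each upload or renewal, it helps to confirm on the Arch machine that the certificate and private key belong together and that the certificate is not close to expiry, since a mismatched pair is the usual way to end up with a web server that no longer starts. The script below is an added example, not part of the original article or of Zyxel's tooling; the function names, the 30-day threshold and the throwaway self-signed sample pairs are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-upload checks for the certificate/key pair copied to the NAS.
# Function names and the 30-day threshold are assumptions of this example.

# SHA-256 of the public key embedded in a PEM certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a PEM private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = pair matches, 1 = key belongs to another certificate, 2 = file not parseable.
cert_key_match() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    openssl pkey -in "$2" -noout 2>/dev/null || return 2
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Combined verdict for one pair; a non-zero return means "do not upload".
preflight() {
    cert_key_match "$1" "$2" || { echo "FAIL: $1 and $2 are not a valid matching pair"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: $1 expires within 30 days"; return 1; }
    echo "OK: $1 and $2 belong together"
}

# Constructed sample data: throwaway self-signed pairs, not real Let's Encrypt files.
make_sample() {  # $1 = directory, $2 = base name, $3 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=nas.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_sample "$demo" a 90 && make_sample "$demo" b 90
preflight "$demo/a.pem" "$demo/a.key" || true   # matching pair
preflight "$demo/a.pem" "$demo/b.key" || true   # key swapped with another pair
rm -rf "$demo"
```

For the real files, call preflight under sudo with /etc/letsencrypt/live/[yournasaddress.zyxel.me]/cert.pem and privkey.pem from the same directory before opening the SFTP session.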

Troubleshooting

  • Common Issues and Solutions: Some users faced issues where the NAS would display a "500 Internal Server Error" after attempting to import a certificate. Solutions included verifying the certificate's format and ensuring all necessary files were correctly placed in the NAS directory. Others suggested checking the Apache configuration and manually restarting the web server to resolve these issues (Zyxel Community).
  • Automating Certificate Renewal: Automating the renewal of Let's Encrypt certificates was another frequently discussed topic. Users shared scripts that automatically copy the renewed certificates to the NAS and restart the web services. This involves setting up non-volatile storage for the root directory and configuring SSH keys for non-interactive login (Zyxel Community).
  • Self-Signed Certificates: For those relying on self-signed certificates, some encountered problems accessing the NAS web interface after enabling HTTPS. It's often recommended to temporarily disable HTTPS through SSH commands if you can't access the web interface, as detailed in a discussion about modifying the Apache configuration files (Zyxel Community).
  • Installing and Managing Certificates: Many users experienced issues installing SSL certificates on Zyxel NAS devices. A common problem is the NAS reverting to its self-signed certificate after rebooting. To fix this, users suggested deleting the CA.cer file in the /etc/zyxel/cert directory, which forces the NAS to use the default.cer file instead. This has helped users successfully implement certificates from authorities like Let's Encrypt (Zyxel Community).
  • I'm getting "challenge failed" for domain [mydomain]!
    This error generally means that your Arch cannot be reached by the CA's server to verify authenticity. Please check that port 80 is forwarded to your Arch machine and that no service (Apache, for example) is already running on port 80.
  • I've imported certificates, now my NAS doesn't respond on either http or https!
    This indicates that the NAS's web server encountered an issue during startup; most likely something got mixed up when uploading the certificates to your NAS. However, there is no need to panic: SSH/SFTP should still work. If you are unable to restore a working state, please see this article.
  • I don't really feel like using Terminal to handle files, any other suggestions?
    If it is more comfortable for you, you may use Gnome's Nautilus file explorer to run the SFTP session with NAS for copying files.
    If you don't have Gnome installed (maybe you are on Arch's Live CD), there is a terminal-based orthodox file manager with SFTP support called Midnight Commander that should run even on a pretty barebones Arch setup. To install and run it as root, type:
    $ sudo pacman -S mc
    $ sudo mc

Just a heads-up: Zyxel NAS devices have reached the end of their support period. We understand this might be inconvenient, so to help you out, please visit our forum or explore the NAS section in our knowledge base for all the details. You can also find a list of outdated devices and their support timelines at the link below.

Thanks so much for your understanding and patience!
