Heartbleed and Certificate Authorities


Some people might have noticed that my Certificate Authority (CA) has lost its trusted status due to Heartbleed, a bug in the OpenSSL libraries. As my CA, startssl.com, did not come up with a solution for Heartbleed and was also unable to manage its merger with other SSL companies, Mozilla flagged the CA as untrusted in Firefox 51. Google Chrome followed with version 56 of its browser and flagged the CA as untrusted as well.

As I am something of a fan of SSL and the idea behind it, I simply switched to Let's Encrypt for my certificate. Under Control Panel / Security / Certificates you can quickly generate certificates yourself on your Synology. Open port 8080 for the initial setup and port 443 for the SSL traffic, and leave them open for automatic renewals. Afterwards you can create your new certificate via Add / Add a new certificate / Get a certificate from Let's Encrypt.

You can use your dynamic DNS provider's domain name and add your official domain as an alternative name, if you host your page yourself. Sometimes this is required, as some domain providers, such as 1&1, want to sell their own SSL certificates and block services like Let's Encrypt. By going through your dynamic address via myFritz.net or dyndns.com you can work around this. If you receive an error message recommending a fresh login, you most likely have one of the following issues:

  • Ports on your router are closed
  • The Synology firewall might be misconfigured
  • Synology Web Station is not running
  • Your domain or dynamic DNS provider blocks the required traffic

As Let's Encrypt certificates are short-lived, it makes sense to leave ports 8080 and 443 open so that the certificate is renewed automatically; a better way is to open the ports manually only when needed and renew the certificates yourself.
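The four causes listed above can be checked from a script before you click through the Let's Encrypt dialog, and the same script tells you how many days are left on an issued certificate so you know when a renewal is due. The following is an added example written for this post, not code from the post or from Synology; it assumes the hostname and public IP are placeholders you replace with your own, that the ports passed in are the ones you forwarded to the Synology (the post uses 8080 and 443), and that `connect`/`resolve` are injectable only so the logic can be tested without a network.

```python
"""Pre-flight checks for a self-hosted Let's Encrypt certificate request, plus a
renewal-window check. Added example, not from the original post; the host and
IP used at the bottom are placeholders."""
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # Let's Encrypt certificates are short-lived; renew early


def port_reachable(host, port, connect=socket.create_connection, timeout=5):
    """True if TCP host:port accepts a connection. `connect` is injectable and
    mirrors socket.create_connection(address, timeout) for offline testing."""
    try:
        with connect((host, port), timeout):
            return True
    except OSError:
        return False


def dns_matches(host, expected_ip, resolve=socket.gethostbyname):
    """True if the dynamic DNS name currently resolves to your public IP."""
    try:
        return resolve(host) == expected_ip
    except OSError:
        return False


def days_until_expiry(not_after, now=None):
    """Whole days left, given notAfter exactly as ssl.getpeercert() reports it,
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative means already expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def needs_renewal(not_after, now=None):
    return days_until_expiry(not_after, now) < RENEW_WITHIN_DAYS


def diagnose(host, expected_ip, ports, connect=socket.create_connection,
             resolve=socket.gethostbyname):
    """Map failed checks to the causes in the post: a domain or dynamic DNS
    provider blocking traffic, closed router ports, a misconfigured Synology
    firewall, or Web Station not running."""
    problems = []
    if not dns_matches(host, expected_ip, resolve):
        problems.append("DNS: %s does not resolve to %s" % (host, expected_ip))
    for port in ports:
        if not port_reachable(host, port, connect):
            problems.append("port %d unreachable from outside" % port)
    return problems


if __name__ == "__main__":  # ports: whichever you forwarded to the Synology
    print(diagnose("nas.example.com", "203.0.113.5", ports=(8080, 443)))
```

Run it from a machine outside your own network, otherwise the port check only tells you about your LAN, not about the router forwarding.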
