Wednesday, 20 March 2013

Synology Self Signed SSL Certificates Invalid Cipher Type

UPDATE: The new version of Synology's DSM (version 4.2) does not have the problem discussed in this post - so the simple fix is to update your Synology to version 4.2 or above. An anonymous comment also suggests a quicker fix than mine that sounds good but since I've already upgraded to 4.2 I can not test it.

Recently I started signing my own SSL certificates for internal use at my company. One of the systems which refused to play nice with my certificates was a Synology DS412+ running version 4.1 of their DSM software. The Synology guides for creating a self signed certificate assume you will be happy creating the CA on the Synology itself, not using a self signed certificate created on another separate CA system. Since I already have my own private internal CA which is trusted on my domain this was not ideal for me. When trying to import the certificate I created on my private CA I received a very unhelpful error...
Illegal certificate
...with no clarification on what was wrong with it. My first breakthrough came when I noticed that my certificate has a block of human readable text at the top and certificates generated using the guide on the Synology Wiki did not. Removing all text in the .crt file above "-----BEGIN CERTIFICATE-----" solved this problem - it is a text file so can be edited easily with vi, notepad or any other basic text editor.

Unfortunately importing the certificate now gives a new error:
Invalid cipher type. Please use another certificate and private key.
Again, this left me stumped for a bit. I managed to get it working by using the following series of commands to generate the certificate signing request and sign it:
$ openssl genrsa -out private/synology.key 1024
$ openssl req -config -new -key private/synology.key -out csr/synology.csr
$ openssl ca -config openssl.cnf -out certs/synology.crt -infiles csr/synology.csr
However I am still no wiser as to why this works when replacing the first two lines with my normal way of generating csr's...
$ openssl req -config openssl.cnf -new -nodes -newkey rsa:1024 -keyout private/synology.key -out csr/synology.csr -days 365
fails... If anyone can shed any light on this I'd love to learn what is happening. As far as I can tell both options would create rsa 1024 bit csr's which is the obvious interpretation of "Invalid cipher" and both commands use the same config file for defaults and v3 extensions etc. At least its working now and hopefully this will let anyone with the same problem generate their own ssl certificates for Synology devices.

5 comments:

  1. It looks like the Synology importer rejects PEM files with the invalid cipher type error when the header says "BEGIN PRIVATE KEY" (instead of "BEGIN RSA PRIVATE KEY").

    ReplyDelete
    Replies
    1. Thank you for the feedback that certainly makes sense. Unfortunately (or fortunately) I cannot confirm since the latest DSM (4.2) also imports my original certificates fine. Either way problem solved but I appreciate your suggestion.

      Delete
  2. Word of caution on DSM-4.0-2265. I also got this invalid cipher type error when adding a renewed certificate. I added RSA to the header of the new key and found that it prevented apache from starting. I had to set the value of runHTTPS="yes" to no in /etc/synoinfo.conf and go back and replace the "invalid" cert with the original before apache would start back up.

    ReplyDelete
    Replies
    1. It worked for me after changing the header into "BEGIN RSA PRIVATE KEY" and changin the footer into "END RSA PRIVATE KEY"

      Delete
    2. Forgot to mention: also running DSM-4.0-2265

      Delete