QTS 5.2.9.3451
QuObjects 2.5.539
I have a QNAP TS-853A that I am using as a S3 target with Quobjects.
It has worked nicely for quite a long time, but suddenly it has started acting weird.
I have a ‘public’ certificate on it, and I use it as a target for Proxmox Backup Server.
PBS is quite stringent with certificates, so I have of course uploaded the full chain in the QNAP.
I’ve tried checking the certificate, on the https port it shows the right certificate chain.
openssl s_client -connect s3.domain.com:443 -servername s3.domain.com -showcerts
Connecting to 185.109.88.115
CONNECTED(00000003)
depth=2 C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46
verify return:1
depth=1 C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
verify return:1
depth=0 CN=s3.domain.com
verify return:1
---
Certificate chain
0 s:CN=s3.domain.com
i:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 2 00:00:00 2026 GMT; NotAfter: Dec 17 23:59:59 2026 GMT
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
1 s:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
i:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46
a:PKEY: RSA, 3072 (bit); sigalg: sha384WithRSAEncryption
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59 2036 GMT
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
---
Server certificate
subject=CN=s3.domain.com
issuer=C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
…
But when I check on the QuObjects port, it doesn’t show the full chain, only the server cert???
root@proxmox-backup-server:~# openssl s_client -connect s3.domain.com:8010 -servername s3.domain.com -showcerts
Connecting to 185.109.88.115
CONNECTED(00000003)
depth=0 CN=s3.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=s3.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=s3.domain.com
verify return:1
---
Certificate chain
0 s:CN=s3.domain.com
i:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 2 00:00:00 2026 GMT; NotAfter: Dec 17 23:59:59 2026 GMT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=CN=s3.domain.com
issuer=C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 2826 bytes and written 1648 bytes
Verification error: unable to verify the first certificate
I have tried doing a ‘combined’ certificate, and not upload the intermediate seperately. But it still doesn’t show the full chain, thus the connection is bad when seen from the outside.
As I said, this has worked for a very long time, without any issues, so what is going on now?