Is there a step by step process to setup auto renewing free Let’s Encrypt SSL certificate for self hosted website (to make website secure with HTTPS) using QNAP NAS’ built in Webserver Application?
Best method is to use an external hoster for the web site. 
QNAP has often been hacked in history, and providing NAS to internet (even, if “only” web server is accessible) is a bad idea.
HTTPS does not protect you in any way from being hacked.
Regards
2 Likes
DO NOT!!! DO NOT!! Publish your NAS to the internet. Exceptionally bad idea for multiple reasons.
1.) Many QNAPs have been hacked with ransomware doing this.
2.) SSL certificates only protect by encrypting the data that is sent between the server and the client on the other end. They do nothing to protect the server itself.
This is a bad idea in so many ways.
Get yourself an external web hosting account and host your website there. You can get them for a few dollars a month and that is so much better than exposing all your stuff.
If you must do something locally, then do it in a Container.
As mentioned, using the built in stuff opens you to potential problems.
Depending on your (unmentioned) NAS model though, a reasonably safe way to do this is to run your website in a container, if your NAS has the resources for that.
Ideally though, a 3rd party server is the way to go as your network and data is not at risk.
Thanks & I appreciate your warning. I’m a believer & want to have complete moderation over this website. It’s for my village & I provide it pro bono hence I’m trying to avoid the extra expense by it being posted somewhere in the cloud.
Am I misunderstanding the creation of a SSL secure website on my own NAS. How would getting an external web hosting account make my website and/or my NAS more secure?
You mention doing it in a container if I want to remain self hosted, that sounds interesting, what would that involve exactly? How would it be more safe than just getting a SSL certificate?
Are there any links you can provide where I could see someone’s journey to provide a self hosted website using Let’s Encrypt SSL Cert within a container on a QNAP NAS?
Running in a container gives you the control over the actual web server application, and it’s updates rather than relying on QNAP to patch, update, etc. You would have full control. I don’t run containers, but I’m sure others here (or google) will point you to hundreds of guides on how to setup your own web server on a QNAP NAS. It also gives you a huge amount of flexibility in what you run, add ons, etc. This has no relation or impact on the security of running SSL.
I applaud your efforts to run this pro bono for your community. I did a similar venture for organisations. Originally I ran it on a (differrent brand) NAS, but migrated to my QNAP NAS when I found the original underpowered. I then migrated from the QNAP NAS due to the security risk (just search on QNAP hacks from the past) to a Raspberry Pi. It offers a standalone device (so no risk to other devices or data) that was easy to setup and manage, and cheap (around $50 depending on configuration). Also cheap to run, and I could shut down my NAS and not affect websites etc. In the end, I found a cheap hosting site ($100 a year) and migrated to that. No hassle in keeping patched or updated (they do this), easily configurable, easy to backup (web gui), easy to install forums and other applications (available through the hoster), zero security risk, zero availability issues, doesn’t affect my personal internet connection usage, etc. The other benefit is that the host site also manages and provides the SSL certificates.
An external web hosting account does several things:
1.) Security is handled and maintained by the hosting company. They are generally better experts at it than the rest of us.
2.) Having the website run remotely on a hosted server, removes any danger of your LAN being compromised by an intruder.
3.) Having the website run remotely protects any other valuable data on the NAS.
There are many, many forum posts in the old forum about people who lost everything to ransomeware…
Is the cost of $6 a month for your village worth it as opposed to thousands of dollars or higher for ransomeware?
And let me repeat again:
Creating an SSL certificate does NOTHING to secure your website from attacks. It only ensures the data being sent/received is encrypted.
NA9D and others - If someone really needs to use a web server on QNAP NAS, what do you think about installing QuTScloud in Virtualization Station and routing it to this isolated virtual NAS system?
If somebody HAS to run a website on the NAS, isolate it via a container or VM.
(You can cloudflare or reverse proxy that one on top if needed)
1 Like
When you mention external hosting for as little as $6 per month to which provider are you referring? Do they allow separate use of Everweb for publishing and maintaining the website once migrated or do they require one to use their own software? I looked at NameCheap which seems to be very popular and fairly cheap but 1. They don’t offer telephone support. 2. They require one to use their cPanel to maintain the website.
Thanks Dolbyman. I’m not sure what using Cloudfare involves regarding the cost & complexity? When I looked into Reverse proxy this seems like a good solution except no-one with my exact setup appears to have achieved this outcome. Do you have a link to anyone who’s got QNAP NAS, using Webserver application where they have setup a Let’s Encrypt SSL certificate to achieve HTTPS for their self hosted website? How would I isolate the website via a container?
Regarding the Let’s Encrypt renewal, you may consider doing so via myQNAPcloud.
As for the risks of exposing your device to the internet, as other members have mentioned, it requires careful evaluation. If WAN access is absolutely necessary, please ensure you limit the exposure to the “minimum required scope” and properly configure Port Forwarding. Most importantly, always maintain a solid data backup—it is your ultimate line of defense for your data.
1 Like
Do a search of VPS providers. There’s a lot out there. With a VPS you can install and run whatever you want. It’s your own virtual server in the cloud. Some are less than $6 a month…
So have you put the webserver in a container or VM yet?..that was the first step
At the risk of incurring the wrath of others, there’s a article at: How do I install a Let’s Encrypt SSL certificate for my custom DDNS domain in QTS? | QNAP
However, let me tell a cautionary tale. A few years ago I set up an experimental website which was OK for a few months, then I started getting dozens of notifications of failed attempts to hack it overnight, and later, hundreds of what must have been brute force automated attempts.
I took it offline and haven’t bothered since.
If you insist on running it from your home, I’d say get a second nas from ebay or cex etc and dedicate it to the website.
Don’t forget that unlike external hosting, you’re paying the electricity bill.
Thanks to everyone for their helpful tips. SteveKo could you walk me through how to obtain a SSL through via MyQNAPcloud?
QNAP technical support didn’t mention this too me during a number of exchanges requesting help to add security to my Webserver Application self hosted website.
As you, and QNAP, point out, there are MANY steps that should be taken to “harden” your system and provide SOME level of protection. For example, it looks like your “mistake” was to allow admin gui from the internet.
There are many guides on the basics, such as (to mention only a few)
- Never enable admin gui from WAN
- Never enable UPnP on the NAS
- Never enable UPnP on your router (unless you REALLY know what you are doing, and for other devices)
- Never forward any port to your NAS unless you absolutely know what is on that port
- Never put your NAS in a DMZ
- Always ensure you run a firewall on your router
- Always have a full, offline, backup of anything you can’t afford to lose
- etc
Hi SteveKo, I have replaced the SSL certificate as you tested. Its reports the certificate is current. I have linked it to my website domain, is there something else I need to do to ensure the site is secure? I have enabled HTTPs in QNAP Control panel. While doing this I’m ;looking into using Rage Sofdtware’s External Hosting but need to speak with them before making the jump.
What you’re looking for is an alternative name for your ssl certificate.
You can define this under control panel→system→security→ssl certificates & private key.
First step is to get a Let’s Encrypt certificate via myQNAPcloud. You can’t configure an alternative name here. Second step is to configure the alternative name as described above via the control panel.