Tuesday, 29 April 2014

Secure your NAS with a trusted certificate

With all the security buzz around Heartbleed, I decided to secure my QNAP NAS just a little more, so I reconfigured it to only allow SSL connections.

However, because I have a twisted mind, I just couldn’t live with the browser complaints about using a non-trusted certificate… I had a quest… :)

Step 1: Buy yourself a certificate

Since I was not willing to pay a lot of money to fulfil my needs I ended up at [] ( where I could buy a certificate for only 4.99$ a year.

So I bought myself a certificate.

Note: There is only one thing you have to know before you buy a certificate: you need an approver email linked to the domain that you use for your certificate. Most often this means that you will be the domain owner for the domain linked to your certificate.

Here’s an example: if you want to buy a certificate for the approver email has to be one of the following:


If you have access to the approver email you can just go on and buy yourself a certificate.

Step 2. Get your keys

The next step is to get yourself a pair of keys. The easiest way to do this is via openssl.

openssl req -nodes -newkey rsa:2048 -keyout qnap.key -out qnap.csr

This command produces two files:

  • qnap.key: your private key (as the name says, keep it private!)
  • qnap.csr: your Certificate Signing Request

Step 3: Activate your certificate.

Activate your certificate by submitting your CSR at the merchant where you bought your certificate.

  • To copy your CSR to the clipboard (on a Mac):

    pbcopy < qnap.csr

Step 4: Add your trusted certificate to your NAS

Once you’ve submitted your CSR you’ll get two new certificates in return: a Web Server CERTIFICATE and an INTERMEDIATE CA.

All that is left to do is to add the certificate to your QNAP NAS.


vim /etc/stunnel/stunnel.pem

Note: you can find a cheat sheet on how to use vim here.

Add your key and certificates in this order:

  • First your private key
  • Secondly your Web Server CERTIFICATE
  • Then your INTERMEDIATE CA

    -----END RSA PRIVATE KEY-----
    -----END CERTIFICATE-----
    -----END CERTIFICATE-----
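Instead of pasting the three blocks by hand, the file can be assembled and checked from the shell. This is an added example, not part of the original post; the function names are hypothetical and the input file names are whatever you saved the key, server certificate and intermediate certificate as.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the type of every PEM block in a file, in order, one per line.
# Carriage returns are stripped because CA e-mails often use CRLF line ends.
pem_block_types() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Succeed only if the file holds: private key, certificate, certificate.
# Older OpenSSL writes "RSA PRIVATE KEY", newer writes PKCS#8 "PRIVATE KEY".
# A block glued to the previous END line (input without a trailing newline)
# does not start a line and therefore fails this check.
check_pem_order() {
    types=$(pem_block_types "$1" | tr '\n' ',')
    case "$types" in
        "RSA PRIVATE KEY,CERTIFICATE,CERTIFICATE,") return 0 ;;
        "PRIVATE KEY,CERTIFICATE,CERTIFICATE,") return 0 ;;
    esac
    echo "unexpected PEM block order: $types" >&2
    return 1
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage: build_stunnel_pem KEY SERVER_CERT INTERMEDIATE_CERT OUTPUT
build_stunnel_pem() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match server certificate" >&2
        return 1
    }
    # Create the output readable by its owner only: it contains the private key.
    ( umask 077 && cat "$1" "$2" "$3" > "$4" ) || return 1
    chmod 600 "$4"
    check_pem_order "$4"
}
```

Write to a scratch path first and copy the result over /etc/stunnel/stunnel.pem only after the function returns success, so a mismatched key never replaces a working file.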

You can now safely go to:

Update your Domain Name (DNS) with a Dynamic IP and Amazon Route 53

Note: this also works on a QNAP NAS

  • Install Python and pip (for QNAP you can find a how-to here).
  • Install the required libraries
    $ curl -o boto-2.27.0.tar.gz -k
    $ pip install boto-2.27.0.tar.gz
    $ curl -o -k
    $ pip install
  • Configure boto
    $ touch /etc/boto.cfg
    $ vim /etc/boto.cfg

    Add the following lines to boto.cfg:

    aws_access_key_id = <your_access_key_here>
    aws_secret_access_key = <your_secret_key_here>

    Note: you can find a cheatsheet on how to use vim here.

  • Install the script to update your DNS. The script is also available on GitHub here.
    $ cd /share/MD0_DATA
    $ mkdir scripts
    $ cd scripts        
    $ curl -o -k
  • Configure the script
    $ vim
    • Change the following lines (more info about Amazon Hosted Zones is available here):
      # Settings, Change me!
      HOSTED_ZONE = 'ZXQU10000001'
      DOMAIN_NAME = ''
    • Change the file permissions:
      $ chmod +x
    • Test the script:
      $ ./   
  • Run your update script every 5 minutes

    $ vim /etc/config/crontab
    • Add the following line:

      */5 * * * * /share/MD0_DATA/scripts/
    • Restart cron and reboot

      $ /etc/init.d/ restart
      $ reboot

Note: there seems to be a script available on the QNAP NAS just to retrieve your WAN IP; the script is located on your NAS under /etc/init.d/

Install Python pip on QNAP NAS

  • QNAP Model: TS-439 Pro II
  • CPU: Intel(R) Atom(TM)

Setup procedures

  • Install Python from the QNAP App Center (this should be the easiest way).
  • Access your NAS through SSH, e.g. ssh admin@
  • Install setuptools
    $ wget --no-check-certificate      
    $ tar xf setuptools-3.4.4.tar.gz        
    $ cd setuptools-3.4.4       
    $ python setup.py build
    $ python setup.py install
  • Install pip
    $ curl -O -k
    $ tar xf pip-1.5.4.tar.gz
    $ cd pip-1.5.4
    $ python setup.py install
  • Add symbolic links
    $ vim /share/MD0_DATA/.qpkg/Python/

    Note: you can find a cheatsheet on how to use vim here.

    Insert the following two statements under the “#create symbolic links” section

    /bin/ln -sf ${QPKG_BASE}/.qpkg/Python/bin/pip /usr/bin/pip
    /bin/ln -sf ${QPKG_BASE}/.qpkg/Python/bin/pip2.7 /usr/bin/pip2.7

    Save and exit.

    /share/MD0_DATA/.qpkg/Python/ restart

SSL error when using pip

When running pip install you’ll get the following SSL error (run with -v option):

SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Workaround: Install libraries manually


  • Download the archive:
    curl -o boto-2.27.0.tar.gz -k
  • Install the archive:
    pip install boto-2.27.0.tar.gz
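The `-k` and `--no-check-certificate` flags used in these steps switch off TLS certificate verification, so the archive handed to pip is unauthenticated. The following added example (not from the original post) installs an archive only when its SHA-256 digest equals a value pinned in advance. The function names and the INSTALLER variable are assumptions, and the expected digest has to come from a source reached over verified TLS, for example the package index viewed on another machine.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the lowercase hex SHA-256 of a file with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Usage: install_if_pinned ARCHIVE EXPECTED_SHA256
# Runs $INSTALLER (default: pip install) only when the digest matches.
install_if_pinned() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1") || return 2
    # An unreadable or missing file yields no digest; never treat that as a match.
    [ ${#actual} -eq 64 ] || { echo "could not hash $1" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $1" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    # Intentionally unquoted so "pip install" splits into command and argument.
    ${INSTALLER:-pip install} "$1"
}
```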

Sunday, 13 April 2014

Clang error installing Ansible on Mac

Installing the latest version of Ansible on Mac should be very easy when using pip. However, when I tried to do this on my Mac with the most recent versions of all software, I got the following error during install:

clang: error: unknown argument: '-mno-fused-madd'

The problem seems to be the latest (5.1) version of Xcode, which treats unknown command-line arguments as errors.

The workaround is quite simple: run the pip command with the following prefix:

ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future sudo pip install ansible

Run pip this way and your Ansible install will work like a charm again.