I have tested this on WD My Cloud EX4 (an obsolete model).
- Enable SSH access through the NAS web interface, choosing a suitable password when prompted.
- Copy the certificates over from where they are stored.
cd /home/user/certs # e.g.
scp *.pem [email protected]:/shares/Public/
- Connect using the chosen password.
ssh [email protected]
mkdir /shares/Public/certs # Public is a default share used as an example; a custom user's folder is a better place for these files
mv /shares/Public/*.pem /shares/Public/certs/
- Create a script to apply the certificates manually (for testing).
tee /shares/Public/certs/apply_certs.sh << EOF
#!/bin/sh
# Copy certificates to their locations
cp /shares/Public/certs/fullchain.pem /etc/ssl/certs/
cp /shares/Public/certs/privkey.pem /etc/ssl/private/
# Update Apache Conf
sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/ssl/certs/fullchain.pem|' /usr/local/apache2/conf/mods-enabled/ssl.conf
sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/ssl/private/privkey.pem|' /usr/local/apache2/conf/mods-enabled/ssl.conf
# Update Apache DAV conf
sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/ssl/certs/fullchain.pem|' /usr/local/apache2_dav/conf/extra/httpd-ssl.conf
sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/ssl/private/privkey.pem|' /usr/local/apache2_dav/conf/extra/httpd-ssl.conf
# Update Apache REST API conf
sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/ssl/certs/fullchain.pem|' /usr/local/apache2/conf/sites-enabled/wdnas-rest-api.conf
sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/ssl/private/privkey.pem|' /usr/local/apache2/conf/sites-enabled/wdnas-rest-api.conf
# Restart Apache
/usr/local/modules/script/apache restart web
# OR /usr/sbin/httpd -f /usr/local/apache2/conf/httpd.conf -k restart
/usr/local/modules/script/apache restart dav
# OR /usr/local/modules/sbin/httpd -f /usr/local/apache2_dav/conf/httpd.conf -k graceful
EOF
- Test the script.
chmod +x /shares/Public/certs/apply_certs.sh
/shares/Public/certs/apply_certs.sh
Either add nas.fqdn.example.com to your website name server, to your LAN name server, or to your local /etc/hosts file, depending on your intended scope of accessibility.
Now open your NAS with its FQDN https://nas.fqdn.example.com in a new private window in your web browser.
Assuming all is well, proceed.
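- Create a similar script to persist the certificate across reboots (as the WD My Cloud EX4 Gen2 has non-persistent storage).
# The delimiter is quoted so that $local_fs and $remote_fs are written literally instead of being expanded by the shell
tee /etc/init.d/apply_certs << 'EOF'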
#!/bin/sh
### BEGIN INIT INFO
# Provides: apply_certs
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Reapply SSL certificates at boot
### END INIT INFO
# Copy certificates to their locations
cp /shares/Public/certs/fullchain.pem /etc/ssl/certs/
cp /shares/Public/certs/privkey.pem /etc/ssl/private/
# Update Apache Conf
sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/ssl/certs/fullchain.pem|' /usr/local/apache2/conf/mods-enabled/ssl.conf
sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/ssl/private/privkey.pem|' /usr/local/apache2/conf/mods-enabled/ssl.conf
# Update Apache DAV conf
sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/ssl/certs/fullchain.pem|' /usr/local/apache2_dav/conf/extra/httpd-ssl.conf
sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/ssl/private/privkey.pem|' /usr/local/apache2_dav/conf/extra/httpd-ssl.conf
# Update Apache REST API conf
sed -i 's|SSLCertificateFile.*|SSLCertificateFile /etc/ssl/certs/fullchain.pem|' /usr/local/apache2/conf/sites-enabled/wdnas-rest-api.conf
sed -i 's|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/ssl/private/privkey.pem|' /usr/local/apache2/conf/sites-enabled/wdnas-rest-api.conf
# Restart Apache
/usr/local/modules/script/apache restart web
/usr/local/modules/script/apache restart dav
EOF
- Append this script to the server cron to run when the NAS reboots:
(crontab -l ; echo "@reboot /bin/sh /shares/Public/certs/apply_certs.sh") | crontab -
- Reboot the NAS
reboot
- Test in a new private browser window again.
- Optionally, disable SSH access again via the web interface.
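
An added pre-flight check (not part of the original steps) to run before apply_certs.sh: it confirms that privkey.pem belongs to fullchain.pem, that the certificate is not about to expire, and that the key file is closed to group and others. The script name check_certs.sh and the presence of the openssl CLI on the NAS are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical check_certs.sh): validate a certificate/key
# pair before apply_certs.sh installs it and restarts Apache.
# Assumes the openssl CLI is available on the NAS.

# True if the leaf certificate in $1 and the private key in $2 share a public key.
pair_matches() {
    pm_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    pm_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$pm_cert" ] && [ "$pm_cert" = "$pm_key" ]
}

# True if the file in $1 grants no permissions to group or others.
key_is_private() {
    [ -f "$1" ] || return 1
    kp_mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$kp_mode" = "------" ]
}

# Run all checks on certificate $1 and key $2; report the first failure.
preflight() {
    pair_matches "$1" "$2" ||
        { echo "FAIL: $2 does not match $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "FAIL: $1 expires within 24 hours" >&2; return 1; }
    key_is_private "$2" ||
        { echo "FAIL: $2 is accessible to group or others" >&2; return 1; }
    echo "OK: $1 and $2 are safe to apply"
}

# Usage: sh check_certs.sh <fullchain.pem> <privkey.pem>
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

With the layout used above, the arguments are /shares/Public/certs/fullchain.pem and /shares/Public/certs/privkey.pem. A failure on the last check is resolved by running chmod 600 on the key before it is copied.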