I have a custom SSL certificate that I would like to install on my WD My Cloud device. Are there instructions on how to go about doing this? I have a custom domain for my network and the devices on it and I access the My Cloud device via its FQDN (ex. mycloud.mydomain.com) but get a browser error that the certificate does not match. I have a certificate but do not know how to install it on the device. I know it should be done via SSH, but need the steps.
The question I have is why put SSL certs on the device(s) rather than the router that controls the network for your custom domain.
If you have the expertise to have a custom domain, you should be able to figure out how & where to install SSL certs. At least some on the MyCloud (gen.1) are in /etc/ssl/certs but you may be able to install in /etc/ssl/private as well.
I just did this to mine. It’s just a debian system under the hood running apache2. These are my notes.
How to install custom SSL certs to wdmycloud.
# Make sure you have SSH access enabled.
# You could lock yourself out of the web interface doing this.
# Apache is in /etc/apache2
# Find the certs
WDMyCloud:/etc/apache2# grep SSL */*
# The certs are kept here. Compare the certs with what the browser reports.
sites-available/wdnas-rest-api.conf: SSLCertificateFile /var/www/rest-api/config/server.crt
sites-available/wdnas-rest-api.conf: SSLCertificateKeyFile /var/www/rest-api/config/server.key
sites-enabled/wdnas-rest-api.conf: SSLCertificateFile /var/www/rest-api/config/server.crt
sites-enabled/wdnas-rest-api.conf: SSLCertificateKeyFile /var/www/rest-api/config/server.key
WDMyCloud:/etc/apache2# openssl x509 -in /var/www/rest-api/config/server.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
01:60:3c:93:13:89
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CS, L=Mountain View, O=Western Digital, OU=Branded Products, CN=remotewd.com
Validity
Not Before: Dec 9 18:39:19 2017 GMT
Not After : Dec 9 18:39:19 2027 GMT
Subject: C=US, ST=California, L=Mountain View, O=Western Digital Corporation, OU=Branded Products, CN=device2840660-89aad99a.wd2go.com/emailAddress=admin@localhost.com
...
# On pfsense (or wherever you get your certs),
# go to cert manager and create a new internal server cert.
# download the cert, key and cacert to the wdmycloud.
WDMyCloud:/etc/apache2# ls -l ~
total 12
-rwxrwx--- 1 mario 197121 2296 Mar 27 11:51 cacert.crt
-rwxrwx--- 1 mario 197121 2078 Mar 27 11:49 wdmycloud.crt
-rwxrwx--- 1 mario 197121 1704 Mar 27 11:49 wdmycloud.key
# We're going to overwrite what's there instead of renaming things.
# Backup existing files.
WDMyCloud:/etc/apache2# ls -l /var/www/rest-api/config
total 56
drwxrwxr-x 3 root www-data 4096 Nov 4 22:42 Windows
-rwxrwxr-x 1 root www-data 484 Mar 27 10:20 dynamicconfig.ini
-rwxrwxr-x 1 root www-data 484 Mar 27 10:20 dynamicconfig.ini_safe
-rwxrwxr-x 1 root www-data 14074 Jun 1 2018 globalconfig.ini
drwxrwxr-x 9 root www-data 4096 Nov 4 22:42 platformConfig
-rwxrwxr-x 1 root www-data 5956 Mar 27 10:20 server.ca-bundle
-rw-r--r-- 1 www-data www-data 1187 Mar 27 10:24 server.crt
-rw-r--r-- 1 www-data www-data 1139 Mar 27 10:24 server.csr
-rw-r--r-- 1 www-data www-data 1704 Mar 27 10:24 server.key
drwxrwxr-x 3 root www-data 4096 Nov 4 22:42 upgrade
WDMyCloud:/var/www/rest-api/config# tar zcvf original-wdmycloud-SSL-certs.tgz server.ca-bundle server.key server.crt
# Copy it off the wdmycloud and encrypt it because it contains a key.
$ rsync -Pa root@wdmycloud:/var/www/rest-api/config/original-wdmycloud-SSL-certs.tgz .
receiving incremental file list
original-wdmycloud-SSL-certs.tgz
6,081 100% 5.80MB/s 0:00:00 (xfr#1, to-chk=0/1)
$ gpg -se original-wdmycloud-SSL-certs.tgz
You need a passphrase to unlock the secret key for
user: "xxx"
4096-bit RSA key, ID xx, created 2022-01-01 (main key ID xx)
# Put the new material into place.
WDMyCloud:/var/www/rest-api/config# cat ~/wdmycloud.crt > server.crt
WDMyCloud:/var/www/rest-api/config# cat ~/wdmycloud.key > server.key
## Note: Make sure the cacert appends correctly. May be missing a LF.
WDMyCloud:/var/www/rest-api/config# cat ~/cacert.crt >> server.ca-bundle
# Reboot or restart apache2
/etc/init.d/apache2 restart
# Check startup in log
cat /var/log/apache2/error.log
# Reload the web page in your browser.
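Added example, not part of the original notes: a pre-flight check to run on the new files before overwriting server.crt and server.key, covering the key/certificate match, the FQDN, the chain to the CA, and the missing-LF problem noted for the bundle. The function names are made up for this example, and `openssl x509 -checkhost` assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Pre-flight checks for replacing server.crt / server.key / server.ca-bundle.
# File roles follow the notes above; function names are hypothetical.

# True if FILE is non-empty and its last byte is a line feed, so that
# `cat new.crt >> bundle` cannot glue two PEM armor lines together.
pem_ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# True if the private key belongs to the certificate (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is valid for the name typed into the browser.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True if the certificate verifies against the CA certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight CERT KEY CACERT FQDN BUNDLE
# Prints every failed check and returns non-zero if any check failed.
preflight() {
    rc=0
    key_matches_cert "$1" "$2"  || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    cert_covers_host "$1" "$4"  || { echo "FAIL: $1 does not cover $4"; rc=1; }
    cert_chains_to_ca "$1" "$3" || { echo "FAIL: $1 does not verify against $3"; rc=1; }
    for f in "$1" "$2" "$3" "$5"; do
        pem_ends_with_newline "$f" || { echo "FAIL: $f is empty or lacks a final LF"; rc=1; }
    done
    return "$rc"
}

# Run only when called with all five arguments.
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

With the file names from the notes, the call would be `sh preflight.sh ~/wdmycloud.crt ~/wdmycloud.key ~/cacert.crt mycloud.mydomain.com /var/www/rest-api/config/server.ca-bundle`, where `preflight.sh` is whatever name the script is saved under.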
Keep in mind that gen2 myclouds have non-persistent storage, and will not retain the custom certificate.
There are ways to hijack an installed application (or rather, hijack its init script) on a gen2 mycloud to get the unit to either symlink in the certificates from a secure location in the persistent storage, or copy them into the volatile image when the unit boots.