How does the Letsencrypt certificate renewal work?

In light of the recent issues with My Book Live (I have one), I’m disinclined to let My Cloud EX2 Ultra have access to the internet. To this effect, I have blocked access of the internet to the NAS from the router.

Having said that, I am assuming that doing this would let Letsencrypt certificates stop renewing. Is that so? Can someone knowledgeable about this confirm it?

If so, should I periodically let the drive have access to the internet near the renewal date?



Short answer: NO

Longer answer: For goodness sakes. . . .don’t let the abusive drunk go out to a bar once a week. . . .sure. . . it’s better than going out every night. . . .but still. . .don’t do it.

I suspect what will happen is the HTTPS redirect will fail. . .and the dashboard connection will revert to simple HTTP. Your browser might whine about an insecure connection. . .but you KNOW where your NAS has been. . .

. . .now, some other things may get dodgy. I suspect the apps might start having an issue because. . .the unit is gonna look for app updates and not find them. But I don’t know. I was not a huge app user to start with. . . .and not too long after forbidding my OS5 unit from accessing the internet. . .I forbade it from logging onto my network in any capacity (i.e. it’s powered down). My OS3 unit has cloud access denied; but it is not “blocked” at the router; as I want to retain VPN access to the unit.


While true, HTTPS offers protection in local transfers as well by preventing man-in-the-middle attacks. So just keeping it off the internet may not make it secure by default.

I wish it had a simpler way to control the Letsencrypt certificates. I can do that from the CLI but I fear it will mess up the GUI for their web interface.

It is my understanding that the implementation of the HTTPS redirect (which involves external DNS servers) also introduces the potential for a man-in-the-middle.


Find a different solution. Have not seen anything from WD of late.

Dear god. I knew it! The way the redirection works is very weird.

Such a simple Letsencrypt command is being complicated by these people. They could just use acme to generate a script. These weird “hack” type SSL implementations make these devices even more insecure.

Just ask the user for a free No-IP or DuckDNS domain and register that using Letsencrypt.

I’m increasingly coming to the realisation that a properly secure NAS can only be custom made.