How to install https certificate on GDS3705/10?


#1

Hi,

Trying to install certificates, I first followed this guide, but I am only getting the “invalid certificate” error:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

I have read on this forum that for other devices from Grandstream, the following free certificate service was recommended:
https://letsencrypt.org/getting-started/
But I quickly ran into trouble: although we have shell access on the GDS3710, we cannot install the Certbot client as explained in the guide, can we?

Does any guide exist that actually applies to the GDS3705/10?


#2

@deedee: Are you referring to a customized certificate? You have to generate a legal certificate somehow, from somewhere, then upload it into the GDS via the web UI.

Hope this helps. Thank you for using Grandstream Access Control products.


#3

@GS_Guy: you are correct, I am indeed referring to custom certificates. I get that you need to generate them somehow, I just need to understand the specifics.

For instance, according to the Let’s Encrypt guide mentioned above: as GS doesn’t seem to support certbot installation, nor offer built-in Let’s Encrypt support, I suppose that the only way to go is “manual mode”. Correct?

I then need to choose between the HTTP and the DNS challenge. It seems I have to choose DNS? But then there is this:

“When using the dns challenge, certbot will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge.”

Where do I place this record, as I am directly connecting to the GDS by its IP address?


#4

@deedee I am not good at network security etc. I guess you might google “how to generate a certificate” and see whether you can get some hints. Or you can open a support ticket at Grandstream HELPDESK to ask a related engineer to help you.

For the GDS, if you already have a legal and valid certificate file, just log into the device and upload it into the internal cache memory of the GDS; the certificate file will be stored inside the device for related usage.

Hope this helps. Thank you very much!


#5

If you intend to use Let’s Encrypt-style certificates, then you will need an additional piece of hardware (not the GDS) to implement what is required for the Let’s Encrypt mechanism to work. It could be a Raspberry Pi running Linux or something else. The GDS is not meant to offer that kind of service. Which is, IMHO, quite normal…


#6

@golfvert, thanks for chiming in.

Above all, I intend to establish a safe connection to the GDS 3710. I still couldn’t figure out how to do it. Is there a way to achieve that without additional hardware (as per your suggestion)?


#7

You want HTTPS to your GDS? So that the traffic is encrypted and nothing else?
I can think of a few options:

  1. Create self-signed certificates on your PC with “openssl” and upload those certificates on the GDS. Your browser, when accessing the GDS, may/will complain that the certificate is not valid, but you should be able to bypass this warning.
  2. don’t bother with certificates. Enable HTTPS on the GDS. Your browser WILL complain about that. It should nevertheless allow to bypass the warning.
  3. Do it the “clean” way. Buy a certificate somewhere (e.g. Cloudflare) and, with the correct DNS configuration, you should be able to connect to your GDS (after having uploaded the certs) without issues.

It really depends on your use case. 1. and 2. are crappy solutions but might be sufficient depending on why you want that.
IMHO, if your network is not safe enough to use HTTP it is probably not safe enough to use “dirty” HTTPS.


#8

Yes, I want to avoid a potential MITM attack (the GDS is accessible from the internet). I thought using certificates was just good practice, and hence that there would be documentation.

Regarding 1., I tried that (first guide I mentioned), to no avail.
2. is how I’m using it right now. Doesn’t feel quite right, though.
I was hoping to do 3. with letsencrypt…


#9

Do you have to expose it to the whole world? Can’t you enable NAT in the ACL?


#10

I think that creating/managing certs is out of scope for a videophone.
Using Let’s Encrypt requires a piece of hardware on the side.
Nothing to be done here, I am afraid…