Container Station console only works with myqnapcloud link - Certificate issue? (2024)

Hi all.

I have set up my own domain name, DDNS service and reverse proxy so I can access my QNAP (TS-873A) web inbterface without the use of myqnapcloud.It all works great except that the console in container station does not.
If I access the qnap web interface via the myqnapcloud link, the console in container station works.
If I acces the qnap web interface via the local network IP and port, the console in container station does not work.
If I access the qnap web interface via my own domain name, reverse proxy and ssl certificate combination, the console in container station does not work.

It seems like a certificate issue, where the container staion will only trust you enough to allow the use of the console if you have connected to the interface via the myqnapcloud link/certificate.

I have looked at the container station certificate under preferences in container station and clicked renew (it succeded) but I don't see any option to trust my own domain name / reverse proxy / ssl certificate.

I want to not have to use the myqnapcloud link and disable myqnapcloud altogether (due to past history / security concerns), but I have to be able to use the console in container staion.

Any help will be greatly appreciated.

Do you talk about the container console 'Attach terminal'? Or is even the Container Station app not available?

Certificates are only valid for specified domains, and you can add additional ones with the domain name field for the certificate settings of your docker/container station. Did you provide the additional domain names there?

This is how container station looks when I connect to the nas using the XXXX.myqnapcloud.com link

Please notice that the log is populated. If I execute a /bin/bash command, I get a working terminal and I can interact with the container.

This is how it looks if I access the nas via my local IP address (no SSL certificate) or via my personal domain address, with its own, valid, Let's Encrypt SSL certificate.

Notice that the log is not populated. If I execute a /bin/nash command, I get an empty console, with a cursor at the top but I cannot write in it.

I have tried adding my domain in the domain field in the Preferences --> Certificates tab and renewing the certificate but it did not help. I tried my top domain, the subdomain I forward to the NAS and a wildcard subdomain but nothing worked.

No idea what to do so I can access the log and console in the container station without having to use the myqnapcloud access.

The container station app works fine either way and the containers run fine.

Can you check the certificate if the alternative domain names are included? Perhaps it didn't show up there? If you used the download button from the screenshot the certificate should be in /root/.docker on your NAS.

I guess there is no firewall or NAT router between your machine and the NAS? If a router or firewall is ther you may have to configure the port forwarding. But the myqnapcloud link is established via a VPN connection, and the portforwarding takes place on the myqnapcloud side. So besides the certificate it may be a network issue. I don't consider that to be likely, but still possible

Actually, if I click on download I get an option to select where to save the certificate. I saved it on the desktop of the PC where I'm viewing the NAS webpage from.
It produced a zip file with 3 files inside.
ca.pem
cert.pem
key.pem

I ran ca.pem and cert.pem though an online SSL decoder and this is what I got:

There doesn't seem to be a reference to an actual URL in the certificate.

I'm not even certain that the certificate is involved in the issue, but I know that if I access the NAS through XXXXX.myqnapcloud.com the logs and /bin/bash consoles work and if I access it through my local IP address (no SSL certificate) or my own subdomain URL (valid Let's Encrypt certificate that shows a secure connection in the address bar when accessing the NAS), they do not work.

OK, so you didn't protect the docker daemon from your NAS? Like this: https://docs.docker.com/engine/security/protect-access/? Are you able to stop and start a container when accessing via IP or subdomain?

No, I did not do the procedure detailed in the link you provided. I am able to start and stop containers, create new dockers and applications and everything else, regardless of if I connected through the myqnapcloud link, local IP or my domain. It all works fine. Only the logs and /bin/bash console are not working, as far as I have noticed so far.

I am running QUFirewall and have implemented the Advanced Security Policy through the Security Centre.

OK, I assume it won't be a certificate issue, as this should be blocking all commands to the docker daemon and will only do this if you secured docker. The QuFirewall can be the issue, but would most likely block the complete NAS access and not just container station logs.

Strange but there must be something else. Lets try the following, log in from local so that you can't see the logs. Then select 'Inspect' for one container and search for the 'log path' there. Try browsing to that path with the 'File Station' on you NAS admin interface.

This is the path:

LogPath:"/share/ZFS530_DATA/.qpkg/container-station/docker/containers/6d4c6f2a2a7f92e156819cdb30285ba45c5dde4cbec2454575074449043de92d/6d4c6f2a2a7f92e156819cdb30285ba45c5dde4cbec2454575074449043de92d-json.log"

But Filestation cannot access this path (as far as I know - correct me if I'm wrong), I would have to connect through SSH in order to do that.

But it may help you to know that if I reboot the NAS, then log in via my personal domain (or local IP) where I cannot see the logs (or run /bin/bash) and then, without logging out, make another session, loggin into the same account via the myqnapcloud link, on that session I can see the logs and can run /bin/bash. This is at the same time, through 2 different tabs on the same browser.

Yes, I'm using the same user.

Not only that, but if I log into the NAS through my own domain (where I do not see the logs console) and inspect a container to find the log path as you instructed and then log into the NAS through the myqnapcloud link and open the container station to inspect the same container, I find the inspect dialogue with the entries expanded just like I left it in the 1st session. The log file is of course showing the same path.

Please remember, it is not only the logs console, but the same behaviour happens in every console window, as I get a non functional console when I execute /bin/bash, when not on the myqnapcloud link, but it works through the myqnapcloud link.

This is my container station version, I don't seem to have an option to update it further.

I can access the NAS web interface if I type the name I have given to the NAS (which is not the same as my myqnapcloud prefix - it does not have to be), in my browser, like so: https://nasname:port
It does say that it is not secure. The same happens if I use the IP address I have assigned to the nas instead of the name.

Plot twist: Even though the browser says the site is not secure, the logs work in Container station, if I use the NAS name in the address.

So the logs work if:
I use the local NAS name in the address (not secure)
I use the myqnapcloud address (secure)

The logs do not work if:
I use the local IP of the NAS in the address (not secure)
I use my own domain name that redirects to the IP (secure)
I use my own domain name that redirects to the local NAS name (secure)

note: where the logs work, all consoles work, such as execute /bin/bash