2x Synology NAS, 1 with HTTPS 1 without

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://thylbert.synology.me:51276/

I ran this command: N/A

It produced this output: N/A

My web server is (include version): N/A

The operating system my web server runs on is (include version): Synology DSM 6.X

My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, DSM 6.X

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

Hello

I have 2 Synology Diskstations. Same network.

  1. https://thylbert.synology.me:51276 > Let’s Encrypt certificate is working
  2. https://192.168.1.12:5001 > Let’s Encrypt certificate is not working (but been delivered by padlock information)

Also, the first diskstation is reachable over WebDav from different LAN (RaiDrive over Win10 64bit)

I have no modem redirects.
I don’t use a domain name.

4 vital questions:

  1. I cannot seem to figure out how the first one uses port 51276, it’s not set up in the DSM at all. And the default HTTPS port is 5001. However it works and I don’t know why it’s working. So I am not eager to bleep around with it… don’t want to get it broken. But main question here is: ‘Why it uses port 51276 and where this setting came from’
  2. The same set up was done on the 2nd diskstation, it says that I have a Let’s Encrypt Authority X3 certificate, however the browser says it’s invalid. When I click on the padlock I can see all the details, when it was issued and such.
  3. If WebDav and HTTPS only works with your own domain name, how come the 1st Synology is working in fact? I just used the Synology DDNS really, but didn’t put any records on any of my domains.
  4. Why does the 2nd Diskstation use an IP and not thylbert2.synology.me:5001

Been trying to troubleshoot this one for over 3 weeks. Made a support ticket on the Synology Community Forums and after 14 days still no answer.

You can check my support question here: https://community.synology.com/enu/forum/16/post/125971

I’m fairly new with all of this, learning fast however, it seems the community of Let’s Encrypt is my last resort.

Would love to get a greater understanding of all this. And have 2x Synology NAS with HTTPS and WebDav up and running!

Sincere regards
Thylbert

Sorry but this seems pretty unlikely. Your 2 domains point at the same IP address, you have 2 different physical devices (NAS), having redirects seems the only way to get this running. Was the first NAS set up by some other person who could have set up your 'modem' to redirect 52176 to 5001 for your first NAS?

You are correct.

The modem redirects to the static IP address of our business local LAN.
I meant there are no domain redirects oops!

No, it’s all done by me. I have never entered an odd port like 52176 but I remember opening a support ticket at my ISP for unblocking port 80 and 443 (default blocked with Technicolor modems in my country) maybe the ISP technicians did some odd settings.

I’ll check that now and will report.

Hi @Thylbert

there are two checks of your domain - https://check-your-website.server-daten.de/?q=thylbert.synology.me

If you use a special port, add the port - https://check-your-website.server-daten.de/?q=thylbert.synology.me%3A51276

That looks good. The www version isn't secure, but that's not a problem, the non-www version works.

Your second domain is invisible - https://check-your-website.server-daten.de/?q=thylbert2.synology.me%3A5001 - there are only timeouts.

That may be the reason.

Hello

@gpatel-fr: You have been a lifesaver! You made me remember the support from the ISP and guess what… they did some crazy portmapping.

On the 192.168.1.7 > they portmapped 5001 to 51276
On the 192.168.1.12 > they portmapped 5001 to 61276

And all of a sudden things started to make sense.

When I enter:

https://thylbert2.synology.me:62746

I have a working HTTPS without warnings.

@JuergenAuer: Thanks for your reply as well. I completely forgot about the portmapping our ISP did a couple of weeks ago, feel so dumb!

Are both now secure to use with WebDav? I noticed you wrote:

‘That looks good. The www version isn’t secure, but that’s not a problem, the non-www version works.’

Do you mean it’s publicly non-secure?

Thanks in advance! A lot.
Thylbert

Check the output of https://check-your-website.server-daten.de/?q=thylbert.synology.me%3A51276

That's a Grade N -> one connection isn't secure.

But the details:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://thylbert.synology.me:51276/ 109.135.7.244 | 400 Bad Request | | 0.093 | M |
| http://www.thylbert.synology.me:51276/ 109.135.7.244 | 400 Bad Request | | 0.073 | M |
| https://thylbert.synology.me:51276/ 109.135.7.244 | 200 | | 1.437 | I |
| https://www.thylbert.synology.me:51276/ 109.135.7.244 | 200 Certificate error: RemoteCertificateNameMismatch | | 1.203 | N |

Only the www version isn't secure.

Your certificate doesn't have the www version. But it's not a public website, so it's not critical.

You can

  • create one certificate with both domain names (or)
  • remove the www dns entry (or)
  • ignore the problem

A public website shouldn't ignore it, but a NAS -> not so critical.

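The name-mismatch result above comes down to comparing the host typed in the URL with the names listed in the certificate. The following is an added example, not part of the original posts and not the checker's own code: a simplified matcher that also covers the IP-address URL from the first post, which the replies do not spell out. The SAN lists are constructed assumptions (one DDNS name per NAS).

```python
import ipaddress

def _dns_match(pattern, host):
    """Simplified RFC 6125 match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # 'www.' adds a label, so it never matches the bare name
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(requested, san_dns, san_ip=()):
    """True if the host used in the URL is covered by the certificate's SAN entries."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        return any(_dns_match(p, requested) for p in san_dns)
    # An IP literal is compared only with iPAddress SANs, never with dNSName entries.
    return any(ip == ipaddress.ip_address(s) for s in san_ip)

def audit(hosts, san_dns, san_ip=()):
    """Map each requested host to 'ok' or 'name mismatch' for one certificate."""
    return {h: "ok" if name_matches(h, san_dns, san_ip) else "name mismatch"
            for h in hosts}

if __name__ == "__main__":
    # Constructed SAN lists: assumes each NAS certificate holds only its DDNS name.
    nas1 = ["thylbert.synology.me"]
    nas2 = ["thylbert2.synology.me"]
    print(audit(["thylbert.synology.me", "www.thylbert.synology.me"], nas1))
    print(audit(["thylbert2.synology.me", "192.168.1.12"], nas2))
    # Option 1 from the reply: one certificate listing both names.
    print(audit(["www.thylbert.synology.me"], nas1 + ["www.thylbert.synology.me"]))
```

The port number plays no part in the comparison, which is why the same certificate validates on 5001 internally and on the ISP-mapped external port as long as the DDNS name is used.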

Firstly, thanks for your crystal clear explanation!

Secondly, might sound bit stupid but how do I remove the www dns entry? In the DSM 6.X from Synology (Config Panel) I used their DDNS settings and didn’t use ‘www’ at all.

Also, are you able to elaborate how to create a certificate with both domain names on the Synology DSM 6.X, just create a second cert request but including the www?

Rookie here, trying to learn!

Thanks in advance
Thylbert
PS: Option 3 is the cheapskate one, I prefer to learn :)

In your domain management, there, where you have an A-entry yourdomainname -> yourIP-Address. That's outside of your DSM.

I don't know if the Synology DSM allows that: Creating one certificate with two domain names. A DSM is normally only used with one domain name.