ACME TLS-SNI-01 on Synology NAS

Action is required to prevent your Let’s Encrypt certificate renewals from breaking.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a certificate in the past 60 days.

TLS-SNI-01 validation is reaching end-of-life and will stop working on February 13th, 2019.

You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.

My domain is: https://a1a-studios.synology.me

I ran this command: none

It produced this output: none

My web server is (include version): Synology NAS server

The operating system my web server runs on is (include version): DSM Version: 6.2.1-23824-4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel)

I’M CONFUSED ABOUT THIS EMAIL, SHOULD I UPDATE THIS? IS THIS A GENERAL EMAIL?

Hi @a1astudios

As far as I know, DSM doesn't use TLS-SNI validation. And your certificate is valid:

CN=a1a-studios.synology.me
	05.12.2018
	05.03.2019
	a1a-studios.synology.me - 1 entry
2 Likes

I got the same warning email today. Running same DSM version on a 1815+.

No information in the email showing the domain, and it only says it's in the last 60 days, so no help there either. My cert is valid, but will it be after Feb? Is there a way (command line or otherwise) to check what method was used?

1 Like

I got the same warning email today. Running DSM 6.2.1-23824 Update 4 on a DS418play.

The email also doesn't show the domain. My cert is also valid and I updated it today (no problems), but what will happen after Feb?
I have no idea how to change the method on the Synology DiskStation. Do you have any suggestions? How can I check the method which is actually used?

1 Like

I forgot … I’ve root access to my NAS and searched for certbot (find . -iname certbot*) but I didn’t find it.

1 Like

Thank you [JuergenAuer]. As far as I can remember, the certificate was going to renew in automatic mode. Synology was very kind in helping me install it on WordPress. It has been working great and the e-commerce settings are all in the green, but it is only for one website. I contacted them for any documentation they might have on this issue, but if you say they don’t use this, that is cool too.

Synology has replied: Troubleshooting Tips and Suggestions

Thank you for contacting Synology Support.

Regarding your issues, the following troubleshooting tips are recommended.

The Let’s Encrypt built-in Synology supports TLS-SNI-01, HTTP-01 and DNS-01 validation.

Although TLS-SNI-01 validation is reaching end-of-life, the Synology Let’s Encrypt will not be affected.

If you have enabled Synology DDNS and use the name to apply for the certificate, the process will go through HTTP-01 validation first.

Once Synology DDNS server is not ready, or there is any failure during HTTP-01 validation, the process will fall back to DNS-01 validation.

For non-Synology name service, it uses HTTP-01 which requires port 80 accessibility.

Thus, we suggest you keep port 80 open for validation if you do not use Synology DDNS name to apply the certificate.

If there is any problem, please feel free to contact us.

6 Likes

Ah - thanks, direct information from Synology.

So we know it exactly.

2 Likes

If you want to force your renewal before 13 Feb:

3 Likes

I’m glad you find this information useful. I’m new to installing SSL certificates and it’s challenging sometimes.

2 Likes

I am going to link my answer in this thread as well: Synology TLS-SNI-01 End of Life Email?

1 Like
