Add subdomain via Synology DSM for use on another computer?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: onolan dot net

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Currently I'm using a LetsEncrypt certificate to help secure remote logins to my Synology Diskstation using DSM 6.2. I'd like to expand it to add a subdomain on different computer (a raspberry pi running Apache). Currently, ports 80 and 443 are forwarded to the Diskstation and a number of services hosted on it are enumerated. My Pi web server traffic is redirected from an external DNS server (DNSmadeEasy) with an http redirect sending with the router port forwarding to port 80.

My understanding is that I can't get a wildcard cert via the Synology except for a Synology domain. I've skimmed this: https://www.blackvoid.club/lets-encrypt-docker-wild-card-certs/, which seems a tad complicated and I'd prefer something that didn't need manual updates every 3 months. Is it really necessary to use Docker?

Should I scrap my existing certificate and move things over to the Pi and then import the private key and certificate from there?

My Pi web server traffic is redirected from an external DNS server (DNSmadeEasy) with an http redirect sending with the router port forwarding to port 80.

I'm having a hard time understanding this. How do you actually access the website on your Raspberry Pi? Is it proxied through your Synology?

Actually obtaining a certificate on your Raspberry Pi server is not a problem - just use DNS validation. You can use certbot-dns-dnsmadeeasy or other clients that can do the same.

But I'm not sure whether you expect your Synology to handle SSL for your Pi, or whether you are somehow going to connect directly to your Pi, bypassing the webserver on the Synology.

Thanks for your reply and for the dnsmadeeasy link. I will have a look.

I have an http redirect in place at DNSmadeeasy that forwards to my router at a port #### (not port 80) and my router redirects to port 80 on the Pi. I'd like to leave the Synology alone if I can, for now anyway, and connect directly to the Pi but currently the Diskstation "owns" ports 80 and 443.

I'm not clear on whether I can use port forwarding like this for certificate renewal on the Pi and whether, given the limitation on getting a wildcard certificate with the Diskstation, I should seek to do that on the Pi. Also not clear on how many certificates I can have in use at once. (If I get a wildcard cert for use with the Pi do I need to replace the existing one?).

Great, that's exactly what I wanted to know.

In that case, you can just get a certificate on your Pi using the methods I linked.

You will end up with having two port forwards on your router (e.g. 8080 and 8443) which will route to Raspberry Pi on port 80 and 443, respectively.

Then you will be able to access your Raspberry Pi's Apache server over HTTPS using https://example.com:8443.

Optionally you can setup that port redirect at DME so example.com goes to https://example.com:8443.

The good thing about the "DNS validation" method is that it does not rely on any port forwarding to obtain the certificate. You could have no ports forwarded and it would still work, because the proof of domain control is done via the DNS Made Easy API.

As many as you want, within https://letsencrypt.org/docs/rate-limits/.

But 2 at once is nowhere near any limit you'd ever hit.

Many thanks. Unfortunately, I've just discovered that DNSmadeEasy only makes API keys available to business level memberships (however I discovered my address was very out of date!)

Now I need to see if there's list of DNS service providers offering API support? My usage level of DME doesn't justify extra cost.

There's a list on DNS providers who easily integrate with Let's Encrypt DNS validation but my personal recommendation would be Cloudflare (free, fast, reliable and supported by lots of ACME clients).

Wow. That was quick!

$29.95? for DME? No, it's $59.95 for up to 25 domains for Business membership. It's not clear if Small Business Membership ($15 for up to 10 domains) grants access to the API. I'll inquire. I think I used to pay $29.95 for 3 domains but obviously it's changed.

Thanks for the recc for Cloudflare. I have been with DME for many years and have generally avoided free services on the assumption that they aren't really free (thus Fastmail not Gmail).

Well, I pay them money, just not specifically for the DNS hosting .

Route53 is pretty good as well if you already have an AWS account. Per-zone price is cheap.

Let me know if you find out, I can update the post for accuracy.

I've filed a support ticket and will revert.

I know about the DDOS protection and malware site traffic filtering; not really an issue for me. Do you use Wireguard? Does it work out of the box w Cloudflare?

I have a fairly dormant AWS account; I'll take a look if I have to move. Thanks.

The proxy/WAF/CDN service is optional, you don't have to turn it on for your domain if you don't want it.

The DNS hosting on its own will otherwise work the same way as DME, and is all you need for DNS Validation.

Wireguard endpoints will keep working fine as long as you don't enable the proxy.

OK. Good to know. Thanks again for your very helpful and remarkably quick answers.

Response from DME

The lowest level membership we offer that includes API access is the Business Membership ($59.95/yr). Please note that the Small Business Membership is no longer offered and is a grandfathered plan as is the Home User plan.

Thanks, I updated the table.

Too bad Namecheap doesn't support this. /sigh. That's my registrar.

They do, e.g. https://github.com/acmesh-official/acme.sh/wiki/dnsapi#53-use-namecheap.

There's some financial prerequisites to meet though: https://www.namecheap.com/support/knowledgebase/article.aspx/9739/63/api-faq/#c

I had belatedly discovered the footnote and logged in. Your 2nd link was faster than I could find the info myself! I only have a couple of domains with DME but have 9 in all with Namecheap so the $ criterion is easily met.

Yeah ... I just read the footnote and could not for the life of me understand why I excluded Namecheap on that criteria, while listing other paid providers. I think I will integrate Namecheap into the table.

To have had an average of 2.5 domains paid up annually is hardly an onerous criterion (nb singular). However, I see that their API access seems largely about reselling domains and certificates. I've signed up for Cloudflare.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.