Can this work with Synology, a dynamic DNS and port 80 blocked?


Here is my setup:

  • Running a web server (as well as many other services like FTP, VPN, etc.) from a home-based Synology NAS
  • ISP doesn’t allow fixed IP for residential customers
  • ISP blocks port 80 but not port 443
  • I have a free dynamic DNS account with no-ip
  • My Synology NAS does the regular updating of my IP with no-ip
  • With no-ip, gets forwarded to my cable-modem’s IP
  • With no-ip’s FREE account, under “host type”, I must choose EITHER “DNS HOST (A)” OR “Port 80 redirect”. I selected “DNS Host” so that all my ports are forwarded, but with this config, I can’t specifically redirect port 80
  • A friend had a paid dyndns account and he forwards for me to
  • On my router, port 8080 gets forwarded to port 80 on my NAS
  • My domain is registered with NetFirm, and there, I have set a URL pointer for toward which in return gets forwarded to

All this works, except that when I access my NAS through various ports (or even locally at for example) I get the very annoying Chrome warning that the connection isn’t private. Worst, my Synology NAS allows me to easily share files with a URL (that looks like but when I send that URL to friends or customers, they get the Chrome warning that they are being hacked and they freak out.

I know Synology has “included” an automated way to add Let’s encrypt certificates within the UI, but when I do so (Control Panel --> Security --> Certificates --> Add --> Add New --> Get a certificate from Let’s Encrypt I get the error message:
“Failed to connect to Let’s Encrypt. Please make sure your DiskStation and router have port 80 open to Let’s Encrypt domain validation from the Internet”. As mentioned, port 80 is blocked by my ISP.

I do have SSH/Root access to my NAS, which is running Linux 3.10.77.

Is there a way to make Let’s Encrypt work for my setup?


I’m bumping since I haven’t seen any answer or pointers in the right direction.


The only way I can think of, would be to use the dns-01 challenge, and then add the cert to the NAS.

The ACME client that’s integrated in Synology DSM only supports domain verification via port 80. However, since you have SSH/root access, you can use any other client in combination with the dns-01 challenge to get a certificate without having to open any ports.

This guide should help to get you started. It uses as a client. The dns-01 challenge requires that you have the ability to programmatically create a TXT record for your domain to verify ownership. The record changes for each renewal (every 3 months), so you’ll need an API for this unless you want to repeat that step manually every 3 months. supports a number of common DNS APIs as well as the option to use a custom script.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.