Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: jcahow.ddns.net
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I have two separate NAS devices, one from Synology and one from Asustor, that are both using Let's Encrypt certificates.
The problem I run into is that both want to use port 80 to auto-renew their certificates. I can only have my router set up to port forward one or the other to their corresponding static IP addresses. This causes the other NAS to have an expired certificate.
Is there anything special about port 80 in that I would like to use two different ports (one for each NAS) so that they can both auto renew their certificates?
If port 80 must be used how do NAS users with multiple devices get around this problem?
This is often accomplished by using a reverse proxy that directs traffic to your internal IP addresses based on the (sub)domain name requested over port 80.
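The routing described above, as an added example that is not part of any post in this thread: an nginx reverse proxy sits on the one internal address the router forwards port 80 to and hands each hostname's ACME challenge traffic to its own NAS. The hostnames nas1.example.com / nas2.example.com and the internal addresses 192.168.1.10 / 192.168.1.11 are assumed values; substitute your own.

```nginx
# Added example, not from the thread. One externally forwarded port 80,
# routed by requested hostname to two internal devices.

# NAS 1 (assumed hostname and internal IP)
server {
    listen 80;
    server_name nas1.example.com;

    # Only the ACME http-01 challenge path is passed through to the device.
    location /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.10:80;
        proxy_set_header Host $host;
    }

    # Nothing else on this device is exposed over port 80.
    location / {
        return 404;
    }
}

# NAS 2 (assumed hostname and internal IP)
server {
    listen 80;
    server_name nas2.example.com;

    location /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.11:80;
        proxy_set_header Host $host;
    }

    location / {
        return 404;
    }
}

# Requests for any other hostname (or a bare IP) get no backend at all.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

Each NAS keeps requesting a certificate for its own name only, so no private key has to be copied between devices; the proxy's job is just to get the validation request for each name to the device that asked for it. Because the proxy listens on the internal port 80 that the NAS software expects, the devices themselves need no change.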
You could try a multi-cert. Set up your CSR to have a Subject Alternative Name like:
DNS:nas1.example.com, DNS:nas2.example.com
Use that CSR each time you renew. Point port 80 to one of the NAS servers. Let's Encrypt will query your systems twice -- once for each of nas1 and nas2. Once the certificate is signed, copy it to the other unit.
Alternately, you could just point port 80 to a different web server and copy the signed cert or certs to the appropriate resting place. I do this -- sort of -- on one of my haproxy servers that has a couple of certs from Let's Encrypt.
I barely get by with certificates, so bear with me.
So are you saying that both of my NAS devices can use the same Certificate since both NAS devices have the same Domain name and just route to different ports (with the Router internally sending them to different static IP addresses)?
If that is true where do the Certificates end up on the NAS devices and what process would I follow to copy an updated Certificate from one NAS device to the other?
Good so far. Yes, a certificate can have multiple (sub)domain names and thus the certificate (and its private key) can be utilized by multiple devices. This creates a certificate and key management problem though.
This is a bit troubling. While it is possible to have different devices serving the same domain name on different ports (or even the same port in the case of a load-balancing scenario), it is customary to simply assign each device its own (sub)domain name so that they can both utilize the same port (80 for example). Certifying them individually prevents you from exposing a shared private key owing to copying a new certificate and its private key.
This depends upon your device manufacturer and configuration. You'll want to consult the documentation/support for your device to determine this. Sometimes the settings in the NAS itself can indicate the location of the files.
By the by, when using http-01 challenges to prove domain name control (as you are), you must initially use port 80 externally, which can then be redirected to either ports 80 or 443 externally. For your internal routing (within your own network), you can use whatever ports you like.
So are you saying that both of my NAS devices can use the same Certificate since both NAS devices have the same Domain name and just route to different ports (with the Router internally sending them to different static IP addresses)?
Yes. It is quite common to see two. Usually something like "DNS:www.example.com, DNS:example.com".
The names don't even have to be in the same domain, but that is probably not a good idea unless you really understand how it works. I do not know if Let's Encrypt has a limit, but I've seen multi-certs with a dozen or more names in the Subject Alt Name.
and do a View Certificate. That particular cert has nine individual names, and they are not all in the same domain.
Also, as griffin pointed out, there are downsides to multi-certs, so it is a trade-off.
If that is true where do the Certificates end up on the NAS devices and what process would I follow to copy an updated Certificate from one NAS device to the other?
That I cannot help you with. I have never worked with either of the NAS devices you have.
Acquire a cert (validate you control the domain, get the cert)
Deployment (copy/install the cert where it's needed)
For setups that are getting complicated using http validation, I generally recommend switching to DNS validation. Here is an example using acme.sh:
You can also use (my) Certify The Web app https://certifytheweb.com, which is a desktop UI that will let you get a cert using DNS validation; it can then be set to auto-deploy the cert over ssh/sftp to your NAS using a Deployment Task. You can have one cert per box or you can combine the certs (multiple names per cert), whatever you prefer.
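Whichever route is taken (one multi-name cert copied to the second unit as in the earlier reply, or a tool deploying the cert over sftp as in this one), the deployment step deserves a check that what landed on the device is the right certificate. The script below is an added example and is not code from any post in this thread, from acme.sh, or from Certify The Web. It uses only the openssl command line; the certificate it inspects is constructed on the spot with the made-up names nas1.example.com and nas2.example.com, standing in for the PEM files found at whatever path the NAS vendor's documentation gives.

```sh
#!/bin/sh
# Added example, not from the thread. Three checks an operator would run on a
# cert+key pair after copying it to a second device:
#   1. the certificate actually covers this device's hostname,
#   2. the private key on this device belongs to that certificate,
#   3. the certificate is not about to expire.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/nas.crt"
KEY="$WORK/nas.key"

# Constructed stand-in for a Let's Encrypt certificate: self-signed, 90 days,
# Subject Alternative Name covering both (assumed) NAS hostnames.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=nas1.example.com" \
        -addext "subjectAltName=DNS:nas1.example.com,DNS:nas2.example.com" \
        >/dev/null 2>&1
}

# Check 1: is the hostname listed in the certificate's Subject Alternative Name?
# usage: cert_has_name CERT_FILE HOSTNAME   (exit 0 = yes)
cert_has_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qw "DNS:$2"
}

# Check 2: does the private key match the certificate? Both carry the same
# public key, so extract it from each side and compare.
# usage: cert_matches_key CERT_FILE KEY_FILE   (exit 0 = match)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 3: is the certificate still valid for at least N more days?
# usage: cert_valid_for_days CERT_FILE DAYS   (exit 0 = yes)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demonstration against the constructed certificate.
make_test_cert
for name in nas1.example.com nas2.example.com nas3.example.com; do
    if cert_has_name "$CERT" "$name"; then
        echo "$name: covered by certificate"
    else
        echo "$name: NOT covered by certificate"
    fi
done
if cert_matches_key "$CERT" "$KEY"; then
    echo "private key matches certificate"
else
    echo "PRIVATE KEY DOES NOT MATCH CERTIFICATE"
fi
if cert_valid_for_days "$CERT" 30; then
    echo "more than 30 days of validity left"
else
    echo "expires within 30 days: renew now"
fi
```

Run on the device itself (with CERT and KEY pointed at the installed files), a failing `cert_matches_key` is the case where a new certificate was copied but the old key was left behind, and a failing `cert_valid_for_days` is exactly the "other NAS has an expired certificate" condition from the original question, caught before clients see it.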