Clarification of Synology NAS DiskStation Manager (DSM) Documentation of Let's Encrypt Integration

Many users of Synology NAS DiskStation Manager (DSM) come here to the Let's Encrypt Community each week seeking assistance with acquiring and installing certificates for securing access to their DSM login pages. Often, the ambiguities and misconceptions presented in the DSM documentation have led them astray. This topic serves as a discussion to clarify the documentation.


You can only register for certificates from Let's Encrypt with a limited number of email accounts. If the limit is exceeded, use an email account previously registered to get more certificates.

I'm not exactly sure of the source or veracity of this statement.


You can only register for a limited number of certificates per domain from Let's Encrypt. If the limit is exceeded, enter the current domain name as the Subject Alternative Name (SAN) and use another domain name for the certificate request.

This is ambiguous and misleading. There are three applicable rate limits:

  • 5 certificates with the exact same subject alternative names (SANs) (regardless of order) per any seven consecutive days
  • 50 certificates per apex domain name (as defined by the Public Suffix List) (regardless of order) per any seven consecutive days
  • 100 SANs per certificate

Swapping the common name (CN) (or domain name in DSM terms) with a SAN will NOT bypass the first limit listed above. Adding an additional SAN will. However, why would anyone ever need 5 certificates covering the exact same SANS, nonetheless more? This is a glaring sign of a certificate installation problem, NOT a certificate acquisition problem.

Many DSM users hit the second limit listed above, often as a result of using a subdomain name of a very popular, shared, apex domain name. Utilizing an apex domain name of your own (or one of its subdomain names) will avoid hitting the second limit listed above.

If you find yourself needing a single certificate covering more than 100 (sub)domain names, either you need to seriously rethink your structure or you need to split the (sub)domain names amongst multiple certificates and let SNI handle them.


Let's Encrypt will perform domain validation before issuing certificates for your domains. To renew your certificates, please make sure that ports 80 have been opened on your Synology NAS and router. All the other communications with Let's Encrypt go over HTTPS and will keep your Synology NAS secure.

It helps to understand how an http-01 challenge actually works.

Your external port 80 needs to be open and your NAS needs to externally respond via HTTP over port 80 or redirect to externally respond via HTTPS over port 443 (even with a wrong/expired certificate). The ports that your NAS uses internally (such as 5001) are irrelevant. If your NAS tries to redirect to externally respond over port 5001, this will not work for satisfying an http-01 challenge. To make things absolutely clear, "external" means "exposed to the public internet" while "internal" means "within your private network". Go to redirect-checker.org to see what's going on externally with your NAS.

I have no clue what on Earth this is talking about: "All the other communications with Let's Encrypt go over HTTPS and will keep your Synology NAS secure". Sensitive ACME transactions between your NAS and Let's Encrypt are cryptographically signed to ensure their authenticity and integrity. All ACME transactions occur over HTTPS. I'm not sure how this "will keep your Synology NAS secure".


Certificates issued by Let’s Encrypt are valid for 90 days. If the domain authenticates successfully, your DSM will renew the certificate automatically before it expires. To renew your certificates, please make sure that ports 80 have been opened on your Synology NAS and router.

The exact same requirements apply for the renewal of a certificate that applied for the initial acquisition of the certificate. If you change your NAS configuration after certificate acquisition, be sure that the new configuration still meets the requirements for certificate acquisition.

2 Likes

The API conversation always happens over HTTPS (Let's Encrypt doesn't offer its API over HTTP), while the HTTP-01 challenge validation will occur over HTTP. :slight_smile:

2 Likes

That's a very good point, @schoen.

1 Like