The operating system my web server runs on is (include version): DSM 6
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): DK
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): DK
I have set this up to have https access to Home Assistant, and I can log on to the server, but the certificate is deemed not trusted and thus some integrations won’t work.
Thanks for helping out! I have been working for days to get this to work, and one tip I got was to point to cert instead of chain. When I tried to change it back, the connection no longer worked.
In the SSL folder, I have three files; cert, chain, and privkey (all pem files).
Having become aware of the certificate issues, I now realize that I also have issues with the default Synology certificate for “the rest of” the DSM setup. Is there any way to figure out what is wrong here:
I believe you had the same issue I had. This is not related to your Let’s Encrypt certificate, but to the default certificate that’s installed on your Synology NAS. As you can see in the screenshot, if you connect, the Synology uses its default certificate instead of the one you generated via Let’s Encrypt.
I’m assuming that you have imported / uploaded your certificate from Let’s Encrypt on the Synology already. If you go to Control Panel -> Security -> Certificate in DSM, and click Configure, you can select which certificate the NAS will use for which service, using the dropdown boxes.
You might also have to explicitly tell the Synology that its hostname is now hbandersen.synology.me (what it appears to be in the screenshot) - you can do that under Control Panel -> Network -> DSM Settings -> Domain (to set a custom domain name) and Control Panel -> Network -> General to set the server name. If you don’t do this, then the server name and the certificate won’t match. I’m not sure but that could cause trouble.
I also recommend turning on the firewall on the Synology to restrict access where possible.
Thanks, @pietervanw, that is probably the reason. I configured the certificate settings to use the Let’s Encrypt certificate for all services, but that gave another issue:
Hmm… what you show now in the screenshot is a different error: you’ve requested a certificate for banha.duckdns.org, but you probably put hbandersen.synology.me in your browser’s address bar. If banha.duckdns.org also routes to your Synology, you should put that in the browser address bar instead of the synology.me hostname.
Yes, I see what you mean. The thing is, the Synology domain I set up long before starting to play around with DuckDNS certificates is the address hbandersen.synology.me and that is used as the address of our personal home page, an address that to some extent is known among a number of people. I would hate to have to change that, but would also like to stop seeing the “unsecure” warning for that page. There is a certificate from Synology and I was hoping to get that to work properly.
The hostname that you request a certificate for with LE and the hostname of the server have to match 100%, otherwise the browser will not accept the certificate. In that case you cannot use a *.duckdns.org certificate with your NAS, you'll have to get a certificate for hbandersen.synology.me. I'm not familiar with the synology.me domain, is that a service from Synology similar to QuickConnect? You might be able to use the HTTP-01 challenge, read more about it here:
I don't think that challenge is natively supported by DSM though, so you'll have to start a webserver on the DSM and put the required file in the right spot manually while running the ACME client (for example certbot) on either the Synology directly (requires SSH access probably), or on your own laptop / computer.
Which ACME client did you use to create the duckdns.org certificate?
Synologies come with an ACME client that supports HTTP-01, and supports DNS-01 when using the synology.me domain itself, I think. I don’t know much about using it, though.
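The hostname matching rule discussed in this thread, as an added example that is not from any of the posters: the client compares the hostname it was asked to reach with the DNS names listed in the certificate, and a wildcard stands for exactly one left-most label. The function names are illustrative, and the name lists are constructed from the hostnames mentioned above.

```python
"""Added example: does a certificate's DNS name list cover a hostname?"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate dNSName with the hostname the client asked for."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one label, never zero or two
    if c[0] == "*":
        # Wildcard is honoured only as the complete left-most label and only
        # when at least two literal labels follow it (so "*.org" never matches).
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h  # otherwise every label must be identical


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any name on the certificate matches the requested hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names)


def diagnose(san_dns_names, hostname: str) -> str:
    """Return a one-line verdict suitable for a log or a terminal."""
    if cert_covers(san_dns_names, hostname):
        return f"OK: {hostname} is covered"
    return f"MISMATCH: {hostname} not in {sorted(san_dns_names)}"


if __name__ == "__main__":
    # Constructed name lists built from the hostnames mentioned in the thread.
    duckdns_cert = ["banha.duckdns.org"]
    wildcard_cert = ["*.duckdns.org"]
    for names, host in [
        (duckdns_cert, "banha.duckdns.org"),
        (duckdns_cert, "hbandersen.synology.me"),
        (wildcard_cert, "banha.duckdns.org"),
        (wildcard_cert, "hbandersen.synology.me"),
    ]:
        print(diagnose(names, host))
```

Neither the single-name nor the wildcard duckdns.org list covers hbandersen.synology.me, which is why a separate certificate for that name is needed.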