Encrypting Synology NAS

I am a novice with encryption and am trying to encrypt data from my Synology NAS. I opened port 80 and setup seems to have worked. However, Chrome reckons my cert is invalid:

Yet if I look at further information I can’t see a problem

Hi @chriswooff

I see, you have checked your domain via https://check-your-website.server-daten.de/?q=wooff.synology.me

But: http answers, there is a redirect to port 5001. But this port is invisible.

So it's impossible to check if the https port is correct.

Is it possible to open port 5001? Then you can check your configuration.

Or use port 5001 directly - wooff.synology.me:5001.

Timeout -> no check.

Juergen thanks for your response. I have now opened port 5001.

Ah, now there is a new check - https://check-your-website.server-daten.de/?q=wooff.synology.me

Partially, it's good (if it is not a public website, only your personal usage):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://wooff.synology.me/ 81.141.63.234 | 400 Bad Request | | 0.083 | M |
| http://www.wooff.synology.me/ 81.141.63.234 | 400 Bad Request | | 0.086 | M |
| https://wooff.synology.me/ 81.141.63.234 | -14 Timeout - The operation has timed out | | 10.023 | T |
| https://www.wooff.synology.me/ 81.141.63.234 | -14 Timeout - The operation has timed out | | 10.027 | T |
| https://wooff.synology.me:80/ 81.141.63.234 | 200 Visible Content: | | 1.050 | Q |
| https://www.wooff.synology.me:80/ 81.141.63.234 | 200 Certificate error: RemoteCertificateNameMismatch Visible Content: | | 0.787 | Q |

http doesn't work, https has a timeout.

But https over port 80 and non-www - there is the correct certificate:

CN=wooff.synology.me
	04.04.2019
	03.07.2019
expires in 90 days	wooff.synology.me - 1 entry

The connection is good, the chain is complete.

The www version is wrong, because the certificate doesn't have the www domain name. But you have a www DNS entry.

There is no port 5001, perhaps you have created a wrong port forwarding.

You can create one certificate with both domain names (non-www and www) and use that. But it's a subdomain, so you can remove the www entry.

But with that configuration the creation of a new certificate may not work.

You should have a port forwarding

80 -> 80 (that's required to create a new certificate)
443 -> 443 (or 443 -> 5001).

Your current config looks like 80 -> 5001, that's wrong, because 80 isn't encrypted, your 5001 is.


Hi Juergen, I really appreciate your help with this. I have endeavoured to make the cert valid for both wooff.synology.me and www.wooff.synology.me. I have also modified the port forwarding as suggested, but Chrome is still flagging up my certificate as invalid.

There is a new check - https://check-your-website.server-daten.de/?q=wooff.synology.me

05.04.2019 20:28:00

~~40 minutes old.

There is only the certificate with one domain name used:

CN=wooff.synology.me
	04.04.2019
	03.07.2019
expires in 89 days	wooff.synology.me - 1 entry

But checking your URLs manually, there is a newer result.

So rechecking - yep, now there is a new certificate with both domain names:

CN=wooff.synology.me
	05.04.2019
	04.07.2019
expires in 90 days	wooff.synology.me, www.wooff.synology.me - 2 entries

And both connections are secure.

So I don't see a problem.

Your port 5001 doesn't answer, but you use the two standard ports 80 / 443.

Do you have a screenshot? My Chrome is happy, no certificate error.

The two lines are marked as I - Content problem. But that's the result of checking the form-action url

webman/modules/ControlPanel/modules/dsm.cgi

A browser doesn't check that.

It is working for me now too, thanks Juergen. There must have been something stuck in the cache. I am very grateful to you.

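Added example, not part of the original thread: a Python check for which host names a certificate covers, which is what separates the "1 entry" certificate (name mismatch on www) from the later "2 entries" one. The two certificate dicts are constructed from the check results quoted above, and the function names are illustrative; `fetch_cert` can be pointed at a live host and port (443, or 5001 if forwarded).

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS names from a certificate dict in ssl.getpeercert() format.
    Browsers match against subjectAltName only; the CN is ignored."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """RFC 6125 style match: '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(cert, hosts):
    """Hosts that would get a name-mismatch error with this certificate."""
    names = san_dns_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]

def fetch_cert(host, port=443, timeout=10):
    """Fetch the served certificate. The chain is still validated against the
    system trust store; only the host-name check is skipped so that a
    mismatching certificate can be inspected instead of just rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples mirroring the two certificates reported in the thread.
HOSTS = ["wooff.synology.me", "www.wooff.synology.me"]
CERT_ONE_NAME = {"subjectAltName": (("DNS", "wooff.synology.me"),)}
CERT_TWO_NAMES = {"subjectAltName": (("DNS", "wooff.synology.me"),
                                     ("DNS", "www.wooff.synology.me"))}

if __name__ == "__main__":
    for label, cert in (("1 entry", CERT_ONE_NAME), ("2 entries", CERT_TWO_NAMES)):
        print(label, "-> not covered:", uncovered(cert, HOSTS))
    # Live check (needs network): uncovered(fetch_cert(HOSTS[0]), HOSTS)
```

If the live check reports every name as covered but the browser still complains, the browser is likely showing a cached result, as turned out to be the case here.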
