FYI: the tlsserver profile makes the certificate impossible to select on Synology DSM

When a certificate with the "tlsserver" profile is imported, it cannot be selected via the UI. However, if you're updating an existing certificate that is already assigned to a service or domain, it will work correctly, but you will no longer be able to assign it to any additional services.

This is an interesting finding.

That is interesting. Have you reported that to Synology?

Perhaps their UI is simply ignoring certificates without a Common Name, which no longer appears in certs using the tlsserver profile.

5 Likes

The "This is tlsserver profile" entry is the certificate; it can be displayed, but it cannot be chosen. :rofl:

What is your suggestion for how Synology should organize the UI for this situation? Force the user to specify a "Description" for that certificate or something?

It is up to them how to display it and allow it to be chosen.

But, one option is to choose one of the domain names from the Subject Alternative Names list in the certificate.

5 Likes

If you want to test whether it's just the CN being missing, rather than some other aspect of the tlsserver profile, you can try a test using the default profile but with only domain names greater than 64 characters (which is too big for the CN, so Let's Encrypt now omits one).

7 Likes

Oh no, LEGO doesn't support domains longer than 63 bytes :rofl:

Any suggestions for ACME clients that support 64 bytes?

If it's just for importing, why not just use openssl to self-sign one?

3 Likes
  • I'm not only using it internally
  • It is a nightmare to import a self-signed certificate to every device, including my family's devices
  • Not automated
  • Android private DNS (DoT) won't accept a self-signed certificate

I learned a lot recently. I have two domains, and when I found out I can get a certificate covering two domains (I originally thought only domain + wildcard + its subdomains), I no longer need to waste resources getting two individual certificates: I can get one certificate for all my services.

Well, it was about a certificate with a name over 64 bytes in the classic profile: I thought that was just for testing to see if you can import it.

2 Likes

LEGO doesn't support doing this, so I'm asking if anyone knows which ACME client can support 64-byte domains.

feat: support simplified issuance for very long domain names at Let's Encrypt by MartinWeindel · Pull Request #2054 · go-acme/lego · GitHub has already been merged.
Keep in mind that between dots the 63-character label length limit is enforced by the DNS protocol itself:

  1. 253 characters is the maximum length of a full domain name, including dots: e.g. www.example.com = 15 characters.
  2. 63 characters is the maximum length of a "label" (a part of the domain name separated by dots). The labels for www.example.com are com, example and www.

This is an example of a domain with the longest possible label (it leads to a scammy site): http://www.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com/. The domain name length = 71 characters.

This would be an example of the longest possible domain name: abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcde.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com

5 Likes
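The two limits in the post above (63 octets per label, 253 octets for the whole name) and the 64-character commonName limit mentioned earlier in the thread are easy to confuse, which is exactly what happened with the "too many letters in one label" case. The following is an added example, not code from the thread, from LEGO, or from Synology: a small checker that applies the DNS limits and the CN limit separately, plus a display-name fallback of the kind suggested above (use the first SAN when the CN is absent). The example domains are the ones quoted in the post; the RFC limits are assumed from RFC 1035 and RFC 5280.

```python
"""DNS-name length checks and a CN/SAN display-name fallback.

Added example, not from the original thread or any ACME client.
Limits assumed:
  - a DNS label is 1..63 octets and a full name at most 253 octets (RFC 1035)
  - the X.509 commonName attribute holds at most 64 characters (RFC 5280),
    which is why a CA may omit the CN for a name longer than that
"""
from typing import List, Optional

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 253
MAX_COMMON_NAME = 64

# Domains quoted in the thread (the second one is the 253-octet maximum).
LONGEST_LABEL_EXAMPLE = (
    "www.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com"
)
LONGEST_NAME_EXAMPLE = (
    "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcde."
    "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk."
    "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk."
    "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com"
)


def check_dns_name(name: str) -> List[str]:
    """Return the list of DNS-protocol problems with `name` (empty = OK).

    A leading "*" label is accepted so wildcard SAN entries can be checked too.
    """
    problems: List[str] = []
    host = name.rstrip(".")  # a trailing dot marks an absolute name, not a label
    if not host:
        return ["empty name"]
    if not host.isascii():
        problems.append("non-ASCII characters (IDNs must be punycode-encoded first)")
    if len(host) > MAX_NAME_OCTETS:
        problems.append(f"total length {len(host)} exceeds {MAX_NAME_OCTETS} octets")
    for index, label in enumerate(host.split(".")):
        if not label:
            problems.append(f"empty label at position {index}")
        elif label == "*" and index == 0:
            continue  # wildcard is only meaningful as the leftmost label
        elif len(label) > MAX_LABEL_OCTETS:
            problems.append(
                f"label {index} is {len(label)} octets, exceeds {MAX_LABEL_OCTETS}"
            )
        elif label.startswith("-") or label.endswith("-"):
            problems.append(f"label {index} starts or ends with a hyphen")
        elif not all(c.isalnum() or c == "-" for c in label):
            problems.append(f"label {index} contains characters outside [A-Za-z0-9-]")
    return problems


def fits_common_name(name: str) -> bool:
    """True if the whole name fits the 64-character commonName attribute."""
    return 0 < len(name) <= MAX_COMMON_NAME


def display_name(common_name: Optional[str], sans: List[str]) -> str:
    """Pick a label for a certificate list: CN if present, else the first SAN."""
    if common_name:
        return common_name
    if sans:
        return sans[0]
    return "(certificate has no subject name)"


if __name__ == "__main__":
    for candidate in ("www.example.com", LONGEST_LABEL_EXAMPLE, LONGEST_NAME_EXAMPLE,
                      "a" * 64 + ".example.com"):
        issues = check_dns_name(candidate)
        print(f"{len(candidate):3d} octets  dns_ok={not issues:<5}  "
              f"fits_cn={fits_common_name(candidate)}  {candidate[:40]}...")
        for issue in issues:
            print("     -", issue)
    print(display_name(None, [LONGEST_LABEL_EXAMPLE, "www.example.com"]))
```

Running it shows the distinction the thread arrives at: the 71- and 253-octet names are valid DNS names (and are therefore fine in a SAN) but do not fit a CN, while a 64-octet single label fails at the DNS level regardless of the certificate profile.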

Thank you for the explanation. Now I got a certificate with the classic profile and without a common name, and the certificate still can't be selected in Synology DSM, so it is certain that DSM has a bug if the certificate doesn't have a common name.

3 Likes

I'm loath to recommend it, but certbot does.

2 Likes

There's nothing wrong with domains longer than 63 bytes in the SAN extension. It's just that a FQDN label can't be longer than that.

1 Like

It's certbot I don't like; I don't have any particular opinion with respect to long FQDNs.

2 Likes

The problem I encountered is that I put too many letters in the same "label". LEGO is fine, thanks.

3 Likes

Update: a Synology engineer said they've confirmed the UI fault and will fix it in a future release. They've also noted that the CN value isn't required.

7 Likes