Let's Encrypt certificate renewal - offline

I use Let’s Encrypt certificate on my Synology Diskstation. I got the notice that I have to renew it in 10 days. Of course I have automatic renewal, but currently I have no internet provider in the flat. And will not have it for another 20 days.

Is there some way to renew the certificate without internet connection on Synology Diskstation? If that is not an option, can I still make the renewal after expiration?

I’m not familiair with Synology, but in theory it’s perfectly possible to get a certificate for system X on a totally different system Y. For example, if the host to which the hostname in the DNS zonefile points isn’t available at all, you could always go for the dns-01 challenge, assuming you are capable of adding TXT records to the DNS zone from system Y. You could even make the necessary DNS changes on your mobile phone, for example. You’d need a ACME client on system Y of course, which might be difficult on a mobile phone :wink: But assuming you have some kind of computer (since Certbot also works on Windows, it could even be a Windows PC), you can generate the certificate manually through the DNS challenge and manually move it to the Synology.

That latter part is also in theory, because I have no idea if Synology makes it possible to install certificates manually… :roll_eyes:

Yes, renewal is in essence just a new certificate with exactly the same hostnames as the previous certificate. Technically, it doesn’t matter if you “renew” after one day or after 365 days (not regarding the Rate Limits obviously :stuck_out_tongue:).

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

@freessltools.com Please look into the dns-01 challenge. The statement you’re making now is incorrect.

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

@freessltools.com Generating a CSR on a mobile phone could be cumbersome perhaps.

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

@freessltools.com Generating a CSR through a website means the private key — which is required to sign the CSR — would be transfered to the website. Or at least the website code is being exposed to the private key, perhaps without uploading it and keeping it local, or not…

But this discussion is offtopic to say the least, unless @mohito doesn’t have any other way of running an ACME client. The biggest issue I think is getting any newly generated certificate into the Synology NAS.

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

@freessltools.com No need to generate a CSR manually when using certbot…

Also, you’ve pasted your own website THREE TIMES in that last post… It looks very, very spammy to me.

You replied to my post about generating a CSR on a mobile device. That’s one stap before you can turn to the ACME client. You’re not reading correctly.

Hi @mohito

Synology has an own, integrated and well-working system to create and install new Letsencrypt certificates.

So if you are the only user and if you don’t use HSTS, create an exception in your browser, then you can use your DSM with the expired certificate.

Creating another certificate and try to install it - that may work.

But it’s not really required.

If your DSM is again online, renew the certificate.

Because it’s way easier than your website… Please stop spamming.

Did you actually read my very lengthy post?

I’ve read it. Certbot generates the private key and CSR for you. The only thing the user needs to do is add the appropriate TXT records to the DNS zone. No need for manual OpenSSL commands, therefore easier and more userfriendly.

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

Excuse me, but you started talking about certbot, so I assumed you weren’t talking about mobile devices any longer:

See?

I think we can close that topic.

3 Likes