Prepare to use different certificates for my Syno NAS

I’m setting up my new local web-based services on a Synology DiskStation (1019+).
Using a fixed IP address (Telekom) linked to the domain haus-kirchberg.biz.
The plan is to connect to the different services, split by sub-domains:
NAS Web Interface: ds.haus-kirchberg.biz
Axigen Mail Server: mail.haus-kirchberg.biz (running as a NAS Docker image)
UniFi Controller: unifi.haus-kirchberg.biz (running as a NAS Docker image)

So far I have created a Let’s Encrypt certificate for my domain haus-kirchberg.biz; ds.haus-kirchberg.biz by the Syno NAS certificate feature, which runs fine.
In a next step I will also activate the Axigen built-in certificate feature at the mail web server to create and manage the sub-domain mail.haus-kirchberg.biz.

To reach the domains from the internet I will handle this by the Telekom Homepage DNS feature with CNAME entries (mail.haus-kirchberg.biz; ds.haus-kirchberg.biz).
For the UniFi controller I will handle this similarly, but I need to dig into the UniFi cert handling first.

Planned procedure:

  • Need to forward (port forwarding) the different domains at my router
  • Update the firewalls accordingly (router, NAS)
  • Need to set up the certificate process for each service (NAS is still working)

Is this a possible scenario or do you see mistakes within the planned process?
Will I get problems with my certificates, requested for the same domain, by different instances?
Maybe there are other proposed solutions for my setup?

Thanks in advance for your support

My domain is: haus-kirchberg.biz

I ran this command: Synology auto-renewal process

It produced this output:

My web server is (include version): only locally installed services

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Telekom

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): DSM 6.2.2 update 5

One possible mistake:

Routers typically have no concept of domain names (SNI), so an external IP:port will just forward to an internal IP:port.
If you have multiple internal IPs that all share the same external IP and port… you may need to insert a more “intelligent” device (inline) to handle the similar port traffic.
[NGINX may be a good solution for this situation]
Even if they all use different ports (HTTPS/SMTP/SFTP/etc.), you may still run into a problem when trying to validate their certs individually, as all of them will either:

  • Be using the same IP and port for HTTP authentication
  • Will have to use DNS authentication
    OR
  • They will “share” a single cert [from a single system]

According to your feedback it will not be possible to request 2 or more LE certificates for one domain and a sub-domain from different applications. And you are right, I can only forward different ports to the internal applications (using the same public IP).

In my setup all applications run on the Synology DiskStation with the same private IP (Docker containers in host mode). I have already asked Synology support about a possibility to use the NAS certificate (single cert) also from the Docker image, but it is not possible to mount this folder from the Docker container (otherwise I will run into permission problems).

Another idea is to copy the certificate (whenever it is renewed) from the NAS cert folder to the cert directories of the applications by script (restarting the Docker container afterwards). Therefore I need to control the cert renewal process (do it manually), but then I have to take care that the Syno auto-renewal process (cert renewal every 50 days) is inoperative.

Maybe there is someone with similar requirements who has solved this.

Thanks for your support.
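A script for the copy-and-restart idea described in the post above, added here as an example; it is not code from this thread, from Synology, or from Axigen. The source directory, the destination directory and the container name are hypothetical and set through environment variables (the defaults are assumptions, not verified DSM paths); `docker restart` is only invoked when a file actually changed, which is what makes the script safe to run on a daily schedule alongside the NAS auto-renewal rather than requiring manual renewal. The same single-certificate distribution covers the shared-cert case from the earlier reply: whatever terminates TLS (the NAS itself or an NGINX proxy in front of the containers) gets the one certificate that carries both names.

```shell
#!/bin/sh
# Added example: copy a renewed Let's Encrypt certificate from the NAS
# certificate folder into a container's cert directory and restart the
# container only when the files really changed. Paths and the container
# name below are ASSUMED placeholders, override them via the environment.
set -eu

SRC_DIR="${SRC_DIR:-/usr/syno/etc/certificate/system/default}"  # assumed
DST_DIR="${DST_DIR:-/volume1/docker/axigen/certs}"               # assumed
CONTAINER="${CONTAINER:-axigen}"                                  # assumed

# Content hash of a file, used to detect a renewed certificate or key.
file_hash() {
  sha256sum "$1" | cut -d' ' -f1
}

# cert_changed SRC DST: succeeds (0) when DST is missing or differs from SRC.
cert_changed() {
  [ -f "$2" ] || return 0
  [ "$(file_hash "$1")" != "$(file_hash "$2")" ]
}

# sync_cert SRC_DIR DST_DIR: copies fullchain.pem and privkey.pem when they
# changed. Returns 0 if anything was updated, 1 if everything was current.
sync_cert() {
  src="$1"
  dst="$2"
  changed=1
  mkdir -p "$dst"
  for f in fullchain.pem privkey.pem; do
    if cert_changed "$src/$f" "$dst/$f"; then
      # Write to a temporary name and rename, so the application never
      # reads a half-written certificate or key.
      cp "$src/$f" "$dst/$f.tmp"
      mv "$dst/$f.tmp" "$dst/$f"
      changed=0
    fi
  done
  # The private key must never be readable by other local users.
  chmod 600 "$dst/privkey.pem"
  return $changed
}

# Restart the container so the application reloads its certificate.
restart_container() {
  docker restart "$1" >/dev/null
}

main() {
  if sync_cert "$SRC_DIR" "$DST_DIR"; then
    echo "certificate changed, restarting container $CONTAINER"
    restart_container "$CONTAINER"
  else
    echo "certificate unchanged, nothing to do"
  fi
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh sync-cert.sh run` from a scheduled task that executes as root more often than the renewal interval (daily is plenty for a 50-day cycle); because it compares file contents before copying, repeated runs are harmless and the NAS auto-renewal can stay enabled.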
