Renewal 101 basics


#1

Hi all,
I’m pretty new but keen to learn. I have a Synology home NAS which I can access remotely. The guy who helped me set it up (I think) installed a certificate - I can see this under the Synology control panel > Security > Certificate. I can see that it’s issued by LetsEncrypt and it has a date of 2018-1-15.
I’ve had an email saying that it’s about to expire and I need to renew it.

What do I do?

Bob


#2

Hi @bremhillbob

If you use the Synology DSM, then you should find all relevant things under “Security - Certificate”.

This is an integrated solution. So you don’t need an external tool.

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate


#3

Also, the renewal warning e-mail could happen if you had an older certificate with slightly different name coverage. If that’s the case, then the warning might not be relevant if the changes in coverage were intentional.


#4

I’m pretty sure that there is just the one certificate and the details I can see on the NAS suggest expiry at the same time as the email so that seems to be right.

I can see the details but I just can’t see how to renew the certificate. I’ll go away and read the article suggested and see if that helps

Thanks for the advice guys

Bob


#5

Thanks Juergen for the link, that was helpful. I found the bit about ‘renewing’ … this says …
To renew certificates:
When your certificate is about to expire, it can be renewed using this option.

  1. Click CSR.
  2. Select Renew certificate and click Next.
  3. Download the generated private key and certificate signing request.
  4. Send the CSR to the desired certificate authority for a renewed certificate.

I have 2 certificates one from Letsencrypt and one from synology. I select the lets encrypt one then click CSR and have only 2 options:
Create a CSR and Sign CSR - there isn’t a renew option. HOWEVER …

On the ‘Add’ dropdown tab along the top there is an option to renew - so I’ve tried that and received an error about port 80 needing to be open to letsencrypt so I think that’s my next area to investigate (I have changed my router since the original install so I guess I’ve some work to do)

Bob


#6

No, not this manual option. This is if you want to use another CAA. Use this:


To get certificates from Let’s Encrypt:

You can get free and secure SSL/TLS certificates automatically from Let’s Encrypt, an open and well-trusted certificate authority.

  1. Click Add.
  2. Select Add a new certificate and click Next.
  3. Select Get a certificate from Let’s Encrypt.
  4. Specify the following information:
     • Domain name: Enter the domain you have registered from the domain provider.
     • Email: Enter the email address used for certificate registration.
     • Subject Alternative Name: To allow one certificate to cover multiple domains, enter the other domain names here.
  5. Click Apply to save the settings. Once confirmed, the certificate will be instantly imported into your Synology NAS.

Yes, you need an open port 80, so Synology is able to place a special file and Letsencrypt is able to check this file.
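
The "special file" check described in post #6 is the ACME HTTP-01 challenge (RFC 8555). The following is an added example, not part of the thread and not Synology's or Let's Encrypt's code: a loopback simulation of that check, where the account key, the token and the ephemeral loopback port are constructed stand-ins (the real check arrives from the internet on port 80).

```python
import base64, hashlib, http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"   # fixed path from RFC 8555, section 8.3

def key_authorization(token, jwk):
    """token + '.' + base64url(SHA-256 of the canonical account JWK, RFC 7638)."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":")).encode()
    thumb = base64.urlsafe_b64encode(hashlib.sha256(canonical).digest())
    return token + "." + thumb.rstrip(b"=").decode()

def make_server(challenges):
    """Stand-in for the NAS web server: serves only provisioned challenge files."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = challenges.get(self.path[len(PREFIX):]) if self.path.startswith(PREFIX) else None
            if body is None:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.end_headers()
            self.wfile.write(body.encode())
        def log_message(self, *args):   # keep the demo quiet
            pass
    return HTTPServer(("127.0.0.1", 0), Handler)   # port 0: any free loopback port

def ca_check(port, token, expected):
    """Stand-in for the CA's check: fetch the file and compare it exactly."""
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=3)
        conn.request("GET", PREFIX + token)
        resp = conn.getresponse()
        return resp.status == 200 and resp.read().decode().strip() == expected
    except (OSError, http.client.HTTPException):
        return False   # refused or timed out: the validator cannot reach the file

def demo():
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus"}   # constructed account key
    token = "constructed_token_0123456789ABCDEF"                    # constructed token
    expected = key_authorization(token, jwk)
    server = make_server({token: expected})
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {"reachable": ca_check(port, token, expected),
               "wrong_token": ca_check(port, "not-provisioned", expected)}
    server.shutdown(); server.server_close()
    results["port_closed"] = ca_check(port, token, expected)   # like an unforwarded port 80
    return results
```

The `port_closed` result corresponds to a router that no longer forwards port 80 to the NAS: the file can be in place and correct, and validation still fails because it cannot be fetched.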


#7

Juergen, I’d done as you’ve suggested but I now have 3 certificates (2 from lets encrypt and one from synology). The default is currently with the old one though I imagine I can change that fairly simply. I think what I’ve done is added a new certificate without renewing the old one. I’ve not looked at opening port 80 yet.

Regarding port 80 … I have a BT home router (Smart Hub). The firewall only has options for port forwarding and I’m not entirely sure what I’m doing there …


#8

You should change the certificate, so Synology knows this is a LE-certificate Synology has created. Then the renew should work without any manual action.

What’s your domain name? If you have created a new Letsencrypt certificate, your router settings are already good.

Use

https://transparencyreport.google.com/https/certificates

to check your new certificates.