SSL CERT on synology device not valid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eomrt.synology.me

I ran this command:

It produced this output:

My web server is (include version): synology device

The operating system my web server runs on is (include version): SRM

Hi @Drew, and welcome to the LE community forum :slight_smile:

It is using a self-signed cert.
You should review their documentation on how to obtain an LE certificate.
Also, make sure you have updated to the latest Synology version.

2 Likes

Here is a post that has the Synology forum links

It's worth checking on them as well. :smile:

3 Likes

Here is a list of issued certificates crt.sh | eomrt.synology.me, only 2 showing with a date of 2022-12-15.
I would expect to see this certificate https://search.censys.io/certificates/e86b55a9cfc79b424439c5b3611a599a22dd642e7fe1ea5977c3bdf776ba9bd5 being served, but it is not.

The certificate presently being served is self-signed, as @rg305 has noted.

$ openssl s_client -showcerts -servername eomrt.synology.me -connect eomrt.synology.me:443 < /dev/null
CONNECTED(00000003)
depth=0 C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = Eyesopen.co, emailAddress = atennant@eyesopen.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = Eyesopen.co, emailAddress = atennant@eyesopen.co
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = Eyesopen.co, emailAddress = atennant@eyesopen.co
verify return:1
---
Certificate chain
 0 s:C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = Eyesopen.co, emailAddress = atennant@eyesopen.co
   i:C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = EOMRT.synology.me, emailAddress = atennant@eyesopen.co
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 17 09:40:33 2022 GMT; NotAfter: Jan 18 09:40:33 2024 GMT
---
Server certificate
subject=C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = Eyesopen.co, emailAddress = atennant@eyesopen.co
issuer=C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = EOMRT.synology.me, emailAddress = atennant@eyesopen.co
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1615 bytes and written 383 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE
2 Likes
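
The check made by hand in the post above can be scripted. This is an added example, not part of the thread: `rdn`, `parse_s_client` and `triage` are hypothetical names, and it assumes the comma-separated name format OpenSSL prints in the quoted output. The sample lines are copied from that output.

```python
import re

# Lines copied from the s_client output quoted in the post above (trimmed).
SAMPLE = """\
Certificate chain
 0 s:C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = Eyesopen.co, emailAddress = atennant@eyesopen.co
   i:C = CA, ST = ON, L = London, O = EYESOPEN, OU = IT, CN = EOMRT.synology.me, emailAddress = atennant@eyesopen.co
Server certificate
Verify return code: 21 (unable to verify the first certificate)
"""

def rdn(dn, key):
    """Value of one attribute in an OpenSSL 'K = V, K = V' name (no escaped commas)."""
    m = re.search(r"(?:^|,\s*)" + re.escape(key) + r"\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else None

def parse_s_client(text):
    """Return the chain entries (subject/issuer per depth) and the final verify result."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif line.startswith("Server certificate"):
            in_chain = False
        elif in_chain and (m := re.match(r"\s*(\d+) s:(.*)", line)):
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
        elif in_chain and chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1]["issuer"] = m.group(1).strip()
    m = re.search(r"Verify return code: (\d+) \((.*)\)", text)
    return {"chain": chain, "verify": (int(m.group(1)), m.group(2)) if m else (None, "no verify line found")}

def triage(text, expected_issuer_org="Let's Encrypt"):
    """List the reasons the served certificate is not the expected publicly trusted one."""
    result, findings = parse_s_client(text), []
    code, msg = result["verify"]
    if code != 0:  # 0 means the chain verified against the local trust store
        findings.append(f"verify code {code}: {msg}")
    if not result["chain"]:
        return findings + ["no certificate chain in output"]
    leaf = result["chain"][0]
    org = rdn(leaf["issuer"] or "", "O")
    if org != expected_issuer_org:
        findings.append(f"leaf issuer O is {org!r}, expected {expected_issuer_org!r}")
    if leaf["subject"] == leaf["issuer"]:
        findings.append("leaf subject equals issuer (self-issued)")
    if len(result["chain"]) == 1:
        findings.append("server sent only the leaf, no intermediate")
    return findings

print("\n".join(triage(SAMPLE)))
```

An empty list from `triage` means the output shows a verified chain from the expected issuer; any finding points back to the device's certificate settings rather than to issuance.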
