The operating system my web server runs on is (include version): DSM 7.2-64570 Update 3
I can login to a root shell on my machine (yes or no, or I don't know): yes
Most applications, including PLEX, ... say that the certificate is not reliable or is self-signed, and it is not possible to continue working.
Basically I see the error "SSL_ERROR_BAD_CERT_DOMAIN".
"has a security policy called HTTP Forced Secure Connection (HSTS), which means that Firefox can only connect to it through a secure connection. You cannot add an exception to visit this site."
Although I renewed the certificate several times and sent requests for certificate verification to letsencrypt.
I'm trying to understand what the problem is and how it can be solved.
This has never happened before and everything worked fine for several years.
I can open this just fine. SSL Server Test: dzhus.synology.me (Powered by Qualys SSL Labs)
My suspect is that somebody is messing with your internet connection. (Or NAT hairpinning doesn't work on your LAN, try accessing from mobile data)
Everything is fine with access to the site, the problem is mainly when working through applications that say that the certificate is not reliable. And they lose access.
I can’t open Plex at all, through the Firefox browser, it says has a security policy called HTTP Forced Secure Connection (HSTS), which means that Firefox can only connect to it through a secure connection. You cannot add an exception to visit this site" and there is no access.
what cerifitace it sees when error is happening?
openssl s-client to there?
What domain name are you using in the apps and Firefox? Because you used to get a wildcard cert that would cover many names but now only two names are in your cert - your
dzhus.synology.me and the
mail subdomain of that.
You need to use the wildcard cert if you will be using other subdomain names
Everything seems to be fine here, thank you.
Seems to have fixed all the problems.
The only problem left is with Plex, when I launch from my domain, all browsers write SSL_ERROR_BAD_CERT_DOMAIN
has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only go there using a secure connection. You cannot add an exception to visit this site.
Subdomains don't help
Ports are open.
Any ideas what can be done?
You need to review your Plex config then because it is not using the Let's Encrypt cert. You could try the Synology forum
See the Plex cert with a site like this
If you don't want to use HSTS you can turn it off. That's totally up to you. It is not part of the cert and it is not part of DNS. It is set in the response headers for HTTPS requests.
I don't know how you configure Synology for that but in nginx you set response headers in the server block for the HTTPS port(s). After disabling it you would need to empty the HSTS cache in any browser.
Thank you very much, everything worked. I turned it on before but didn't clear the cache. I cleared the cache and everything worked. Thank you.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.