SSL on Synology DSM 6.0...zeroSSL, other client?

Hi everyone,

I’ve done some thorough reading to get SSL on my Synology. And I’m at a dead-end. I’ve spent at least a week trying to figure this out. I’m at a lost and almost hopeless. Some useful info below:

I’m running Synology NAS with 6.0 I believe, which supports let’s encrypt in the UI. But my ISP blocks port 80 (unless I get a static IP which is too expensive for my use).

So I’ve tried this challenge thing…with little luck. I can’t find a decent guide outside port 80. I’ve tried to manually import certificates from zeroSSL manually (the key, domain certificate, and issuer certificate). I did this by copying and pasting the respective files into a notepad then renaming extensions to .key, .cert, and .cert. I either get the error from DSM “illegal key” or “invalid cert.” I’m not sure why…I own a domain and point it to my Synology…ugh. I feel this should be easier.

hi @iwantSSL

have you acutally issued a valid letsencrypt certificate?

if so what is the domain name?

do you understand the process of CSR, validation, and key and certificates?

If not then I suggest reading up on those first.

The most likely cause of your issues is that the private key and the certificate do not match

There are several good articles on Synology

Having port 80 blocked is a bit of a nuisance are you sure this is correct as its a very common port.

Are you running CPANEL on your synology?


1 Like


Thanks for your reply. I saw you on these forums a lot before writing this post. Sorry that I kind of rambled.

I read on zeroSSL’s website for a bit to understand CSR, key, and certificates. At least I think. zeroSSL has a pretty easy web browser to process all of these things. Unfortunately port 80 is blocked. I called my ISP and asked and they said I could get a static IP and open all ports, but that’s too expensive for what I am doing.

I’ll check out these guides right now that you posed. Thanks for your assistance. Hopefully I can figure this out.

Also, I’m not sure what CPANEL is, and I do not see it on the package center. I’m betting the fact that I don’t have web hosting setup…is one thing that is preventing me from getting this to work? I just bought a domain, pointed it to my NAS. I didn’t set anything else up.

You might be able to use ZeroSSL’s DNS verification option even if port 80 is blocked. Look for the checkbox in the bottom left corner on the first step.

I used exactly that. I am at the point where my certificate is issued successfully with zeroSSL. The problem is when I try to import it into my Synology, I keep getting the error “illegal private key.” :confused:

OK. You have us at a small disadvantage because you can see your Synology UI and we can’t.

Can you describe in some detail the sequence of events leading up to the error? For example if you’re uploading a file or pasting it into a text box, if there is something in the page saying to use PEM or PKCS#12 or other specifics about file formats. You should not show anyone the private key data but it’s safe to publish anything else.

1 Like

Please also make sure that you are using the domain key from the last step, not the LE key from the first step.

1 Like

Here are the steps I took:


  2. online tool - this leads you to the first page, which asks you to enter your domain and email (for notification on expiration)

  3. I entered my domain, and my email address (as far as I know any will work, it’s just for reminder purposes)

  4. I hit next, it generates the CSR (at 4028 length I believe…not sure if Synology only accepts 2048)

  5. I hit next again, it generates to my understanding the let’s encrypt key for renewal purposes, I save both the CSR and LE key in different text files for later use, and select verify via DNS txt value

  6. I verify DNS txt value no problem…hit next

  7. the screen below displays:

  8. I then copy and paste each item into a respective text file. I note that the certificate box you see above has the domain and issuer certificate in one, but I separate these into two different files as Synology asks for both of them separately.

  1. I go to Synology DSM setting for importing a certificate and do the following:

Hopefully this makes things more clear. I want to resolve this :frowning:

Just to make sure - when you split the certificate file, you do as instructed on the page and preserve BEGIN and END bits and also use the first for the Certificate and second for “Intermediate certificate” - correct?

1 Like

That is correct. I retained the BEGIN and END when I split for both certificates. And I used intermediate for last box in DSM. I mean, we can have that discussion if I’m doing it right if I can somehow get rid of the illegal key error.

From what I can see, quite a few people experienced this in the past with completely different certificates. In 2014 apparently there was even a confirmed problem with importing certificates, to which support replied with:

This has been confirmed as a known issue and we have recorded this issue and will try to fix this issue soon. Sorry for your inconvenience.

The workaround is change language to English for an instance and the issue is gone.

Another similar topic:

It could be that there is still some bug in this specific firmware you are using for example. If importing still fails, you can try using to automate process, as described on Synology NAS Guide · acmesh-official/ Wiki · GitHub

I would suggest trying, but as far as I remember, Perl is an add-on package on Synology, so ... :slight_smile:

1 Like

So I don’t have to enable web server or anything like that? You think this is most likely a Synology bug? Are there any steps I skipped?

The cloud front method says it works with “limited browsers” for the free version. Does that matter? Or will I still get the same encryption?

Also, what is I can install Perl but I’m not sure how that helps me?

If there is anything in that client or guide that might help for the example to bypass importing via interface and just place required files in the right places, then it might work, otherwise other clients probably would not be useful either. I haven’t personally worked with Synology devices, so to me at this moment that indeed looks like a bug, especially after seeing the posts on Synology forums. If it was my device, I’d probably tried to check if there were any firmware updates with changes that might be related to SSL and if there were, I might try installing them.

1 Like

No firmware updates. Look like I’m stuck without encryption. Sigh :confused:

What if I called my ISP and temporarily got a static IP to open port 80 to obtain the cert? then cancelled the static IP / closed the port? I wonder if that would work. Then I could use Synology directly to obtain a certificate from LE.

edit: what do you think of this guide?

That might work, but keep in mind that you would have to do that every 90 days.

Regarding that guide, considering that it suggests to “Now go into the management tool of the synology, go to webservices and click the button ‘import certficate’”, I’m afraid that will end in the same way.

1 Like

Yes, I understand that. My guess is Synology will make other options for people who cannot open ports for LE. In the mean time, this could be a workaround? Also, check my edit above if you could

Okay. Seems my only option is to temporarily open port 80. LE doesn’t perpetually need access to that port does it? It’s only at the moment it my Synology is retrieving the certificate?

Hi @iwantSSL, I didn’t follow your whole conversation with @leader, so I don’t mean to assume that there are absolutely no other possible options for you. However, if you’re using verification via port 80, that only needs to be available while the certificate is being requested (during the authorization step), not at other times. But as @leader pointed out above, you would have to do this every 90 days for certificate renewal as well (the authorization has to happen again as part of each subsequent issuance before the certificate expires).

1 Like

I see. I guess it’s better than nothing until Synology updates DSM to allow other options through their UI for LE.