SSL on Synology DSM 6.0...zeroSSL, other client?

The RTF files are definitely the explanation for the error! From the Synology device’s point of view, they are indeed corrupt because they contain RTF formatting codes that aren’t part of the certificate.

1 Like
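The corruption described in the post above can be spotted before the file ever reaches the NAS. The script below is an added example, not code from this thread or from Synology: it builds a throwaway self-signed certificate with the openssl command-line tool, wraps a copy in RTF the way WordPad's default save format does, and classifies each file. The helper name `classify_cert_file` and the domain nas.example.invalid are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): tell a real PEM certificate apart from one that
# WordPad saved as .rtf. Needs only a POSIX shell and the openssl command-line tool.
set -e
WORK=$(mktemp -d)

# Constructed sample: a throwaway self-signed certificate stands in for the Let's Encrypt cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=nas.example.invalid" -days 1 >/dev/null 2>&1

# Constructed sample: the same text pasted into WordPad and saved with the default .rtf format.
# RTF control words surround the PEM block and every line gains a \par marker, so the
# "-----BEGIN CERTIFICATE-----" line no longer ends where a PEM parser expects it to.
{
    printf '{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Courier;}}\\f0\\fs20\n'
    sed 's/$/\\par/' "$WORK/cert.pem"
    printf '}\n'
} > "$WORK/cert.rtf"

# Constructed sample: a file that is neither.
printf 'not a certificate at all\n' > "$WORK/notes.txt"

# classify_cert_file FILE -> prints "rtf", "pem" or "invalid"
classify_cert_file() {
    if [ "$(head -c 5 "$1")" = '{\rtf' ]; then
        # Every RTF document starts with the {\rtf control group.
        echo rtf
    elif openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        # openssl parsed it, so this is a certificate the NAS can import.
        echo pem
    else
        echo invalid
    fi
}

for f in cert.pem cert.rtf notes.txt; do
    printf '%s: %s\n' "$f" "$(classify_cert_file "$WORK/$f")"
done
```

The RTF check comes first because the wrapped file still contains the BEGIN/END lines, so a plain text search for them would give a false sense of security; only the leading control group or a real parse attempt reveals the problem.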

You’re the best and most brilliant troubleshooter I’ve ever encountered. Most people like to give up quickly. You’re patient and thoughtful. Thank you so much!

Edit: and you do it all for free. Bravo, sir. Bravo.

Hi @iwantSSL, although the CSR allows you to request a certificate containing many different details about the person or organization who is the subject of the certificate, Let’s Encrypt as a matter of policy will ignore all of those details. This is the difference between Domain Validation (DV) and Organization Validation (OV); Let’s Encrypt is a DV-only certificate authority and does not include any subject identifying information in the certificate other than the domain name, because there isn’t a cost-effective way to verify other information automatically. Sometimes people do submit CSRs with the other fields filled in, but Let’s Encrypt then always strips them out before issuing the certificate—Let’s Encrypt only uses the CSR to find out what the list of domain names in the certificate should be, and what the public key should be.

So, if you’re going to use Let’s Encrypt certificates in the future, I wouldn’t worry that much about all of those options in the CSR: they can be relevant for other CAs, but not really for ours.

1 Like

Thanks for having the patience to solve the problem! Hopefully this information will help other people who might find themselves in a similar predicament someday.

1 Like

I’m sure it will. It’s such a silly mistake on my part. But it’s easily overlooked by people without patience. We almost need a checklist of simple mistakes to run by first. Lol.

The CSR is just an option to specify a bunch of information to the certificate provider (Let's Encrypt in this case) in a way that lets you prove you actually hold the private key of the public/private key pair you generated.

Every certificate in the PKI system is based around the public/private cryptography system and every certificate holds the public part of that keypair. The private key is kept on the server and should be kept private at all times!

When you generate a CSR, the public key is embedded inside it, along with the other info, such as the domain names. Sometimes, more info can be put into the CSR, such as the company et cetera, but Let's Encrypt ignores such information, as it only issues DV certificates. The CSR is then signed with the private key corresponding to the embedded public key. This signature of the CSR can be validated with this same public key, so the issuing provider knows you actually have the private key.

When the signature is validated with the public key, the CSR can be used. In Let's Encrypt's case it only takes note of some of the info (public key, domain names) and ignores the rest. :slight_smile:

1 Like
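The description above can be checked end to end with the openssl command-line tool. The script below is an added example, not code from this thread or from Let's Encrypt: it generates a key pair, builds a CSR carrying organisation details that a DV-only CA discards plus the domain names it keeps, verifies the CSR's self-signature with the public key embedded in the CSR, and confirms that embedded key is the public half of the private key. The domain names, the "Example Household" subject and the helper functions are assumptions made for the example; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread): what a CSR carries, and which parts a DV-only CA uses.
set -e
WORK=$(mktemp -d)

# Constructed sample: the NAS's key pair. The private half never leaves the NAS.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/nas.key" 2>/dev/null

# Constructed sample: a second, unrelated key, standing in for the mistake of pairing a CSR
# with the wrong private key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

# Constructed sample: a CSR with organisation details (ignored by a DV CA) and the domain
# names (used by a DV CA) in the subjectAltName extension. openssl signs the request with
# nas.key; that signature is the proof of possession described in the post.
openssl req -new -key "$WORK/nas.key" -out "$WORK/nas.csr" \
    -subj "/C=US/O=Example Household/OU=Home NAS/CN=nas.example.invalid" \
    -addext "subjectAltName=DNS:nas.example.invalid,DNS:www.nas.example.invalid" 2>/dev/null

# csr_signature_ok CSR -> succeeds only if the signature verifies with the public key embedded
# in the CSR itself; no other key is needed. OpenSSL 1.1 reports on stderr, 3.x on stdout,
# and both messages contain "verify OK".
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_domains CSR -> one DNS name per line from the subjectAltName extension
csr_domains() {
    openssl req -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# csr_subject CSR -> the subject fields; a DV CA reads these but does not copy them
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_pubkey_matches_key CSR KEYFILE -> succeeds if the CSR embeds the public half of KEYFILE.
# Both keys are normalised to DER and hashed so the comparison does not depend on PEM layout.
csr_pubkey_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$from_csr" = "$from_key" ]
}

csr_signature_ok "$WORK/nas.csr" && echo "signature verifies with the embedded public key"
csr_pubkey_matches_key "$WORK/nas.csr" "$WORK/nas.key" && echo "public key matches nas.key"
csr_pubkey_matches_key "$WORK/nas.csr" "$WORK/other.key" || echo "public key does not match other.key"
echo "domains a DV CA will put in the certificate:"; csr_domains "$WORK/nas.csr"
echo "subject details a DV CA will drop:"; csr_subject "$WORK/nas.csr"
```

The key-match check is the one worth keeping around: a NAS that rejects a certificate it was given will often do so because the private key on the box is not the one the CSR was generated from, and the two hashes make that mismatch visible without reading any ASN.1.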

Thank you so much Osiris. :slight_smile: Wonderful explanation. I feel between everyone who participated in my thread I’ve learned at least general knowledge about this entire process, including some technicals. Thanks again everyone!

Out of curiosity, is this supposed to happen?

Nope.

Most of the time it’s because the intermediate certificate is missing.

Try testing your site on https://www.ssllabs.com/ssltest/
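The missing-intermediate failure mentioned above can be reproduced offline. The script below is an added example, not code from this thread or from SSL Labs: it builds a small constructed PKI (root, intermediate, leaf) with openssl and then runs the same path-building check a browser performs against two bundles a server might send, one with just the leaf and one with the leaf plus the intermediate. The names, the extension profiles and the `chain_verifies` helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): why a missing intermediate breaks validation even when
# the leaf certificate itself is fine. Needs only a POSIX shell and openssl.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the constructed CA certificates and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nas.example.invalid\n' > leaf.ext

# Constructed root CA (the part a browser trusts) and intermediate CA (the part the server must send).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out int.pem 2>/dev/null

# Constructed leaf certificate for the NAS, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout nas.key -out nas.csr -subj "/CN=nas.example.invalid" 2>/dev/null
openssl x509 -req -in nas.csr -CA int.pem -CAkey int.key -CAcreateserial -extfile leaf.ext -days 2 -out nas.pem 2>/dev/null

# Two candidate bundles the NAS might serve on port 443.
cp nas.pem served-leaf-only.pem
cat nas.pem int.pem > served-with-intermediate.pem

# chain_verifies BUNDLE ROOT -> succeeds if the first certificate in BUNDLE chains up to ROOT
# using only the other certificates in BUNDLE, which is exactly the browser's situation:
# it trusts the root, and everything between must come from the server.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

for bundle in served-leaf-only.pem served-with-intermediate.pem; do
    if chain_verifies "$bundle" root.pem; then
        echo "$bundle: chain OK"
    else
        echo "$bundle: incomplete chain (issuer of the leaf not available)"
    fi
done
```

Running the leaf-only bundle through `openssl verify` without the redirections shows the familiar "unable to get local issuer certificate" message, which is the same condition SSL Labs reports as a chain issue.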

Failed. Still pulling Synology cert. But I deleted that cert so not sure how it’s doing that?

Do you think it’s best how I set it up? I bought the domain and pointed it to my Synology DNS. When I requested the LE cert I only put the domain I bought, not my Synology DNS.

Edit: it’s definitely not pulling my LE certificate. I wonder what could be going wrong. This is strange. One problem solved, another arises. :frowning:

I should mention that my work (and several of my colleagues' work) on Let's Encrypt is paid for by the Electronic Frontier Foundation, which is supported by donations.

It's also possible to donate to the Internet Security Research Group, which operates the Let's Encrypt CA:

1 Like

So the NAS said it was able to import the cert, but then it doesn’t appear to use it when you connect to it via HTTPS?

Correct. Check this out:

I’ll note that I am having difficulty enabling port forwarding on my Synology NAS. I have a ticket set up with them to try to resolve this (hopefully). Do you think port forwarding is the issue? Port 443 is required to check the cert?

This seems to be unfolding in a very interesting manner :slight_smile: It’s certainly good to know that sometimes it could be about the case of copying and pasting into something like WordPad and saving it as the default .rtf. That’s one of the reasons there was a download option rather early (for the browsers supporting that), but I guess it won’t hurt to add an option to download files as an archive.

1 Like

Interestingly enough, I saw no download option. Only copy and paste. Unless of course the download option is a function of flash, which is disabled on my browser.

I think that IP address is a server hosted by GoDaddy (on secureserver.net), not a residential ISP. Do you have your NAS in your home? If so, I don’t think your DNS record is actually pointed at the NAS, but at something else. (I didn’t understand what you were referring to above with “my Synology DNS” but I assume this could be related somehow.)

1 Like

I did buy my domain from GoDaddy. On GoDaddy, I forwarded the domain I purchased to my Synology DDNS*.

So basically my GoDaddy domain is supposed to directly point to my Synology DDNS (my NAS is at my house). You’re saying it isn’t? So basically fixing that should fix the issue?

I’m still confused about what machine is actually answering these queries. The IP address that your domain points at right now appears to be something hosted by GoDaddy (at 50.63.202.1, which I believe is a GoDaddy server facility and not your house), so I don’t understand what that is or why a Synology machine answers requests there with a Synology certificate.

But also, you got that “Your connection is not secure” error at some point (trying to visit the NAS in your browser?), but right now the IP address isn’t answering HTTPS requests at all?

1 Like

Yes, I've noticed on the screenshot above :slight_smile: It's not a flash-based option, but something that browsers need to support. Specifically: The "Download" button will not be working/available for the users of MSIE v11 and earlier versions and the users of Safari.

1 Like