SSL on Synology DSM 6.0...zeroSSL, other client?

Could you elaborate on that forwarding a little? Basically I remember some topics discussed some time ago about forwarding from some registrars done in an odd way (for example by serving your site in an iframe).

From what I can see, your site is not quite kamislookout.cloud. That one is merely a redirect to synology.me subdomain at high port. This is why it doesn't match.

2 Likes

I think it answers https connections. If you try to visit the URL outside of my network it won’t work. That tells me there is a port forwarding issue with my NAS at home, which I am waiting to hear back from support to figure out. This port forwarding issue all surfaced when I switched from dynamic > static > dynamic. Switched back because we figured out how to fix my problem and manually import the cert so I didn’t need port 80 anymore.

I wonder what could cause port failure from switching from dynamic > static > dynamic in my NAS. I realize this is probably outside the scope of your help. It just confuses me. Support should get back to me later today hopefully.

Yes. So I bought a domain because I was under the impression I cannot generate a CSR / certificate for my Synology subdomain.

So kamislookout.cloud is strictly used to forward to my Synology subdomain. Was I supposed to include my Synology subdomain in the CSR?

@schoen probably knows the answer to that (whether it can be issued for .synology.me)

Also I suspect with that domain it might work if CNAME DNS record with low TTL was used instead of setting up HTTP redirect.

1 Like

Is your “Synology subdomain” like somethingsomething.synology.com? Do you get to choose as a Synology customer where that DNS record points?

Is the forwarding currently done at the HTTP layer (sending an HTTP redirect in response to web browser requests)?

Sorry, I haven’t dealt with these concepts before so I’m trying to be sure I understand what you’re trying to accomplish.

1 Like

If it's like somethingsomething.synology.com, I think there will be rate limit issues if every customer tries to get a certificate for their own subdomain (LE won't be willing to issue that volume of certificates for a single registered domain), but I don't think there's a policy issue absolutely forbidding it.

I agree that the kamislookout.cloud name ought to be pointed at the Synology subdomain at the DNS level (CNAME is a great approach), not at the HTTP level. In response to a redirect at the HTTP level the web browser will make a request using the Synology subdomain name (which you don't have a certificate for). In response to a CNAME pointer at the DNS level the web browser will make a request using the kamislookout.cloud name (which you do have a certificate for).

One way of thinking of this is that if you have an HTTP redirect, the browser is told "oh, instead of going to kamislookout.cloud, I should go to somethingsomething.synology.com, which is a different site", while if you have a CNAME, the browser is told "oh, in order to go to kamislookout.cloud, I should connect to the IP address of somethingsomething.synology.com; that's where kamislookout.cloud is".

2 Likes

So, @iwantSSL, to sum it up: try the following - in the registrar’s interface for DNS, you can set your bought domain to be a CNAME to a synology subdomain (if they allow setting up TTL values, then set one as low as possible). Effectively what is going to happen is that once the DNS changes are propagated, typing your .cloud name should actually use whatever address your .synology.me name points to. When you land there, that will be your device, which will hopefully be able to understand the request and serve the .cloud certificate as expected. Keep us posted :slight_smile:

1 Like

Thanks for summarizing lol. I’ll look up instructions on changing my bought domain to CNAME, as I don’t know how to readily do this. This is what my GoDaddy account shows.

Well, GoDaddy has some articles on that, like this one - https://godaddy.com/help/add-a-cname-record-19236

And there’s also a video with a strange robotic voice narrative if that helps - https://www.youtube.com/watch?v=6O66f3TYbxY :slight_smile:

P.S. This one is better I believe - https://www.youtube.com/watch?v=Z-2k6lYLVfE (similar case of someone pointing to wpengine).

1 Like

lol. Doing it now. Give me a moment.

I think by now everyone in this thread is rooting for you :slight_smile:

1 Like

I honestly am getting a headache. I am going to take a break until I can get the ports open for my NAS. So I am at the mercy of their tech support, which seems much less responsive than these forums. Thanks for everything, and as soon as these ports are open I’ll try these steps and update this post.

Btw, don’t forget that at least one port there is likely open - the one you were HTTP-redirecting to. So once everything is set up, just try going to that cloud name while specifying that port. I hope that helps.

osiris@desktop ~ $ curl -I kamislookout.cloud
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /

osiris@desktop ~ $ curl -I kamislookout.cloud/
HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=900
Content-Length: 0
Content-Type: text/html
Location: https://kamislookout.synology.me:5090
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 22 Feb 2017 20:58:24 GMT
Age: 1
Connection: keep-alive

osiris@desktop ~ $ 

And synology.me currently is in the public suffix list.

Thanks, @Osiris. That makes it a bit more mysterious because the server on kamislookout.synology.me:5090 does speak TLS, but gives the Synology cert in response to SNI requests for either kamislookout.synology.me or kamislookout.cloud.

1 Like
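As an added example (not code posted by anyone in this thread), the following Python script puts the two observations above into something you can run yourself: it parses the redirect headers Osiris captured (copied here as a constructed sample string so the logic works offline), works out which host name the browser will present in SNI after following them, and checks whether a certificate issued only for kamislookout.cloud covers that name. An optional live mode connects to a server with a chosen SNI name and reports the DNS names in the certificate it actually sends back, which is the quickest way to confirm the "gives the Synology cert for either name" symptom. The file name `sni_check.py` in the usage comment is hypothetical; everything else uses the Python standard library only.

```python
"""Added diagnostic: shows why an HTTP redirect from kamislookout.cloud makes
the browser ask for a name the certificate does not cover, and which names a
TLS server really presents for a given SNI. Not part of the original thread."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed sample: the response headers from the curl output above,
# reproduced as a string so the parsing can be exercised without network access.
SAMPLE_REDIRECT = """HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=900
Content-Length: 0
Content-Type: text/html
Location: https://kamislookout.synology.me:5090
Server: Microsoft-IIS/7.5
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def name_after_response(requested_host, headers_text):
    """Return (status, host, port, changed): the host name the browser will put
    in SNI after handling this response. A CNAME never reaches this point,
    because with a CNAME the browser keeps using the name it was given."""
    lines = headers_text.strip().splitlines()
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    if status not in REDIRECT_CODES or location is None:
        return status, requested_host, None, False
    parts = urlsplit(location)
    # A relative Location such as "/" keeps the browser on the same host.
    host = parts.hostname or requested_host
    return status, host, parts.port, host.lower() != requested_host.lower()


def name_matches(pattern, hostname):
    """Certificate name match as browsers do it: exact match, or a single
    leftmost wildcard label (*.synology.me covers kamislookout.synology.me
    but neither synology.me nor a.b.synology.me)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers the requested host name."""
    return any(name_matches(n, hostname) for n in cert_names)


def fetch_cert_names(host, port, sni):
    """Connect to host:port, send `sni` in the ClientHello, and return the DNS
    names in the certificate the server chose for that name. Chain verification
    stays on (a self-signed Synology default cert raises SSLError, which is
    itself the answer); only the host-name check is disabled so a mismatched
    name is reported instead of silently rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without SAN: fall back to the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def diagnose(requested_host, headers_text, cert_names):
    """One request end to end: which name the browser will present after the
    response, and whether the certificate the NAS holds covers that name."""
    status, host, port, changed = name_after_response(requested_host, headers_text)
    return {
        "status": status,
        "sni_name": host,
        "port": port,
        "redirect_changed_host": changed,
        "cert_covers_sni_name": cert_covers(cert_names, host),
    }


if __name__ == "__main__":
    # Offline walk-through: the constructed redirect plus a certificate that was
    # issued only for kamislookout.cloud, as described in the thread.
    print(diagnose("kamislookout.cloud", SAMPLE_REDIRECT, ["kamislookout.cloud"]))
    # Live check (hypothetical file name): python3 sni_check.py HOST PORT SNI_NAME
    if len(sys.argv) == 4:
        host, port, sni = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        try:
            print("server presented:", fetch_cert_names(host, port, sni))
        except ssl.SSLError as exc:
            print("TLS handshake failed:", exc)
```

Run it without arguments to see the offline verdict (redirect changes the host, certificate does not cover the new name); run it with a host, port and SNI name to see which certificate a server hands out for that name. Running it twice against the same port with the two different SNI names, and comparing the returned name lists, reproduces the check schoen describes.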

Yeah, it responds with “Web Station has been enabled. To finish setting up your website, please see the “Web Service” section of DSM Help.”

Perhaps @iwantSSL just needs to finish that before the installed cert takes effect?

I’m not sure what all of that means. Web station was a package I installed previously because a tutorial told me to. But I think it’s largely useless for my purposes. I assigned a DDNS through Synology’s wizard, which refers to kamislookout.synology.me:5090. 5090 is the https connection I established via port specification.

I got port forward working again. But still not pulling the right certificate. Meh.

Have you created a virtual host for the same name as the one your certificate was issued for and with the appropriate port? I guess it would be similar to the image below (from http://www.webfoobar.com/node/8 guide related to dev setup on Synology)

1 Like

No I haven’t. I’m not sure that would be necessary. Do you think I should require a third SSL cert through zeroSSL, and include in the URL my Synology DDNS as well as the domain I purchased?

For my current SSL certification I only entered the domain I purchased, and not my Synology DDNS. My only concern is that I’ll be requesting a certification for a third time. Will I run into a limit issue for my domain?