SSL on Synology DSM 6.0...zeroSSL, other client?

Hi @iwantSSL,

You won’t see the rate limit on a 3rd certificate request.

My current concern is that no matter which name the device is accessed under, it’s currently serving the Synology cert. I did both

openssl s_client -connect kamislookout.synology.me:5090 -servername kamislookout.cloud

and

openssl s_client -connect kamislookout.synology.me:5090 -servername kamislookout.synology.me

but each time, the certificate returned was the Synology one, not the Let’s Encrypt one that you obtained. The -servername parameter here is choosing which server name is requested via SNI, and hence which name the server thinks it’s being accessed under (mimicking what a browser would do if it successfully connected to that IP address under that name). So I think the priority here is not adding more names to the certificate, but figuring out how to configure the NAS to use the existing certificate that you get from Let’s Encrypt when it’s accessed under the name contained in that certificate, which it apparently currently doesn’t do.

@leader and @Osiris have had hypotheses about what might be necessary for that, but I don’t know enough about Synology to be helpful with this part.

1 Like
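The two s_client checks above, redone in Python as an added example that is not code from the thread. It connects with a chosen SNI name, reads the certificate actually served, and tests whether that certificate names the requested host; the host and port 5090 are the thread's values, and the certificate dict at the bottom is a constructed stand-in used for the offline check.

```python
"""Which certificate does a server present for a given SNI name?
Added example, not code from the thread: the openssl s_client -servername
checks above in Python. Host and port 5090 are the thread's values."""
import socket
import ssl


def cert_covers_name(cert, hostname):
    """True if a getpeercert()-style dict names `hostname`: exact match on
    subjectAltName DNS entries (subject CN only when no SAN exists); a wildcard
    is allowed only as the whole leftmost label and matches exactly one label."""
    host = hostname.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            head = host[:-len(name[1:])] if host.endswith(name[1:]) else ""
            if head and "." not in head:
                return True
    return False


def served_cert(host, port, sni_name):
    """Handshake with host:port announcing `sni_name` via SNI; return the cert.
    Hostname checking is off (the name comparison is ours), chain validation
    stays on, so a self-signed default cert raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


# Constructed stand-in for the Let's Encrypt certificate discussed in the thread.
LE_CERT = {"subject": ((("commonName", "kamislookout.cloud"),),),
           "subjectAltName": (("DNS", "kamislookout.cloud"),
                              ("DNS", "kamislookout.synology.me"))}

if __name__ == "__main__":
    for sni in ("kamislookout.cloud", "kamislookout.synology.me"):
        try:
            cert = served_cert("kamislookout.synology.me", 5090, sni)
            print(sni, "covered by served cert:", cert_covers_name(cert, sni))
        except ssl.SSLCertVerificationError as exc:
            print(sni, "-> untrusted certificate served:", exc.verify_message)
```

A NAS that still serves its self-signed default certificate for the external name shows up as the "untrusted certificate served" branch, which is exactly the symptom described above.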

Here are some responses from Synology:

Maybe someone else can try to parse that; it sounds to me like they’re saying that the NAS is only willing to attempt to use certificates issued for the synology.me name, and not for any other name? (seems like a pretty weird policy)

1 Like

@leader’s suggestion about virtual hosts does seem very relevant to me. Comparing

https://www.synology.com/en-us/knowledgebase/DSM/help/WebStation/application_webserv_virtualhost

it seems like the virtual hosts are used by the NAS to decide various things, maybe including what certificate to present (which is also usually the case for a traditional web server). The documentation even indicates that, when creating a virtual host, the NAS may then ask you to configure certificates for that virtual host (which seems like it would be an opportunity to import a certificate for a particular name).

Maybe you could try that, or else ask Synology support about it directly?

1 Like

I’ll look into both of these options. Thanks schoen. Will update when I get around to it.

If I wanted to generate a new CSR with an alternative address, how would I do that on zeroSSL.com? I only see one box to enter a URL. It doesn’t allow to add extra. I also couldn’t verify via DNS record for my Synology DDNS since there is no physical way to do this.

Edit: the box says domains. Hopefully it doesn’t ask me to verify record for Synology DDNS.

So this may not be possible when importing certificates manually. In the Synology UI, it has this functionality to add your alternative DDNS. But when I try on zeroSSL, there is no challenge that I can accomplish such as DNS text record, since that functionality is not possible to achieve. I guess my only other option is virtual host?

I’m near giving up. Should I try Certbot at this point? That seems like another learning curve to tackle. meh.

At 88 replies and most of the brain trust contributing, I would say it’s time to try something else.

Get an AWS account with an Ubuntu server (free for the first 12 months) and set things up properly.

Synology is a NAS vendor, not a web server.

But that is my 50 cents.

Not sure what getting an AWS account and Ubuntu server would accomplish for me. Could you explain a little further?

I think first we need to understand what exactly you want and where you are at now.

Based on your current setup, this is what I see. You have a domain named “kamislookout.cloud”. Using GoDaddy, you set up a redirect to “https://kamislookout.synology.me”. This means that anyone who tries to visit that first domain is accessing a server owned by GoDaddy that then sends a 301 redirect code to that specific URL. Currently, your Synology device isn’t serving a certificate for that domain, so you’ll get certificate errors.

So, do you want the Synology device to answer on the synology.me subdomain or your purchased domain? If you want to access by your domain directly, you will need to make changes to get that working properly. If not, you’ll need to try and get a certificate set up for that synology.me subdomain.

Knowing how you want to access the system is the first step in figuring out how best to guide you.

1 Like

Thank you, motoko, for your thorough response.

I would like both options. But that’s too much for me to request. I’ll tell you after spending a week+ on this I want the easiest option and I am not picky. I just want a secure connection to my NAS over the internet. So however that is achievable I’m all ears. My only limitation is my ISP blocks port 80 (unless I buy a static IP - I’m trying not to spend additional money).

I was not wedded to using my purchased domain, rather I purchased the domain because I was under the impression that I cannot manually request a LE cert for my Synology DDNS (synology.me…). I did try to request another cert using my Synology DDNS as an alternative to my purchased GoDaddy (kamislookout.cloud). I ran into a road block as I wasn’t sure how to verify ownership of the Synology DDNS (definitely couldn’t through DNS txt record like I did with GoDaddy). Is this helpful?

Actually it does. Note that the SSL Certificate Wizard says "Domains" (plural) and if you hover your mouse over that input, you will also see "List domain names for which you want the certificate issued". Additionally the documentation at Free SSL Certificates and SSL Tools - ZeroSSL says: "Domains - Enter the domain or the list of domains the certificate should be issued for (separated by either whitespaces or commas)." So yes, you can add plenty (up to 100).

Same stands for the CSR Generator.

1 Like

I found that out. The problem I ran into was I didn’t know how to verify that I owned the Synology DDNS, since I don’t have access to record files.

For the record, I’ve changed my name servers to my ISP so that it directly connects the domain I purchased to my dynamic IP / server. The GoDaddy rep said this is better than just forwarding my address.

It is true that you’ll have a rough time with authentication for the synology.me subdomain since you can’t be accessed over port 80. If 443 isn’t blocked, the TLS verification may work, but I’m not sure that’s compatible with the ZeroSSL site walkthrough.

Since you did set a direct link to your server from the name rather than a redirect, you can use the DNS verification method to get a certificate. Keep in mind that you’ll be repeating this every 60-90 days (depending on how much overlap you allow).

1 Like

I’m not wedded to zeroSSL. I just want this done lol. Is there a direction you can point me in for TLS? I don’t think port 443 is blocked. Just port 80 for me.

I don’t think I can do DNS verification since I’m using my ISP DNS. I don’t have access to the records.

Maybe someone who understands about Synology devices can explain how to configure it to serve the correct externally-obtained certificate in response to a particular SNI request? Apparently it was willing to import the certificate but then doesn’t actually use it. Is this about the virtual hosts?

Can you ask Synology about that, telling them that you got an external certificate for your external domain name and then imported everything related to the external certificate on the NAS, but that the NAS subsequently doesn’t seem to know to use that certificate (and key) instead of the built-in one when clients connect and request to access it under that name?

1 Like

Hello @schoen
I’m new to this also and was wondering if I make an attempt to get an SSL here:

  1. Why do you have to renew the SSL every 90 days?
  2. Would there possibly be a workaround?
  3. Would it work so as to cover an entire website including a shopping cart?
  4. Will it also show the GREEN in the HTTP area?
  5. Why is this site NOT secure? Simply curious, as I’ve got a yellow triangle in the HTTP area on this site…

Thank you in advance…
JC

Hi @JoesDot, are you using a Synology device somehow, or could we split this conversation out into a new discussion thread?

  1. This is a policy of the Let’s Encrypt CA, based on the idea that shorter certificate lifetimes are more secure in some ways. There have been previous discussion threads about this policy, running to hundreds of messages, which I can point you to if you’re interested.
  2. There’s no way to get the Let’s Encrypt CA to issue certificates that are valid for more than 90 days. A big hope of Let’s Encrypt is that most users will find ways to automate the process so that they don’t actually have to do any extra work when the certificate expires. Some people have had great success with this and aren’t particularly bothered by the renewals, or don’t even notice them any more. How easy or difficult it is to automate depends completely on how you get and install the certificate (with what software, in what kind of hosting environment, etc.).
  3. Yes, normally it does.
  4. Yes, normally it does.
  5. This is probably a result of a mixed content problem. A great resource for diagnosing these is https://www.whynopadlock.com/, which can scan your site and find and identify mixed content problems.