Having trouble getting a working cert. If I use Synology as my DDNS provider, I can have a FQDN to my NAS something like “myNas.synology.me”.
My question is, how should I set up the cert? *.synology.me is widely used, and the email that corresponds to it is not mine. But, if I use myNas.synology.me, I get an untrusted cert…
There are hundreds, if not thousands, of certificates issued for *.synology.me domains. We would need more information in order to determine why you aren’t successfully getting a certificate.
The Synology Let’s Encrypt client logs its errors to syslog when invoked from the web interface. Please look in the log viewer in the Synology web interface (or /var/log/messages via SSH) for any errors related to Let’s Encrypt or certificates and paste them here.
Also if you provided the domain in question we could check it for common problems that prevent issuance.
Thanks for the response! However, I’m still having trouble.
To start, could you give a Synology-specific example of how to create/configure a cert? (i.e. TLD vs. subdomains, etc.) I think this is trivial, but if I am doing it incorrectly, I would not necessarily know it…
Control Panel > Security > Certificates > Add > Add A New Certificate > Get a Certificate from Let’s Encrypt.
Then you can just enter any domain that you can access your Synology box at from the public Internet, be that yourdomain.synology.me or any custom domain. You must also select an email address to receive notifications about certificate expirations and changes to the Let’s Encrypt Subscriber Agreement.
You can leave the subject alternative names blank if you don’t have multiple domains to secure. If you do, e.g. you have a custom domain and your synology.me subdomain, you would enter one here and one in the main domain field (it does not matter which one is which).
Note that for this to work for a custom domain you must have Synology listening and port forwarded from your router on port 80, not on any custom port. If you are just using a synology.me subdomain, you can use custom ports like 8080. This is because Let’s Encrypt must verify you own the domain. The Synology certificate client can vouch for your ownership of a subdomain under their control via DNS, eliminating the need to open port 80. But for custom domains they cannot do this; verification must be performed over HTTP port 80.
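The port-80 requirement above is the part people most often get wrong, and the only way to be sure is to test from outside your network. The following is an added example, not code from this thread, from Synology, or from Let’s Encrypt: a small Python (standard library only) probe that performs the same fetch the HTTP-01 validator does, http://<domain>/.well-known/acme-challenge/<token>, and reports whether the problem is that nothing on port 80 can be reached at all (router or port-forward problem) or that something answers but not with the expected challenge (another service holding port 80). The function and handler names, the token and key-authorization strings, and the `port` parameter are all assumptions made for this example; real validation always uses port 80, and the self-test only uses a loopback server so the example runs offline.

```python
"""HTTP-01 reachability probe (added example; not Synology or Let's Encrypt code).

Let's Encrypt validates a custom domain by fetching
http://<domain>/.well-known/acme-challenge/<token> on port 80. This probe
performs the same fetch so you can confirm, from outside your network, that
port 80 actually reaches the NAS. The `port` parameter exists only so the
self-test can run offline against a loopback server; real validation is
always on port 80. The real validator also follows redirects and checks
from several vantage points; this probe deliberately does neither.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def probe_http01(host, token, expected_body, port=80, timeout=5.0):
    """Return (ok, detail). ok is True only if the challenge URL answers
    HTTP 200 with exactly the expected body (whitespace-trimmed, as the CA does)."""
    url_path = ACME_PATH + token
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", url_path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timeout, DNS failure or a non-HTTP answer:
        # nothing usable is listening on that port from this vantage point.
        return False, f"cannot reach {host}:{port}: {exc}"
    if resp.status != 200:
        return False, f"HTTP {resp.status} for {url_path} (expected 200)"
    if body != expected_body:
        return False, "challenge body mismatch (another service answering on this port?)"
    return True, "challenge served correctly"


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Loopback stand-in for the NAS: serves a fixed token -> key-authorization map."""
    tokens = {}  # filled in by start_local_challenge_server (constructed test data)

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        if token in self.tokens:
            body = self.tokens[token].encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_local_challenge_server(tokens):
    """Serve `tokens` on an ephemeral loopback port; returns (port, server)."""
    _ChallengeHandler.tokens = dict(tokens)
    server = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def self_test():
    """Offline demonstration: correct token, unknown token, wrong body, closed port."""
    token = "constructed-token-123"                      # constructed, not a real token
    keyauth = "constructed-token-123.constructed-thumbprint"  # constructed key authorization
    port, server = start_local_challenge_server({token: keyauth})
    try:
        results = {
            "good": probe_http01("127.0.0.1", token, keyauth, port=port),
            "wrong_token": probe_http01("127.0.0.1", "missing", keyauth, port=port),
            "wrong_body": probe_http01("127.0.0.1", token, "something-else", port=port),
        }
    finally:
        server.shutdown()
        server.server_close()
    # A closed port behaves like a router that does not forward port 80 to the NAS.
    results["closed_port"] = probe_http01("127.0.0.1", token, keyauth, port=port)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in self_test().items():
        print(f"{name:12s} ok={ok}  {detail}")
```

In practice you would run `probe_http01("yourdomain.example", "anything", "")` from a machine outside your LAN with the default port 80: a "cannot reach" result means the router or port forward is the problem, while an HTTP 404 or other response means port 80 reaches something (possibly not DSM) and the certificate request itself is the next thing to look at.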
FYI, I have a router which features UPnP that doesn't play well with Synology, even though Synology thinks it does. So, getting a proper cert per your directions helped me look elsewhere... the router is now manually configured and all is well.