Synology NAS - Can I see when the certificate is renewed


#1

Today when I wanted to log into my NAS a message appears telling me that the certificates do not match.

I assume, or suspect, that the certificate is auto renewed but how can I confirm this?

Thank you!


#2

Hi @Hoggorm

What’s the exact error? “Do not match” normally means that the certificate has the wrong name; this is not expiration.

Did you use the same url - https://domainnameofyourcertificate?

Or the ip address? Letsencrypt certificates are invalid if they are used via https://your-ip-address.


#3

The message is displayed in the Synology iPhone apps like DS File, DS Finder and DS Note.

The message is in Norwegian but an approximate translation is something like:


Non-compliance between certificates

SSL-certificate changed (fingerprint: 3c 21 + many more to letter/numbers). If the administrator did not change the server certificate, you may have been exposed to a damaging attack. Do you wish to trust this SSL-certificate and continue the connection?

Log out or Clear


I did not do anything really. As far as I can understand the Synology NAS renews the certificate every 60 or 90 days (?) and I hope this is what has happened.

In the Synology NAS Control Center under Security - certificate the Let’s Encrypt certificate shows an expiration date of 2019-02-19.

But can I confirm somehow that it is in fact this that has happened?


#4

If there is a new certificate created, the fingerprint changes. So if there is an additional fingerprint-check, this warning is correct - because the certificate is new.

That’s good.

select dateadd(dd, -90, '2019-02-19')

2018-11-21 00:00:00.000

Letsencrypt certificates are 90 days valid, so the certificate was created yesterday.

What’s your domain name? You can use one of the Certificate Transparency Logs to check your domain:

https://transparencyreport.google.com/https/certificates


#5

As @JuergenAuer points out, it appears that your certificate did recently renew.

If for some reason you really need further confirmation beyond all that, and you can SSH to your Synology, the certificates are located under /usr/syno/etc/certificate/_archive/. You need to be root to see these (so use sudo -i after logging in via SSH) and run something like this:

user@<your_synology>:~$ sudo -i
root@<your_synology>:~# ls -la /usr/syno/etc/certificate/_archive/*/*
-r-------- 1 root root 2151 Sep 13 09:10 /usr/syno/etc/certificate/_archive/DI0u5M/cert.pem
-r-------- 1 root root 1647 Sep 13 09:10 /usr/syno/etc/certificate/_archive/DI0u5M/chain.pem
-r-------- 1 root root 3798 Sep 13 09:10 /usr/syno/etc/certificate/_archive/DI0u5M/fullchain.pem
-r-------- 1 root root 1675 Sep 13 09:10 /usr/syno/etc/certificate/_archive/DI0u5M/privkey.pem
-r-------- 1 root root  179 Sep 13 09:10 /usr/syno/etc/certificate/_archive/DI0u5M/renew.json

(And yes, mine are past due to renew because I’ve been messing around trying to get my reverse proxy to play nicely.)

And, to answer your question about how often the certificate gets renewed:

root@<your_synology>:~# cat /usr/syno/etc/letsencrypt/letsencrypt.default
{
        "server": "https://acme-v01.api.letsencrypt.org/directory",
        "synoddns": "https://ddns.synology.com/main.php",
        "renew_before_expire_days":30
}

It would appear it attempts renewing 30 days prior to expiring (so, every 60 days).
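As an added example (not part of this thread, and not Synology's own tooling), the following POSIX shell script ties the two answers above together: it reads a cert.pem from the _archive directory listed in #5, prints its fingerprint in the same lowercase, space-separated form the DS apps show so it can be compared with the one on the phone, and derives the Let's Encrypt issue date (the 90-day subtraction from #4) and the day DSM will first attempt renewal (notAfter minus renew_before_expire_days). It assumes openssl and GNU date (coreutils) are on the PATH and that it runs as root on the NAS; the function names are this example's own, and when no path is given it generates a constructed self-signed certificate so it can be tried elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread or from Synology: inspect the
# certificate files DSM keeps under /usr/syno/etc/certificate/_archive/
# and relate them to the fingerprint warning shown by the DS apps.
# Assumptions: openssl and GNU date (coreutils) on PATH; run as root on
# the NAS to read the _archive files. Function names are this example's own.

# Fingerprint of a PEM certificate (sha256 by default, e.g. "sha1" as 2nd
# argument), printed as lowercase space-separated byte pairs like the app.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" \
        | sed -e 's/^.*=//' -e 's/:/ /g' | tr 'A-F' 'a-f'
}

# Expiry (notAfter) of the certificate as YYYY-MM-DD in UTC.
cert_not_after() {
    _end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$_end" +%Y-%m-%d
}

# Shift a YYYY-MM-DD date back by N days (GNU date "ago" syntax).
days_before() {
    date -u -d "$1 $2 days ago" +%Y-%m-%d
}

# Let's Encrypt certificates are valid for 90 days, so notAfter minus 90
# days is the issue date (the same arithmetic as the dateadd in post #4).
le_issue_date() {
    days_before "$(cert_not_after "$1")" 90
}

# Day DSM first tries to renew: notAfter minus renew_before_expire_days
# (30 in letsencrypt.default; pass a second argument to override).
renewal_date() {
    days_before "$(cert_not_after "$1")" "${2:-30}"
}

# Compare a fingerprint typed in from the phone (any case, spaces or
# colons) with the file actually installed on the NAS. Returns 0 on match.
fingerprint_matches() {
    _typed=$(printf '%s' "$2" | tr -d ' :' | tr 'A-F' 'a-f')
    _have=$(cert_fingerprint "$1" "${3:-sha256}" | tr -d ' ')
    [ "$_typed" = "$_have" ]
}

# Constructed sample: a 90-day self-signed certificate, used only when no
# real cert.pem path is supplied, so the script can be tried off the NAS.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=nas.example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
    printf '%s\n' "$1/cert.pem"
}

# Human-readable summary for one certificate file.
report() {
    printf 'file:          %s\n' "$1"
    printf 'sha256:        %s\n' "$(cert_fingerprint "$1")"
    printf 'sha1:          %s\n' "$(cert_fingerprint "$1" sha1)"
    printf 'expires:       %s\n' "$(cert_not_after "$1")"
    printf 'LE issued:     %s\n' "$(le_issue_date "$1")"
    printf 'renewal from:  %s\n' "$(renewal_date "$1")"
}

# Usage on the NAS (path from the ls output in post #5):
#   sh check_nas_cert.sh /usr/syno/etc/certificate/_archive/DI0u5M/cert.pem "3c 21 ..."
if [ -n "${1:-}" ]; then
    report "$1"
    if [ -n "${2:-}" ]; then
        fingerprint_matches "$1" "$2" && echo "phone fingerprint matches this file" \
            || echo "phone fingerprint does NOT match this file"
    fi
else
    _tmp=$(mktemp -d)
    report "$(make_sample_cert "$_tmp")"
fi
```

If the fingerprint on the phone matches the sha256 (or sha1) line for the newest directory under _archive, the warning was caused by the renewal and nothing else; a mismatch against every directory there is the case the app's text is actually warning about and is worth looking into before tapping "trust".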


#6

I tried this yesterday after turning off the firewall, but nothing appears in the list… Only a green bar appears with no text.
The firewall blocks a lot of traffic coming into the NAS but I assume turning it off should have given some results? I can’t see that there is no certificate, but I can’t confirm that there is either…

I would perhaps expect a red bar or some information telling me that no certificate was found if that was the case, but I see nothing…

Again - this could be because of some firewall functions that have not been completely turned off…

Thank you SLDan. This sounds like way above my knowledge level… :smiley:

I guess I just have to trust and believe that this was a certificate renewal. I find it somewhat strange though that I cannot find a current certificate number on my NAS that I can check with the one displayed on my phone.


#7

This sounds like a poor design choice on Synology’s part if the certificates are intended to change frequently and if they’re intended to be publicly-trusted certificates. (This behavior makes sense when users are using long-lived self-signed certificates because they should be aware of when the certificates change, but it doesn’t make as much sense when using short-lived publicly-trusted certificates.)

Are these apps still officially supported by Synology and are they current versions? Is there any kind of setting in the app that controls this warning? I wonder if this behavior might date to a time before Synology supported Let’s Encrypt (when perhaps a large number of Synology users would have been using self-signed certificates).


#8

Yes, all the Synology apps for iPhone have been updated within the last 6 months. I cannot see a setting for this in the apps unfortunately.


#9

Thanks for confirming that. My expectation is that there’s nothing wrong with your certificate and that the apps are just being overly-cautious in warning you about something that’s not really a problem. Is there a support channel you could use at Synology to check whether this is the intended behavior from their side and whether other people have been having trouble with this?