Synology NAS certificate mismatch


#1

Hi,
I’ve had Let’s Encrypt working fine on my NAS for a while, but I’ve noticed that every time it gets renewed, the next time I log on using one of Synology’s mobile apps it gives me a warning about a certificate mismatch and I have to select OK to trust it again until next time.
Is there any way to stop this from happening?

Thanks

Ninko


#2

Hi @Ninko,

What’s your hostname, and how are you obtaining the certificate?


#3

Hi,
Hostname is familyds.net
Synology’s OS, DSM manages the certificates.

Thanks

Ninko


#4

I assume you have a particular subdomain under familyds.net?

https://crt.sh/?Identity=%familyds.net&iCAID=16418


#5

I do indeed yes.

Ninko


#6

Well, this seems to work properly for most users, so I have no idea what to suggest if you don’t want to let us look at your particular instance’s configuration.


#8

Thanks. I can’t connect to this site; is it deliberately designed to be inaccessible from other countries (or even from outside of your home network)?

It looks like you do have a current valid Let’s Encrypt certificate.

https://crt.sh/?Identity=%ameliaandclint.familyds.net&iCAID=16418

So, the certificate might be improperly installed on your device for some reason, which is hard to confirm without seeing the specific browser error message.


#9

It’s not an error from a browser; it’s an error when using Synology’s mobile apps.

Ninko


#10

What does the error look like? Is it trying to access that same hostname and port?


#11

[Screenshot: Screenshot_2018-06-09-00-24-48-1]


#12

Unfortunately I don’t see your screenshot. I tried adjusting your forum userlevel just now—could you try uploading it again?


#13


#14

Thanks, that worked.

Sorry about all of the effort to get to this point, but I think this is just a clumsy interface in this particular app. There’s nothing wrong or invalid about the new certificate; it’s just different from the old certificate. In this case the administrator (you) has changed the certificate.

I would suggest that you ask Synology for a way to disable this specific warning in the app.


#15

True, what @schoen writes. As a Synology user I can confirm this. I even wrote about this to Synology and they don’t seem to care.

I have worked around this by having two certificates:

  • Let’s Encrypt certificate for Synology web applications - DSM and Photo Station
  • 10-year self-signed certificate for other apps (that I use mostly on mobile) - Cloud Station, File Station etc. - this certificate will last long enough, and my other Synology users and I are not bothered every 3 months when the LE certificate is renewed.

#16

Thanks @schoen, I see what you’re saying, thanks for your help.
@CraZ, that sounds like a good idea, might give that a go, thanks.

Ninko


#17

Is this app just remembering the certificate fingerprint without validating the certificate cryptographically against a list of trusted CAs? This behavior would make sense if most certificates used with these devices were self-signed, but now that Let’s Encrypt is available and Synology has added good support for use of Let’s Encrypt certificates on NAS devices, it seems like the app could validate the certificates and not show this warning when the certificate is trusted according to the mobile device’s policy.
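
The two client policies contrasted in post #17, as an added example that is not part of the original thread and not Synology's code: `pin_only` warns whenever the remembered fingerprint changes, while `ca_then_pin` falls back to the fingerprint only when the certificate does not validate against the device's trust store. The function names and the two byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate; the value changes on every renewal."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf(host: str, port: int, timeout: float = 5.0):
    """Return (ca_valid, leaf_der) for host:port.

    ca_valid is True only if chain and hostname verify against the platform
    trust store. Otherwise the certificate is fetched without verification,
    solely so that its fingerprint can be compared to a stored pin.
    """
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return False, tls.getpeercert(binary_form=True)

def pin_only(leaf_der: bytes, pinned_fp):
    """Remember-the-fingerprint policy: any new certificate raises a warning."""
    if pinned_fp is None:
        return "ask-user"  # first contact, nothing remembered yet
    same = hmac.compare_digest(fingerprint(leaf_der), pinned_fp)
    return "accept" if same else "warn-changed"

def ca_then_pin(ca_valid: bool, leaf_der: bytes, pinned_fp):
    """Accept CA-validated certificates silently; pin only untrusted ones."""
    if ca_valid:
        return "accept"  # a routine renewal stays invisible to the user
    return pin_only(leaf_der, pinned_fp)

# Constructed stand-ins for a certificate before and after renewal (not real DER).
OLD_CERT = b"constructed-certificate-before-renewal"
NEW_CERT = b"constructed-certificate-after-renewal"
```

With a self-signed certificate `fetch_leaf` returns `ca_valid=False`, so both policies behave the same; they differ only for a certificate the device already trusts.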


#18

@CraZ, how do you set a certificate for just mobile apps? I can’t find that in the services list.

@schoen, I have no idea, I just have the LE certificate set to use as system default.

Ninko


#19

Well, I’ve reviewed my NAS settings and I was not correct about the mobile apps. I do have two certificates, but the long-term self-signed certificate is set up only for the Cloud Station app. So I didn’t actually have a problem with mobile apps in general but only with the Cloud Station mobile app and especially with the Windows app – this is where my Synology users were constantly bothered by a warning that the certificate has changed and they had to re-apply the connection settings and accept the new certificate :-/

Related topic on Synology forum:
https://forum.synology.com/enu/viewtopic.php?t=128991

My certificate configuration:


#20

Thanks @CraZ, in that case I don’t know what else to do other than to take it up with Synology.

Ninko


#21

Question for you. Did you have trouble installing your cert on your iPhone?
I’ve exported from my Synology NAS and I’m using the chain.pem file; I tried to use the cert file but it wouldn’t verify. Any insight would be greatly appreciated.
Thank you.