Synology NAS using LE as a CA Signing Authority?

I’m not entirely sure what the actual concern is here. You don’t give anyone access to your server. All you’re doing is running software that automatically requests new certificates when they are needed.

There is some automation to install those new certificates when they are received, but that shouldn’t be any ADDITIONAL concern. By definition you have to trust all trusted certificate authorities. Any single one of them can make certificates for any domain. Now that the intermediate certificates are cross signed, this already goes for LE as well. There is lots wrong with a system that inherently trusts a large list of CAs, and LE is not going to fix that. But it will make it much easier to get domain validation and encryption running on all servers.

“Nothing has to be validated” seems like a very generic claim. This is not true. When a certificate is requested for a certain domain, LE asks the requester to put a file on that domain for verification of control of the domain. This is done by the software running on your server. That way LE knows you are requesting a cert for a domain you have control over, and the new cert is made and issued. The software on your server then updates the certs on your server with the new one.

In short, all it does is automate the steps you would have done manually.

Maybe the concern is that a perfectly good cert is automatically replaced with one that somehow doesn’t work? I don’t really know. And this seems highly unlikely.

And if you don’t trust LE… well, tough, your browser now does. So unless you dig in there and remove CAs from that trusted list, any certificate issued for any domain by LE will be trusted by your browser and everyone else’s.


Hey J.C. Jones can you please elaborate on how you can get a certificate for the Synology NAS with the LE client?

I also own a Synology NAS and requested LE beta access for the domain.
I got the invite yesterday but I can’t figure out how to run the LE client in manual mode. Actually I cannot run it on the NAS at all, and trying to run it on my desktop (e.g. with ./letsencrypt-auto -d auth) gives me this error:

Failed authorization procedure. (dvsni): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge

I am quite new to this, never requested a certificate for a domain, since I never owned a domain, and I am sure I am missing something and do not understand the entire picture yet, so any advice is much appreciated!

Thanks in advance =)

For your NAS you’ll probably need to use Manual mode, until Synology supports ACME directly. In Manual mode, you will get a file to place on your NAS’s web server function that is the “challenge response.”

(I’m not sure if there’s a walkthrough for Manual mode yet, but that’d be a great blog for someone to write!)

I truly think there should be some manual/walkthrough for a manual mode, because not everyone has Apache and/or nginx on Linux; there are Windows, NAS boxes, non-web servers (an email server, for example), etc.


Hi, if somebody could help me to have the certificate up and running on my Synology it would be great. I have no clue how to get it done.

This is not simple, as the Synology box won’t support running the client directly.

A workaround, which worked for me, was to run the client on a different machine using
./letsencrypt-auto --agree-dev-preview --server certonly -a manual. In a second console, using ssh root@synology-box, you need to create the /volume1/web/.well-known/acme-challenge folder for the challenge in your webroot. The manual installer will ask you to place two files there, and press enter after each step.

Note that the first time I was asked to make files with a different content header. This can be done with vi /volume1/web/.well-known/acme-challenge/.htaccess with content
<Files "*"> ForceType 'application/jose+json' </Files>
The second time I tried it both files to be placed were text/plain, which didn’t require any changes and worked much simpler.



Would it be possible for you to jot down some additional steps you took to get to a working authentication on your NAS? I tried running a manual request from my Ubuntu machine and to follow the steps the manual process describes, but I can’t get it to work.


Which part are you struggling with specifically: Installing the certificates after you received them, or getting the certificate issued in the first place? Also appropriate error messages might help? Thanks.

Hi everyone,

I am also interested in how to implement a LE cert with my Syno :slight_smile:

Thank you for your help !


Thanks for the reply. I found that I should first solve issues with redirecting my domain name to my Synology’s dynamic hostname, as I do not have a static IP address. Therefore it makes sense I can’t pass the first step of the manual LE client config to put the response file in place. This will take a couple of days, depending on whether I can get my hosting provider to cooperate. I have requested some sub domains as part of the LE Beta program as well where I can more easily redirect and use mod_rewrite on the NAS side if needed. Will report back if I manage to progress a bit.

You can follow the steps below to use the Let’s Encrypt CA on a Synology NAS.

  1. Join the Let’s Encrypt Beta, type in your domain name and e-mail address.

  2. Wait about one day; you will get a mail from Let’s Encrypt. It means your domain is already on the Let’s Encrypt server’s whitelist.

  3. Log in to your Synology, then create the folders (.well-known/acme-challenge) in the “web” shared folder.
    e.g. web/.well-known/acme-challenge
    note: you have to enable the Web Station service and make sure the Let’s Encrypt server can access your NAS on port 80.

  4. Use Ubuntu OS 14.04.1, open a terminal, then type
    $ git clone
    $ cd letsencrypt
    $ ./letsencrypt-auto --agree-dev-preview --server certonly -a manual

  5. Type your domain name and agree that your IP will be saved.

  6. You will get some information:
    Make sure your web server displays the following content at
    http:// before continuing:

    Content-Type header MUST be set to text/plain.

    Create a file in the NAS acme-challenge folder.
    e.g. /acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is

    note1: you can create the file on Ubuntu, then upload it to the Synology NAS with File Station
    note2: the file content is “aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg” from the information above
    note3: make sure the file encoding format is UTF-8. You can check or change the format with the Synology text editor in File Station.

  7. After finishing step 6, press the Enter key in the Ubuntu terminal. You will get the CA files at the path below on Ubuntu OS.

  8. Copy the files below out from the step 7 path.

  9. Import privkey1.pem, cert1.pem and chain1.pem into the Synology NAS certificate.
    Control Panel > Security > Certificate > “Import certificate”

    Private key = privkey1.pem
    Certificate = cert1.pem
    Intermediate certificate = chain1.pem

  10. Enjoy Let’s Encrypt :slight_smile:
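The manual-mode procedure in the two posts above (the `-a manual` run on a separate machine, the file dropped into `web/.well-known/acme-challenge`, the text/plain requirement) is an ACME HTTP-01 challenge. The script below is an added example, written for this page; it is not code from the thread or from the letsencrypt client. It computes the file body the client prints (token + "." + RFC 7638 thumbprint of the account key), writes it into a web root, serves that web root on a loopback port, and fetches it back the way the CA would, reporting body and Content-Type mismatches. The account key JWK and the web root are constructed placeholders; the token is the one shown in the thread.

```python
# Added example (not from this thread, nor from the letsencrypt client): the
# manual HTTP-01 step end to end. The account key JWK is a placeholder (not a
# real modulus), the web root is a temporary directory standing in for the NAS
# "web" share, and the self-check server listens on a loopback port, not port 80.
import base64
import hashlib
import json
import os
import re
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample account key (public part only); a real client loads its own.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "alg": "RS256",   # extra member: must not influence the thumbprint
}
# Token as printed in the thread; the CA issues a fresh one per authorization.
SAMPLE_TOKEN = "aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE/ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the client asks you to serve: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, keyauth: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> containing exactly keyauth."""
    if not TOKEN_RE.match(token):   # a token becomes a path component: never trust it unchecked
        raise ValueError("token is not base64url")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii", newline="") as fh:   # plain ASCII, no BOM, no newline
        fh.write(keyauth)
    return path


class PlainTextHandler(SimpleHTTPRequestHandler):
    """Serve the web root with Content-Type text/plain for every file: the same
    effect as the .htaccess ForceType trick described earlier in the thread."""
    def guess_type(self, path):
        return "text/plain"

    def log_message(self, *args):   # keep the example quiet
        pass


def serve_webroot(webroot: str):
    """Start a loopback HTTP server on a free port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(PlainTextHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def self_verify(base_url: str, token: str, keyauth: str):
    """Fetch the challenge URL the way the CA will; returns (ok, reason)."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy for loopback
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read()
            ctype = resp.headers.get("Content-Type", "")
    except Exception as exc:   # refused, 404, ...: the CA could not read the file either
        return False, f"fetch failed: {exc}"
    if body.rstrip(b" \t\r\n") != keyauth.encode("ascii"):
        return False, "body does not match the key authorization"
    if not ctype.lower().startswith("text/plain"):
        return False, f"Content-Type is {ctype!r}, expected text/plain"
    return True, "ok"


def demo(tamper: bool = False):
    """Write the challenge file into a temporary web root, serve it, verify it.
    With tamper=True the served body is wrong, to exercise the failure path."""
    keyauth = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, SAMPLE_TOKEN, keyauth + ("x" if tamper else ""))
        server, base_url = serve_webroot(webroot)
        try:
            return self_verify(base_url, SAMPLE_TOKEN, keyauth)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

To use `self_verify` against a real NAS, point `base_url` at the public hostname on port 80 and pass the token and key authorization the client printed; a "fetch failed" result is the case the thread members hit when the domain did not yet resolve to the NAS, and a body mismatch is what a stray newline, a BOM or a wrong file name produces.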

Thanks dip987!

I followed your step-by-step guide, which was straight forward and everything just worked as described! Finally I am not required to import the ca.crt of my self-signed certificate =)

Thanks, dip987!

When I do the steps I get a privkey.pem which has some bytes in it, but it seems to be corrupt or broken. When I want to import the certs to my Syno-box, I get an error, that the import of the certificate failed. Furthermore, I cannot open the certificate with openssl, it gives me following error:

openssl x509 -inform pem -in privkey3.pem -noout -text
unable to load certificate
140008398669472:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Also with any other tool like “QuickLook” in OSX, no content is shown for the privkey.

Is this related to the certonly option, a general error with letsencrypt, or a local problem?

BTW: I installed yesterday Ubuntu 14.04.1, updated the system, cloned LE from Git.
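Before importing the three files on the Synology it is worth checking what each PEM file actually contains. The script below is an added example written for this page, not code from the thread or from OpenSSL; the PEM bodies in it are constructed placeholders (valid base64, not real key or certificate material). It lists the BEGIN labels found in a file, which shows why `openssl x509` on a private key reports "no start line ... Expecting: TRUSTED CERTIFICATE" (there is no certificate block in it) and why an empty or corrupt file yields nothing at all, and it names the openssl subcommand that can parse each block.

```python
# Added example (not from this thread): sanity-check the three PEM files before
# importing them under Control Panel > Security > Certificate. The PEM bodies
# below are constructed placeholders, not real key or certificate material.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}

SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgIEbb3fGjANBgkqhkiG9w0BAQsFADBs\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = SAMPLE_CERT + SAMPLE_CERT   # a chain file holds one or more certificates


def pem_labels(text: str) -> list:
    """Return the BEGIN labels of the well-formed PEM blocks in text, in order.
    A key file has no certificate label, which is why `openssl x509` on it says
    'no start line ... Expecting: TRUSTED CERTIFICATE'; an empty or binary file
    yields no labels at all."""
    labels = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
        except ValueError:
            continue   # header present but body is not base64: not a usable block
        labels.append(label)
    return labels


def inspect_command(path: str, label: str) -> str:
    """The openssl subcommand that can actually parse a block with this label."""
    if label in KEY_LABELS:
        return f"openssl pkey -in {path} -noout -text"
    if label in CERT_LABELS:
        return f"openssl x509 -in {path} -noout -text"
    return f"openssl asn1parse -in {path}"


def check_import_set(privkey: str, cert: str, chain: str) -> list:
    """Return the problems found; an empty list means the three files look importable
    as Private key / Certificate / Intermediate certificate."""
    problems = []
    k = pem_labels(privkey)
    if len(k) != 1 or k[0] not in KEY_LABELS:
        problems.append(f"privkey: expected one private key block, found {k or 'nothing'}")
    c = pem_labels(cert)
    if len(c) != 1 or c[0] not in CERT_LABELS:
        problems.append(f"cert: expected one certificate block, found {c or 'nothing'}")
    ch = pem_labels(chain)
    if not ch or any(label not in CERT_LABELS for label in ch):
        problems.append(f"chain: expected one or more certificate blocks, found {ch or 'nothing'}")
    return problems


def check_files(privkey_path: str, cert_path: str, chain_path: str) -> list:
    """Same check on files on disk (e.g. privkey1.pem, cert1.pem, chain1.pem)."""
    def read(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return check_import_set(read(privkey_path), read(cert_path), read(chain_path))


if __name__ == "__main__":
    print(pem_labels(SAMPLE_KEY), check_import_set(SAMPLE_KEY, SAMPLE_CERT, SAMPLE_CHAIN))
```

Run `check_files("privkey1.pem", "cert1.pem", "chain1.pem")` in the output directory the client named; a `privkey` problem with "found nothing" is the empty-or-corrupt file case, and a key label showing up under `cert` means the files were swapped.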


Hi Steve

I have no idea about this problem.

Maybe you can try to delete the path below on Ubuntu OS, then run the Let’s Encrypt script again to get new CA files.


I followed your steps, which seemed to succeed:
- Congratulations! Your certificate and chain have been saved at

However, the folder
is empty!

What did I do wrong?

Note that I failed to run the python part in step 6:
socket.error: [Errno 98] Address already in use

CA path is here

I just tried this guide but I always get “Self-verify of challenge failed, authorization abandoned” on Ubuntu desktop 14.04 in VirtualBox on Win10.
I can’t figure out if there is an error in the file I have to create or it’s somewhere else.
Surprisingly, if I just enter the URL where my file should be, my browser finds it and of course shows me the content. :frowning:


I have the same problem.

What am I doing wrong?

Thank you so much @dip987 ! Your tutorial worked like a charm (it has to be followed thoroughly though)… I would have never found out all these paths by myself, but thanks to you my Synology NAS is now LE certified, which is GREAT news :smile:

Do you mind me translating your post into French when I have a moment for that? For others, for French fellows…

Sure, you can translate and share it. Let more people use Let’s Encrypt and donate to it. :smile: