Synology NAS using LE as a CA Signing Authority?

This is not simple, as the Synology box won’t support running the client directly.

A workaround, which worked for me, was to run the client on a different machine using
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual. In a second console, using ssh root@synology-box, you need to create the /volume1/web/.well-known/acme-challenge folder for the challenge in your webroot. The manual installer will ask you to place two files there, and press enter after each step.

Note that the first time I was asked to make files with a different content header. This can be done with vi /volume1/web/.well-known/acme-challenge/.htaccess with content
<Files "*">
    ForceType 'application/jose+json'
</Files>
The second time I tried it, both files to be placed were text/plain, which didn’t require any changes and worked much more simply.


Hi,

Would it be possible for you to jot down some additional steps you took to get to a working authentication on your NAS? I tried running a manual request from my Ubuntu machine and to follow the steps the manual process describes, but I can’t get it to work.

Thanks!

Which part are you struggling with specifically: Installing the certificates after you received them, or getting the certificate issued in the first place? Also appropriate error messages might help? Thanks.

Hi everyone,

I am also interested in how to implement a LE cert with my Syno :slight_smile:

Thank you for your help !


Thanks for the reply. I found that I should first solve issues with redirecting my domain name to my Synology’s dynamic hostname, as I do not have a static IP address. Therefore it makes sense I can pass the first step of the manual LE client config to put the response file in place. This will take a couple of days, depending on whether I can get my hosting provider to cooperate. I have requested some subdomains as part of the LE Beta program as well, where I can more easily redirect and use mod_rewrite on the NAS side if needed. Will report back if I manage to progress a bit.

You can follow the steps below to use the Let’s Encrypt CA on a Synology NAS.

  1. Join the Let’s Encrypt Beta: type in your domain name and e-mail address.
    https://docs.google.com/forms/d/15Ucm4A20y2rf9gySCTXD6yoLG6Tba7AwYgglV7CKHmM/viewform?edit_requested=true

  2. Wait about one day. You will get a mail from Let’s Encrypt; it means your domain is already on the Let’s Encrypt server’s whitelist.

  3. Log in to your Synology, then create folders (.well-known/acme-challenge) in the “web” shared folder.
    e.g. web/.well-known/acme-challenge
    note: you have to enable the Web Station service and make sure the Let’s Encrypt server can access your NAS on port 80.

  4. Use Ubuntu 14.04.1, open a terminal, then type
    $ git clone https://github.com/letsencrypt/letsencrypt
    $ cd letsencrypt
    $ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual

  5. Type your domain name and agree that your IP will be saved.
    e.g. test.synology.me

  6. You will get some information.
    ++++++++++
    Make sure your web server displays the following content at
    http://test.synology.me/.well-known/acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is before continuing:

    aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg

    Content-Type header MUST be set to text/plain.
    ++++++++++

  7. Create a file in the NAS acme-challenge folder.
    e.g. /acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is
    note1: you can create the file on Ubuntu, then upload it to the Synology NAS with File Station
    note2: the file content is “aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg” from the above information
    note3: make sure the file encoding format is UTF-8. You can check or change the format with the Synology text editor in File Station.

  8. Finish step 6, then press the Enter key in the Ubuntu terminal. You will get the CA files at the path below on Ubuntu.
    /etc/letsencrypt/archive/test.synology.me

  9. Copy the files below out of the step 7 path:
    cert1.pem
    chain1.pem
    fullchain1.pem
    privkey1.pem

  10. Import privkey1.pem, cert1.pem and chain1.pem as the Synology NAS certificate.
    Control Panel > Security > Certificate > “Import certificate”
    Private key = privkey1.pem
    Certificate = cert1.pem
    Intermediate certificate = chain1.pem

  11. Enjoy Let’s Encrypt :slight_smile:
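
A check for steps 6 and 7 above, as an added example that is not part of the original post or of the Let's Encrypt client: it compares what the web server returns for the challenge URL with the value the client printed, and names the encoding faults discussed in this thread. The function name and the constructed responses are assumptions of the example; the token and content are the sample values shown in the post.

```python
import re

# Sample values are the ones shown in the post above.
TOKEN = "aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is"
KEY_AUTH = TOKEN + ".ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg"
B64URL = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet, no padding


def check_challenge(url_path, content_type, body, expected):
    """Return a list of problems with a served HTTP-01 challenge file.

    url_path: path requested on port 80; content_type: header value returned;
    body: raw bytes served; expected: 'token.thumbprint' printed by the client.
    (Hypothetical helper written for this example.)
    """
    problems = []
    token, _, thumbprint = expected.partition(".")
    if not (B64URL.fullmatch(token) and B64URL.fullmatch(thumbprint)):
        return ["expected value is not of the form token.thumbprint"]
    if url_path != "/.well-known/acme-challenge/" + token:
        problems.append("URL path is not /.well-known/acme-challenge/<token>")
    if content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append("Content-Type is not text/plain")
    if body.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before the content")
        body = body[3:]
    if body.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in body:
        problems.append("file is saved as UTF-16")
    # Trailing whitespace is tolerated (RFC 8555 section 8.3 says the server
    # should ignore it); everything else must match byte for byte.
    elif body.rstrip() != expected.encode("ascii"):
        problems.append("content differs from the value the client printed")
    return problems


if __name__ == "__main__":
    path = "/.well-known/acme-challenge/" + TOKEN
    samples = {  # constructed responses, not captured from a real server
        "as instructed": ("text/plain", KEY_AUTH.encode()),
        "saved with BOM": ("text/plain", b"\xef\xbb\xbf" + KEY_AUTH.encode()),
        "saved as UTF-16": ("text/plain", KEY_AUTH.encode("utf-16")),
        "only the token": ("text/plain; charset=utf-8", TOKEN.encode()),
    }
    for name, (ctype, body) in samples.items():
        print(name, "->", check_challenge(path, ctype, body, KEY_AUTH) or "OK")
```

To use it against a live NAS, fetch the challenge URL yourself and pass the path, the returned Content-Type header and the raw response bytes to `check_challenge`.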

Thanks dip987!

I followed your step-by-step guide, which was straightforward and everything just worked as described! Finally I am not required to import the ca.crt of my self-signed certificate =)

Thanks, dip987!

When I do the steps I get a privkey.pem which has some bytes in it, but it seems to be corrupt or broken. When I want to import the certs to my Syno-box, I get an error that the import of the certificate failed. Furthermore, I cannot open the certificate with openssl; it gives me the following error:

openssl x509 -inform pem -in privkey3.pem -noout -text
unable to load certificate
140008398669472:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Also with any other tool like “QuickLook” in OSX, no content is shown for the privkey.

Is this related to the certonly option, a general error with letsencrypt or a local problem?

BTW: I installed yesterday Ubuntu 14.04.1, updated the system, cloned LE from Git.

Thanks

Hi Steve

I have no idea about this problem.

Maybe you can try deleting the path below on Ubuntu, then run the Let’s Encrypt script again to get a new CA.

“/etc/letsencrypt/archive/your.domain.name”

I followed your steps, which seemed to succeed:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/**/fullchain.pem.

However, the folder
/etc/letsencrypt/live
is empty!

What did I do wrong?

Note that I failed to run the python part in step 6:
socket.error: [Errno 98] Address already in use

CA path is here
/etc/letsencrypt/archive/******

I just tried this guide but I always get “Self-verify of challenge failed, authorization abandoned” on Ubuntu desktop 14.04 in VirtualBox on Win10.
I can’t figure out if there is an error in the file I have to create or if it’s somewhere else.
Surprisingly, if I just enter the URL where my file should be, my browser finds it and of course shows me the content. :frowning:


I have the same problem.

What am I doing wrong?

Thank you so much @dip987 ! Your tutorial worked like a charm (it has to be followed thoroughly though)… I would have never found out all these paths by myself, but thanks to you my Synology NAS is now LE certified, which is GREAT news :smile:

Do you mind me translating your post into French when I have a moment for that? For others, for French fellows…

Sure, you can translate and share it. Let more people use Let’s Encrypt and donate to it. :smile:

Make sure the encoding format of the file ******* below on the Synology NAS is “UTF-8”
+++++
/volume1/web/.well-known/acme-challenge/*******

I just created the file under Ubuntu and saved it as UTF-8. Are there any better ways to do so? File Station shows another encoding on opening, but when I change it with File Station it again shows another wrong encoding on the second opening.

Would you mind letting me use TeamViewer to connect to your Ubuntu OS and check this problem?
If not, please mail me. Thanks

I’m actually at work now, it’s 12:39 PM here (Germany) :wink: If it’s possible to use TeamViewer on a virtual machine within Win10, we can do so. I’ll be at home in around 3-4 hours. I will message you by mail. Thank you :blush:

OK, we can get in touch by mail. My time zone is GMT +8.
