This is not simple, as the Synology box won’t support running the client directly.
A workaround, which worked for me, was to run the client on a different machine using
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual
In a second console, using
ssh root@synology-box
you need to create the
/volume1/web/.well-known/acme-challenge
folder for the challenge in your webroot. The manual installer will ask you to place two files there, and press enter after each step.
Note that the first time I was asked to make files with a different content header. This can be done with
vi /volume1/web/.well-known/acme-challenge/.htaccess
with content
<Files "*">
ForceType 'application/jose+json'
</Files>
The second time I tried it, both files to be placed were text/plain, which didn’t require any changes and worked much simpler.
Would it be possible for you to jot down some additional steps you took to get to a working authentication on your NAS? I tried running a manual request from my Ubuntu machine and to follow the steps the manual process describes, but I can’t get it to work.
Which part are you struggling with specifically: Installing the certificates after you received them, or getting the certificate issued in the first place? Also appropriate error messages might help? Thanks.
I am also interested in how to implement a LE cert with my Syno
Thank you for your help !
Thanks for the reply. I found that I should first solve issues with redirecting my domain name to my Synology’s dynamic hostname as I do not have a static IP address. Therefore it makes sense I can pass the first step of the manual LE client config to put the response file in place. This will take a couple of days, depending if I can get my hosting provider to cooperate. I have requested some sub domains as part of the LE Beta program as well where I can more easily redirect and use mod_rewrite on the NAS side if needed. Will report back if I manage to progress a bit.
You can follow the steps below to use the Let’s Encrypt CA on a Synology NAS.
1. Join the Let’s Encrypt Beta: type in your domain name and e-mail address.
2. Wait about one day. You will get a mail from Let’s Encrypt; it means your domain is already on the Let’s Encrypt server’s whitelist.
3. Log in to your Synology, then create the folders (.well-known/acme-challenge) in the “web” shared folder.
note: you have to enable the Web Station service and make sure the Let’s Encrypt server can access your NAS on port 80.
4. Use Ubuntu OS 14.04.1, open a terminal, then type
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual
5. Type your domain name and agree that your IP will be saved.
You will get some information.
Make sure your web server displays the following content at
http://test.synology.me/.well-known/acme-challenge/aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is before continuing:
Content-Type header MUST be set to text/plain.
6. Create a file in the NAS acme-challenge folder.
note1: you can create the file on Ubuntu and then upload it to the Synology NAS with File Station
note2: the file content is “aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is.ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg” from the information above
note3: make sure the file encoding format is UTF-8. You can check or change the format with the Synology text editor in File Station.
7. Finish step 6, then press the Enter key in the Ubuntu terminal. You will get the CA files at the path below on Ubuntu OS.
8. Copy the files below out from the step 7 path.
9. Import privkey1.pem, cert1.pem and chain1.pem as the Synology NAS certificate.
Control Panel > Security > Certificate > “Import certificate”
Private key = privkey1.pem
Certificate = cert1.pem
Intermediate certificate = chain1.pem
10. Enjoy Let’s Encrypt
I followed your step-by-step guide, which was straightforward and everything just worked as described! Finally I am not required to import the ca.crt of my self-signed certificate =)
When I do the steps I get a privkey.pem which has some bytes in it, but it seems to be corrupt or broken. When I want to import the certs to my Syno-box, I get an error, that the import of the certificate failed. Furthermore, I cannot open the certificate with openssl, it gives me following error:
openssl x509 -inform pem -in privkey3.pem -noout -text
unable to load certificate
140008398669472:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Also with any other tool like “QuickLook” in OSX, no content is shown for the privkey.
Is this related to the certonly option, a general error with letsencrypt or a local problem?
BTW: I installed yesterday Ubuntu 14.04.1, updated the system, cloned LE from Git.
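Added example, not part of any post in this thread: `openssl x509` reads certificates only, so pointing it at a private key file gives the "no start line ... Expecting: TRUSTED CERTIFICATE" error quoted above even when the key is intact. The sketch below lists the PEM block types in a file and checks them against the three import fields named in the guide; the function names and the sample key are constructed for illustration.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Block type each import field of the guide should contain.
WANTED = {"key": "PRIVATE KEY", "cert": "CERTIFICATE", "chain": "CERTIFICATE"}

def pem_blocks(text):
    """Return [(label, der_bytes)]; der_bytes is b'' if the base64 is invalid."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        blocks.append((label, der))
    return blocks

def check_import_file(role, text):
    """Return a list of problems for a file meant for the given import field."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM block found (empty file or not PEM)"]
    problems = []
    if role != "chain" and len(blocks) != 1:
        problems.append("expected exactly one block, found %d" % len(blocks))
    for label, der in blocks:
        if not label.endswith(WANTED[role]):
            problems.append("found %r where a %s is expected" % (label, WANTED[role]))
        if not der.startswith(b"\x30"):  # keys and certificates are DER SEQUENCEs
            problems.append("%r body is not base64 of a DER SEQUENCE" % label)
    return problems

def inspect_command(label, path):
    """openssl command able to print a block of this type, or None."""
    if label.endswith("PRIVATE KEY"):
        return "openssl pkey -in %s -noout -text" % path
    if label.endswith("CERTIFICATE"):
        return "openssl x509 -in %s -noout -text" % path
    return None

# Constructed sample: a 5-byte DER SEQUENCE, not a real key.
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
              + "\n-----END PRIVATE KEY-----\n")
```
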
I have no idea about this problem.
Maybe you can try to delete the path below on Ubuntu OS, then try to run the Let’s Encrypt script to get a new CA again.
I followed your steps, which seemed to succeed:
- Congratulations! Your certificate and chain have been saved at
However, the folder
What did I do wrong?
Note that I failed to run the python part in step 6:
socket.error: [Errno 98] Address already in use
CA path is here
I just tried this guide but I always get “Self-verify of challenge failed, authorization abandoned” on Ubuntu desktop 14.04 in VirtualBox on Win10.
I can’t figure out if there is an error in the file I have to create or it’s somewhere else.
Surprisingly if I just enter the URL where my file should be, my browser finds it and of course shows me the content.
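Added example, not part of any post in this thread: a browser hides the details the guide warns about (file encoding, Content-Type), so a byte-level comparison of the served challenge file is more telling than viewing the URL. The check below reports every deviation from the exact expected content; it does not assume which deviations the client or the CA would tolerate, and the function names are constructed for illustration.

```python
import codecs
import urllib.error
import urllib.request

def fetch(url):
    """Return (status, content_type, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read()

def diagnose_challenge(expected, status, content_type, body):
    """Return a list of problems; an empty list means the response is exact."""
    problems = []
    if status != 200:
        problems.append("status %d, expected 200" % status)
    # Compare the media type only, ignoring parameters such as charset.
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "text/plain":
        problems.append("Content-Type is %r, expected text/plain" % media_type)
    if body.startswith(codecs.BOM_UTF8):
        problems.append("file starts with a UTF-8 byte order mark")
        body = body[len(codecs.BOM_UTF8):]
    elif body.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        problems.append("file is saved as UTF-16, not UTF-8")
        return problems
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        problems.append("body contains non-ASCII bytes")
        return problems
    if text != text.strip():
        problems.append("leading or trailing whitespace or newline")
        text = text.strip()
    if text == expected.split(".")[0]:
        problems.append("file holds only the token from the URL, not the full content")
    elif text != expected:
        problems.append("content differs from the expected value")
    return problems

# Expected file content as shown in the guide above.
EXPECTED = ("aFQ0LDDkn75K3LmvCIUvEYwq2Op1s9-ullGSwjsh0Is."
            "ONcckxWtBH9uUepl5Eo_BMJHTng23yAdFJ_jVtfSNLg")
```

To run it against a live server, pass the three values returned by `fetch(url)` to `diagnose_challenge` together with the content the client printed.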
I have the same problem.
What am I doing wrong?
Thank you so much @dip987 ! Your tutorial worked like a charm (it has to be followed thoroughly though)… I would have never found out all these paths by myself, but thanks to you my Synology NAS is now LE certified, which is GREAT news
Do you mind me translating your post into French when I have a moment for that? For others, for French fellows…
Sure, you can translate and share it. Let more people use Let’s Encrypt and donate it.
Make sure below file ******* on Synology NAS decode format is “UTF-8”
I just created the file under Ubuntu and saved it as UTF-8. Are there any better ways to do so? File Station shows another encoding on opening, but when I change it with File Station it again shows another wrong encoding on the second opening.
Would you mind letting me use TeamViewer to connect to your Ubuntu OS to check this problem?
If not, please mail me. Thanks
I’m actually at work now, it’s 12:39 PM here (Germany). If it’s possible to use TeamViewer on a virtual machine within Win10 we can do so. I’m at home in around 3-4 hours. I will message you by mail. Thank you
OK, we can contact in mail. My time zone is GMT +8.