Synology NAS using LE as a CA Signing Authority?

Alright, works now!!

Today I pulled the newest updates from Git and deleted the following folders: /etc/letsencrypt/[archive | live | renew | csr | keys]
I ran into this error when I deleted only the archive folder: TypeError: coercing to Unicode: need string or buffer, NoneType found

I think the main reason was that I created the text in folder /web/.well-known/acme-challenge with the TextEdit tool in DSM. In my former tries, I created the file via Vi (ssh to my Synology box) and set the file encoding via TextEdit later in DSM. I realized that even when I only had one line in Vi with the temporary LE string, TextEdit in DSM always showed me an additional 2nd empty line.

Thanks for all your valuable feedback!

Thanks, now I understand openssl better.
It was plain textual content in there, and after I replaced x509 with rsa it shows me some content which looks fine for the moment.

However, I ran through the whole process again with updated LE from Git and created the file in DSM via TextEdit. This worked pretty well.

For what it’s worth, I managed to install 3 certificates on my Synology NAS (running DSM 5.2; other versions might work slightly differently) for 3 subdomains I registered. I used the manual LE setup on an Ubuntu box. The services set up are the Synology Surveillance Station, Photostation and a personal website. All 3 work a little differently:

  • Personal website is hosted from the web directory
  • Surveillance station works from a separate https port being set up with an alias in the config portal screen
  • Photostation is set up by Synology as a sort of virtual host

To begin I registered a domain name for which I proceeded to create 3 cname records:

These redirected to 3 DDNS sites which all point to my public and dynamic ip address which is updated from my router (could have been my NAS as well I suppose).

In my web directory on the Synology, where all port 80 traffic lands, I created the following index.php (so yes, you would need to have php enabled in DSM). Note that Photostation works ok by just directing to “photo”. Note that to force http in Photostation, that needs to be enabled in the settings of the Photostation itself.

<?php

// Use the full open tag: the short "<?" form only works when short_open_tag is enabled.
$domain = $_SERVER["SERVER_NAME"];

// Send each subdomain to its own location with a permanent (301) redirect.
if ($domain == "site1.mydomain.com") {
    header("Location: site1", true, 301);
}
else if ($domain == "site2.mydomain.com") {
    header("Location: photo", true, 301);
}
else if ($domain == "site3.mydomain.com") {
    // Surveillance Station lives on its own https port behind an alias.
    header("Location: https://site1.mydomain.com:<https port>/<alias>", true, 301);
}

?>

Also I created the following directory in the web directory:

  • site1 - containing my personal website

I updated this config /etc/httpd/conf/httpd.conf-user file to be like this near the bottom:

<VirtualHost *:80>
    Include sites-enabled-user/*.conf
    Redirect permanent /site1 https://site1.mydomain.nl:443/site1
</VirtualHost>

To set up the challenge response strings I had to trick a bit, as the redirects will not mount up to what the Let’s Encrypt response URL is. In other words, Photostation’s url will be http://test2.mydomain.com/photo/… where LE expects http://test2.mydomain.com/.well-known/acme/.

So to create the 3 challenge / response files I changed the index.php to temporarily be like the below, so all 3 subdomains will look in /var/services/web/.well-known/acme/

<?php

// Use the full open tag: the short "<?" form only works when short_open_tag is enabled.
$domain = $_SERVER["SERVER_NAME"];

// Temporary version for the challenge: every subdomain stays in the web root
// (redirect to "." instead of the per-site directory) until the certs are issued.
$sites = array("site1.mydomain.com", "site2.mydomain.com", "site3.mydomain.com");

if (in_array($domain, $sites, true)) {
    header("Location: .", true, 301);
}

?>

Also I disabled the redirect in /etc/httpd/conf/httpd.conf-user as I don’t want that during the setup process. Don’t forget to restart the webserver when you do:

/usr/syno/sbin/synoservicecfg --restart httpd-user

From here I ran the LE setup, just entered the 3 subdomains I set up with my hosting provider and registered with LE. For each site I created the response file as described before in this thread, instructed by the LE manual setup process.

That generates the pem files to import in Synology DSM.

After that I reverted the /etc/httpd/conf/httpd.conf-user and the index.php and all seems to work reasonably well now. The only exception is the mobile syno clients for the Surveillance Station that still require the https port (test3.mydomain.com:)

Certs are generated successfully as per the instructions of user dip987,
but I’m getting an error when importing the certificate on Synology:

  • illegal certificate

Then I converted PEM to CRT using a PEM to CRT script,
but I received one more error:

  • file is not UTF8

After the conversion to UTF-8, the error “illegal certificate” still exists.

Please help

UPDATE:

Please ignore, I copied symlinks instead of real files :smile:
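Two failure modes in this thread are easy to catch before running the manual flow: the challenge file carrying a UTF-8 BOM or an extra trailing line (the TextEdit problem from the first post), and the PEM file being a symlink, DER-encoded or otherwise not importable (the "illegal certificate" / "file is not UTF8" errors above). The checker below is an added example, not code from the thread or from Synology; the sample key authorization and certificate bytes are constructed.

```python
"""Pre-flight checks for the manual Let's Encrypt flow on a DSM box (added example)."""
import os
import re

UTF8_BOM = b"\xef\xbb\xbf"
PEM_HEADER = re.compile(r"-----BEGIN (?:CERTIFICATE|(?:RSA |EC )?PRIVATE KEY)-----")


def check_challenge_file(data: bytes, expected: str) -> list:
    """Return the problems in the bytes the NAS will serve for an HTTP-01 token.

    `expected` is the key authorization ("<token>.<thumbprint>") from the client.
    """
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("UTF-8 BOM at start of file (TextEdit 'UTF-8 with BOM')")
        data = data[len(UTF8_BOM):]
    if data.endswith(b"\n"):
        # The extra empty line reported in the thread; remove it to be safe.
        problems.append("trailing newline after the key authorization")
    body = data.strip(b"\r\n").decode("utf-8", "replace")
    if body != expected:
        problems.append("content does not match the expected key authorization")
    return problems


def check_cert_bytes(data: bytes, is_symlink: bool = False) -> list:
    """Return the problems that would make DSM reject this file on import."""
    problems = []
    if is_symlink:
        problems.append("path is a symlink; copy the real file from /etc/letsencrypt/archive")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8 (binary DER rather than PEM?)"]
    if text.startswith("\ufeff"):
        problems.append("UTF-8 BOM at start of file")
    if not PEM_HEADER.search(text):
        problems.append("no PEM header found (expected -----BEGIN CERTIFICATE-----)")
    return problems


def check_cert_file(path: str) -> list:
    """Convenience wrapper: check a file on disk, including the symlink case."""
    with open(path, "rb") as fh:
        return check_cert_bytes(fh.read(), is_symlink=os.path.islink(path))


if __name__ == "__main__":
    sample = b"\xef\xbb\xbfTOKEN123.THUMBPRINT456\n"  # constructed bad challenge file
    print(check_challenge_file(sample, "TOKEN123.THUMBPRINT456"))
```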

What would the renew command look like for the synology come 90 days? Certs were created on a separate Ubuntu machine.

Seems like too many synology.me subdomains have been registered :frowning:

This is the error I’m getting while trying to get a certificate for my current synology domain.

There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: synology.me

Looks like that should get better once the public suffix list is updated on the ACME server: https://github.com/publicsuffix/list/pull/62


I have the same error : “Error: The server could not connect to the client for DV”.
I tried everything: creating the files in DSM TextEdit, in UTF-8, I tried deleting /etc/letsencrypt/*, retried… still the same error.
Port 80 is open, it redirects to the default WebStation page.
I don’t know what to do.

Thanks in advance.

Ok, it was my fault, I had a firewall rule to block foreign IPs… it works!


How do we know when the change will get merged by the ACME server?

Or does someone you know have any solution for this?

Synology looks like it has made it into the Public Suffix List on the staging branch, so assuming I'm reading the table linked above correctly, the next production upgrade will remedy this domain's particular rate limit issues.

I just created a certificate for a synology.me subdomain. Seems like it’s up :slight_smile:

Let’s Encrypt integration in DSM 6.0 beta 2 :smiley:

https://www.synology.com/en-uk/dsm/6.0beta/networking_security/


Today I installed the DSM 6 Beta 2 software on my Synology NAS. This release supports the use of the free SSL provider Let’s Encrypt. I also wrote a blog item on how to install and configure your Synology NAS to enable the SSL Certificate.

http://www.stefandingemanse.nl/how-to-use-lets-encrypt-ssl-certificate-on-synology-dsm/

Let me know if the information was useful for you.


@DrEnergy Thanks for digging into DSM 6 Beta. This is such great news and looks really nice.

For the people out there that don’t dare to run the beta and do not want to wait for the stable DSM 6 release I summarized the steps from this thread to use manual mode for certificate creation and manually importing them to DSM in my blog post: https://melo.myds.me/wordpress/get-https-on-diskstation-with-lets-encrypt/

Hope it helps =)

Thanks for your post! DSM 6 is not compatible with my NAS. I have to stay on 5.2…

“DSM 5.2-5967 Update 1” now redirects
…/web/.well-known/acme-challenge
to the /var/lib/letsencrypt/.well-known/acme-challenge directory.

That’s why my http://test.synology.me/.well-known/acme-challenge was displaying a 404 error.

I have to say I really enjoy the Let’s Encrypt integration in DSM 6. Combined with the new reverse proxy feature I can access everything on the DiskStation through HTTPS, including Tomcat-deployed apps, and the best part is that it is a one-time setup with certificates being renewed automatically. So nice!

In case anyone is interested in this specific setup, I described it in a blog post: