I’d like to issue a ssl/tls certificate for a synology nas that runs on the internal network and cannot be accessed from the internet, thus the built-in feature to issue let’s encrypt certificates does not work.
The domain (projektwasser.at) is public, however the dns entry for the nas ([redacted].projektwasser.at) resolves via the internal dns server only.
I can imagine to add the dns entry to the public dns and allow internet access for the first issuance of the certificate, but not permanently to allow automatic renewal.
Synology has it's own client. So if there isn't an option like --manual, it may be impossible.
But: I don't use Synology. So if there is such an option, ask in the Synology forum.
--
PS: If you want to use the integrated Synology ACME client, outgoing access is required. If this isn't possible, you can't create a certificate with that ACME client.
Why would you need a publicly signed cert for a system that only accessible from a limited (known and controlled) set of systems.
You could generate an one internal cert from your PKI for an unlimited number of years (never having to renew it).
And even if you don't have an internal PKI system, any cert generated (again, for as many years as you wanted) could simply be "trusted" by those other internal systems.
Emphasis on the cert lifetime; as LE certs only last 90 days and if your process is not 100% automated, then you will have one more thing to do every couple of months (like we all don't have too much to do already).
For a secured environment, I wouldn’t even use HTTPS. Unless you’re also using your NAS for web application purposes or something where webbrowsers perhaps would refuse to connect to HTTP only resources. But for simply its main purpose: file storage? No…
Heck, I’m accessing my own NAS through NFS. If anything is not secure, it’s NFS
