Synology Setup without Port 80?

Hi folks,

My first request for LE assistance :slight_smile:

I’m running a Synology DSM 6.1 box on a LAN that already has a dedicated web server on another box - so I can’t redirect HTTP (80) to the Synology box. So how do I set up an LE certificate and get auto renewal working without breaking our existing website?

  1. Can I configure LE to authenticate on a different port, say 8080?
  2. Can I “domain authenticate” via a DNS entry or by placing a file on the website?

Any assistance would be much appreciated.

Chat soon.

Nope, Let’s Encrypt http-01 challenges work over port 80 only, and tls-sni-01 challenges work over 443 only. It will follow redirects, however. Thus, one option is to have the listening web server respond to requests for /.well-known/acme-challenge with a redirect to the same address on port 8080. This, I believe, would be a valid configuration.

I don’t know how issuance works for Synology. Is there some built in functionality, or are you using Certbot? Let’s Encrypt does have options for DNS challenges (entering a DNS TXT entry with specific contents) as well as http challenges (uploading a file). The latter is what works over port 80 already. There’s a third challenge type that works over https by requesting a specific, fake certificate via SNI, but I don’t believe you’re using this.
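A concrete version of the "let the port-80 server hand off the challenge path" idea above, as an added example that is not from this thread or from Synology. One caveat a practitioner should check first: Let's Encrypt's http-01 validator does follow redirects, but only to ports 80 and 443, so a 301 to port 8080 will fail validation. Reverse-proxying the challenge path instead keeps the validator talking to port 80 on the existing web server while the Synology still answers the challenge. The hostname, the Synology's LAN address and the port its built-in client serves the challenge on (DSM's own web server, port 80 by default) are assumptions; adjust them to your network.

```nginx
# Added example: goes on the EXISTING web server that owns port 80, not on the NAS.
# Only the ACME challenge path is forwarded; everything else stays with your site.
server {
    listen 80;
    server_name nas.example.com;          # assumed name the certificate is for

    # The validator requests http://nas.example.com/.well-known/acme-challenge/<token>
    # on port 80; we fetch the answer from the Synology on the LAN and return it.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.20:80;   # assumed NAS address and challenge port
        proxy_set_header Host $host;          # so DSM sees the requested hostname
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Unrelated to ACME: the site that already lives on this server.
    location / {
        root /var/www/html;                   # assumed document root
    }
}
```

Renewal then needs no manual step: each time DSM's client renews, it publishes the new token on the NAS and the proxy rule delivers it to the validator through port 80 on the web server.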

Hi Jared,
Thanks for that - I’m not responsible for the web server so the DNS route would be my preferred method.
Synology has the LE client built in, and makes no mention of DNS as an option - so presumably I need to speak to Synology or start using an external agent and set up SSH etc :frowning:
Is there a document or FAQ on the DNS TXT process I can read?
Chat soon.

Let’s Encrypt uses the ACME standard, so if you’re looking to DIY this you’d need to read the draft RFC. However, the better method would be to use a client that supports it that someone already wrote, like Certbot or acme.sh.

If you’re ok with some manual work every few months, you could also use a browser-based client like https://zerossl.com, but this isn’t really ideal.
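For anyone who does want to read the standard rather than trust a client blindly, here is the "DNS TXT process" from the question above worked through end to end, together with the http-01 file contents the earlier reply mentions. This is an added example, not code from the thread, Synology, Certbot or acme.sh. The only inputs are the challenge token the ACME server hands out and the account's public key as a JWK; the public RSA key is the example key from RFC 7638 section 3.1, while the token, hostname and IP are constructed for illustration.

```python
"""ACME (RFC 8555) challenge responses, worked through by hand.

Added example for this thread; not code from Synology's client, Certbot or
acme.sh.  Given the challenge token the ACME server issues and the account's
public key as a JWK, it derives what a client has to publish:

  http-01 : http://<domain>/.well-known/acme-challenge/<token> serving the
            key authorization as plain text
  dns-01  : TXT record at _acme-challenge.<domain> holding
            base64url(SHA-256(key authorization))

The JWK below is the public RSA key from RFC 7638 section 3.1; the token,
hostname and sample values are constructed for illustration.
"""
import base64
import hashlib
import json
import re

# RFC 8555 section 8.3: tokens are base64url only.  A client that writes the
# http-01 response file under the token's name must enforce this before using
# the token in a filesystem path, or a hostile token could traverse directories.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 section 3.2: only the required public members, in lexicographic
# order and without whitespace, go into the thumbprint hash.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_is_valid(token: str) -> bool:
    """True only for non-empty base64url tokens (no '/', '..', etc.)."""
    return bool(_TOKEN_RE.match(token))


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the JWK for thumbprinting (extra members are dropped)."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the *account* key."""
    if not token_is_valid(token):
        raise ValueError("token is not base64url; refusing to use it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_url(domain: str, token: str) -> str:
    """Where the validator fetches the http-01 response (plain HTTP, port 80)."""
    if not token_is_valid(token):
        raise ValueError("token is not base64url; refusing to build a path from it")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def http01_body(token: str, jwk: dict) -> str:
    """Exact body to serve at the http-01 URL: the key authorization itself."""
    return key_authorization(token, jwk)


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record the dns-01 validator queries."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed sample input: RFC 7638's example RSA public key and a made-up token.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",  # deliberately present: must NOT influence the thumbprint
}
SAMPLE_TOKEN = "Ul8DkP7p4PWFw5tH8Ar2aZSxmVqKjY5z"  # constructed, base64url-shaped
SAMPLE_DOMAIN = "nas.example.com"                   # constructed

if __name__ == "__main__":
    print("http-01 URL  :", http01_url(SAMPLE_DOMAIN, SAMPLE_TOKEN))
    print("http-01 body :", http01_body(SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01 name  :", dns01_record_name(SAMPLE_DOMAIN))
    print("dns-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Two details matter when doing this by hand: the thumbprint is over the account key, not the certificate key, and it covers only the required JWK members (adding "alg" or "kid" to the JWK does not change it). The TXT value is a hash of the key authorization, so it differs from the http-01 file body even though both derive from the same token; publish the TXT record, wait for it to be visible from outside your network, and only then tell the ACME server to validate.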

The Synology Let’s Encrypt supports DNS authentication with their dynamic DNS service only. If you use synology.me or one of the other domains they offer you can just click the button and get a certificate no matter what port it is running on.

It does not support DNS authentication for custom domains. If you want to use a custom domain you can get a certificate manually as Jared suggests or you can run acme.sh on the Synology server to automate things.
