Synology TLS-SNI-01 End of Life Email?


#1

All, like others I too am on a Synology using the built in Let’s Encrypt support. I am on DSM 6.2.1-23824 Update 4.

I received the email about TLS-SNI-01 deprecation. I’m very sure that I am only using LE with the Synology at this point and definitely in the last 60 days.

But, I see some other threads that the Synology doesn’t use that method, so why the email if true?

Interestingly, we make use of a Synology at work with LE certs and have not (yet) received an email about this.


#2

I got the same email for my synology client.


#3

Hi @majorsl

check your certificate if the renew works.

If yes, ignore the mail.

DSM uses http validation.


Action is required to prevent your Let's Encrypt certificate renewals from breaking
#4

I received the same notification from Let’s Encrypt about deprecation of the “ACME TLS-SNI-01” TLS protocol for my Synology servers.

I ran a DSM update along with other updates on the Synology hosts and then set all communication protocols to use only advanced newer. Rebooted and saw that my certificates are all valid through April.

Be nice to know for sure if ACME TLS-SNI-01 on my Synology hosts have in fact been updated to TLS-ALPN-01?

Now I am trying to add a certificate to the Synology Router 2600 series. It’s a great router but it does NOT come with the Let’s Encypt Whizard so need to do this the old way.


#5

Thanks for the replies so far, but no one seems to have answered which method Synology uses definitely. I also can’t see how to manually renew since they make their client simply and it only does so when it needs to.

My unit is still under support, so I opened a case with Synology in hopes of an official reply. Others may want to do the same.

If I get a reply, I will of course share it here.

Thanks!


#6

I have an update from Synology tech support:

“We are aware of the change with Let’s Encrypt, however this will not affect your certificates. There are 2 kinds of validations when applying for Let’s Encrypt certificates in DSM 6.0+: dns01 and http01 validations . You should not see any issues with your certificates.
Note: tls-sni-01 validation was supported in DSM 6.2, but Let’s Encrypt unfortunately disabled this validation on 2018/1/9 because of security problems.
We don’t have any information regarding whether TLS-ALPN-01 will be supported. I will submit a request to add this functionality to our systems to developers but can’t currently give a timeline for its inclusion.”


#7

Hi @Chuck

thanks for this information.

So there was a tls-sni-support, but it’s already deactivated.


#8

I received mostly the same response a few minutes ago. The GUI for DSM doesn’t show what method it used when first setup and since they appear to have supported both, I asked for clarification if going forward it would use http01 even if sni was first used. I assume so, but better safe than sorry.


#9

Hi @majorsl,

How long have you been on DSM 6.2.1? The email went out to people who had validated a certificate using TLS-SNI in the last 60 days. If you were on an older version, it might have done a renewal using TLS-SNI before an upgrade?

If you’d like to send me your domain name, I can double-check what User-Agent was sent and when the last validation was.


#10

Sure, I’ll send you a PM with that. I’ve done every DSM update as they’ve rolled out within a week of release after making sure others aren’t having issues.


#11

Checking logs, it looks like @majorsl’s most recent issuance, using DSM6.2 Update 4, still used tls-sni-01. Based on what @chuck heard from Synology tech support:

It sounds like maybe DSM 6.2 supports tls-sni-01 and will choose it if available, but will fall back to http-01 if tls-sni-01 is not offered by the server (as will happen on Feb 13). @chuck would you be interested in following up with Synology tech support to check if that’s the case?

Assuming that’s the case, the fallback should work, unless your ISP blocks port 80. We’ve seen a number of people reporting that problem. One way to test if your ISP blocks port 80: From someplace outside your home network, run curl http://<YOUR_DOMAIN_NAME>/ and curl https://<YOUR_DOMAIN_NAME>/.


#12

I got the following reply, however they seem to be assuming you’re using their synology.me service and updating the DNS server on the Synology itself.

I have DNS provided elsewhere, and I’m hoping/assuming it falls back to the http-01 method. I’ve asked that question explaining my use case.

“Yes, it will fall back to dns1, then to http1. When we apply for a certificate from Let’s Encrypt using a Synology DDNS name (eg. aaa.synology.me), Let’s Encrypt will look up the DNS server for the information of _acme-challenge.aaa.synology.me. We need to add a TXT record on the Synology DNS server with the information needed by Let’s Encrypt, making it a successful lookup, then the certificate will be approved and issued.”


#13

Further reply from them (but I don’t have DDNS, just a static IP being used with 'ol DNS, not sure they are getting this…)

Thank you for the info, we are still waiting to hear how it will affect 3rd party DDNS. I’ll go ahead and escalate to get more info. Would you be able to provide remote access to your NAS so they can check it out?


#14

There is definitely something wonky going on with the synology. My Synology has been kept up to date on DSM versions (no longer than a week after a new versions is installed my system is updated) and I got the email.

According to Synology, it should not be possible for me to get this message, and yet I did. Since I have no way to check or verify the Synology cert renewal process, I am not at all confident that on 20 Feb I won’t be left without a valid cert.

I have a real domain name with a real IP and real DNS, not the synology.me stuff.

Anyone have a clue as to what I can do on the Synology to check this before hand? Or just force renew the cert now so at least I have a couple of month leeway instead of 7 days? Their sync-letsencrypt utility is bare bones and doesn’t even document it’s own command line switches.


#15

Hmm…
Do you control the firewall?
If so, you could test a forced renewal with https port blocked to your DSM server (forcing http).
If that succeeds now then it will succeed after 2/13.


#16

This is exactly what I’m doing: I’m going to force renew the day before deprecation of TLS-SNI-01 and then I’ll do it again a couple of days after. This will give me a couple of months to sort things out if the 2nd renewal fails.

It seems Synology, at least the front line techs, are not prepared for people using something other than synology.me which is strange to me.

I like the idea of testing with https blocked. I might give that a go.


#17

Hi majors!
How do you force an update of the certificate? Thanks


#18
  1. Go into the Control Panel of your Synology
  2. Click Security
  3. Click Certificate
  4. Click the certificate you want to renew
  5. Click the drop down menu that is attached to “Add” (weird, I know, you’re not adding.)
  6. Choose renew certificate

Good luck!


#19

As root, or using sudo:

ls /usr/syno/etc/certificate/_archive

You will see INFO, DEFAULT, and something else. You need the something else. If you have multiple something elses, you will need to do this for each one.

/usr/syno/sbin/syno-letsencrypt renew -c <something>


ACME TLS-SNI-01 on Synology NAS
#20

That is weird. Didn’t think to look there
Thank you