Synology TLS-SNI-01 End of Life Email?

There is definitely something wonky going on with the Synology. My Synology has been kept up to date on DSM versions (no longer than a week after a new version is released, my system is updated) and I got the email.

According to Synology, it should not be possible for me to get this message, and yet I did. Since I have no way to check or verify the Synology cert renewal process, I am not at all confident that on 20 Feb I won’t be left without a valid cert.

I have a real domain name with a real IP and real DNS, not the synology.me stuff.

Anyone have a clue as to what I can do on the Synology to check this beforehand? Or just force renew the cert now so at least I have a couple of months' leeway instead of 7 days? Their syno-letsencrypt utility is bare bones and doesn't even document its own command line switches.

Hmm…
Do you control the firewall?
If so, you could test a forced renewal with https port blocked to your DSM server (forcing http).
If that succeeds now then it will succeed after 2/13.

This is exactly what I’m doing: I’m going to force renew the day before deprecation of TLS-SNI-01 and then I’ll do it again a couple of days after. This will give me a couple of months to sort things out if the 2nd renewal fails.

It seems Synology, at least the front line techs, are not prepared for people using something other than synology.me which is strange to me.

I like the idea of testing with https blocked. I might give that a go.

Hi majors!
How do you force an update of the certificate? Thanks

  1. Go into the Control Panel of your Synology
  2. Click Security
  3. Click Certificate
  4. Click the certificate you want to renew
  5. Click the drop down menu that is attached to “Add” (weird, I know, you’re not adding.)
  6. Choose renew certificate

Good luck!

As root, or using sudo:

ls /usr/syno/etc/certificate/_archive

You will see INFO, DEFAULT, and something else. You need the something else. If you have multiple something elses, you will need to do this for each one.

/usr/syno/sbin/syno-letsencrypt renew -c <something>

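An added example (not part of the thread and not Synology's own code) that scripts the steps in the post above: it lists the archive directory, skips INFO and DEFAULT, runs `syno-letsencrypt renew -c` for every remaining ID, and prints the certificate's expiry before and after so you can confirm the renewal actually extended it rather than silently failing. The archive path and the renew command come from the post; the `cert.pem` filename inside each certificate directory and the `SYNO_LE` override (so you can dry-run with `SYNO_LE=echo`) are assumptions. Run it as root or with sudo on the DSM box.

```shell
#!/bin/sh
# Added example, not Synology's code. Enumerates the certificate IDs under the
# DSM archive directory, renews each with syno-letsencrypt, and reports the
# notAfter date before and after so a failed renewal is obvious.
#
# Assumptions (not confirmed by the thread):
#   - each certificate directory contains a cert.pem with the live certificate
#   - SYNO_LE can be pointed at another binary (e.g. "echo") for a dry run

ARCHIVE="${ARCHIVE:-/usr/syno/etc/certificate/_archive}"
SYNO_LE="${SYNO_LE:-/usr/syno/sbin/syno-letsencrypt}"

# Print one certificate ID per line: every archive entry except INFO/DEFAULT.
find_cert_ids() {
    dir="$1"
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        case "$name" in
            INFO|DEFAULT) continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Print the notAfter date of a PEM certificate, or "unknown" if it cannot be read.
cert_expiry() {
    pem="$1"
    if [ -r "$pem" ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//'
    else
        echo unknown
    fi
}

# Renew every certificate in the archive. Returns non-zero if any renewal fails,
# so the exit status can drive a cron alert.
renew_all() {
    dir="$1"
    rc=0
    for id in $(find_cert_ids "$dir"); do
        echo "== $id: before: $(cert_expiry "$dir/$id/cert.pem")"
        if "$SYNO_LE" renew -c "$id"; then
            echo "== $id: after:  $(cert_expiry "$dir/$id/cert.pem")"
        else
            echo "== $id: renew FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act when invoked with --run, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    renew_all "$ARCHIVE"
fi
```

Usage: `sudo sh renew-all.sh --run`. To rehearse the HTTP-01 path the way the earlier post suggests, block inbound 443 at the firewall first, run this, and check that the "after" date moved; if it did, the same renewal will work once TLS-SNI-01 is gone.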
That is weird. Didn't think to look there.
Thank you.

Nice to meet a fellow Synology user that is using advanced features. Here is what Synology tech support told me, and I am disappointed that they can't give a definitive date on the status of supporting TLS-ALPN-01. Instead they are recommending unencrypted protocols, which make the platform vulnerable needlessly. Here is what Synology said to me, and I am in their partner product sales program.

"We are aware of the change with Let’s Encrypt, however this will not affect your certificates.

There are 2 kinds of validations when applying for Let’s Encrypt certificates in DSM 6.0+: dns01 and http01 validations. You should not see any issues with your certificates.

Note: tls-sni-01 validation was supported in DSM 6.2, but Let’s Encrypt unfortunately disabled this validation on 2018/1/9 because of security problems.

We don’t have any information regarding whether TLS-ALPN-01 will be supported. I will submit a request to add this functionality to our systems to developers. I can’t currently give a timeline for its inclusion."

I am interested in getting away from the Synology DDNS and would like to learn more about other options. At one time I was an ISP/ASP provider and operated my own DNS servers and had my own C-block, but now I am reduced to the lowly dependency of a dual cable modem Comcast setup using residential as well as their business service, which gives me a few more public addresses.

I would love to have a set of fixed IP addresses along with a robust DNS protocol that’s encrypted and does recursive PTR to reduce spoofing. I also missed the type of reports I used to get running my own DNS zone files.

Any new service alternatives are much appreciated since my ISP/ASP knowledge base is from 1996-2012.

Thanks
Chuck

Here is what Synology tech support provided to me late Friday:

"We are aware of the change with Let’s Encrypt, however this will not affect your certificates. There are 2 kinds of validations when applying for Let’s Encrypt certificates in DSM 6.0+: dns01 and http01 validations. You should not see any issues with your certificates.

Note: tls-sni-01 validation was supported in DSM 6.2, but Let’s Encrypt unfortunately disabled this validation on 2018/1/9 because of security problems.

We don’t have any information regarding whether TLS-ALPN-01 will be supported. I will submit a request to add this functionality to our systems to developers. I can’t currently give a timeline for its inclusion"

No date/time provided, so it appears it took them a bit by surprise. I am concerned about using anything that does not use encryption.

I will update you with more info if they reach out to me again but I am pretty sure they just want to close tickets lol.

Chuck

I'm not sure I follow this line of thinking.
Encryption doesn't make a server secure - it just reduces the visibility down to one-to-one conversations.
If your server allows UserA to enter into your system via HTTP then HTTP is misconfigured.
If your server allows UserA to enter into your system via HTTPS then you are secure?
Who is UserA? Should they have been allowed? [those are security questions - HTTPS alone can't answer]

The unencrypted protocol use should ONLY be for cert authentication and renewals.
If they are allowing "other things" to happen over HTTP, then they are NOT doing things correctly.
But you are always at the mercy of the product in use (on their R&D, programming, etc. for both HTTP and HTTPS)

IF YOU ARE EXTREMELY PARANOID (I mean "security conscious" [like me :)]), then proxy the HTTP traffic through another system and only allow the authentications to reach the DSM.

They still support it in DSM 6.2 but assert “but Let’s Encrypt unfortunately disabled this validation on 2018/1/9 because of security problems.”

Let me clarify the concern for using unencrypted messaging. It is called a network sniffer or RMON function. If the bad guys have that in place on key communication channels, they can log it, data mine it and possibly use it in conjunction with other data mined.

Most of my past work for compliance required encryption of information in transit.

Perhaps you can explain that even if that information is intercepted it may not present a security risk?

In my past work all messaging and data in transit required encryption and for good reason! I experienced a number of targeted cybercrime events when I was in IT security so maybe it’s cyber PTSD lol.

Thanks for your input.

My point is that nothing should ever happen over HTTP [we kind of agree there].
EXCEPT where things have to happen over HTTP [like cert authentication].

So, OK then I will allow cert authentication - BUT ONLY CERT AUTHENTICATION & NOTHING ELSE.
Yes I am that guy - don’t touch my tin foil hat - LOL
With an HTTP only proxy that redirects all connections to HTTPS you are done.
Trap that proxy system in a /30 DMZ (with proper firewall rules of course) and it can’t do anything else to anyone else.
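One way to build the "HTTP-only proxy that passes nothing but cert authentication" described above, as an added example that is not from the thread or from Synology: an nginx server block on the DMZ proxy host that listens on port 80 only, forwards just the ACME HTTP-01 challenge path to the DSM, and redirects every other plain-HTTP request to HTTPS. The hostname nas.example.com and the DSM address 192.0.2.10 are placeholders; the DSM is assumed to answer HTTP-01 challenges on its port 80, as the Synology support excerpt later in the thread states.

```nginx
# Added example (not Synology's configuration). Runs on the proxy host in the
# /30 DMZ; the firewall only permits this host to reach the DSM on TCP/80.
server {
    listen 80;
    server_name nas.example.com;   # placeholder, substitute your real name

    # Let's Encrypt HTTP-01 validation: this path, and only this path,
    # is relayed to the DSM.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://192.0.2.10:80;   # placeholder DSM LAN address
        proxy_set_header Host $host;
    }

    # Everything else over plain HTTP is bounced to HTTPS; the DSM never
    # sees these requests.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

The `^~` prefix match wins over the catch-all `/` location, so no request outside the challenge path reaches the DSM unencrypted, which is the property the post above is after.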

I’m not quite that extensive, but I get where you’re coming from. Cert auth is the only thing that’ll be on port 80 for me. Everything else is sent to https.

And this is why I have a problem with what they are saying: Synology does not support dns01 validations unless they are done through their own synology.me service. This leads me to think whoever is responding with this doesn't know what they are talking about.

Also, this is not a sudden change, it's been planned for 6 months? Longer?

On my non-Synology servers, letsencrypt validation happens over https because I do not allow http connections.

The security issue was reported to Let's Encrypt 2018-01-09. TLS-SNI-01 was immediately disabled, then temporarily reenabled for renewals a few days later. The specific end date was announced in October.

I have a DDNS via duckdns and the Let’s Encrypt Certificate was working well with an every 3 months update ever since. My certificate will expire 29th January. For several weeks now the certificate’s update process does not work anymore. I can see something happening as the failure message is popping up delayed when I close ports 80 and 443 in my router or in DSM. But whatever I have tried, the certificate is not being updated.

I have got LE’s warning email as well, a few weeks ago.

As the update ran fine all the time before, I would think Synology has a problem with their processes in DSM. Also, because I got problems several times with the Synology DS Cam App on my mobile after the LE certificate was updated and Synology "forgot" this could happen from time to time and did not clear the app's cache after updating the certificate on DSM. This at least was fixed, but I still remember the annoying times trying to find out what went wrong after the update.

I can only hope they will soon look into this matter. Anyone else having problems, could you please share solutions or start bothering Synology to get active on this matter?

Thanks, Dennis

This information might be useful for you guys:

Excerpt from the official Synology Support:

The Let's Encrypt client built into Synology supports TLS-SNI-01, HTTP-01 and DNS-01 validation.

Although TLS-SNI-01 validation is reaching end-of-life, Synology's Let's Encrypt integration will not be affected.

If you have enabled Synology DDNS and use the name to apply for the certificate, the process will go through HTTP-01 validation first.

If the Synology DDNS server is not ready, or there is any failure during HTTP-01 validation, the process will fall back to DNS-01 validation.

For non-Synology name service, it uses HTTP-01 which requires port 80 accessibility.

Thus, we suggest you keep port 80 open for validation if you do not use Synology DDNS name to apply the certificate.
