Using Synology with Let's Encrypt to Secure my Dynamic IP Address

I am running a Synology DS116 with DSM 6.1.3-15152 Update 6.
I use the free certificate from Let’s Encrypt “

My present situation is as follows:
01 I have a domain registration with TransIP (NOT active)
02 I have a Comodo Positive SSL certificate ""
03 I have a dynamic IP address that can change at any time.

Can somebody help me convert my certificate to Let’s Encrypt, including dynamic IP support?

Hope there is somebody to help me out…

Thx Rob, The Netherlands

Hi Rob

When you create a help topic it asks you the following questions. We do need your domain name.

Please fill out the fields below so we can help you better.

Note: you must provide your domain name to get help.

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.


Done. Does HELP need the domain name running?


I’m not sure what you’re asking.

Having a dynamic IP address is okay. You don’t need to replace your certificates when your IP changes, whether you’re using Comodo or Let’s Encrypt.*

Do you want to get a Let’s Encrypt certificate for You can do that. The Comodo certificate doesn’t matter. You can have certificates from two CAs at the same time.

* Some CAs offer certificates for IP addresses. Let’s Encrypt doesn’t. I don’t know if Comodo does. But you probably don’t have one.

Thanks for your help… I will explain more…

My domain is registered with TransIP. They expect a fixed IP address and don’t support dynamic IP addresses. So any time my IP address changes I have to manually fill in the new IP address. I am looking for a solution for my dynamic IP address…

The Synology and Let’s Encrypt certificate is based on the DDNS that is running on my NAS. For me this is OK. This covers my dynamic IP addressing problem. Only I cannot run my “rvwing,eu” from the Comodo certificate. I would like to use “

Thx Rob

Hi Rob

Have a look at this article:

Synology has a plugin that allows for use of the HTTP Challenge

This requires port 80 to be open which one of your domains does not (

Andrei is actually pointed at (Google Public DNS’s DNS resolver) at the moment.

OK, I have redirected my DNS (TransIP) to the IP; it takes a while to become active.
Ports 80 and 443 are always open…

Synology has a plugin that allows for use of the HTTP Challenge
OK, I will look for it. Can this plugin prevent my dynamic IP?

Now “” is activated and checked is ok


Hi Andrie

Set my DNS (TransIP) to “”. I checked and it is OK.
Requested Synology support to get the plugin that allows for use of the HTTP Challenge.
I have to wait for an answer…

Thx Rob

Synology supports Let’s Encrypt without the need for any plugin. The process to request a certificate via the Synology web interface is described here:

Please note that your custom domain must be pointed at your Synology server to obtain certificates with the Synology client. If the A record for your domain is pointed at a different server, you should install a client such as certbot on that server to obtain a certificate for it.

Synology supports Let’s Encrypt without the need for any plugin.
I did already register “” with Let’s Encrypt in the past.

Let’s Encrypt doesn’t cover my dynamic IP address in a static IP.
I have to change my IP all the time, which I don’t want…

So I reverted my TransIP > DNS > Settings to what they were before; that is my situation NOW.

I like Let’s Encrypt but I don’t know how to fix my dynamic IP address.
Does certbot take care of my static IP address?

Thx Rob72


Let’s Encrypt is not a DNS provider.

It will try to resolve your domain name to an IP (static or dynamic depending on your provider) and it will try to talk to that IP to get the validation.


For Let’s Encrypt’s purposes, the site’s A and AAAA records only matter for a few seconds once every 2-3 months, while the certificate is being renewed. (With DNS-01 validation, which uses a TXT record, they never matter.)

While you probably need the DNS records to be correct 24/7 so people can visit your website, for Let’s Encrypt’s purposes, it doesn’t matter 99.9999% of the time.


To Allen

What I learned: the best option is to use my external access name.
Let’s Encrypt creates the certificate name ""
This solves my problem, including the dynamic IP address.

I can only use my domain “” with a static IP address.

Thx for your assistance, greet…
Best regards, Rob73 The Netherlands

You can go into TransIP’s control panel to your domain’s DNS settings and add a CNAME record pointing a subdomain, e.g., to if you want.

(You can’t use the naked this way with TransIP, because it does not support ALIAS records/CNAME flattening like some other DNS providers do.)

Hello Patches

I use a DNS setting with a wildcard CNAME ""
E-mail gives conflicting certificate problems.
After 24 hours it STOPS working?

Thx Rob (73), The Netherlands

I’m not sure why a wildcard (*) record would affect your email, as it should affect everything but the apex domain. :thinking:

But this is why I suggested using a subdomain like, because I knew for certain that this wouldn’t break any services you have with TransIP.
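The record layout discussed in the two replies above, as an added example that is not part of the original thread: a toy lookup over a constructed zone showing that a subdomain CNAME follows the DDNS name when the IP changes, that a wildcard only answers for names with no records of their own, and why a CNAME cannot sit at the apex next to SOA/MX records. All names and addresses (`example.test`, `myhome.ddns.test`, the 192.0.2.x and 198.51.100.x ranges) are placeholders, and wildcard matching is simplified to one label.

```python
# Added illustration; every name and address below is a constructed placeholder.
RECORDS = {
    ("example.test", "SOA"): "ns0.example.test",
    ("example.test", "MX"): "mail.example.test",
    ("example.test", "A"): "192.0.2.10",           # static address typed in by hand
    ("mail.example.test", "A"): "192.0.2.25",
    ("nas.example.test", "CNAME"): "myhome.ddns.test",
    ("*.example.test", "CNAME"): "myhome.ddns.test",
}
# Address the DDNS provider currently publishes; the NAS updates it when the IP changes.
DDNS = {"myhome.ddns.test": "198.51.100.7"}


def cname_conflicts(records):
    """Names where a CNAME sits beside other record types, which DNS does not allow."""
    types_by_name = {}
    for name, rtype in records:
        types_by_name.setdefault(name, set()).add(rtype)
    return sorted(n for n, t in types_by_name.items() if "CNAME" in t and len(t) > 1)


def resolve(name, records=RECORDS, ddns=DDNS):
    """Return the address a client ends up with for `name`, or None.

    Simplified: one wildcard level, and a wildcard only answers for names
    that have no records of their own.
    """
    existing = {n for n, _ in records}
    owner = name
    if name not in existing:
        owner = "*." + name.partition(".")[2]
        if owner not in existing:
            return None
    target = records.get((owner, "CNAME"))
    if target is not None:
        return ddns.get(target)       # follow the CNAME to the DDNS name
    return records.get((owner, "A"))


if __name__ == "__main__":
    for host in ("example.test", "nas.example.test", "mail.example.test", "webmail.example.test"):
        print(host, "->", resolve(host))
    DDNS["myhome.ddns.test"] = "198.51.100.99"     # ISP hands out a new address
    print("after IP change:", resolve("nas.example.test"), resolve("example.test"))
    apex_cname = {**RECORDS, ("example.test", "CNAME"): "myhome.ddns.test"}
    print("apex CNAME conflicts:", cname_conflicts(apex_cname))
```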

I tested everything. It was working at the moment that I made the changes, BUT after 24 hours the wildcard and subdomain settings were rejected. So I am starting from scratch. I will stop this in this forum. To all users, thanks for your time and understanding etc… It was good to learn about different DNS setups; in the END it is NOT working. Be happy and continue with the next topic.

Best regards Rob (73) the Netherlands

If you’re still having trouble getting your DNS in shape, I would suggest contacting TransIP’s technical support. They would be able to easily restore their default records if you’re still having trouble with their services like e-mail and they would also be able to identify why you are having trouble setting up a subdomain CNAME record for synology with their infrastructure.

Hello Patches, thanks for your reply and advice.

TransIP’s answer: as standard, the record should start with a type A record with a static IP address. In this case it is NOT present. Instead I use a type CNAME that refers to my “External Access” as a subdomain. It is a simple solution, NOT professional; for example, an e-mail server can’t run on it. For me it is a compromise and is working fine…