Way to combine several certificates created on Synology NAS

I have created several certificates on a Synology NAS, trying to cover multiple language subdomains for a WordPress language plugin for the domain blog.songswell.com.
Is there a way to combine them into one default certificate? I don't think there is a certbot for Synology.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

There are several ways to do this. I'm not sure how you have acquired your certificates thus far. I would highly recommend that you consider using an apex (songswell.com) and wildcard (*.songswell.com) certificate (that I affectionately call an A&W certificate). With that you can add as many translation (or other) subdomains as you desire and they will automatically be covered. This would require fulfilling two dns-01 challenges entailing the creation of two TXT records in your DNS where the host/name for both would be _acme-challenge.songswell.com. and the values would be different.


Your Complete Certificate History
2 Likes

Hello Griffin, so how can I do this? I created my certificates with my Synology NAS and it won't allow a wildcard creation for my songswell.com domain. As you can see from my certificates I tried to include all my language subdomains, yet it will only recognize one default certificate with 11 subdomains. I have 46 languages on my plugin! The Synology server runs Linux but its certificate creation is limited. The Synology has no way to create a TXT verification for your domain host. best joe

2 Likes

A certificate is for domain names, not devices. Thus when you acquire a certificate, you must prove that you control the domain name(s) for that certificate.

You might take a look at this:

Things to know:

  • the domain name (common name) is songswell.com
  • the subject alternative names (SANs) are songswell.com and *.songswell.com
  • you must use DNS TXT records to verify ownership of songswell.com and *.songswell.com

Hi @songswell

why is this a problem?

Create 5 certificates, 4 with 10 domain names, the last with the other 6 domain names. Job done.

You can use another client

to create a wildcard blog.songswell.com + *.blog.songswell.com and you can import that wildcard manually.

But you have to do that every 60 - 85 days, so it's painful.

Using the integrated NAS client automated renewal should work. So you can add additional languages.

1 Like

Thanks Griffin and Juergen for replies. As I am learning, indeed the Synology is creation limited and has worked fine until my need to make many language subdomains. As you see from certificate 3675832015 I have included 11 language subdomains and this is my "default" certificate. So if you go to https://de.blog.songswell.com (de for German) the site works with a lock on URL. This certificate will automatically update. I then went and created additional certificates like 3674574798 that has multiple subdomains. Since it is not the "default" certificate it doesn't work properly. If you go to https://ct.blog.songswell.com (ct for Welsh) it doesn't work.
Is there a way to join certificates already created under blog.songswell.com so that all the language subdomains are under one "default" certificate 36758320151? best joe

1 Like

I am getting additional certificates to work that are not "default" created on synology. The domain name needs to be active in synology virtual host. I created new name records in my domain host fr pointing to songswell.com and es pointing to songswell.com. Then one can create certificates for fr.songswell.com and es.songswell.com and each can have 11 subdomains. When you configure in synology that certificate needs to be chosen for the ports used.

2 Likes

OT: It's es.blog.songswell.com - there is a valid certificate.

1 Like

Hello Juergen, you sent me a site that shows all my certificates made through the Synology NAS. Is there a tool that modifies the certificates after they have been made? The problem with having multiple certificates is that if a browser has a window open using one certificate and then switches to a language using another certificate, it doesn't always work properly. best joe

1 Like

I actually gave you that. :slightly_smiling_face:


No. Once a certificate is generated it cannot be modified. If you need to change something, you need to generate a new certificate.


This sounds like a good reason to have all of the languages on the same certificate.

Hello Griffin, yes I correct myself. You first sent my output on my certificates. I agree as well I would be better just creating two new wildcard certificates that would simplify my problem. My domain host is namecheap and I have put Docker on my synology and I have loaded linuxserver/swag. I just need to learn how to send a request to Let's Encrypt for a DNS text record and then how to run docker to generate a certificate. It's a little confusing.

1 Like

Why would you need two wildcard certificates?

I believe you only need one wildcard certificate for songswell.com and *.songswell.com .

How about this?

Article looks amazing; the devil's in the details to get this to work:

C:\Users\medsp>ssh adminCertificate@192.168.1.242 -p24
adminCertificate@192.168.1.242's password:
adminCertificate@NewDiskStation:~$ wget -0 /tmp/acme.sh.zip https://github.com/acmesh-official/acme.sh/archive/dev.zip # currently using dev branch sudo 7z x -o/usr/local/share/acme.sh-dev/ /temp/acme.sh.zip sudo mv /usr/local/share/acme.sh-dev/ /usr/local/share/acme.sh #currently using dev branch sudo chown -R adminCertificate /usr/local/share/acme.sh/ #use your newly created admin user
wget: invalid option -- '0'
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.

I tried his code to download acme.sh and this is what I got. joe

1 Like

I'm making some progress. I tried the method suggested by Griffin by Markus but wasn't able to get it to work. I found https://vdr.one/how-to-create-a-lets-encrypt-wildcard-certificate-on-a-synology-nas/ and if you look at my certificates I have both new *.blog.songswell.com and .songswell.com certificates. The next step is how you create what Griffin calls an A&W wildcard that will cover (.blog.songswell.com) both blog.songswell.com and all the language subdomains, e.g. fr.blog.songswell.com. If I now use *.blog.songswell.com as my default it covers all the language subdomains but not the "blog.songswell.com" domain.

1 Like

The apex and wildcard (A&W) certificate covers the apex (songswell.com) and the wildcard (*.songswell.com). A similar concept would apply to blog.songswell.com and *.blog.songswell.com (though *.songswell.com would already cover blog.songswell.com).
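The coverage rule behind this reply, as an added example that is not part of the original post: a wildcard SAN stands for exactly one left-most label, so it covers neither its own parent name nor names two levels down. The hostname list and candidate SAN sets below are constructed from names mentioned in this thread.

```python
def san_matches(san: str, host: str) -> bool:
    """True if one dNSName SAN entry covers host (RFC 6125 style matching)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # The wildcard replaces exactly one left-most label: it never matches
    # the bare parent name and never spans two labels.
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]

def uncovered(sans, hosts):
    """Hostnames that no SAN on the certificate covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

def redundant(sans):
    """Explicit names that a wildcard on the same certificate already covers."""
    wildcards = [s for s in sans if s.startswith("*.")]
    return [s for s in sans
            if not s.startswith("*.") and any(san_matches(w, s) for w in wildcards)]

# Constructed sample: the sites to serve, and SAN sets discussed in the thread.
HOSTS = ["songswell.com", "blog.songswell.com", "de.blog.songswell.com",
         "fr.blog.songswell.com", "ct.blog.songswell.com"]
CANDIDATES = {
    "wildcard only": ["*.blog.songswell.com"],
    "blog A&W":      ["blog.songswell.com", "*.blog.songswell.com"],
    "apex A&W":      ["songswell.com", "*.songswell.com"],
    "combined":      ["songswell.com", "*.songswell.com", "*.blog.songswell.com"],
}

def report(candidates=CANDIDATES, hosts=HOSTS):
    """Map each candidate SAN set to the hostnames it leaves uncovered."""
    return {label: uncovered(sans, hosts) for label, sans in candidates.items()}

if __name__ == "__main__":
    for label, missing in report().items():
        print(f"{label:14} missing: {missing or 'nothing'}")
```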

I just tried putting a new text record in my domain host for blog.songswell.com and tried to run this code: .acme.sh --renew -d *.blog.songswell.com -d blog.songswell.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --force

but it just overwrote my original *.blog.songswell.com certificate and didn't add blog.songswell.com as subject alternative

1 Like

I wouldn't recommend trying to renew and change a certificate at the same time.

Try:

acme.sh --issue --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please -d blog.songswell.com -d '*.blog.songswell.com'

Success! I ran an issue for -d *blog.songswell.com -d blog.songswell.co. and it gave me a text record for both together that I placed in the domain host. I reran the --issue and it gave me a certificate with subject alternative blog.songswell.com. Now if you go to blog.songswell.com and run through the language plug-in all the language subdomains are secure.

Should I try to make one certificate *songswell.com with songswell.com, *blog.songswell.com, and blog.songswell.com all on one certificate?

1 Like

If they're all served by the same machine there's no harm in creating a combined certificate.

Keep in mind that Let's Encrypt tends to cache authorizations for 30 days, meaning that you likely won't be asked to reverify ownership of a particular domain name if you've already verified it within the last 30 days. This might help you understand better what you're experiencing.


You really need to get http to https redirects in place!

Success made *.songswell certificate with subject alternative *.blog.songswell.com and songswell.com

1 Like