What next after I have the CSR files for a Synology Router

My domain is: lay.VPNplus.to

I ran this command: N/A

It produced this output: N/A

My web server is (include version): N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I have a Synology RT1900AC Router running the latest version of Synology Router Management (updated last week). One of the options this router has is to create a CSR, as you can see from the screenshot I took https://imgur.com/a/FkXcN2U and to install a custom SSL certificate.
As of now, I have the server.csr and server.key files, but I am lost as to what to do with them to generate the SSL certificate I need to install.
I am not running a webserver, I just need to get SSL running on the router so that some applications like accesing the router remotely don’t give you the no ssl running error.
So basically all I need to know is what to do with these files so that I get the private key, the certificate, and the intermediate certificate that it asks me for to install a new SSL certificate, like this picture shows: https://imgur.com/a/ibH4gNk
Any help would be greatly appreciated.

1 Like

I assume that hostname actually resolves to your Synology router? Because Let's Encrypt requires proof of ownership of the domain and you can do so by either two (practically) methods: putting a certain file under the directory http://lay.VPNplus.to/.well-known/acme-challenge/ or adding a TXT record to _acme-challenge.lay.VPNplus.to. Either way, it requires control over a webserver running behind lay.VPNplus.to or access and control to the DNS service of that hostname.

Hi @IBMex

you need a Letsencrypt - client.

A program that communicates with Letsencrypt and gives you

  • a file if you have a webserver to save under /.well-known/acme-challenge
  • or a Hash-value you have to use as value of a dns-txt entry _acme-challenge.lay.VPNplus.to

You can run this client one one of these computers behind your router or on your local PC.

But first check this - Linux or Windows - client.

Ok, I got the DNS server running on the router (no web server), and can install a TXT record for the domain there, but I still don’t understand what I need to do with the CSR file to get that text that needs to go in that record, nor how I tell Let’s Encrypt to validate it once it is done.
Do you have the time to walk me thru it please?
Thanks in advance.

Which client would you recomend for windows 10 that will generate the Hash-Value for the DNS-TXT entry?
And do you happen to know if there is a guide to follow for this?
And thank you very much for sharing.

Check the list of clients. It depends on your experience which client is good. I use my own client.

I have 0 experience with SSL. This is my first rodeo, so your wisdom would help a lot, plus I am also assuming that not all clients do the Hash-Value, so a client that actually does that would be best.
Thanks again.

But is that TXT record resolvable from the world wide web? Obviously, if you ask the DNS server on your router directly, you'll get an answer. But does Let's Encrypt get one too? (Or anybody else on the internet.)

Yes, it is a internet accesible DNS server. We currently use it to access our internal network from the outside world, but just with HTTP, not HTTPS, hence the reason we want to install Let’s Encrypt.
What I don’t understand is how or where to get the Hash-Value from the CSR file to add the appropiate DNS TXT record for validation, and then how to tell Let’s Encrypt to go check it so that they can generate my certificate.
I haven’t been able to find out any information on that, so how do I go about doing that?

The IP address of your router is At least, you said the hostname was lay.VPNplus.to, so I assume that is the hostname of your router and thus also the IP address of said router.

The reason why I am asking about the accessibility of your DNS server is when I try to get the value of the TXT record of _acme-challenge.lay.VPNplus.to, or the NS records for lay.VPNplus.to, it tells me the authorative DNS servers for those hostnames is ddns-ns1.quickconnect.to. or ddns-ns2.quickconnect.to. Those two DNS servers have IP address resp., NOT your IP address.

Therefore, I'm worried that adding a TXT record to the DNS server of your router doesn't let anybody on the world wide web actually get that TXT record.

That "hash value" is a specific token you'd get from the ACME server of Let's Encrypt. You can read about how Let's Encrypt works on its site: How It Works - Let's Encrypt You can also read on the site about how to get started: Getting Started - Let's Encrypt But I assume you've already read those pages before you came here to ask for help, right? :wink: Please let us know what's not clear or what is hard to understand on those pages.

Then it's really important that you read the basics:

A client which supports dns-01 validation gives you the hash value.

But I have 0 experience with one of these windows clients, so I don't know which is the best client in your use case.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.