Windows 10 Synology NAS SSL not working Chrome

leojbourne · March 1, 2021, 3:18pm

In Windows 10 Pro 20H2 19042.804 64 bit the Chrome and Edge browsers shows invalid certificate, "Windows does not have enough information to verify this certificate." However, in Opera browser it shows black lock and says certificate is valid. Access is via the standard Synology xxx.synology.me or quickconnect.to/xxx domains. Since Opera works, it appears that Windows 10 trust center, which is linked to Edge and Chrome, doesn't honor Let's Encrypt certificates properly. Is there a fix?

Any help on this would be appreciated.

JuergenAuer · March 1, 2021, 3:27pm

Hi @leojbourne

nobody has the time to speculate. Your domain name is required.

leojbourne · March 1, 2021, 4:22pm

leojbourne.synology.me

JuergenAuer · March 1, 2021, 4:25pm

There is no answer.

Only timeouts, so it's impossible to check your certificate / configuration.

leojbourne · March 1, 2021, 4:30pm

I am able to access it from my PC in various browsers, but not secure except in Opera. Chrome shows the cert info but it is not trusted by Windows. I do not know why you are timing out. The target is a Synology NAS attached to my router. I am using a laptop attached to the router via Ethernet cable.

leojbourne · March 1, 2021, 4:32pm

If you need info perhaps I can provide it from the Chrome cert description.

JuergenAuer · March 1, 2021, 4:34pm

It doesn't work.

Not with ipv4, not with ipv6:

D:\temp>nslookup leojbourne.synology.me.
Name: leojbourne.synology.me
Addresses: 2602:fe43:f3f:fc00::4
205.220.234.10

D:\temp>curl -4 https://leojbourne.synology.me/
curl: (7) Failed to connect to leojbourne.synology.me port 443: Timed out

D:\temp>curl -6 https://leojbourne.synology.me/
curl: (7) Failed to connect to leojbourne.synology.me port 443: Timed out

PS: Share a screenshot (with Advanced) from the Chrome error.

leojbourne · March 1, 2021, 4:40pm

I am not highly computer literate. Please clarify "advanced". It will take me a little time to figure out how send the screenshots to you.

JuergenAuer · March 1, 2021, 4:42pm

If Chrome sees a certificate error, there is a small information - with "Advanced" (or translated).

Visit

https://expired.badssl.com/

or some of the other subdomains under https://badssl.com/

Then you should see that button.

leojbourne · March 1, 2021, 4:48pm

I had put the site as trusted to stop the warning. I took it out of the trusted sites, but now I don't get the full warning anymore with the button. It may require a restart.

leojbourne · March 1, 2021, 4:50pm

I reenabled the warning.

leojbourne · March 1, 2021, 4:53pm

JuergenAuer · March 1, 2021, 4:55pm

There is your reason.

That's a Synology certificate, not a Letsencrypt certificate.

So ask in a Synology forum.

PS: You have created a Letsencrypt certificate - https://crt.sh/?q=leojbourne.synology.me

But that's not the certificate your port 5001 uses.

Looks like you have to install the certificate.

leojbourne · March 1, 2021, 4:56pm

The Synology setup gets the certificate from Let's Encrypt.

JuergenAuer · March 1, 2021, 4:58pm

But it's not installed, there is a (may be) self signed Synology certificate. So the error is expected.

See "Issuer" in your screenshot.

leojbourne · March 1, 2021, 5:02pm

Thank you very much for your kind assistance. I will pursue this with Synology. For some reason it looks like they are somehow relabeling the cert. Opera doesn't mind, but Chrome and Edge do. Kindly see if you can reach quickconnect.to/leojbourne since the other domain site times out.

leojbourne · March 2, 2021, 3:07am

The Synology NAS installed Let's Encrypt certificate configuration points by default to synology.com instead of .synology.me or a trust chain, which makes certain browsers show invalid certificate. This setting is in an obscure location.

Login to the NAS as administrator, and then click Control Panel, then Security, then the Certificate tab, then highlight the desired certificate (usually it should be the default at the top of the list), then the Configure tab, then at the right side click each of the down arrows for the various apps and instead of the current synology.com pick .synology.me. Click the OK button and suddenly Chrome and Edge will start showing a lock icon for secure transmission. It is possible that a discussion of the setting appears somewhere in the Synology instructions, but I didn't see it. Maybe this information will help someone.

I appreciate the quick, expert assistance from the forum.

leojbourne · March 2, 2021, 3:10am

For some reason things in angle brackets are removed when posting, and I had the word "account" in angle brackets before synology.me, but it did not show. The format is the standard accountxxx.synology.me.

JuergenAuer · March 2, 2021, 10:12am

That's not obscure. Synology isn't a CA, so only a not public trusted self signed certificate is possible.

Yep. That installs the correct certificate.

Certificate creation and certificate installation are always two different steps.

system · April 1, 2021, 10:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.