How to install Let’s Encrypt SSL Certificate on Synology NAS with DSM 6

I’ve been using my Synology NAS with HTTPS enabled for a while now, but with a self-signed certificate it wasn’t all that secure. Today I decided to try the new feature in DSM 6 Beta 2 for installing an SSL certificate to better secure my NAS. Since the release of DSM 6 Beta 2, Let’s Encrypt is integrated.

In this post I will explain how you can easily secure your Synology NAS with an SSL certificate for free. In the examples below I will use the subdomain names example.brainpulse.nl, example2.brainpulse.nl and example3.brainpulse.nl.

Note: I’ll be using a Synology DS412+ running DSM 6.0-7274.

For more information about Let’s Encrypt see https://letsencrypt.org

Prerequisites before starting

  • Create the DNS records for the domain names you want to use. This is an A record which points to your WAN IP address.
  • Create a port forward for port 80 from your router to the IP of your Synology NAS. I don’t know for sure, but I think this is because of the automatic approval and is used for installing the certificate.
  • Make sure the web server is running. In the new DSM the web server has moved to the Package Center; install the package Web Station. You don’t have to enable the option “personal website” in the settings screen of Web Station.

Getting started with Let’s Encrypt and DSM 6 Beta 2

Next, go to Control Panel –> Security and click on the tab Certificate.

Click on “Add” to begin creating an SSL certificate.

Select the option “Add a new certificate” and click on “Next”.

We are going to use the FREE SSL certificates from Let’s Encrypt; did I already say they are free? Select the option “Get a certificate from Let’s Encrypt” and click on “Next”.

Now you can enter the domain name you are going to use to connect to your DSM. You can also provide alternative names, so the same certificate covers those as well. For the purpose of this example I will use the creative names example2.brainpulse.nl and example3.brainpulse.nl.

[Screenshot: DSM 6 Beta 2 - Let's Encrypt]

Click on “Apply”. There should be a screen stating “Processing. Please wait…”, or, when you didn’t follow the steps correctly, maybe the following error.

[Screenshot: DSM 6 Beta 2 - Restarting web server]

[Screenshot: DSM 6 Beta 2 - Let's Encrypt error]

When you get this error, make sure you didn’t make any typos, you created the correct DNS records, and your NAS is accessible via port 80.

When everything is okay your Synology NAS will restart the web server automatically.

The result!

When finished, your Synology NAS has a valid SSL certificate from the Let’s Encrypt Authority X1. Please note that the issued certificates are only valid for 90 days. After that I think there will be an automatic renewal?

[Screenshot: DSM 6 Beta 2 - Example Let's Encrypt SSL certificate]

[Screenshot: DSM 6 Beta 2 - Example Let's Encrypt SSL certificate properties]

Please leave a comment if you found this post useful.

* Update 27-03-2016:

Today I reviewed my current certificate! To my surprise the certificate was automatically renewed. The only downside is that I cannot find a log entry in DSM’s Log Center.
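Added example, not code from the original post: a small script that checks which certificate the NAS actually presents on the DSM port, whether it covers the name you connect with, and how many of the 90 days are left, so you can see for yourself whether the renewal happened and whether DSM is still handing out its factory certificate instead of the new one. DSM_PORT, the 30-day renewal threshold and the two sample certificate dicts are assumptions I constructed; nothing here was captured from a real NAS.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumptions, not taken from the original post: DSM listens on 5001, and a
# certificate should be renewed once fewer than 30 days remain (the usual
# ACME client default for 90-day Let's Encrypt certificates).
DSM_PORT = 5001
RENEW_BEFORE_DAYS = 30


def rdn_value(rdns, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples that
    ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in rdns:
        for name, value in rdn:
            if name == key:
                return value
    return None


def san_matches(cert, hostname):
    """True when hostname is covered by a DNS subjectAltName entry
    (exact match, or a single-label wildcard such as *.brainpulse.nl)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def assess_cert(cert, hostname, now=None):
    """Summarise a getpeercert()-style dict: issuer, whether it is a self-signed
    certificate (like the Synology default), whether the name matches, days left."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    return {
        "issuer": rdn_value(cert.get("issuer", ()), "commonName"),
        "self_signed": cert.get("issuer") == cert.get("subject"),
        "name_matches": san_matches(cert, hostname),
        "days_left": days_left,
        "renew_now": days_left < RENEW_BEFORE_DAYS,
    }


def fetch_cert(hostname, port=DSM_PORT, timeout=5):
    """Return the leaf certificate the NAS serves on the DSM port, verified
    against the system trust store. Raises ssl.SSLCertVerificationError when
    the NAS still serves an untrusted certificate (e.g. the Synology default)
    or the certificate does not cover hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample data (not captured from a real NAS) so the logic runs offline.
CHECK_TIME = datetime(2016, 3, 27, tzinfo=timezone.utc)
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "example.brainpulse.nl"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "Let's Encrypt Authority X1"),)),
    "notAfter": "Apr 22 12:00:00 2016 GMT",
    "subjectAltName": (("DNS", "example.brainpulse.nl"), ("DNS", "example2.brainpulse.nl"),
                       ("DNS", "example3.brainpulse.nl")),
}
SAMPLE_DEFAULT_CERT = {  # shape of a self-signed factory certificate as getpeercert() reports it
    "subject": ((("commonName", "synology.com"),),),
    "issuer": ((("commonName", "synology.com"),),),
    "notAfter": "Jan 10 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "synology.com"),),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.brainpulse.nl"
    try:
        print(host, assess_cert(fetch_cert(host), host))
    except ssl.SSLCertVerificationError as e:
        # Typical causes on DSM: the Let's Encrypt certificate was issued but not set as
        # Default under Security > Certificate > Configure, or the name is not covered.
        print(f"{host}: certificate rejected by the trust store ({e.verify_message})")
```

Run it as `python check_dsm_cert.py example.brainpulse.nl` from a machine outside your LAN; from inside, a router that redirects the name to the LAN IP will produce the same name-mismatch warning the browser shows.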

214 Comments

  1. john

    Thanks for the write-up, it will prove to be helpful.

    One question though….

    “Create the DNS records for the domain names you want to use. This is an A record which points to your WAN IP address.”

    What do you mean by an ‘A’ record? Under which setting in the control panel will I find this?

    • StefanDingemanse

      Hi John,

      Sorry for the delayed response. By creating an A record I mean that you have to create this record for your public domain name. So you have to log in at the hosting provider where you registered your domain name and create the record there.

      Let me know if you still don’t know where you have to create this A record.

  2. Bred callhigan

    You wrote: “After that I think there will be an automatic renewal?”

    Does anybody know if the renewal is fully automated?

    • StefanDingemanse

      Hi Bred,

      I don’t know yet. My certificate will expire on the 22nd of April. I will let you know if this renewal is fully automated.

    • StefanDingemanse

      Hi Bred!

      Today I reviewed my current certificate! To my surprise the certificate was automatically renewed. The only downside is that I cannot find a log entry in DSM’s Log Center.

      p.s. last week DSM 6.0 RC was released, maybe they fixed this in the latest release.

  4. TheRain

    Thanks for the tutorial. I now have a certificate that goes with mynas.synology.me.

    I do have a few questions though:

    * when I type in mynas.synology.me in the browser, it directs me to http://mynas.synology.me. How can I force it to direct to https://mynas.synology.me ?
    * when I manually type in https://mynas.synology.me (within my local network), I’m forwarded to the local IP address of my NAS (like 192.168.0.111). The browser gives me (rightfully) the warning that the SSL certificate isn’t correct (since 192.168.0.111 doesn’t match https://mynas.synology.me). Is there a way to prevent the NAS from forwarding to a local IP address?
    * When I go to mynas.quickconnect.to, I’m directed to the DSM login page (excellent!). But when I go to (http or https) mynas.synology.me, I get the default “Web Station is activated. Go to the “Web Service” part in DSM to….. (etc)…”. I haven’t enabled personal websites. However, when I go to https://mynas.synology.me:5001, I do get the login page. What do I need to change, so that I’m also taken directly to the DSM login page?

    I hope you (or a reader) can help me with this. Many thanks in advance and have a great day!

    • StefanDingemanse

      Hi,

      1) The setting to force HTTPS you can find here: Control Panel –> Network –> DSM Settings. There you have the option “Automatically redirect HTTP connections to HTTPS”.
      2) Do you also get this on another PC? It looks like the local HOSTS file of your PC has been modified incorrectly.
      3) I think I have modified the following settings, but I’m not sure: Control Panel –> External Access –> Advanced. I only filled in the Hostname; the other two fields are empty.

      Hope I answered a few of your questions man!

  6. Giacomo

    Hi Stefan,
    I’m going crazy trying to understand why it doesn’t work. I have Web Station running, port 80 opened, I created a subdomain nas.mydomain.com and redirected it to my Synology public IP https://NasIP:5001. Still I receive the “failed to connect to let’s encrypt” message. If I type my subdomain URL the redirection works perfectly. I really don’t understand what is going wrong.

    • StefanDingemanse

      Hi Giacomo,

      It looks like you followed all the correct steps. The only difference I can see is that you are using port 5001. My redirect from the outside to local is https –> https (443 –> 443).

      Next week I will try to create the ports you are using to find out if I also get the same error.

      • Giacomo

        Hi Stefan,

        Thanks a lot for the answer, unfortunately even redirecting to the port 443 doesn’t solve the problem 🙁

    • Xander

      You can’t use LAN hostnames and IPs with Let’s Encrypt.

      The DiskStation creates a temporary verification file in your web dir, then Let’s Encrypt attempts to read that file from outside. All domains in your certificate request are validated this way; when one of them cannot be accessed from the internet you get that “failed to connect” error.

      • Giacomo

        Sorry for the late reply and thanks for the answer! Pardon my ignorance, but I’m not sure I fully understand what you mean; what should I do to make it work according to what you said?

        Thanks a lot Xander!
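Xander’s explanation above amounts to a check you can run before clicking Apply: every name in the request must resolve to your WAN IP and must answer on port 80 from the internet, and a single LAN name or missing A record fails the whole request. This is an added example, not code from the post or from any commenter; the resolver and port probe are injectable, and FAKE_WAN_IP, FAKE_DNS and the fake probe are constructed data so the decision logic can be exercised offline.

```python
import ipaddress
import socket

# Private ranges that Let's Encrypt's validation servers can never reach.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_a(name):
    """Live resolver: first IPv4 address for name (raises socket.gaierror if none)."""
    return socket.gethostbyname(name)


def port_open(ip, port=80, timeout=3):
    """Live probe: can we open a TCP connection to ip:port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domains, wan_ip, resolve=resolve_a, probe=port_open):
    """Map each requested name to a list of problems. An empty list means the name
    should pass the HTTP validation; one failing name fails the whole request."""
    report = {}
    for domain in domains:
        problems = []
        try:
            ip = resolve(domain)
        except OSError as exc:
            report[domain] = [f"no A record ({exc})"]
            continue
        if ip != wan_ip:
            problems.append(f"A record points to {ip}, not the WAN IP {wan_ip}")
        if any(ipaddress.ip_address(ip) in net for net in LAN_NETS):
            problems.append("LAN address: Let's Encrypt cannot reach it from the internet")
        if not probe(ip):
            problems.append("TCP port 80 not reachable (router port forward / ISP block?)")
        report[domain] = problems
    return report


def request_would_pass(report):
    """True only when every requested name came back without problems."""
    return all(not problems for problems in report.values())


# --- constructed offline demo: fake DNS answers and fake reachability ---
FAKE_WAN_IP = "203.0.113.10"                   # documentation address standing in for a WAN IP
FAKE_DNS = {
    "example.brainpulse.nl": "203.0.113.10",   # correct A record
    "example2.brainpulse.nl": "203.0.113.10",
    "diskstation.local": "192.168.0.111",      # LAN name: resolves and answers, but only from inside
    "typo.brainpulse.nl": None,                # record never created at the registrar
}


def fake_resolve(name):
    ip = FAKE_DNS.get(name)
    if ip is None:
        raise socket.gaierror(-2, "Name or service not known")
    return ip


def fake_probe(ip, port=80, timeout=3):
    # Pretend both the WAN address and the LAN address accept connections on port 80.
    return ip in ("203.0.113.10", "192.168.0.111")


def demo():
    return preflight(list(FAKE_DNS), FAKE_WAN_IP, resolve=fake_resolve, probe=fake_probe)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

With the live resolver and probe, run the check from outside your own network where possible: from inside the LAN a router that does not hairpin NAT can make a correctly forwarded port look closed.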

  8. Gerard

    Thanks. I had one error after installing. Problem was an old certificate of synology. Removed it and everything works like a charm!

  10. Wingie

    Hi Stefan,

    I just tried to get a certificate for my (sub)domains but I only get the error message you mentioned. I’ve checked everything twice and can’t find an error. I have Web Station running on port 80 and everything is being redirected from my router to my NAS. I’ve also configured the reverse proxy for my different subdomains, like sub.domain.eu -> port XX, sub1.domain.eu -> NAS port YY etc. This is working perfectly, but does this interfere with Web Station?

    I’ve also checked that I could access Web Station via the internal IP address (external won’t connect to Web Station because of the redirects the subdomains are pointed to).

    Another thing: I first tried to use my external domain name (hosted somewhere else) as the main domain name and added all my subdomains in the alternative name field separated with a ;.

    Any hints or clues where to find logging to see what’s going wrong?

      • ovancant

        You have to check that Web Station is accessible from outside your LAN on port 80 (HTTP) and 443 (HTTPS). You can check this by first generating a self-signed certificate. Your browser will give you a security warning for HTTPS, but you can ignore it.
        My problem was that my Internet provider was actually blocking port 443 as it is used by some malware (for remote bot control). I thought for a long time that my router was the culprit, but no. I requested that they open port 443 for me. They did, then no problem.

  12. Bart

    It works great for the normal DSM admin 🙂

    Now I would like to enable https for the package SABnzbd. In the settings it asks for: “HTTPS Certificaat”, “HTTPS Sleutelbestand” and “HTTPS Chain” bestand. How can I find the location of these three files?

    • Stefan Dingemanse

      Hi Bart,

      You can export the created certificates. After the export you will have an archive.zip. Inside this zip file you will find the following files.
      cert.pem
      chain.pem
      privkey.pem

      That’s the info you are looking for. You can change the extension to .cer and .key.

      • Patrick

        But then you have to export these files every three months; if we knew the location in Linux, maybe we could enter that path in SABnzbd and other apps.

  16. Tristan

    Hi guys,

    Mine is about to expire. I just got an email from Let’s Encrypt that it will expire in 17 days, but on the NAS it says that it will expire in 2 months and 17 days. Any idea when DSM will renew it automatically?

  18. Sandeep

    Stefan,

    I would like to know how you can use your own domain (in this example, brainpulse.nl), have its subdomain point to the NAS, and keep updating the IP address of your ISP connection. These DynDNS services (I use synology.me) help with this by updating the new IP regularly, but how can I do this with a domain I own?

    If you point example1.brainpulse.nl to your domain, then in External Access -> Advanced, do you set this as the hostname?

    Kind regards,
    Sandeep

    • Stefan Dingemanse

      Hi Sandeep,

      I live in the Netherlands and my current ISP is KPN. My external IP has never changed so far; I thought that you only get a new IP when there are problems with your router and it has to be replaced, or on network related errors.

      If my external IP were to change I would have to change my current DNS settings for my domains to the new IP.

  20. Paul

    Excellent post; very helpful. Combined with the setup support of Synology EZ-Internet (including port forwarding) it was very easy!

  22. Bryan

    I’m using DSM version 6.0-7321 Update 3. After following the instructions above my connections to https://:5001 were not using my newly created certificate. To fix this I had to go to “Security –> Certificate” select my newly created certificate and click the “Configure” button. On this page, next to “Default” and “FTPS” I used the drop down box to select my new certificate so that connections to DSM would utilize my new certificate instead of the default one (synology.com). This fixed my issue so I wanted to pass it along to help others.

    Also, I like the advice of selecting:
    “Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded)” under
    Network –> DSM Settings.

    • Mike Garrett

      I too found that (using Firefox) my new Let’s Encrypt certificate was ignored – Firefox continued to see the Synology default certificate – and did not like that one. I tried to delete the Synology certificate, but the “Delete” button was greyed out. Eventually I solved this by marking the Let’s Encrypt certificate as the default, at which point I could delete the Synology certificate. After that Firefox used the Let’s Encrypt certificate and everything was good.

      I’d suggest that Synology expand the DSM Help in this area, based on Stefan’s really helpful article.

      • Jéremy

        Hi, I have the same issue. Synology keeps the SSL certificate from Synology and not my newly created certificate.
        I deleted the old one. Should I wait some time or do a reboot?

  24. Jon

    Thanks – great post!

    Using this method I was able to get SSL working to my WebStation using a 3rd level subdomain from dyn.com. Works like a charm.

    • Jon

      By the way – Let’s Encrypt is awesome. I ran my new cert through the SSL Labs Server Test and it was graded ‘A’, which is better than the older built-in Synology one, even taking into account the name mismatch issue.

      https://www.ssllabs.com/ssltest

  26. Kray

    I’ve got this all setup and working, however, now when I try and access my domain using HTTPS, instead of getting to the DSM Login, I get a Synology page that says:
    “Sorry, the page you are looking for is not found.”

    I’m using https://mydomain.com:5001

    I am also not able to login using the DS File app on iOS. “Can’t connect to server” message.

    Have you seen this before? Any idea how to fix it?

    • Trey0

      With DS File (HTTPS checked) you have to use your domain address on port 5001 and no longer your quickconnect ID.
      Put mydomain.com:5001 in the address field and it will work.

      If you uncheck HTTPS connection in DS File you can continue to use your quickconnect ID to authenticate.

      If you use your domain name, the port number may change depending on your mobile device, your DS File version and your DSM version (https://www.synology.com/en-uk/knowledgebase/DSM/tutorial/General/What_network_ports_are_used_by_Synology_services):
      Android devices (TCP):
      – DS file 4.x and a DiskStation running DSM 4.3 and later: 5000, 5001 (HTTPS)
      – DS file version prior to 4.0 or a DiskStation running DSM 4.2 or earlier: 5005, 5006 (HTTPS)
      iOS devices (TCP):
      – DS file 5.x and a DiskStation running DSM 4.3 and later: 5000, 5001 (HTTPS)
      – DS file version prior to 4.0 or a DiskStation running DSM 4.2 or earlier: 5005, 5006 (HTTPS)
      Windows Phone (TCP): 5000, 5001 (HTTPS)

  28. KarlB

    OK. I spent the whole day trying to get this to work. Pulling my hair out. New domain name with A record pointing to home WAN IP. I opened port 80 in my router. Tested it with http://www.yougetsignal.com/tools/open-ports/ and port 80 is open. I can browse to the NAS with my domain name, though I dare not log in since it is an insecure connection. I follow all the steps above to the letter, and I keep getting the same error “Failed to connect to LetsEncrypt. Please make sure the domain name is valid.” What am I missing??? Any help would be greatly appreciated!

    • Ted Rogers

      You can log in you know…it is encrypted end-to-end, it’s just not validated. All of this is really just to have a nice green tick instead of a red cross. Still, it’s annoying me that I can’t get it to work either!

  30. Michel Matton

    Hi Stefan,

    Thanks for the extensive post and answers on the various questions.
    I would like to add one or two questions.
    Is it possible to use the QuickConnect ID as the domain for the certificate, or is it required to register a real domain?
    And second, if the above is not possible, do you know perhaps how to register a domain on a Ziggo IP address in the Netherlands 😉

    Kind regards, Michel

  32. Jack

    For anyone getting the same error as I did (“The operation failed. Please login to DSM again and retry”) – make sure that the option Control Panel –> Network –> DSM Settings -> “Automatically redirect HTTP connections to HTTPS” is switched OFF while installing the certificate as described above. You can turn it back on after the certificate is installed.

  33. ASD

    Dear Stefan,

    just wondering if this article is only a “how to” for installing a certificate for a secured webpage, or if it also has something to do with the certificate that you can use for accessing your DSM via mobile apps (DS video, DS file, etc.)

    because in the mobile apps you have an option for enabling the “https” way, and also, hidden under the settings icon, another option “verify certificate”

    Note:
    – I do not host any webpage
    – I only use basic functions + mobile access, but I am interested in enabling the most secure way without any other extra services that are not needed.

    Thank you for your reply in advance

    Regards,
    ASD

  34. Ted Rogers

    I always get “Maximal Certificate Requests for this domain name” error. I already have the default self-signed synology.com cert in there, which is fine on LAN, but no good externally.

    If I try to replace the default cert, I still get the same error.

    If I add new, I get same error.

    I’ve tried every combination of my various noip hostnames and email addresses; nothing works.

    Any ideas?

    I don’t think you need Web Station turned on BTW. It does the same for me when it’s on or off.

  36. blackburn

    Hi,

    I want to block port 80 in my router and I don’t know if this configuration can still work when the certificate is updated after 90 days

    thanks

    • Ted Rogers

      I wondered about this too…I’m going to try a simple affair as Jeff says, and then just close port 80 for a month+ and see what happens.

  39. Ted Rogers

    Well, no matter what I do I still get the “Maximal Certificate Requests reached for this domain name” error.

    I’ve tried:

    1. Single DDNS (A-type) and completely new email, no other SAN’s (Subject Alternative Names).
    2. With and without Web Station running.
    3. Port 80 open all the time and confirmed by port checker, and well access to my test website via Web Station.
    4. Replace existing certificate option with and without make default option.

    Stumped! Nothing is working and it shouldn’t be this difficult. Any suggestions?

    • Ted Rogers

      Okay, it’s sorted.

      For me, not a single no-ip free DNS would work – although other paid or free DNS may work.

      The only one that works is the Synology Account DNS that comes with my Syno, and I’m not allowed any other SANs.

      Thank goodness for that! It was a very painful experience, and Synology should update their help to prevent this in future.

  41. Martin

    works like a charm. Getting a domain name, editing it myself in DNS at the hosting provider to point to my home IP address, waiting some hours for synchronisation of the DNS servers, forwarding local router port 80 to the NAS local IP address, installing Synology Web Station, and creating a new certificate at Let’s Encrypt….. #midfullness 🙂

    Thanks for the tips!

  43. Rowlers

    I also got the message “Failed to connect to Let’s Encrypt. Please make sure your Diskstation and router have port 80 open…”.

    Apparently my Diskstation’s Firewall was blocking traffic even though I configured port forwarding for port 80. Open Control Panel —-> Security —-> Firewall —> Untick “Enable Firewall”.

    This way I was able to retrieve my certificate. I turned my Firewall back on afterwards.

  45. JB

    Hi This is really a good & helpful guide~ Thanks indeed!

    I tried many times before I found this article and it didn’t work; the only difference was that I hadn’t installed the Web Station. But now, even though I installed the Web Station, it still doesn’t work…

    It just prompts a dialog showing the message: The operation failed. Please log in to DSM again and retry.

    I am using DSM 6.0.1-7393 Update 1 on Synology 1511… tried many times, but still no pass…. haiz…..

    • GM

      Getting the same problem as JB. “The operation failed. Please login in to DSM again and retry.”

      I suspect it’s not my internal setting, since I am able to get a SSL cert for the Synology provided DDNS.
      I can then forward my own domain name to the Synology DDNS, but this seems a backwards way to go about it.

      Look forward to other ideas, if they are available.

  47. Martijn

    Thanks for the useful article.

    Would you happen to know how to manually retry the renewal? I had my port 80 closed at the 30 day mark, and I’m unsure if DSM will automatically retry again.

    According to the file /usr/syno/etc/letsencrypt/letsencrypt.default the renewal is attempted at 30 days before expiration. I can’t find which process or cronjob to trigger to retry.

    Thanks!

  49. nasmaster

    You forgot to mention that if you want to avoid typing the custom (recommended) port number that the NAS listens on (https://domain.com:5001) every time you want to access the NAS, and instead access it by just typing the domain name domain.com, go to Control Panel –> Network —> DSM Settings —> go to the section Domain, enable “Enable customized domain” (enter domain.com), enable “Enable HSTS” and then apply! After that access your secured NAS by typing domain.com and it will take you to the secure page, awesome!

    • StanP.

      This works on my first DiskStation, but on my second DiskStation if I put in just my custom domain name without the port number I get directed to the Web Station landing page. Any resolution for that?

    • Andrew

      I tried this and then found that I couldn’t access my NAS through the domain I had entered – [my name].synology.me.

      The only way I could get back in and turn off this setting was using the QuickConnect URL.

  51. jamie

    OK. Driving me nuts. I’ve been accessing my NAS from a registered domain for years and figured I would switch to a signed cert. Seems straightforward, but I keep getting the ‘Let’s Encrypt can’t connect’ error even though I have ports 80 and 443 open. I have tried disabling the firewall and the redirection of port 80 to 443 as suggested in posts above, but no matter what, or how long I leave it between trying these changes (tried letting 24 hours pass in case Let’s Encrypt or something caches a connection), it just won’t connect back.

  53. Rommel

    This is absolutely useful! Thanks so much.
    If it is of any help to others I had to delete the self signed default certificate for it to work. I tried by making the Let’s Encrypt the default one but didn’t work. Once I removed the other one it worked immediately.

    Thanks again,
    Rommel

  55. Lorenzo

    Hi Stefan, this is probably the most useful post on the matter, still I can’t understand some basics as I’m not a tech guy:

    – Have a DS416play connected to the Internet via dynamic IP
    – My goal would only be having a way to access NAS with HTTPS
    – No static IP, no domain name, no website, except for the quickconnect ID or any other DynDns service I can use for free

    – Can I use the yyy.Quickconnect.to address as server name?

    I’m only getting “The operation failed. Please log in to DSM and retry” message everytime.

    Any help would be appreciated, in the meantime I’m connecting via HTTP….
    thanks,
    Lo.

  57. Brad

    I had a lot of problems. I had it set to subdomain.domain.com on port 80 and 443 just fine. But I kept getting a vague error creating the certificate.
    I eventually turned off web service (Never saw anyone else say this was needed)
    Went to Control Panel->Network Settings -> DSM Settings:
    Disable “Automatically redirect http connections to https”
    Check Enable customized domain: (enter domain name in box: subdomain.domain.com)
    rebooting (takes a while…)
    Then it worked first time. So for me it wasn’t the port forwarding or problem with a public (common) domain..

    You can also see some letsencrypt error messages if you ssh into the box,
    sudo tail -f /var/log/messages

    Hope that helps someone.

  59. JR Heuwing

    THX, for the tutorial. Finally i can synchronize the calendars without wifi or VPN connection. For safety reasons i only wanted an secure connection and that is now possible.

  61. Mginius

    Thank you very much. Really useful step-by-step guide!
    It’s worth noting that the current stable version 6.0 (DSM 6.0.2-8451 Update 1) requires you to set up the newly created certificate as “default” (button “Configure”, click on every “synology.com” menu and choose the new one).
    I think you need this additional step to tell the NAS to use the new certificate instead of the self-signed pre-built “synology.com” one.

    Thanks again for your guide! You saved my hours.

  63. Pingback:Let’s Encrypt with Synology NAS when you can’t open port 80 – Something better to do

  65. Ricsi

    Hi!

    Could you successfully renew the certificate since? Because for me it was not renewed on the 4th. I have tried manually, but it always says that I should enable port 80, but it is enabled.

    Do you have any idea?

    Thank you!

    Ricsi

  67. Paul Barrett

    No, that was no good, you made it far too easy. It only took me 5 minutes from start to finish. Nothing went wrong and I was not required to edit anything. 🙂

    Brilliant – thanks

  68. Russ Davis

    Just so everyone knows, if you’re using the synology DDNS service as a CNAME for your custom domain name, it won’t work.

    You have to put a physical A record with the WAN ip address.

  70. Brian

    HI,
    I’ve read all the post but no one seems to be answering the following.
    1. Port 80 open on my NAS is a risk, Do i need have this open after the setup?
    2. Likewise, the WebServer…is this actually needed post installation?

  72. Pawel Raszewski

    1. Forward PORT 80 on a public interface of your router to PORT 80 on NAS. DO NOT forward public port 80 on NAS port 5000 or 5001 because it is not going to work!

    2. Delete old expired cert if you have one

    3. Request a new cert and it should work

  74. StanG

    FYI:
    Webserver package is not necessary. I just did it without. I only have DSM, File Station and Surveillance Station.

  76. Andreas

    I get that error
    “Failed to connect to Let’s Encrypt. Please make sure that port 80 is open on your DiskStation and your router for the Internet domain validation by Let’s Encrypt. All other network communication with Let’s Encrypt takes place over HTTPS to protect your DiskStation.”

    Although
    – when I check using https://www.yougetsignal.com/tools/open-ports/, my ports 80 and 443 for my IP are open,
    – when I open nas.mydomain.de, nas.mydomain.de:80, or https://nas.mydomain.de:443 in a Browser from outside the LAN, I get to the web station,
    – when I open nas.mydomain.de:5000 or https://nas.mydomain.de:5001, I get to the DSM interface,
    – forced SSL is switched off,
    – web station is installed and active,
    – in fritz.box, ports 80 and 443 are routed to 80 and 443 on the NAS, while the fritzbox remote access is on a different, high port

    I have no clue what could possibly be wrong…

  78. drew

    I’m using a dynamic DNS service and planning to have some subdomains.
    Will this work if I specify the subject Alternative Name as a wildcard, for example:
    *.mydomain.synology.me
    Would appreciate the answer.

  80. rob holding

    All I want to do is connect to my NAS using HTTPS as I keep getting the following error:

    Your connection is not private

    Attackers might be trying to steal your information from 192.168.1.246 (for example, passwords, messages or credit cards). Learn more
    NET::ERR_CERT_COMMON_NAME_INVALID

    I’m sure this tutorial is very helpful when you know what you’re doing, but I’m getting stuck at the first step:

    Create the DNS records for the domain names you want to use. This is an A record which points to your WAN IP address.

    Please can someone either tell me what I need to do or point me to where I can read about what an A record is, how to get a DNS record and how they relate to my Synology NAS please.

    Many many thanks

  82. edozwart

    hi all,

    @Stefan, thanks for sharing this interesting topic!

    @Everybody:

    I tried a lot but it isn’t working yet, maybe you can help me out. I have the following situation:

    Nas 916+, installed latest DSM version
    Created my own domain using freenom (ml domain) and created an A record there which is pointing to my public ip of my router
    Opened both ports 80 and 443 and checked if they are open with (https://www.yougetsignal.com/tools/open-ports) and both are open (confirmed by this tool)
    Tried to enable/disable “http connection automatically re-routed…” but does not seem to work

    I really would like to get this working because my camera recordings are not available from my phone if I use https instead of http.

    Can you help me out?

    Thanks already guys!

  84. Fluefiske

    Hello Stefan

    I have a question about the path of the certificates: is this just a temporary path, and does it change after a renewal of the certificate?

    Thank you for your answer,

    Andr’e

  86. Adan SARKOZY

    Hi,

    I followed the steps, however, the browser showed the following message when I was trying to browse my website in HTTPS:

    Error Code: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID

    This happens on all of my browsers, Chrome, Firefox and Edge. I’ve followed the steps and created the A record for my domain. Couldn’t find out how to fix it, please help!

    Thanks in advance

  88. Peter

    Hi, thanks for posting this great article!
    I try to connect my NAS Synology server with Amazon Alexa. Synology has provided the audio station skill, so in principle I should be able to make the connection. An explanation is given by synology: https://www.synology.com/nl-nl/knowledgebase/DSM/tutorial/Multimedia/How_to_enable_Audio_Station_skill_on_Amazon_Alexa

    However, although I think I understand most of your explanation, I don’t seem to manage to create a trusted SSL certificate with Let’s Encrypt, even though I can complete the process. The reason I know is that when I try to tick the Enable Amazon Alexa service checkbox and have to fill out the corresponding hostname, I receive the pop-up message “failed to apply settings. Please check the Internet connectivity, and ensure normal access to your DiskStation from the internet”. When I type the domain name provided by the NAS (rnuijten.synology.me), the page is not displayed (“Error code: INET_E_RESOURCE_NOT_FOUND”).

    It’s obvious that I did something wrong. I checked the prerequisites you mentioned before starting, and I fear that I did something wrong there. My primary suspicion is that I did not properly create the DNS records (I created a Master zone with the above-mentioned domain name). There might also be something wrong with the port forwarding: I have created a forwarding to port 80 in my router settings, but the standard setting for the Audio Station in Synology is port 5000. Finally, I have doubts whether the domain I used is valid, and my provider Ziggo only gives me a dynamic IP address.

    In short, there is a lot to choose from when it comes to the proper settings, and I must admit that I have actually no real technical experience, so I hope you can help me out here a bit :)

  90. Dick

    This was very helpful. Finally I got rid of the annoying message telling me the website is not safe.
    Thanks very much!!

  92. Alan

    Thanks for this. I was investigating the hard way… Did not even look to see if Synology supported LetsEncrypt.

  94. Richard

    Google is making changes regarding certificates and Chrome being trusted. It appears that Let’s Encrypt and Chrome 67 get flagged as untrusted now.
    I checked my synology nas and the cert is good until next month. I had no issues prior to updating to Chrome 67
    Thought you should know

  96. Pascal

    i have port 80 (external, open) redirecting to internal 5000, which then in turn is automatically forwarded to internal 5001 (https DSM Synology)

    do i have to temporarily switch the internal landing port to 80 instead of 5000 in order for this to work? ‘cuz i’m getting this can’t connect error.

    sorry but i’m very hesitant to change these ports trying not to mess anything up.

    thx for the guide & possible response in advance

    • Vesela Houba

      That’s exactly what I had to do to make it work. Nginx inside synology is set-up to serve /.well-known/acme-challenge/ only on 80 and 443, not on 5000 and 5001
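
Almost every failure in this thread (router forwarding 80 to 5000, the DiskStation firewall dropping 80, a redirect answering instead of the challenge file) comes down to one round trip: the CA fetches http://your-domain/.well-known/acme-challenge/<token> on port 80 and expects the key authorization back, exactly as Vesela Houba describes and as Pawel Raszewski's "forward 80 to 80, not 5000" rule implies. The script below is an added example, not code from Synology or Let's Encrypt. It runs both halves of the exchange on localhost: a tiny server that only answers under the challenge path (the NAS side) and a validator that fetches and checks the token (the CA side), with a constructed account key and token, so it needs no domain or Internet access. The validator reports why a probe failed, which is the detail DSM's generic "failed to connect" dialog hides.

```python
"""HTTP-01 challenge round trip on localhost: a tiny "NAS" side that serves
/.well-known/acme-challenge/<token> and a "CA" side that fetches it.
Added example, not Synology or Let's Encrypt code. Account key, token and
ports are constructed for the demo; no domain or Internet access is needed."""
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed account key in JWK form (placeholder values, not a real modulus);
# only its RFC 7638 thumbprint is used below.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-for-demo"}

# The CA connects to the host directly; ignore any http_proxy in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def b64url(data):
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: required members only, sorted keys, no whitespace, SHA-256."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """What the challenge URL must return: <token>.<account key thumbprint>."""
    return token + "." + jwk_thumbprint(jwk)


class ChallengeHandler(BaseHTTPRequestHandler):
    """NAS side. Anything outside the challenge prefix is a 404, which is what
    a forward to DSM on 5000/5001 (where the path is not served) looks like."""
    challenges = {}  # token -> key authorization, set by start_challenge_server

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.challenges.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.end_headers()
                self.wfile.write(body.encode("ascii"))
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_challenge_server(challenges):
    """Serve the token map on an ephemeral localhost port; returns the server."""
    ChallengeHandler.challenges = challenges
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_http01(host, port, token, jwk, timeout=2.0):
    """CA side. Returns (ok, reason); the reason is the detail that DSM's
    generic 'failed to connect' dialog hides."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PREFIX, token)
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.HTTPError as exc:            # reachable, but path not served
        return False, "HTTP %d for %s" % (exc.code, url)
    except (urllib.error.URLError, OSError) as exc:  # refused, filtered or timed out
        return False, "cannot reach %s: %s" % (url, exc)
    if body != key_authorization(token, jwk):
        return False, "body is not the expected key authorization"
    return True, "valid"


def demo():
    """Three probes: the good case, the wrong-path case, the wrong-port case."""
    token = "constructed-token-0123456789"
    server = start_challenge_server({token: key_authorization(token, ACCOUNT_JWK)})
    port = server.server_address[1]
    # A bound but never listening socket: connecting to it is refused, like a
    # router forward that lands on a port with nothing behind it.
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    try:
        return {
            "correct port and token": validate_http01("127.0.0.1", port, token, ACCOUNT_JWK),
            "path not served (unknown token)": validate_http01("127.0.0.1", port, "other", ACCOUNT_JWK),
            "port with no listener": validate_http01("127.0.0.1", dead.getsockname()[1], token, ACCOUNT_JWK),
        }
    finally:
        dead.close()
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("PASS" if ok else "FAIL", case, "->", reason)
```

The validator follows what the CA does in production: a plain HTTP GET on the port it was told about (80), no redirect tricks, and a byte-for-byte comparison of the body against token.thumbprint. Point it at your own domain and port 80 from a machine outside your LAN (with a token you know DSM is not serving) and a 404 tells you the path reached DSM but on a port where nginx does not serve it, while "cannot reach" tells you the router or the DiskStation firewall is still in the way.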

  98. Pingback:Setup Home Assistant with Letsencrypt on Synology | Egebaek

  100. Eden

    how do I get the certificate if I only have LAN access to the NAS? I don’t have any website published on the internet, but I do want to use https and get rid of the warning from Firefox or Chrome saying https://myNAS:5001 is not safe, for which I have to add an exception.

    I have been desperately searching for a solution, found this here, but it is still not solved…

    any suggestion?

    thanks in advance

    • Phil

      This is not a problem you can solve by this means. Let’s Encrypt SSL certificates are issued on a domain name basis, so if you don’t own a domain this is useless to you.
      Your best option IMO is to create a self-signed certificate on your NAS and use that. Have a look here: https://stackoverflow.com/a/15076602
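
For the LAN-only case Phil describes, the certificate has to carry a subjectAltName: browsers check the SAN, not the CN, which is why a cert with only a CN gives the NET::ERR_CERT_COMMON_NAME_INVALID that rob holding sees even after it is trusted. The script below is an added example, not code from this post or from Synology. It generates a self-signed server certificate whose SAN lists both the LAN hostname and the LAN IP, and adds two checks that also work on a Let's Encrypt certificate exported from DSM. The hostname nas.home.lan is an assumption; the IP reuses the 192.168.1.246 from the comment above.

```sh
#!/bin/sh
# Self-signed server certificate for a LAN-only DiskStation, with a
# subjectAltName carrying the hostname and the LAN IP. Browsers validate
# the SAN, not the CN, so a certificate with only a CN produces
# NET::ERR_CERT_COMMON_NAME_INVALID even after you trust it.
# Added example; the hostname and IP used below are assumptions for a home
# LAN, not values taken from DSM.

# make_lan_cert <outdir> <hostname> <lan-ip>
# Writes <outdir>/nas.key and <outdir>/nas.crt (825 days; longer-lived
# server certificates are rejected by some current clients).
make_lan_cert() {
    outdir="$1"; host="$2"; ip="$3"
    mkdir -p "$outdir"
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $host
[v3_server]
subjectAltName   = DNS:$host,IP:$ip
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$outdir/nas.key" -out "$outdir/nas.crt" \
        -config "$outdir/san.cnf" >/dev/null 2>&1
    chmod 600 "$outdir/nas.key"
}

# cert_has_san <cert> <entry>   exit 0 if the SAN lists the entry, e.g.
# "DNS:nas.home.lan" or "IP Address:192.168.1.246" (openssl's own spelling).
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# cert_valid_for <cert> <seconds>   exit 0 if the cert is still valid that
# far ahead. Useful as a renewal alarm for a Let's Encrypt cert exported
# from DSM, e.g. cert_valid_for cert.pem $((30 * 86400)) || echo "renew now".
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Example run (assumed LAN names):
#   make_lan_cert ./lan-cert nas.home.lan 192.168.1.246
#   cert_has_san ./lan-cert/nas.crt "IP Address:192.168.1.246" && echo "SAN ok"
```

Import nas.key and nas.crt through the same Certificate tab the tutorial uses (Add, then the import option rather than Let's Encrypt), install nas.crt as a trusted certificate on each client, and make sure the hostname resolves on the LAN (local DNS or a hosts entry). The SAN has to contain exactly what you type in the address bar: with the entries above both https://nas.home.lan:5001 and https://192.168.1.246:5001 validate, anything else does not.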

  102. HANZ

    THX BRO, your tip worked. If you guys want to use a different port, just forward port 80 and 443 to get the cert, then change it after!! DAS IZ GOOD!!

  104. Jagdish Hathi

    Hi Stefan

    This is a great post. Many thanks.

    I have a DS214+ running DSM 6.2.1-23824 Update 6

    Not being very IT literate and before I start, I just wanted to check:

    1. Is the no-ip dynamic DNS name a domain name I can use for installing the letsencrypt certificate? Is it an A record? I don’t have a static IP address so I have to use a dynamic DNS service.

    2. After installing the certificate, will I be able to map a network drive in File Explorer on Windows 10 Professional to access the files over the internet?

    3. Do I have to do anything on my Windows 10 machine to achieve this?

    Many thanks for your help

    Jagdish

    • Bob Koure

      First off, you need to own/control a domain for any of this to work.
      You should be able to use a dynamic name same as a static one. Do not put your current external IP into the cert (no point, it’ll change, eventually).
      For instance, if your domain is hathi.in, you can use dynamic DNS to make sure that hathi.in always resolves to your IP address. BTW, a DNS record that maps a symbolic name (in this case hathi.in) to an IP record is an ‘A’ record (think A for address).
      Once you map your domain to your IP, you can access your firewall from the internet. What protocols get through to your LAN are up to the firewall.

      Mapping a drive on your PC to a diskstation shared folder from outside your LAN is orthogonal to all this. Cert or not, I would suggest you NOT do this (SMB is insecure). I would suggest you instead set up your firewall or NAS as an OpenVPN server. Synology has one (which I’ve never used as I use a pfSense firewall).
      Install the OpenVPN client on your W10 box, connect to your domain, then you can connect to any of your diskstation shared folders (net use Z: \\[ds LAN address]\[folder name] /user:[your username] [password]).
      If you don’t want to use a VPN, then sFTP or FTP/S – and having a ‘blessed’ domain cert will help with these – or you can create your own cert on the NAS, export it onto your W10 box, then install it (just click on the cert, follow the prompts).
      Diskstation also supports ‘OwnCloud’ (which I’ve never used) – and that uses Synology corporate certs and address lookup. Might be the easiest way to get external access.
      Hope at least some of this helps…
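The two checks that keep coming up in this thread, that the domain’s A record currently resolves to your WAN IP (Bob Koure’s point above) and that port 80 actually lands on the NAS web server rather than on the DSM port, which does not serve /.well-known/acme-challenge/ (Vesela Houba’s reply earlier), as a pre-flight script added here; it is not part of the post, of DSM or of Let’s Encrypt. The hostname example.brainpulse.nl, the WAN address 203.0.113.10 and the token path are constructed placeholders, and the `resolver`/`probe` parameters exist so the decision logic can be exercised with fakes.

```python
import http.client
import socket
from urllib.parse import urlsplit

# Constructed for this example: a fake token under the ACME HTTP-01 prefix.
# The CA asks for a real token; a 404 here still proves the path is served.
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-test-token"

def http_probe(host, port, path, timeout=5):
    """GET host:port/path without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()

def classify_port80(status, location):
    """Does this port-80 answer mean the CA can reach the challenge path?"""
    if status in (301, 302, 303, 307, 308):
        if not location:
            return False, "redirect without a Location header"
        target = urlsplit(location)
        port = target.port or (443 if target.scheme == "https" else 80)
        if port in (80, 443):
            return True, f"redirects to {location}; the CA follows redirects to 80/443"
        return False, f"redirects to {location}; port {port} does not serve the path"
    if status in (200, 404):
        return True, f"HTTP {status} on port 80; the web server handles the path"
    return False, f"unexpected HTTP {status} on port 80"

def acme_preflight(hostname, expected_wan_ip,
                   resolver=socket.gethostbyname, probe=http_probe):
    """Return [(check, ok, detail)] for the A record and the HTTP-01 path."""
    findings = []
    try:
        resolved = resolver(hostname)
    except OSError as exc:
        return [("dns", False, f"{hostname} does not resolve: {exc}")]
    findings.append(("dns", resolved == expected_wan_ip,
                     f"{hostname} -> {resolved}, expected {expected_wan_ip}"))
    try:
        status, location = probe(hostname, 80, CHALLENGE_PATH)
    except (OSError, http.client.HTTPException) as exc:
        findings.append(("http-01", False, f"port 80 unreachable, check forward: {exc}"))
        return findings
    ok, detail = classify_port80(status, location)
    findings.append(("http-01", ok, detail))
    return findings
```

Run `acme_preflight("your.host.name", "your WAN IP")` from a machine outside your LAN: a redirect to :5000 or :5001 is the exact symptom Pascal hit, while a 404 on port 80 means the web server answers there and the real token will be found.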
