How to install an SSL Certificate on Synology NAS?
Is there a way to automate this in the scheduled task? No need to force renew by yourself. What you need is to run a scheduled task to copy the certificates issued from the container to the DSM default cert path. We need to keep the container running, so the scheduled task to make acme. Again thank you Felix for your great article, it does help me understand how certificate issue and renewal can be done using DNS The reason I use -force is because the logic of acme.
You know some months have 30 days, some have 31 days. If you leave acme. Thank you. This is wonderful! Can I check, after all the setup, I can stop the docker container right? To answer your second question. Using this container you can issue any certificate you wish. What you need to do is copy the relevant certificates out to the destination system, this NAS or any other device.
Referring to the documentation. If so, why need the docker exec command in the scheduled task? No need to stop it. Please make sure you create a monthly scheduled task to force renew the certificate and rsync copy the certificate files to the right DSM cert directory.
You can take a look at my previous post of how to find the DSM certificate directory. But the new certificate is not recognized by the browser. These are still the old files.
Possible by modifying the script? Thanks for the write-up. So, certificates get renewed perfectly. In my case a wildcard certificate. The certificate is set as the default certificate for all my services. Problem is, the updated certificate does not get sent to browsers. It keeps showing the old, expired certificates. Rebooting the services or the entire Synology does not help. The only thing which helps is adding a new, random certificate through the Synology interface. Changing a service to use the new certificate.
Then revert that back to using the default certificate. Now the updated certificate for this single service is showing to browsers. So I need to do these steps for all the services.
Synology Diskstation SSL with Let’s Encrypt
Why Cloudflare?
Initial Setup
To get started you need to set up an account with Cloudflare, opting for their free service unless you want the web application firewall and other features.
Cloudflare will tell you the names of the servers to use as part of the setup process. This great tutorial explains one way to achieve this. By default, Cloudflare sets up a universal wildcard edge certificate for your domain (wildcard meaning the certificate will be valid for any sub-domain you create), as well as providing an interface to generate an origin certificate should you need it.
In layman's terms, this means the traffic sent from a browser to our server via Cloudflare is encrypted and authenticated using trusted SSL certificates at each stage of the journey.
This is evidenced in the below diagram, which shows padlocked (encrypted) traffic from the browser to the Cloudflare servers (the edge part of the connection), and similarly for the proxied traffic to our origin server. Of course, to validate all stages of the chain, you also need certificates that are signed by trusted certificate authorities (CAs).
Until fairly recently, this would have required purchasing a certificate, rather than the use of a free self-signed certificate. Nevertheless, it is possible to set up a Synology-provided sub-domain and generate your own auto-renewing trusted SSL certificate for this sub-domain within the Synology interface, as this video explains.
In fairness though, the same applies to the Cloudflare Origin Certificate. For the above reasons I chose instead to use an alternative Origin Certificate generated within Cloudflare for my domain. As shown below, you will have the option of letting Cloudflare generate a certificate, or using your own self-generated certificate; I personally chose to let Cloudflare generate the certificate. Cloudflare also allows you to add entries for multi-level sub-domains not covered by the wildcard, as well as giving you a choice of expiry length. I chose the default 15 years, but the more security conscious may wish to choose a lower value.
Once generated, Cloudflare will ask the format for your certificate signing request (CSR) and private key: choose PEM and proceed to copy the resulting text values into two separate text files.
Hence it is important to save this somewhere secure. The links to the certificate can be found on the following page. The certificates area will show all the certificates registered on your Synology NAS. You may also wish to make this the default certificate for the server. The following window will appear. It is then down to you to select the services you wish to assign to the origin certificate, for example Synology Drive Server and any Web Station virtual hosts.
This is desirable as firewall rules and lockout events may be affected if our server is not seeing the real request IPs, potentially having undesirable security implications. Click on this and the following window will open, where you need to enter the list of IP addresses provided by Cloudflare in CIDR format.
However, make sure you check that compulsory https does not cause issues with your server, especially if enabling preload under HSTS, as you will not be able to remove compulsory https quickly once HSTS preload has been set up. It is important you understand the implications of this action for non-https traffic. Effectively your site will have to run everything over https, and it is not easy to reverse this quickly. Incorrect preload configuration can expose you more than it protects you, as this article explains.
It is only something I would recommend, therefore, if you understand the implications. If you do decide to enable this, you must also register your domain with the following site, which will require your Max-Age header to be set to at least 12 months. There is also an additional step you might wish to consider: Authenticated Origin Pulls, within the Origin Certificate settings page of Cloudflare. This is of course a very desirable feature, but it is quite complicated to set up within the current Synology interface.
You will probably also have to write scripts to trigger at boot and after updates, to ensure your edits are not rewritten when your Synology updates or reboots. Given this adds an additional level of complexity I am not going to cover the Authenticated Origin Pulls feature in this article.
Setting up Cloudflare with a Synology NAS
That is all you need from your pfSense.
Chained router consideration
You might be wondering what we have to do to make this work when your Synology NAS is behind two routers, as described in this post.
Fortunately, we have to do nothing about it.
Setting up Let’s Encrypt SSL certificates issued by pfSense on your Synology
Everything should work out of the box, as devices behind the chained routers have direct access to the devices connected to both routers. A wizard will be presented. As the first step, choose Add a new certificate and click on Next. In the next screen, fill in a meaningful Description e.
Installing a Free LetsEncrypt SSL certificate on DSM 5.x
Leave Intermediate certificate blank and click on OK to finish. You should see your certificate now installed on your Synology. Click on Configure, make sure your new certificate is selected for all Services and click on Ok button to save. Refresh your browser to see your new SSL certificate in action!
Instead, I am using my Homelab Utility Belt repo which has this and other scripts. I use Hover. A regular. Once you make the purchase, read on.
Install a Let’s Encrypt SSL certificate on a Synology NAS
However, there is a caveat to consider. If you have a consumer internet connection, you likely have a dynamic public IP address. This means if you point your domain to the public IP you are currently assigned, it will eventually change and your DNS record will be broken.
Point those records to your DDNS hostname.
Issue Synology Let's Encrypt Cert by acme.sh docker
Now when you browse to your domain name mydomain. I was incorrect in my testing and in writing the above paragraph. Example: mynas. Select the drop-down next to each package or service and change it to your new certificate and click OK.
This is more secure.