HTTPS and DDNS not working

Currently reading
HTTPS and DDNS not working

79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Hi

I have set DDNS and a Let's Encrypt Certificate on my Syno (the certificate is the one automatically installed after setting up DDNS)

When trying to access the DDNS using xx.synology.me:50XX nothing happen.

I tried adding https:// before but it did not help. Under Network -> DSM Settings "Automatically redirect HTTP connection to HTTPS for DSM Desktop" is checked.

If I try to access the DSM via IP address it's detected as not safe

Screenshot 2020-12-03 at 15.26.16.png


Port 80 of my router is open. In the firewall settings of my Syno

Screenshot 2020-12-03 at 15.07.37.png



Screenshot 2020-12-03 at 15.08.05.png


Screenshot 2020-12-03 at 15.28.25.png


what am I doing wrong?
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Are you sure that’s a Let’s Encrypt certificate? It should say: issued by Let’s Encrypt Authority.

You should:
Control Panel > Security > Certificate tab > Add > Add new certificate
and choose “Get a certificate from Let’s Encrypt”
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Are you sure that’s a Let’s Encrypt certificate? It should say: issued by Let’s Encrypt Authority.

You should:
Control Panel > Security > Certificate tab > Add > Add new certificate
and choose “Get a certificate from Let’s Encrypt”
It's actually what I did. Could be this the issue?

Screenshot 2020-12-03 at 16.56.51.png
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
No. Not necessarily. Does it say “default certificate“ and “issued by let’s encrypt authority”

Did you forward port 443 (for https traffic)?
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
No. Not necessarily. Does it say “default certificate“ and “issued by let’s encrypt authority”

Did you forward port 443 (for https traffic)?
Yeah I have it on my router and I have also allow it on the Firewall setting on the NAS both Port 80 and 443
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Are you using your FQDN (e.g. mynas.synology.me) or the IP address?
I mean, what do you type in your browser’s bar when trying to access?
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Last edited:
Are you using your FQDN (e.g. mynas.synology.me) or the IP address?
I mean, what do you type in your browser’s bar when trying to access?
If I type my FQDN id does not work. it says: ERR_CONNECTION_REFUSED

The only way I have to access the DSM is by using the IP Address.

When I check the certificate in Chrome it's says that is issued by Let's Encrypt.

Screenshot 2020-12-03 at 17.50.02.png
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
If I type my FQDN id does not work. it says: ERR_CONNECTION_REFUSED

I believe you’ll need to fix this (I don’t know your setup to recommend anything yet). Or if you’re on your LAN, use the IP address on http and you shouldn’t receive the warning.

The browser verifies if the host header matches the fully qualified domain name (FQDN) on the certificate. if it doesn’t (when you use the IP address) it gives a warning.

I assume you created the certificate for your FQDN.
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
If you’ve correctly forwarded your ports on the router, try accessing your DS from outside using the FQDN. Turn off your phone’s WiFi (if you’re at home/office where your DS is) and use the phone’s data (e.g 4G) to test.
Turn the firewall off briefly to test.
 

Rusty

Moderator
NAS Support
2,874
876
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
If I type my FQDN id does not work. it says: ERR_CONNECTION_REFUSED
This could be a firewall problem as @WST16 said but it could also mean that your router does not support NAT loopback feature. Accessing FQDN address from inside LAN.

Best to test via 4G (outside your lan). If you still get the same error, its either port forward or firewall problem on some level (router/NAS).
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
If you’ve correctly forwarded your ports on the router, try accessing your DS from outside using the FQDN. Turn off your phone’s WiFi (if you’re at home/office where your DS is) and use the phone’s data (e.g 4G) to test.
Turn the firewall off briefly to test.
This could be a firewall problem as @WST16 said but it could also mean that your router does not support NAT loopback feature. Accessing FQDN address from inside LAN.

Best to test via 4G (outside your lan). If you still get the same error, its either port forward or firewall problem on some level (router/NAS).
So, when trying to connect using my phone as hotspot to my FQDN the link is not loaded. I mean it keeps loading. I checked on Web Hosting Search Tool, Reviews & More at WhoIsHostingThis.com - WhoIsHostingThis.com and it shows my IP address and my ISP

Do I need to forward the HTTP and HTTPS port of my DSM as well? I mean not just 80 and 443 but also the port 5000 and 5001 (that I changed btw).
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Do I need to forward the HTTP and HTTPS port of my DSM as well? I mean not just 80 and 443 but also the port 5000 and 5001 (that I changed btw).

Yes. If you’re trying to access DSM. Forward the https port…

I suggest that you start a step at a time.
  • Turn off the firewall
  • Make sure that whatever port you’ve configured to access DSM is forwarded on the router. The port you’re looking for is under Control Panel > Network > DSM Settings > https
  • When trying to access DSM, Add the port number (e.g. myds.synology.me:12345)
You can also use this free iOS app after you forward the ports:
We’re doing the above for testing, to check if you have managed installing the LE certificate.You’ll need to refine things later.
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Last edited:
Yes. If you’re trying to access DSM. Forward the https port…

I suggest that you start a step at a time.
  • Turn off the firewall
  • Make sure that whatever port you’ve configured to access DSM is forwarded on the router. The port you’re looking for is under Control Panel > Network > DSM Settings > https
  • When trying to access DSM, Add the port number (e.g. myds.synology.me:12345)
You can also use this free iOS app after you forward the ports:
We’re doing the above for testing, to check if you have managed installing the LE certificate.You’ll need to refine things later.
so I was able to access it via FQDN (also when not in the same LAN). The HHTPS is also active. If I type the FQDN url on my phone I can access the Syno. This is actually not good, for a security point of view right? Or am I wrong?

Is it possible to set synology available via HTTPS only in LAN?
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
This is actually not good, for a security point of view right? Or am I wrong?
We want to check LE for now. So it’s good. You can close it later. Try the app too while you’re at it remotely. It will give you information about the certificate.


Is it possible to set synology available via HHTPS only in LAN?
Yes. But there are caveats. You’ll need a router that supports this as mentioned by @Rusty. Or an internal DNS. The easiest is to access it internally via https;//ip and to tell your browser to ignore the warning..
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
We want to check LE for now. So it’s good. You can close it later. Try the app too while you’re at it remotely. It will give you information about the certificate.



Yes. But there are caveats. You’ll need a router that supports this as mentioned by @Rusty. Or an internal DNS. The easiest is to access it internally via https;//ip and to tell your browser to ignore the warning..
So this is what I get from the app

IMG_0198.PNG


IMG_0199.PNG
 
1,684
719
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
That’s good.

With this we’ve confirmed that your LE is setup correctly for https (your main ask in the thread title).

If you don’t need remote access, remove the forwards on the router or disable them for now.

Your easiest option to use https internally is to tell the browser to “trust” the site (your DSM web interface for now) when using the IP address. That doesn’t degrade the security. It’ll still be https traffic.
 

Rusty

Moderator
NAS Support
2,874
876
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
so I was able to access it via FQDN (also when not in the same LAN). The HHTPS is also active. If I type the FQDN url on my phone I can access the Syno. This is actually not good, for a security point of view right? Or am I wrong?
Well looks like I made a mistake early on by thinking you have forwarded the ports already. Guess that works now but am I do understand that you want https access only inside lan and not over the internet? If so you can just close the ports right now (apart from 80 for LE renewal), and listen to @WST16 advice regarding dns or ignoring https warnings.

UPDATE: @WST16 we will have to coordinate these responses :D
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Well looks like I made a mistake early on by thinking you have forwarded the ports already. Guess that works now but am I do understand that you want https access only inside lan and not over the internet? If so you can just close the ports right now (apart from 80 for LE renewal), and listen to @WST16 advice regarding dns or ignoring https warnings.

UPDATE: @WST16 we will have to coordinate these responses :D
I see :D thanks! I closed the port in the router. Do I need to disable them in the NAS firewall as well?

Another question: When connecting to the smb (Local or in remote via VPN) do I have to declare the port :50XX after the ip address? If I do when using VPN it cannot connect
 

Shadow

Subscriber
608
209
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Another question: When connecting to the smb (Local or in remote via VPN) do I have to declare the port :50XX after the ip address? If I do when using VPN it cannot connect

SMB works on port 445. You should not have to declare any ports for that on any app that uses SMB..
 
79
3
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
all right :) BTW the fact that the certificate says Issued by "R3" looks odd also to a Synology Support that opened a Ticket for it.

It should be Let's Encrypt actually

Screenshot 2020-12-04 at 11.51.10.png
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top