Import existing Letsencrypt certificate - question

Hello,

I have done some research but can't really tell if this will work or not, and also how to make it work.

What I have is a VPS that currently has existing Let's Encrypt certificates that I would want to import to Synology (I guess that is the easy part with the import function).

But will DSM also autorenew these then or do I have to build some manual workaround (and if so any suggestions).

Basically all I want to do is transfer my existing webpage hosted on a VPS to my Synology NAS, and since I already have a Let's Encrypt cert, use that one on the Synology NAS, since I am not sure if I can just create a new one with the same domain name (which would also be an option if that's better; then I just need to figure out how to revoke the existing one so that I can create a new one).

Anyone that’s already done this before and can help?
 
Anyone that’s already done this before and can help?
Is this a 3rd party hosted domain? Wild card or named cert?

Import is easy as you said, and if you want to recreate it you can always do it via a Docker image for that and later on automate it (considering you have a Docker capable NAS).

This article is for making a wildcard LE cert for a 3rd party domain and using it on your Syno NAS. The same principle would apply for a non-wildcard one (named cert with SAN support). Have a read and post back.

 
Is this a 3rd party hosted domain? Wild card or named cert?

3rd party hosted domain - yes (if I understand it correctly)
To this point I have named certificates 1x for main domain and 1x for subdomain (running an application).

I do have a Docker capable NAS (DS718+).

Reading the tutorial, maybe a wildcard cert wouldn't be too bad and the way to go. It would have the advantage of me being able to do it all while leaving my current setup on the VPS basically untouched.
Either way though, you are still importing the cert the way I would also import the name certs (correct?). Do these then get autorenewed by the Synology NAS?
 
Either way though, you are still importing the cert the way I would also import the name certs (correct?)
Correct. You can automate it as well but I haven’t (read some other posts on the forum)

Do these then get autorenewed by the Synology NAS?
Using the Docker method they will, but then you will have to manually import (unless you automate). But the certs themselves will renew automatically inside this Docker container once under 30 days.
 
Correct. You can automate it as well but I haven’t (read some other posts on the forum)


Using the docker method they will but then you will have to manually import (unless you automate). But the cert themselves will automate inside this docker container once under 30days.
Thank you. I did not get to it yet. I ran into a couple of problems with the migration of my site from the vps to the NAS. Those are solved now.

I am basically at Step 4 of your tutorial:
Content = yourcustomdomain.something: does the "yourcustomdomain" include the domain extension (.com)?

It will probably take me a few days to finish this since I can only do it on and off.

I did however run into some other questions that I am unsure of if I should start a new topic on or post them here. I will describe them and then we can decide if it makes sense for them to have their own topic. They are somewhat related just not specifically to the letsencrypt question.

1. Migrating from the VPS back to the NAS, I have created a CNAME record to point mydomain.com to mydynamicdns. However, www.mydomain.com does not. Do I create another CNAME record for that, or is that an A record to mydomain.com? Additionally I am wondering if I need to create another Virtualhost on the Synology for the www version. Sorry, not that familiar with Apache, I have been using nginx on the VPS.

2. I already have a Docker application (app) running that I go to by mydynamicdns:1234; that one is then routed to localhost:1235 with a reverse proxy (Synology), with 1234 being open in the firewall and router and 1235 being the port of the Docker container.
With now having mydomain.com point to mydynamicdns can I somehow make this docker container app show up by using app.mydomain.com with no ports? Basically how do I get from mydynamicdns:1234 to app.mydomain.com?

Again thank you so much for helping! Still trying to figure this all out. I do have to say the NAS has been doing wonderful so far. As a fallback I still have the VPS until we are all done! Rusty, you have already been a big help!
 
I am basically at Step 4 of your tutorial:
Content = yourcustomdomain.something: does the "yourcustomdomain" include the domain extension (.com)?
yes

However the www.mydomain.com does not. Do I create another CNAME record for that or is that an A record to mydomain.com
If you are pointing to a DDNS name then I guess you don't have a static IP on your NAS location (the public one). If that is the case then you can't use an A record to point to your current public IP because it will change at some point and you will have a problem. So for the WWW, just use another CNAME pointing to your DDNS (on the NAS side) and then follow this tutorial to redirect your www requests.


Usually typing www.yourdomain.something means use HTTP (on port 80). If you will be hosting your services on https (443) you will need to redirect those 80 calls to 443.

Additionally I am wondering if I need to create another Virtualhost on the Synology for the www Version. Sorry not that familiar with Apache, I have been using nginx on the VPS.
That's how I did it in this tutorial yes.

2. I already have an Docker application (app) running that I go to by mydynamicdns:1234 that one is then routed to localhost:1235 with a reverse proxy (Synology). With 1234 being open in the firewall and router and 1235 being the port of the docker container.
With now having mydomain.com point to mydynamicdns can I somehow make this docker container app show up by using app.mydomain.com with no ports? Basically how do I get from mydynamicdns:1234 to app.mydomain.com?
With your LE coming along you will just need to use that reverse proxy method to push https://mypublicdomain.com to your NAS IP address on the docker local port of that application. You will need a simple CNAME entry for your app towards your ddns (NAS destination) and you are done. You can consult this article on the matter:

 
Thank you, that was fast! You gave me a lot to read now. Let me go through all of that and see if I can figure it all out. If not I will come back with my questions.
 
So I think I made it through Step 7. Before heading into Step 8, I have the following files in /etc/letsencrypt/live/mydomain
  1. priv-fullchain-bundle.pem
  2. privkey.ptx
  3. README
Then I have /etc/letsencrypt/archive/mydomain
  1. cert1.pem
  2. chain1.pem
  3. fullchain1.pem
  4. privkey1.pem
So I think it was working. The log says it obtained certs and server ready.

Now for the import (Step 8) I am not exactly sure which files to use. This .ptx is new to me.

I started with getting the wild card certificate because the way I see it this is the basis for all the other tutorials that you have sent me. So I want to migrate the non-www version to my NAS basically done, finish setting up this wildcard certificate and then I will go on to the HTTP to HTTPS tutorial that you have sent. I hope that is the right sequence. From there I may need your help again. We will see.

Thank you!
 
I really appreciate that. Thank you!

Quick question in the meanwhile: the normal Wordpress hardening like no Directory Browsing, disabling php file execution in directories, image hotlinking etc. is done how in Apache? In Nginx I do all of that in the config. If I see that correctly I would do that through .htaccess files here? I know this is kind of for once it is all working but already interested.
Is there a way to run fail2ban on the NAS? I do have the Synology firewall configured and up and running.

And Step 8 completed ... YAY!

It shows a *.mydomain.com certificate.

So now I can go on to the next one 🥳
 
Ok, I tried long and hard but I can’t figure this out.
I have managed to get http://mycustomdomain working. Due to Cloudflare it looks like https://mycustomdomain

I do have a CNAME record in cloudflare for @ (root), WWW and APP pointing to mydynamicdns.

For that I have a virtualhost file mycustomdomain, Port 80/443 pointed to Wordpress.
  1. What I want to achieve is that http://mycustomdomain is redirected to https://mycustomdomain (using the *.mydomain.com certificate that we created).
  2. Additionally I want basically redirect all traffic to non-WWW and HTTPS.
  3. I have an application hosted in docker (localhost 1234; container port 80) and I would like to reach that application using app.mycustomdomain (again all Traffic redirected to https)
I am just having a really hard time understanding Apache. I have tried multiple different versions of your redirect but end up with 502 Errors most of the time.

I don’t understand the rewrite rule to begin with or why we are making this extra directory.

why:
Code:
# Enable mod_rewrite for this directory (.htaccess scope)
RewriteEngine on
# Only act when the request did not arrive over TLS (%{HTTPS} is "on" or "off")
RewriteCond %{HTTPS} off
# Send the client to the same host and path over https; without an explicit
# [R=301] flag Apache still issues an external redirect, but as a temporary 302
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


Should I use this to achieve NON-WWW and HTTPS:
Code:
RewriteEngine On
# Redirect if either condition holds: the request is plain http ...
RewriteCond %{HTTPS} off [OR]
# ... or the host name starts with www.
RewriteCond %{HTTP_HOST} ^www\. [NC]
# Capture the host without any leading www. into %1 for use in the rule
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# One permanent redirect to https on the bare host, keeping the request path
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

Others are proposing...: why is that?
Code:
RewriteEngine On
# "!=on" is the same test as "off": %{HTTPS} only ever holds "on" or "off"
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I am so confused...
Does the port in Step 5 matter at all or is it random?
Why the two reverse Proxies?
Why not directly put it in the .htaccess of wordpress or is the separate one only for making the redirects for separate applications (e.g. docker)?
Why not just use one reverse proxy no virtual host file at all for the docker app? Or is that for the https rewrite?

And an unrelated question: how do I see if https works, right now when I use https it shows that it is encrypted (in browser but shows certificate by Cloudflare). So how do I know if it also uses my letsencrypt wildcard certificate between Cloudflare and my NAS? Cloudflare Setting for SSL is Full.

Can you help please? (Sorry for the many questions)
 
Ok, I managed to do 3. following your Reverse Proxy tutorial.

Again it shows https by Cloudflare and redirects to https when using http.
Don’t know why? Do you know if it configures that in NGINX by itself when you set the certificate under SECURITY>>Certificates>>Configure.

So now all I am missing is the WWW to NON-WWW and http to https of mycustomdomain (Wordpress)
 
Don’t know why? Do you know if it configures that in NGINX by itself when you set the certificate under SECURITY>>Certificates>>Configure.
Hmm well for me it shows my certificate (wild card one) not CF. You have configured all RP entries to use that certificate via the Security/Certificate tab yes?

Does the port in Step 5 matter at all or is it random?
I guess you mean the HTTP to HTTPS article. That port is the port for the virtual host that holds the htaccess file that has the rewrite commands/rule inside it. So that port needs to be used in your RP entries when redirecting your specific app/service from 80 to 443 (HTTP to HTTPS).

Why the two reverse Proxies?
One is HTTP to HTTPS and another is getting from your custom domain name to your local app/service port on your NAS.

Why not directly put it in the .htaccess of wordpress or is the separate one only for making the redirects for separate applications (e.g. docker)?
Isn't that what it's being done here?

Why not just use one reverse proxy no virtual host file at all for the docker app?
Testing shows that a single rewrite RP rule will not affect all other RP entries (at least in my testing).

So how do I know if it also uses my letsencrypt wildcard certificate between Cloudflare and my NAS? Cloudflare Setting for SSL is Full.
I also have it on Full. As I said before, I see only my wild card cert in the inspect SSL dialog box, so not sure what you are seeing CF one.

So now all I am missing is the WWW to NON-WWW and http to https of mycustomdomain (Wordpress)
With a WWW cname on CF and a http-to-https redirect this should work just fine.
 
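Added example, not code from this thread or from the tutorials it refers to: a small Python audit that walks the redirect chain from each entry point (http://, http://www., https://www.) and reports where it ends, how many hops it took, and whether it ends at https:// on the bare domain as intended above. It also flags loops, which is the classic symptom when a proxy terminates TLS and talks plain http to an origin that forces https (Cloudflare's "Flexible" mode); the "Full" mode used in this thread avoids that. The fetch function is injectable so the logic can run offline against the constructed response table included below; the example.com hostnames are assumptions, not the poster's real domain.

```python
"""Follow an HTTP redirect chain and report whether it ends canonical."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=5.0):
    """Return (status, Location header or None) for one request, no following."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses surface here as HTTPError.
        return err.code, err.headers.get("Location")


def follow(url, fetch=fetch_status, max_hops=10):
    """Walk the chain from url; returns (chain, final_status, outcome).

    outcome is 'ok', 'loop' (a hop pointed back at a URL already visited)
    or 'too_many_hops'.
    """
    chain, seen, status = [url], {url}, None
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, status, "ok"
        nxt = urljoin(chain[-1], location)   # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, status, "loop"
        seen.add(nxt)
    return chain, status, "too_many_hops"


def is_canonical(url, apex):
    """True if url is https:// on the bare apex (no www., no other host)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == apex.lower()


def audit(start_urls, apex, fetch=fetch_status):
    """Audit several entry points; each should end canonical with outcome 'ok'."""
    report = {}
    for url in start_urls:
        chain, status, outcome = follow(url, fetch)
        report[url] = {
            "final": chain[-1],
            "hops": len(chain) - 1,
            "status": status,
            "outcome": outcome,
            "canonical": outcome == "ok" and is_canonical(chain[-1], apex),
        }
    return report


# Constructed response table for offline demonstration (assumed hostnames):
# a correct www -> https -> apex chain, a relative Location, and a loop.
DEMO_TABLE = {
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (301, "https://example.com/"),
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (200, None),
    "http://rel.example.com/old": (301, "/new"),
    "http://rel.example.com/new": (200, None),
    "http://loop.example.com/": (301, "https://loop.example.com/"),
    "https://loop.example.com/": (302, "http://loop.example.com/"),
}


def demo_fetch(url, timeout=None):
    return DEMO_TABLE.get(url, (404, None))


if __name__ == "__main__":
    # Usage: python redirect_audit.py mycustomdomain.tld   (real network)
    # With no argument, runs against the constructed table above.
    if len(sys.argv) > 1:
        apex, fetch = sys.argv[1], fetch_status
    else:
        apex, fetch = "example.com", demo_fetch
    entry = [f"http://{apex}/", f"http://www.{apex}/", f"https://www.{apex}/"]
    for url, info in audit(entry, apex, fetch).items():
        verdict = "canonical" if info["canonical"] else "NOT canonical"
        print(f"{url} -> {info['final']} ({info['hops']} hops, {info['outcome']}, {verdict})")
```

Run it from outside your own network so the request actually traverses Cloudflare and the router; a healthy setup shows one or two 301 hops per entry point and "canonical" for all of them, while "loop" on the http:// entry points to the proxy and origin disagreeing about who redirects to https.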
Hmm well for me it shows my certificate (wild card one) not CF. You have configured all RP entries to use that certificate via the Security/Certificate tab yes?
Yes, done that. When I go on the padlock it says: "verified by Cloudflare"

And when I view the actual certificate it says:
sni.cloudflaressl.com with the certificate Issuer Cloudflare, Inc.
Do you think this might be due to the dynamic DNS?

Isn't that what it's being done here?
What I meant was why not put the rewrite rule directly into /web/Wordpress/.htaccess instead of creating a separate directory "redirectHTTPS" with a single .htaccess file in it and creating an additional Virtualhost.

What I meant by that:

Ubuntugeek said:
Why not just use one reverse proxy no virtual host file at all for the docker app?

is why not just do it like you did it in the Reverse Proxy Tutorial. Basically I just have one single reverse proxy setup at the moment coming in on HTTPS, Port 443 to app1.mycustomdomain and routing that to HTTP, localhost, Port 1234 (Docker Container Port). It works. Why is that not enough?

Regarding the WWW and non-WWW: when I type in www.mycustomdomain I currently get a 403 error even though I have a CNAME WWW entry. But I also don't want the WWW version, I just want it to redirect to the non-WWW version. I currently only have one Virtualhost set up: non-WWW of mycustomdomain, port 80/443 with root directory /web/wordpress.
The only time I actually get to my website is when I type exactly http://mycustomdomain (which, interestingly, lands me at https://mycustomdomain even though I have not configured an https rewrite rule yet). Everything else will get an error and also not be rewritten, so for example if I include "www" then I end up with an error.

Again, thank you so much. I really want to make this work and I am sure we can. If it helps is there anything else I can provide. The reverse Proxy makes sense to me, the HTTP to HTTPS and the Apache Rewrites are my problem. Maybe in combination with the dynamicdns.
 
Should the CNAME records be
1. www to mycustomdomain
2. @ to mydynamicdns
3. app1 to mydynamicdns

Or should it be
1. www to mydynamicdns
2. @ to mydynamicdns
3. app1 to mydynamicdns
 
What I meant was why not put the rewrite rule directly into /web/Wordpress/.htaccess instead of creating a separate directory „redirectHTTPS“ with a single .htaccess file in it and creating an additional Virtualhost.
Because those tutorials were meant for general usage, not WP specific.

Basically I just have one single reverse proxy setup at the moment coming in on HTTPS, Port 443 to app1.mycustomdomain and routing that to HTTP, localhost, Port 1234 (Docker Container Port). It works. Why is that not enough?
Because without http to https rewrite people would have to enter exact url to get to the page.
With those in place I redirect them to https (where the app actually lives) and append www as well.

Also this needs to be done for any RP entry for me to work with all my custom apps.
The only time I actually get to my website is when I type exactly http:// mycustomdomain. (Which interestingly I end up at https:// mycustomdomain even though I have not configured an https rewrite rule yet).
This might be some sort of WP rewrite. Can’t tell not using it.
 
Because those tutorials were meant for general usage, not WP specific.


Because without http to https rewrite people would have to enter exact url to get to the page.
With those in place I redirect them to https (where the app actually lives) and append www as well.
I understand now so this would work in general.
You are right, it just works with that specific URL the way I did it.

Unfortunately I am still not fully there yet though as to making it work. I may get back later today and post some more info, maybe you can take a look at that.

Regarding WP I can look at a WP specific tutorial then. And maybe just adjust the WP .htaccess file directly to do the redirect.

But if you could help me some more with the general http to https for my docker app it would be great.
 
Hello Rusty,

let me try to explain better where I am at. Maybe you can help me a little bit better from there.

This is what I have setup so far.

1. Virtualhost Apache for Wordpress:
[attachment: virtualhost.png]

The root folder is this one:
[attachment: wordpress2.png]

This particular .htaccess file is also the one I was talking about when it comes to the HTTP to HTTPS redirect for Wordpress in particular. This is the one that serves my main site.
So I would put whatever redirect I need to put into there, correct?

I read in someones tutorial that the rewrite should look like this, is that correct?

Code:
RewriteEngine On
# Only requests that arrived over plain http
RewriteCond %{HTTPS} off
# Permanent (301) redirect to the same host and path over https; [L] stops further rules
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This deviates, however, a little bit from the redirect you are proposing in your HTTP to HTTPS tutorial.
So much for Wordpress. It does work now. What still does not work is to redirect WWW to NON-WWW but I may have to figure that out myself.

On to the part I still need help with...

2. This is my current reverse proxy:
[attachment: reverse proxy.png]

It works however it is like you said just working if I use exactly the correct domain url as soon as I use http it does not work anymore.

3. Now for your HTTP to HTTPS, which I would like to use and where I would like your help: all I have done so far is create this directory with this .htaccess. I am lost on the rest. Maybe you could walk me through the rest of the steps here using my example reverse proxy from above.
[attachment: redirect2.png]
[attachment: htaccess.png]

I am lost on the Virtualhost as well as the two reverse proxies to make app1 work and direct it to localhost:1234.

4. To show you what I mean by the SSL Cert I was talking about with Cloudflare, this is what I see looking at mycustomdomain:
[attachment: cloudflare.png]

Where I marked it red it does look like my wildcard certificate with *.mycustomdomain (I am just not sure if that is all correct like that, I am used to seeing at least somewhere in there a letsencrypt but I may be wrong, not that familiar with Cloudflare).

I hope this really helps to clear up things and I hope you still have the patience to walk me through the 2. - 4. here.

Thank you so much!
 
No4 is because you are probably being proxied by CloudFlare. I am not.
Yes, exactly, that is what it was. Wildcard certificate is working now.

No3 is also solved and worked after I followed your tutorial HTTP to HTTPS again.

No2 works but I have decided to implement your HTTP to HTTPS because it is more universal.
and finally on...

No1: if I had just created a second Virtualhost for www.mycustomdomain (CNAME www pointed at mycustomdomain) then it would have all worked as intended using the same Rewrite code that you are proposing, just straight in the .htaccess that is located in my /web/wordpress directory.

So all good! Thank you so much! Topic solved!
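Added example for the certificate question resolved above (No4); this is not code from the thread or from the linked tutorials. When Cloudflare proxies the domain, the browser padlock always shows Cloudflare's edge certificate, so the only way to see what the NAS itself serves is to connect to the origin directly (its public IP or DDNS name) while sending the public hostname in SNI. The script below does that and reports the issuer, the SAN list and whether the certificate actually covers the name, applying the normal wildcard rule: *.mycustomdomain covers app.mycustomdomain but not the bare mycustomdomain unless that name is also present in the SAN. Cloudflare's "Full" mode does not check the origin certificate's hostname, so such a mismatch only surfaces when switching to "Full (strict)". Hostnames, ports and the sample certificate dictionary are assumptions for illustration.

```python
"""Report which certificate an origin serves for a given SNI name and
whether that certificate covers the name."""
import socket
import ssl
import sys


def fetch_origin_cert(origin_host, sni_name, port=443, timeout=5.0):
    """Connect to origin_host:port, send sni_name in SNI, return the peer
    certificate as the dict ssl.SSLSocket.getpeercert() produces.

    Chain validation against the system trust store stays on (a self-signed
    or expired origin cert raises ssl.SSLCertVerificationError, which is
    itself the answer), but hostname checking is done by us below so that a
    name mismatch is reported instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((origin_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """DNS entries from subjectAltName; the CN is ignored, as browsers do."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname with the usual wildcard rule:
    '*' is honoured only as the whole leftmost label and covers exactly one
    label, so *.example.com matches app.example.com but neither example.com
    nor a.b.example.com. Comparison is case-insensitive, trailing dots ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_covers(cert, hostname):
    """True if any SAN DNS entry matches hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def issuer_org(cert):
    """organizationName from the issuer RDN sequence, e.g. "Let's Encrypt"."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def describe(cert, hostname):
    """Summarise what matters for the thread's question in one dict."""
    return {
        "issuer": issuer_org(cert),
        "san": san_dns_names(cert),
        "covers": cert_covers(cert, hostname),
        "not_after": cert.get("notAfter"),
    }


# Constructed sample in getpeercert() shape (assumed values): a wildcard-only
# certificate, i.e. the apex name is NOT in the SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    # Usage: python origin_cert.py <NAS public IP or DDNS name> <public hostname>
    # With no arguments, describes the constructed sample certificate.
    if len(sys.argv) >= 3:
        origin, name = sys.argv[1], sys.argv[2]
        try:
            print(describe(fetch_origin_cert(origin, name), name))
        except ssl.SSLCertVerificationError as err:
            print("origin certificate did not validate:", err.verify_message)
    else:
        for name in ("app.example.com", "example.com"):
            print(name, describe(SAMPLE_CERT, name))
```

The same check from a shell is `openssl s_client -connect <nas-ip>:443 -servername mycustomdomain </dev/null | openssl x509 -noout -issuer -subject -dates`; if the output names Let's Encrypt as issuer while the browser padlock says Cloudflare, both hops are encrypted and the origin really is using the imported wildcard. If the wildcard is to cover the bare domain as well, request the certificate for both the apex and *.apex so that both names land in the SAN.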
 