Invalid certificate inside the android app

NAS: DS418Play
Operating system: Linux, Windows
Mobile operating system: Android
Hey guys, I hope maybe someone did encounter this issue and can help me with it.
I'm having an issue where the Android app doesn't receive the certificate from the NAS. The certificate is from Let's Encrypt. It only happens through my domain: for example, with photos.xxxx.com the app doesn't receive the certificate, and if I use the Alias method of Synology (xxx.com/photos) it does the same thing as well.
Going through the web browser, it does show that it sends a certificate.
If I log into the app through the IP address, the app itself does get a certificate, and it is super confusing why it does that.
Any help would be appreciated.
 
> If I log into the app through the IP address, the app itself does get a certificate, and it is super confusing why it does that.

If you knew how TLS (the successor of SSL) works, you wouldn't be confused :)

Unless the IP is present as Common Name (CN) or Subject Alternate Name (SAN) in the certificate, this will always be the case.

The hostname/domain/IP in the URL must match either the CN or the SAN of the certificate. What sense would it make to verify the chain of trust for the TLS connection, if the identity of the server (determined by the URL you used) does not even match the certificate it uses...

This is not specific to Synology or Let's Encrypt, it is just how SSL/TLS works.
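
The name check described in this reply, as an added example that is not part of the original thread: a small matcher that compares the host from the URL with a certificate's SAN entries, using the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents and host names are constructed, and the CN fallback shown is the legacy rule for certificates without any DNS SAN, which many current clients no longer apply.

```python
import ipaddress

# Constructed sample in the layout of ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "photos.nas.example"),),),
    "subjectAltName": (("DNS", "photos.nas.example"), ("DNS", "*.nas.example")),
}


def _dns_match(pattern: str, host: str) -> bool:
    """Compare one DNS name from the certificate with the host from the URL."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # '*' stands for exactly one left-most label and is refused on short names
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches(cert: dict, url_host: str) -> bool:
    """Return True if the host used in the URL is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(url_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL is compared only with "IP Address" SAN entries.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, url_host) for name in dns_names)
    # Legacy fallback: no DNS SAN at all, so compare with the subject CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, url_host) for cn in cns)


if __name__ == "__main__":
    for host in ("photos.nas.example", "drive.nas.example", "nas.example", "192.168.1.20"):
        print(f"{host:22} -> {'match' if cert_matches(SAMPLE_CERT, host) else 'MISMATCH'}")
```

With this sample, both host names under `nas.example` match, while the bare domain and the LAN IP address do not, because neither appears in the SAN list.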
 
> Unless the IP is present as Common Name (CN) or Subject Alternate Name (SAN) in the certificate, this will always be the case.
>
> The hostname/domain/IP in the URL must match either the CN or the SAN of the certificate. What sense would it make to verify the chain of trust for the TLS connection, if the identity of the server (determined by the URL you used) does not even match the certificate it uses...
>
> This is not specific to Synology or Let's Encrypt, it is just how SSL/TLS works.

If the IP wasn't present in CN or SAN, wouldn't the issue persist in the web browser as well?
I know that Let's Encrypt moved away from the "DST Root CA X3" certificate and is using one of their own, but I'm still clueless as to why it's not working on the apps.

Could it be related to the change that happened in Let's Encrypt?
 
> If the IP wasn't present in CN or SAN, wouldn't the issue persist in the web browser as well?

It must have been there and you must have stored it as "trust permanently".
Feel free to read the TLS specs, more precisely how the chain of trust is established.

Probably I got your original post wrong:
Per my understanding, the question was why the certificate is not considered valid when the service is accessed using the IP in the URL.

Generally your DS needs to be on the latest DSM 6.2.4 or any 7.0 version to have proper Let's Encrypt handling.
Previous DSM versions come with an old OpenSSL library (1.02-fips) which is not able to handle the algorithms used by the new Let's Encrypt CA. New LE certificates require at least OpenSSL library version 1.1.0 or greater.
 
> Probably I got your original post wrong:
> Per my understanding, the question was why the certificate is not considered valid when the service is accessed using the IP in the URL.
>
> Generally your DS needs to be on the latest DSM 6.2.4 or any 7.0 version to have proper Let's Encrypt handling.
> Previous DSM versions come with an old OpenSSL library (1.02-fips) which is not able to handle the algorithms used by the new Let's Encrypt CA. New LE certificates require at least OpenSSL library version 1.1.0 or greater.

Maybe I'm just stupid or don't know how to write in English. Anyway, as I said before, I'm getting an error inside Synology Photos, which is DSM 7 only, so all the libraries.
Could it be that I didn't configure the domain properly, or could it be something related to Let's Encrypt switching to their own certificate?
 
