Question LE Cert | Synology DDNS Wildcard

Telos

Subscriber
1,318
440
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
It's been often said that the Synology doesn't support wildcard use. I see that limit in the LE Cert tool on my NAS.

Is this specific for the Synology LE Cert registration, alone, or also for the Synology DDNS domains?

For example, if I manage to get the LE Cert process working on Docker, can I register *.secretword.synology.me and expect it to work?
 
For example, if I manage to get the LE Cert process working on Docker, can I register *.secretword.synology.me and expect it to work?
I am (still) using Traefik 1.7.x and its built-in LE integration. The precondition for wildcard certificate creation is a supported registrar (as in the dns-api is supported by certbot/traefik). During the creation of a wildcard certificate a "txt" entry is added to your domain and verified by the LE client.

I highly doubt that Synology provides access to the dns-api, do they?

I have a couple of domains registered and my registrar is supported - works flawlessly with Traefik's LE integration.

Update: I forgot to mention that Syno's LE integration only supports the HTTP-01 challenge, which does not allow creating wildcard certificates. You will either need Certbot or Traefik for this. If you are working with docker-compose, Traefik is a feasible option. Afaik the required labels are not maintainable from the UI. TBH, I just made a couple of tests with Traefik on the DS, but have no long-term experience with it. My long-term experience is only with dedicated Swarm clusters - Traefik works like a champ in this setup.
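
The TXT-record step described in the post above, as an added example that is not part of the original thread: it derives the DNS-01 record name and value per RFC 8555 section 8.4 (using the RFC 7638 account-key thumbprint), which shows why the ACME client needs write access to the DNS zone. The account key and token are constructed placeholders, and the helper names are illustrative.

```python
import base64
import hashlib
import json

def sha256_b64url(data: bytes) -> str:
    """Unpadded base64url of SHA-256, the encoding ACME uses throughout."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required members, sorted, without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode())

def allowed_challenges(identifier: str) -> list:
    """Let's Encrypt validates wildcard names with dns-01 only."""
    if identifier.startswith("*."):
        return ["dns-01"]
    return ["http-01", "dns-01", "tls-alpn-01"]

def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) the CA will query (RFC 8555, 8.4)."""
    # The wildcard label is stripped: *.example and example share one record name.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return f"_acme-challenge.{base}", sha256_b64url(key_authorization.encode())

# Constructed sample input: not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token-from-the-ca"

if __name__ == "__main__":
    for name in ("*.secretword.synology.me", "secretword.synology.me"):
        record, value = dns01_record(name, SAMPLE_TOKEN, SAMPLE_JWK)
        print(name, allowed_challenges(name))
        print(f"  {record}. IN TXT \"{value}\"")
```

The record has to be published in the zone that serves the name, so whoever operates that zone's DNS decides whether the challenge can be answered.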
 

Rusty

Moderator
NAS Support
3,179
954
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I highly doubt that synology provides access to the dns-api, do they?
No, they don't. Even so, with a wild card cert you will need to own the root domain as well (or have control over it) and none of us does, so registering a wild card sub domain on *.synology.me is not an option.

As King said, LE container, Traefik, are your docker alternatives for now, until DSM7 comes out.

In DSM7 there will be a native support for this as noted in the release notes for the Preview version:

Security
  • Added support for Let’s Encrypt wildcard certificates when using Synology DDNS service.
 

Telos

registering a wild card sub domain on *.synology.me is not an option.
I was considering the wild card sub-domain on *.mynas.synology.me. Is that doable directly w/LE?
 
Like I wrote, the current client only supports the HTTP-01 challenge. The client does not accept * or *.domain.tld as SAN.
I would recommend waiting for DSM7's built-in feature....
 

Rusty

Agreed. All in all, you will not be able to register anything for any combination for synology.me.
 

Telos

Okeedokee... I guess it's off to explore Google Domains...
 
