LE certificate for subdomain

Hi,

I've set up a port forwarding in my firewall to redirect any traffic from my subdomain to my internal DS918+ running a WebDAV server on port 5005.
Right now it is forwarding port 80 to the Diskstation, which works well.
I wonder if I could use the https protocol (port 443), too, and install a LE certificate on my DS?

Further setup: I own a domain, e.g. aaa.de, and I'm using a DynDNS service (not within Synology DSM, shouldn't matter though) that points my (non-static) external IP address to a sub-domain, e.g. xyz.aaa.de.

As already told, this works of course and I can access the WebDAV server in my LAN. But I would like to register a LE certificate for this sub-domain. Is registering such a sub-domain possible at all and can I install this certificate on my DS and get SSL encryption?

cu,
Michael
 
Yes, you can. You can create a LE wildcard cert for your domain that will allow you to have any number of subsite names at your disposal.

Considering that we don't have it as a resource on the forum, you can read a bit more about it here: Let's Encrypt + Docker = wildcard certs
 
The alternative to a wildcard certificate that you have to update yourself every three months (why doesn't Synology just support this??) would be to create a LE certificate in DSM and add the subdomains as alternative names. E.g.
  • Domain: mydomain.com
  • Subject Alternative Name: www.mydomain.com;audiostation.mydomain.com;another.mydomain.com
This is what I have for my certificates: four certificates that address DSM services; Applications Portal; Reverse Proxy; Web Station virtual hosts.

You have to then use the Configure button to assign the right certificate to each service.

These will be automatically updated every three months.
 
Correct as well. I have given up on Syno LE certs just because they don't support 3rd party domain wildcards at all. Also, with a wildcard, I can generate a subdomain name on the fly, and that has proven useful more often than I thought it would, so wildcard is my choice. Just a few days ago I renewed my certs and deployed them to all my NAS devices that needed it. Took maybe 5 min in total.

Still, the SAN option might be a direction for people that will not have a need for numerous subdomains or frequent changes, for that matter.
 
It's whichever way saves the most time and effort. For a fairly small, static setup with the odd new service, letting DSM manage LE certs with SANs is probably the way, but for a dynamic or large set, a wildcard LE cert and manual intervention is better.
 

Were there no client devices complaining that the SSL cert had changed? I hate that Drive sync does this on Windows and Android clients and just stops working with an error like 'Server certificate has changed' or something. If you then manually pause the sync and start it again, it's fixed.
 
I haven't noticed it on any client device that I have/use, nor in any app using it. Have it running like this for years.
 
Ditto. The iOS devices throw up the alert, which seems somewhat stupid. Not seen it on non-mobile platforms.
 
It doesn't require Step 04 - Add a TXT record in your Cloudflare DNS. As we provide the email and API key, the container can do it by itself. I had to remove this TXT record to make it work.

I'm now thinking about making the renewal automatic.
Do you know if we can easily access the place where the certificate and private key we have uploaded are stored?
If yes, I could script it and then just copy/paste the files to the right location.
 
It doesn't require Step 04 - Add a TXT record in your Cloudflare DNS. As we provide the email and API key, the container can do it by itself. I had to remove this TXT record to make it work.
I used my LE container a few days ago using the TXT record and it was just fine. Setting up the INI file is one thing, and a DNS record was another. Never had a problem with using it, and on top of this, without it, it wouldn't work. Still, thanks for the heads-up, I'll keep this in mind.

Do you know if we can easily access the place where the certificate and private key we have uploaded are stored?
Of course you can. A simple copy to this location will work: /usr/syno/etc/certificate/system/default
 
I just read your tutorial Let's Encrypt + Docker = wildcard certs and I was wondering why you recommend stopping the container until it's time to renew the certificate? I thought using DNS validation would automatically renew your certificates. That way, the only thing you would have to do manually is import the new certificate into DSM.
 
That is correct. The reason is simple. Personally I don't use it for anything else and I see no reason for it to be up for 3 months just so it could run a 1 min task every 90 days.

If I was using it as a reverse proxy for example then yes, but in this case, I just fire it up when needed, swap the certs and shut it down.

Saying that, you can leave it running, of course, if you want.
 
Hello,
I went through my first renewal and yes, it was pretty straightforward.
I started the container, copied the new files and reimported them.
Nevertheless, I would like to try to make it automatic anyway. And regarding this, I have a few updates and questions.

First, based on some recommendations, I'm now generating my certificates with the certbot container and not the letsencrypt one, which is not built/optimized exactly for that.

Code:
sudo docker run -it --rm --name certbot \
            -v "/volume1/docker/certbot:/etc/letsencrypt" \
            certbot/dns-cloudflare certonly \
            --dns-cloudflare \
            --dns-cloudflare-credentials /etc/letsencrypt/.secrets/cloudflare.ini \
            --server https://acme-v02.api.letsencrypt.org/directory \
            --keep-until-expiring \
            -d *.mydomain.xyz

With this command, the container will start and self-destruct when everything is finished.
Now I need to automate the installation in the Syno.

I have found that my certificate seems to be stored here: /usr/syno/etc/certificate/system/default, as I'm using the default one everywhere.
Nevertheless, they also seem to be placed in /usr/syno/etc/certificate/ReverseProxy/, where there are 2 folders, probably matching my 2 reverse proxies.

Does anyone know if the default location is the right one?
Does this default location propagate automatically to others, like my ReverseProxy?
What about the file "cert.pem" which is there, with the same update date as the others but not uploaded by me?
Thanks for your help
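An added example, not from this thread or from Synology: a small POSIX shell script that wraps the certbot container command from the post above and then copies the three resulting files into the DSM default certificate folder Rusty named, with a backup of the previous set and owner-only permissions on the private key. Assumed: certbot writes its output under /volume1/docker/certbot/live/mydomain.xyz/ (the -v mount from the post), DOMAIN and DST_DIR are placeholders, and the -it flags are dropped because a scheduled job has no terminal; restarting DSM services afterwards is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and DOMAIN are assumptions to adjust.
set -eu

DOMAIN="mydomain.xyz"                               # placeholder
CERTBOT_ROOT="/volume1/docker/certbot"              # host side of the -v mount
DST_DIR="/usr/syno/etc/certificate/system/default"  # DSM default cert folder

# Step 1: the certbot container run from the post, minus -it (no TTY in cron).
# certbot writes cert.pem, fullchain.pem and privkey.pem under live/<domain>/.
run_certbot() {
    docker run --rm --name certbot \
        -v "$CERTBOT_ROOT:/etc/letsencrypt" \
        certbot/dns-cloudflare certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials /etc/letsencrypt/.secrets/cloudflare.ini \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --keep-until-expiring \
        -d "*.$DOMAIN"
}

# Step 2: install the three files into the DSM folder.
# Refuses to touch the live folder unless all three source files exist,
# keeps a timestamped backup of the old set next to the folder, replaces
# each file via rename so a half-written file is never left in place, and
# keeps the private key readable by its owner only.
install_certs() {
    src="$1"; dst="$2"
    for f in cert.pem fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    bak="$dst.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak"
    for f in cert.pem fullchain.pem privkey.pem; do
        [ -f "$dst/$f" ] && cp -p "$dst/$f" "$bak/$f"
        cp "$src/$f" "$dst/$f.tmp" && mv "$dst/$f.tmp" "$dst/$f"
    done
    chmod 600 "$dst/privkey.pem"
    chmod 644 "$dst/cert.pem" "$dst/fullchain.pem"
    echo "installed certs into $dst (backup in $bak)"
}

# Usage on the NAS (as root), e.g. from a scheduled task:
#   run_certbot && install_certs "$CERTBOT_ROOT/live/$DOMAIN" "$DST_DIR"
```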
 
Does anyone know if the default location is the right one?
Does this default location propagate automatically to others, like my ReverseProxy?
Correct

What about the file "cert.pem" which is there, with the same update date as the others but not uploaded by me?
You can copy your own copy, which will be generated along with the fullchain and key file. By default that file is created after you follow the manual import. It is created from the fullchain and key file.
 
Hello @Rusty
I have made my script and it correctly moves the new certificates to /usr/syno/etc/certificate/system/default.
Nevertheless, the new expiry date is not displayed on the certificate in the configuration panel, nor is it propagated to the ReverseProxy folder.
Is there a service I need to restart?
 
