Solved SSL Certificate Error

I am currently using an LE certificate on a DS718+, currently tied to a Synology QuickConnect address. There are no issues when accessing the DS from the QuickConnect address; however, when at the office locally using the local IP or local host name we get the certificate error. Usually no big deal because we can click to proceed and nothing is affected. However, I observed an issue yesterday where Synology Drive had not been sync'd for about two weeks. On two Windows client computers running the Synology Drive application there were errors regarding the SSL certificate. I had to edit the connection by re-entering the user name and password; it then throws a message about the certificate and you click proceed. I guess after a while you have to do this over and over again? But I never received a notification that there was a connection error and the sync was paused.

We connect those local Windows workstations using the local host name of the DS718+. Is there any way to include the local host name and local IP to the LE certificate? I would rather not use the QuickConnect address when local, since this is only used by me to connect remotely.

The same issue would apply when you open a web browser on the LAN and enter either the local IP and/or host name. Even though you can just click to proceed, is there any way to include these into the certificate?

Thanks guys!
 

Rusty

You can add various IP addresses and host names to your certificate using the SAN field when you request that specific certificate.
 
> You can add various IP addresses and host names to your certificate using the SAN field when you request that specific certificate.

Is there any way to edit the existing certificate for that? Or do I have to delete it out and re-add the cert?
 

Rusty

> Is there any way to edit the existing certificate for that? Or do I have to delete it out and re-add the cert?

You can’t edit the existing one.

Well, it can be done in general, but it depends on what entity and CA is behind it. The point is that you have to rekey the cert, and if you have done that via the DSM UI I see no way of doing this.
 
> You can’t edit the existing one.
>
> Well, it can be done in general, but it depends on what entity and CA is behind it. The point is that you have to rekey the cert, and if you have done that via the DSM UI I see no way of doing this.

OK thanks. If I want to add an IP and host name into the SAN field, how do you separate multiple items - semicolon?
 

OK so it is failing if I type in the host name and IPs in the SAN field, is my format incorrect?

DS718;192.168.10.100;192.168.10.101

I found this article here, it does not appear that you can do this for local addresses or name.
 
Any reason you can't just not use SSL for the local connections? If the traffic isn't going over the internet, I'm not sure what the point of using SSL would be.
 
> Any reason you can't just not use SSL for the local connections? If the traffic isn't going over the internet, I'm not sure what the point of using SSL would be.

I have everything going over https, http has been turned off so I will always have the certificate message
 

Shadow

>> Any reason you can't just not use SSL for the local connections? If the traffic isn't going over the internet, I'm not sure what the point of using SSL would be.
>
> I have everything going over https, http has been turned off so I will always have the certificate message

I think what Akahan is trying to say is, why encrypt the network traffic if nothing is going over the Internet. So, in your case, use http instead.

Drive sync via the applications isn't http traffic btw. Both encrypted and unencrypted traffic goes over port 6690.
 
> I think what Akahan is trying to say is, why encrypt the network traffic if nothing is going over the Internet. So, in your case, use http instead.
>
> Drive sync via the applications isn't http traffic btw. Both encrypted and unencrypted traffic goes over port 6690.

I also use DSM remotely and local, I would have to expose http for this as well then as opposed to right now it’s just completely off.

Also if a computer gets compromised somehow and let’s say the attack vector can see the NAS traffic, wouldn’t it be better to just have everything encrypted?

There may also be a client where they have to be PCI compliant because of credit card information etc, therefore all transmissions need to be not only segmented but encrypted as well.

Is it that there are just no solutions to not have a cert error for local? If so then it is what it is, but if it’s somewhat capable of doing I’d rather not resort to workarounds.
 
You can't put the IP address or the machine name in a cert. But you could get yourself a domain name, e.g., localdomain.com, generate a cert for that domain name, and use that domain name to connect internally.
 
> You can't put the IP address or the machine name in a cert. But you could get yourself a domain name, e.g., localdomain.com, generate a cert for that domain name, and use that domain name to connect internally.

I currently have a DDNS Synology.me with the Let’s Encrypt cert attached; this works fine remotely.

If I use that address internally will it route locally only, or will the traffic go out and come back in? I know the DDNS/DNS lookup will route out, but what about the actual data transmissions?
 
It will stay internal.
 
If NAT loopback doesn't work, it won't work AT ALL to attempt to reach devices on your LAN from within the LAN using the WAN address; so it doesn't matter.
 
> It will stay internal.

OK cool. So I just ran a trace route command (tracert) from a computer on the local LAN. I only got one hop back which resulted in the local IP and hostname of the NAS. So I guess this was never an issue to begin with. RESOLUTION: just always use the DDNS name that you have the cert attached to whether local or remote.

I also ran a trace route from my laptop over a vpn, using the Synology DDNS name (Let's Encrypt cert attached to) and I also got one hop with the local IP and hostname.

EDIT:
A while back I also added the DDNS name into the DNS Server settings of a Verizon Fios router. You can only set a name to an IP (can't do reverse). So for now I have removed that entry to see if the DDNS name w/ cert will still resolve locally without going out of the local LAN.

Should I keep that entry in the DNS server settings? Not sure how loopback works, but if it happens automatically then I would think I can remove the DNS entry pointing to the local address.
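
The certificate behaviour running through this thread, as an added example that is not part of any poster's message: the sketch below checks which addresses a client might type are covered by a certificate's SAN list, and which entries a publicly trusted CA could validate at all. The DDNS name `nas-example.synology.me` and the private-suffix list are constructed assumptions; the host name and IPs are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample: SAN list of a certificate issued only for a DDNS name.
# "nas-example.synology.me" is a placeholder, not a name from the thread.
CERT_SANS = [("DNS", "nas-example.synology.me")]
# Illustrative (not exhaustive) suffixes that never resolve in public DNS.
PRIVATE_SUFFIXES = {"local", "localhost", "internal", "test", "invalid"}

def parse_target(target):
    """Classify what the client typed: ("IP", address) or ("DNS", name)."""
    try:
        return "IP", ipaddress.ip_address(target)
    except ValueError:
        return "DNS", target.rstrip(".").lower()

def dns_match(pattern, host):
    """RFC 6125-style match; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(sans, target):
    """True if the name or IP used to connect appears in the SAN list."""
    kind, value = parse_target(target)
    for san_kind, san_value in sans:
        if kind == san_kind == "IP" and ipaddress.ip_address(san_value) == value:
            return True
        if kind == san_kind == "DNS" and dns_match(san_value, value):
            return True
    return False

def public_ca_can_validate(entry):
    """Approximate test: could a publicly trusted CA prove control of this entry?"""
    kind, value = parse_target(entry)
    if kind == "IP":
        return value.is_global  # private (RFC 1918), loopback, link-local fail
    labels = value.split(".")
    return len(labels) >= 2 and labels[-1] not in PRIVATE_SUFFIXES

def report(sans, targets):
    """Map each target to (covered by this cert, validatable by a public CA)."""
    return {t: (cert_covers(sans, t), public_ca_can_validate(t)) for t in targets}

if __name__ == "__main__":
    targets = ["DS718", "192.168.10.100", "192.168.10.101", "nas-example.synology.me"]
    for name, (covered, issuable) in report(CERT_SANS, targets).items():
        print(f"{name:26} covered={covered!s:5} public CA can validate={issuable}")
```

Only the DDNS name passes both checks, which is why connecting by that name avoids the warning while the bare host name and LAN IPs do not.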
 
It’s very easy to verify. Start transferring an extremely large file or folder full of files from one machine on your LAN to another using the WAN address of the destination, and during the transfer disconnect your router from the WAN. The transfer will continue because none of the packets are going out onto the Internet. Once the router has found the destination machine, it uses its MAC address, not its IP address, to transfer the data.
 
Sorry, missed your EDIT - assuming your DDNS is working (that is, it can be reached from other machines elsewhere on the internet), then you don't need it in the DNS settings of your router. Your machines will be able to find it the same way everyone else does. And it'll have no effect on whether the DATA you're sending will traverse the internet or not.
 
> Sorry, missed your EDIT - assuming your DDNS is working (that is, it can be reached from other machines elsewhere on the internet), then you don't need it in the DNS settings of your router. Your machines will be able to find it the same way everyone else does. And it'll have no effect on whether the DATA you're sending will traverse the internet or not.

Firstly, thanks for all your help!

I removed the DDNS name pointing to the local IP of the NAS in the DNS settings of the Fios router. When I did that I ran the trace route and I saw multiple hops (about 12) whereas prior it was just the one local hop to the NAS.

Does this mean much, or is that traffic still local when removing the DDNS name from DNS settings of the router?
 
