Solved SSL Certificate Error

Currently reading
Solved SSL Certificate Error

200
41
NAS
DS718+
I am currently using LE certificate on a DS718+, currently tied to a Synology quickconnect address. There are no issues when accessing the DS from the quickconnect address, however when at the office locallY using the local IP or local host name we get the certificate error. Usually no big deal because we can click to proceed and nothing is affected. However, I observed an issue yesterday where Synology Drive had not been sync'd for about two weeks. On two windows client computers running the synology drive application there were errors regarding the SSL certificate. I had to edit the connection by re-entering the user name and password, it then throws a message about the certificate and you click proceed. I guess after a while you have to do this over and over again? But I never received a notification that there was a connection error and the sync was paused.

We connect those local Windows workstations using the local host name of the DS718+. Is there anyway to include the local host name and local IP to the LE certificate? I would rather not use the quickconnect address when local, since this is only used by me to connect remotely.

The same issue would apply when you open a web browser on the LAN and enter either the local ip and/or host name. Even though you can just click to proceed, is there anyway to include these into the certificate?

Thanks guys!
 

Rusty

Moderator
NAS Support
2,262
676
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
You can add various ip address and host names in your certificate using the SAN field when you request that specific certificate.
 
200
41
NAS
DS718+
You can add various ip address and host names in your certificate using the SAN field when you request that specific certificate.
Is there anyway to edit the existing certificate for that? Or do I have to delete it out and re-add the cert?
 

Rusty

Moderator
NAS Support
2,262
676
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Is there anyway to edit the existing certificate for that? Or do I have to delete it out and re-add the cert?
You can’t edit the existing one.

Well it can be done in general but it dependable what entity and CA is behind it. The point is that you have to rekey the cert and if you have done that via dsm ui I see no way of doing this.
 
200
41
NAS
DS718+
You can’t edit the existing one.

Well it can be done in general but it dependable what entity and CA is behind it. The point is that you have to rekey the cert and if you have done that via dsm ui I see no way of doing this.
PL
You can’t edit the existing one.

Well it can be done in general but it dependable what entity and CA is behind it. The point is that you have to rekey the cert and if you have done that via dsm ui I see no way of doing this.
OK thanks, If I want to add an IP and Host name into the SAN field, how do you separate multiple items - semicolon?
 
200
41
NAS
DS718+
OK so it is failing if I type in the host name and IPs in the SAN field, is my format incorrect?

DS718;192.168.10.100;192.168.10.101

I found this article here, it does not appear that you can do this for local addresses or name.
 
Last edited:
319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
Any reason you can't just not use SSL for the local connections? If the traffic isn't going over the internet, I'm not sure what the point of using SSL would be.
 
200
41
NAS
DS718+
Any reason you can't just not use SSL for the local connections? If the traffic isn't going over the internet, I'm not sure what the point of using SSL would be.
I have everything going over https, http has been turned off so I will always have the certificate message
 
416
146
NAS
DS216+II, DS118, DS718+
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
Android
Any reason you can't just not use SSL for the local connections? If the traffic isn't going over the internet, I'm not sure what the point of using SSL would be.
I have everything going over https, http has been turned off so I will always have the certificate message
I think what Akahan is trying to say is, why encrypt the network traffic if nothing is going over the Internet. So, in your case, use http instead.

Drive sync via the applications isn't http traffic btw. Both encrypted and unencrypted traffic goes over port 6690.
 
200
41
NAS
DS718+
I think what Akahan is trying to say is, why encrypt the network traffic if nothing is going over the Internet. So, in your case, use http instead.

Drive sync via the applications isn't http traffic btw. Both encrypted and unencrypted traffic goes over port 6690.
I also use DSM remotely and local, I would have to expose http for this as well then as opposed to right now it’s just completely off.

Also if a computer gets compromised somehow and let’s say the attack vector can see the NAS traffic, wouldn’t it be better to just have everything encrypted?

There may also be a client where they have to be PCI compliant because of credit card information etc, therefore all transmissions need to be not only segmented but encrypted as well.

Is it that there are just no solutions to not have a cert error for local? If so then it is what it is, but if it’s some what capable of doing I’d rather not resort to work arounds.
 
319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
You can't put the IP address or the machine name in a cert. But you could get yourself a domain name, e.g., localdomain.com, generate a cert for that domain name, and use that domain name to connect internally.
 
200
41
NAS
DS718+
You can't put the IP address or the machine name in a cert. But you could get yourself a domain name, e.g., localdomain.com, generate a cert for that domain name, and use that domain name to connect internally.
I currently have a ddns Synology.me with the let’s encrypt cert attached; this works fine remotely.

If I use that address internally will it route locally only, Or will the traffic go out and come back in? I know the ddns/dns lookup will route out, but what about the actual data transmissions.
 
319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
It will stay internal.
 
319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
If NAT loopback doesn't work, it won't work AT ALL to attempt to reach devices on your LAN from within the LAN using the WAN address; so it doesn't matter.
 
200
41
NAS
DS718+
It will stay internal.
OK cool. So I just ran a trace route command (tracert) from a computer on the local LAN. I only got one hop back which resulted in the local IP and hostname of the NAS. So I guess this was never an issue to begin with. RESOLUTION: just always use the DDNS name that you have the cert attached to whether local or remote.

I also ran a trace route from my laptop over a vpn, using the Synology DDNS name (Let's Encrypt cert attached to) and I also got one hop with the local IP and hostname.

EDIT:
A while back I also added the DDNS name into the DNS Server settings of a Verizon Fios router. You can only set a name to an IP (can't do reverse). So for now I have removed that entry to see if the DDNS name w/ cert will still resolve locally without going out of the local lan.

Should I keep that entry in the DNS server settings? Not sure how loopback works, but if it happens automatically then I would think I can remove the DNS entry pointing to the local address.
 
Last edited:
319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
It’s very easy to verify. Start transferring an extremely large file or folder full of files from one machine on your LAN to another using the WAN address of the destination , and during the transfer disconnect your router from the WAN. The transfer will continue because none of the packets are going out onto the Internet. Once the router has found the destination machine, it uses its MAC address, not its IP address to transfer the data.
 
Last edited:
319
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
Sorry, missed your EDIT - assuming your DDNS is working (that is, it can be reached from other machines elsewhere on the internet), then you don't need it in the DNS settings of your router. Your machines will be able to find it the same way everyone else does. And it'll have no effect on whether the DATA you're sending will traverse the internet or not.
 
200
41
NAS
DS718+
Sorry, missed your EDIT - assuming your DDNS is working (that is, it can be reached from other machines elsewhere on the internet), then you don't need it in the DNS settings of your router. Your machines will be able to find it the same way everyone else does. And it'll have no effect on whether the DATA you're sending will traverse the internet or not.
Firstly, Thanks for all your help!

I removed the DDNS name pointing to the local IP of the nas in the DNS settings of the FIOS router. When I did that I ran the trace route and I saw multiple hops (about 12) whereas prior it was just the one local hop to the NAS.

Does this mean much, Or is that traffic still local when removing the DDNS name from DNS settings of the router?
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Similar threads

Trending threads

Top