Solved SSL Certificate for LAN

NAS: ds218+
Operating system: Linux
For several reasons I do not expose my Synology NAS DiskStation to the Internet and only run Photo Station for LAN users:

URL: https://nas.lan/photo
local IP segment: 192.168.0.10/24

When they connect, they all get a warning that the connection is suspicious and the certificate is not valid (of course).

How can I best fix it? I do have my own domain registered and I do have a public IP on my router (but I don't want to over complicate things).

Tx and wishing you a Happy New Year!
 
If they're connecting from within the LAN, why use https? Just use http, and then you don't need to deal with certificates at all.

The answer is "layered security". If any of the client systems on the LAN gets compromised and has bots/malware installed, it can easily read the HTTP traffic on the LAN. Then connecting to my admin interface on DSM and Photo Station will expose the usernames and passwords in plaintext.
 
Using the DNS configuration at the registrar of your domain name, point the domain name to your WAN address. Install a Let's Encrypt certificate corresponding to both lan and nas.lan (where lan = your domain name and you have a reverse proxy set to direct traffic for nas.lan to the right device) on the NAS, and have users contact the NAS via the name nas.lan rather than the numeric IP address.
 
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.
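The rebind-protection behaviour described in this post, as an added example that is not code from the thread or from Synology: a router that enforces DNS rebind protection drops any answer for a public name that points into private address space, unless the name sits under a domain on its exclusion list, so the LAN client sees a failed lookup rather than a certificate error. The zone records, addresses and exclusion-list names below are constructed for illustration; the matching rule (the excluded domain and everything beneath it) is how dnsmasq's rebind-domain-ok option behaves, and is an assumption for other routers.

```python
"""Simulate what a LAN client receives from a router with DNS rebind
protection, for public zone records that point at LAN addresses.
Added example, not code from the thread."""
import ipaddress

# Constructed zone for the thread's scenario (assumed names/addresses).
ZONE = {
    "www.mydomain.eu": "203.0.113.10",        # public web server
    "nas.mydomain.eu": "192.168.1.100",       # NAS, reachable only on the LAN
    "nas.local.mydomain.eu": "192.168.1.100",
    "cam.mydomain.eu": "fd12:3456:789a::5",   # IPv6 ULA is "private" too
}

# Ranges a rebind-protecting router refuses to hand out for public names:
# RFC 1918, loopback and link-local for IPv4; ULA, link-local, loopback for IPv6.
REBIND_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_rebind_candidate(address: str) -> bool:
    """True if an answer points into address space covered by rebind protection."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in REBIND_NETS)


def is_excluded(name: str, exclusions) -> bool:
    """An exclusion entry covers the domain itself and every name beneath it."""
    name = name.rstrip(".").lower()
    for dom in exclusions:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def resolve_through_router(name: str, zone=ZONE, exclusions=()):
    """Return the address a LAN client gets, or None if the router's rebind
    protection drops the answer (or the name does not exist in the zone)."""
    answer = zone.get(name.rstrip(".").lower())
    if answer is None:
        return None
    if is_rebind_candidate(answer) and not is_excluded(name, exclusions):
        return None
    return answer


if __name__ == "__main__":
    for exclusions in ((), ("mydomain.eu",), ("local.mydomain.eu",)):
        print("exclusion list:", list(exclusions) or "(empty)")
        for host in ZONE:
            print("  ", host, "->", resolve_through_router(host, exclusions=exclusions))
```

The public www record always passes; the records pointing at 192.168.1.100 (and the ULA address) only pass once their parent domain is on the exclusion list, and excluding local.mydomain.eu alone does not rescue nas.mydomain.eu. Private answers that do pass are exactly the ones the router would otherwise treat as a rebinding attack, so the exclusion should be as narrow as the names you actually use.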
 

Yes, this looks interesting. I need to learn about these technologies in more detail (DNS rebind, DNS challenge).

Tx
 
I am not sure that I want to open up the HTTP/S ports for my nas.mydomain.eu externally. I have no reverse proxy per se, only a NATed internal network, and then I would have to set up port forwarding.
 
Do I understand it correctly as follows?

www.mydomain.eu. IN A x.y.z.w ; This is my web server
nas.local.mydomain.eu. IN A 192.168.1.100 ; This is my nas server

Or do you simply mean to add hosts under
mydomain.eu.
to resolve to local IPs?

I will probably implement a script for automatic renewal using Certbot ACME.

Tx
 
Just add subdomains and resolve their A record to a local IP.

You might want to use the dns-01 challenge for wildcard certificates rather than the http-01 challenge for subdomain-specific certificates. One of the advantages of dns-01 is that you don't need to expose any ports to the Internet, as it will inject a TXT entry into your domain and verify its existence. When using dns-01 you need to take into account that updates on DNS won't be visible immediately and you will need to use a delay before checking (certbot provides an option for this). In my first attempts I failed to pass the dns-01 challenge verification because I was too impatient... Certbot provides a list of recommended delays for supported DNS API providers. Make sure your script renews the certificates a couple of days before the current one expires.

Hint: a wildcard certificate is only valid for the same level, e.g. a certificate for *.domain.tld is not valid for *.sub.domain.tld
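The wildcard-level hint above, and the question earlier in the thread about nas.local.mydomain.eu versus hosts directly under mydomain.eu, can be checked before the certificate is requested. The following is an added example, not code from the thread or from certbot: it applies the name-matching rules browsers use (RFC 6125 and the CA/Browser Forum baseline: a wildcard may only be the whole leftmost label and matches exactly one label, and an IP-address host only matches an IP SAN entry, never a DNS entry). SAN entries use the openssl subjectAltName syntax (DNS:..., IP:...); the host names are taken from the thread, the SAN lists are constructed.

```python
"""Check which hosts a certificate's subjectAltName list would cover,
using browser wildcard-matching rules. Added example, not from the thread."""
import ipaddress


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.
    A wildcard is accepted only as the entire leftmost label and stands for
    exactly one label, so *.mydomain.eu covers nas.mydomain.eu but neither
    mydomain.eu nor nas.local.mydomain.eu."""
    cert_name, hostname = _normalize(cert_name), _normalize(hostname)
    if "*" not in cert_name:
        return cert_name == hostname
    wild, _, cert_suffix = cert_name.partition(".")
    if wild != "*" or not cert_suffix:
        return False  # partial-label wildcards (n*.example) and bare '*' are rejected
    host_first, _, host_suffix = hostname.partition(".")
    return bool(host_first) and host_suffix == cert_suffix


def cert_covers(san_entries, host: str) -> bool:
    """san_entries like ['DNS:*.mydomain.eu', 'IP:192.168.1.100'].
    An IP literal in the URL is only matched by an IP entry; a DNS entry
    spelling the same address does not count."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")  # first colon only, so IPv6 survives
        kind, value = kind.strip().upper(), value.strip()
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS":
            if name_matches(value, host):
                return True
    return False


def uncovered_hosts(san_entries, hostnames):
    """Hosts that would still produce a browser warning with this certificate."""
    return [h for h in hostnames if not cert_covers(san_entries, h)]


if __name__ == "__main__":
    # Constructed SAN list for a wildcard certificate as suggested in the thread.
    san = ["DNS:mydomain.eu", "DNS:*.mydomain.eu"]
    hosts = ["mydomain.eu", "nas.mydomain.eu", "nas.local.mydomain.eu", "192.168.1.100"]
    for h in hosts:
        print(f"{h:25s} covered: {cert_covers(san, h)}")
    print("still uncovered:", uncovered_hosts(san, hosts))
```

With DNS:*.mydomain.eu the host nas.mydomain.eu is covered, while nas.local.mydomain.eu needs its own entry (or DNS:*.local.mydomain.eu) and the bare mydomain.eu needs DNS:mydomain.eu, which is why the earlier suggestion lists both the domain and the host name. A LAN URL by IP address, as in the self-signed-certificate approach discussed later, needs an IP: entry in the certificate.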
 
How much detail would you need to add on the certificate for it to work?
If your need is the same as the OP's... a dirt-simple way to avoid the "insecure" browser warning with a self-signed cert can be followed here...

I've done this and can attest to the fine "padlock" on my LAN IP URL.
 

This is a simple and yet effective solution for my lan (photo station, dsm administration).
Thanks.
 
