Solved SSL Certificate for LAN


13
1
NAS
ds218+
Operating system
  1. Linux
For several reasons I do not expose my Synology NAS DiskStation to the Internet and only run Photo Station for LAN users:

URL: https://nas.lan/photo
local IP segment: 192.168.0.10/24

When they connect, they all get a warning that the connection is suspicious and the certificate is not valid (of course).

How can I best fix it? I do have my own domain registered and I do have a public IP on my router (but I don't want to overcomplicate things).

Tx and wishing you a Happy New Year!
 
421
166
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
If they're connecting from within the LAN, why use https? Just use http, and then you don't need to deal with certificates at all.
 
13
1
NAS
ds218+
Operating system
  1. Linux
If they're connecting from within the LAN, why use https? Just use http, and then you don't need to deal with certificates at all.

The answer is "layered security". If any of the client systems on the LAN get compromised, and installed with bots/malware, they can easily read the HTTP traffic on the LAN. Then connecting to my admin interface on DSM and Photo Station will expose the usernames and passwords in plaintext.
 
421
166
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Using the DNS configuration at the registrar of your domain name, point the domain name to your WAN address. Install a Let's Encrypt certificate corresponding to both lan and nas.lan (where lan = your domain name and you have a reverse proxy set to direct traffic to nas.lan to the right device) on the NAS, and have users contact the NAS via the name nas.lan rather than the numeric IP address.
 
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS-rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.
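A small model of what that router setting does, as an added example that is not code from this thread or from any router vendor: a DNS-rebind filter drops any answer in which a public name resolves to a private address, which is exactly what the split-horizon records suggested above look like, so the subdomain has to be on the exclusion list. The domain names and addresses are constructed (the 198.51.100.0/24 block is a documentation range standing in for the real WAN address); it uses only the Python standard library.

```python
"""Added example (not from the thread): how a router's DNS-rebind protection
treats split-horizon answers, and why the exclusion list is needed.

Rebind protection drops DNS replies in which a public name resolves to a
private address, because that is what a DNS-rebinding attack against LAN
devices looks like. A legitimate nas.local.mydomain.eu -> 192.168.1.100
record looks identical, so that zone must be excluded from the filter.
All names and addresses below are constructed.
"""
import ipaddress

# Address ranges a typical rebind filter refuses in answers for public names.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def resolves_to_local(ip: str) -> bool:
    """True if the answer address lies in a private or local-only range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_RANGES)


def under_excluded_zone(name: str, exclusions) -> bool:
    """True if name equals, or sits below, one of the excluded subdomains."""
    n = name.lower().rstrip(".")
    zones = (z.lower().rstrip(".") for z in exclusions)
    return any(n == z or n.endswith("." + z) for z in zones)


def filter_answers(answers, exclusions=()):
    """Apply the rebind rule to a list of (name, ip) answers.

    Returns (delivered, dropped): delivered answers reach the LAN client,
    dropped ones are the lookups that fail until the zone is excluded.
    """
    delivered, dropped = [], []
    for name, ip in answers:
        if resolves_to_local(ip) and not under_excluded_zone(name, exclusions):
            dropped.append((name, ip))
        else:
            delivered.append((name, ip))
    return delivered, dropped


# Constructed sample: a public web server and a split-horizon NAS record.
SAMPLE_ANSWERS = [
    ("www.mydomain.eu", "198.51.100.7"),          # stands in for the public x.y.z.w
    ("nas.local.mydomain.eu", "192.168.1.100"),   # the private answer the router distrusts
]

if __name__ == "__main__":
    print("without exclusion:", filter_answers(SAMPLE_ANSWERS))
    print("with exclusion:   ", filter_answers(SAMPLE_ANSWERS, {"local.mydomain.eu"}))
```

Running it shows the NAS record being dropped on the first call and delivered on the second; the exclusion should be as narrow as the zone that genuinely holds private addresses (`local.mydomain.eu` here), not the whole public domain, so the filter still protects against rebinding of every other name.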
 
13
1
NAS
ds218+
Operating system
  1. Linux
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS-rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.

Yes, this looks interesting, I need to learn about these technologies in more detail (DNS rebind, DNS challenge).

Tx
 

Telos

Subscriber
2,839
898
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
Create your own cert...
 
13
1
NAS
ds218+
Operating system
  1. Linux
Using the DNS configuration at the registrar of your domain name, point the domain name to your WAN address. Install a Let's Encrypt certificate corresponding to both lan and nas.lan (where lan = your domain name and you have a reverse proxy set to direct traffic to nas.lan to the right device) on the NAS, and have users contact the NAS via the name nas.lan rather than the numeric IP address.

I am not sure that I want to open up the HTTP/S ports for my nas.mydomain.eu externally. I have no reverse proxy per se, only NATed internal network and then I would have to set up port forwarding.
 
13
1
NAS
ds218+
Operating system
  1. Linux
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS-rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.

Do I understand it correctly as follows?

www.mydomain.eu. IN A x.y.z.w ; This is my web server
nas.local.mydomain.eu. IN A 192.168.1.100 ; This is my nas server
 
421
166
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
You wouldn’t have to open up to the internet except briefly when obtaining your certificate.
 
13
1
NAS
ds218+
Operating system
  1. Linux
Do I understand it correctly as follows?

www.mydomain.eu. IN A x.y.z.w ; This is my web server
nas.local.mydomain.eu. IN A 192.168.1.100 ; This is my nas server

Or do you simply mean to add hosts under
mydomain.eu.
to resolve to local IPs?

I will probably implement a script for automatic renewal using Certbot ACME.

Tx
 
Just add subdomains and resolve their A record to a local IP.

You might want to use the dns-01 challenge for wildcard certificates rather than the http-01 challenge for subdomain-specific certificates. One of the advantages of dns-01 is that you don't need to expose any ports to the internet, as it will inject a TXT entry into your domain and verify its existence. When using dns-01 you need to take into account that updates on DNS won't be visible immediately and you will need to use a delay before checking (certbot provides an option for this). In my first attempts I failed to pass the dns-01 challenge verification, because I was too impatient... Certbot provides a list of recommended delays for supported DNS API providers. Make sure your script renews the certificates a couple of days before the current one expires.

Hint: a wildcard certificate is only valid for the same level, e.g. a certificate for *.domain.tld is not valid for *.sub.domain.tld
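Two checks a renewal script for this setup would want to make, as an added example that is not code from the thread or from certbot: the wildcard-level rule from the hint above (a SAN entry `*.mydomain.eu` covers `nas.mydomain.eu` but not `nas.local.mydomain.eu`), and a renewal-window test on a certificate's notAfter date so the script renews before expiry rather than after. The SAN list, hostnames and dates are constructed; only the Python standard library is used.

```python
"""Added example (not from the thread): two checks for a LAN-certificate
renewal script.

1. Does the certificate's SAN list cover every LAN hostname? A wildcard
   covers exactly one label, so *.mydomain.eu does not cover
   nas.local.mydomain.eu (the hint above).
2. Is the certificate inside the renewal window, so renewal happens with
   days to spare rather than after the browser warnings come back?
Hostnames and dates are constructed; no network access is needed.
"""
import ssl
from datetime import datetime, timedelta


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    Wildcard rule as public CAs issue it: '*' may only be the entire
    leftmost label and it stands for exactly one label, never zero or several.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def uncovered_hosts(san_names, lan_hosts):
    """Return the LAN hostnames that none of the SAN entries cover."""
    return [host for host in lan_hosts
            if not any(name_matches(san, host) for san in san_names)]


def needs_renewal(not_after: str, now_iso: str, days_before: int = 30) -> bool:
    """True if fewer than `days_before` days remain before `not_after`.

    `not_after` uses the notAfter format the ssl module returns, e.g.
    'Jan 15 12:00:00 2025 GMT'; `now_iso` is an ISO 8601 UTC timestamp.
    30 days is certbot's default window for a 90-day certificate; the
    thread's "a couple of days" is the bare minimum.
    """
    expiry = datetime.utcfromtimestamp(ssl.cert_time_to_seconds(not_after))
    now = datetime.fromisoformat(now_iso).replace(tzinfo=None)
    return expiry - now <= timedelta(days=days_before)


# Constructed sample: wildcard cert for the public domain, hosts two levels down.
SAN_NAMES = ["mydomain.eu", "*.mydomain.eu"]
LAN_HOSTS = ["nas.mydomain.eu", "nas.local.mydomain.eu", "dsm.local.mydomain.eu"]

if __name__ == "__main__":
    print("not covered:", uncovered_hosts(SAN_NAMES, LAN_HOSTS))
    print("needs renewal:", needs_renewal("Jan 15 12:00:00 2025 GMT", "2025-01-01T00:00:00"))
```

With the sample SAN list the two `local.mydomain.eu` hosts come back as uncovered; adding `*.local.mydomain.eu` as a second wildcard (one dns-01 challenge per name) clears the list. The date check is the part to run from the script's own schedule, not from the certificate's, so a failed dns-01 attempt still leaves time for a retry.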
 
37
6
NAS
DS1019+, DS412+
Create your own cert...
How much detail would you need to add on the certificate for it to work?
 

Telos

Subscriber
2,839
898
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
How much detail would you need to add on the certificate for it to work?
If your need is the same as the OP's... a dirt-simple way to avoid the "insecure" browser warning with a self-signed cert can be followed here...

I've done this and can attest to the fine "padlock" on my LAN IP URL.
 
13
1
NAS
ds218+
Operating system
  1. Linux
If your need is the same as the OP's... a dirt-simple way to avoid the "insecure" browser warning with a self-signed cert can be followed here...

I've done this and can attest to the fine "padlock" on my LAN IP URL.

This is a simple and yet effective solution for my LAN (Photo Station, DSM administration).
Thanks.
 