Solved SSL Certificate for LAN


13
1
NAS
ds218+
Operating system
  1. Linux
For several reasons I do not expose my Synology NAS DiskStation to the Internet and only run Photo Station for LAN users:

URL: https://nas.lan/photo
local IP segment: 192.168.0.10/24

When they connect, they all get a warning that the connection is suspicious and the certificate is not valid (of course).

How can I best fix it? I do have my own domain registered and I do have a public IP on my router (but I don't want to overcomplicate things).

Tx and wishing you a Happy New Year!
 
321
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
If they're connecting from within the LAN, why use https? Just use http, and then you don't need to deal with certificates at all.
 
13
1
NAS
ds218+
Operating system
  1. Linux
If they're connecting from within the LAN, why use https? Just use http, and then you don't need to deal with certificates at all.

The answer is "layered security". If any of the client systems on the LAN get compromised, and installed with bots/malware, they can easily read the HTTP traffic on the LAN. Then connecting to my admin interface on DSM and Photo Station will expose the usernames and passwords in plaintext.
 
321
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Using the DNS configuration at the registrar of your domain name, point the domain name to your WAN address. Install a Let's Encrypt certificate corresponding to both lan and nas.lan (where lan = your domain name and you have a reverse proxy set to direct traffic to nas.lan to the right device) on the NAS, and have users contact the NAS via the name nas.lan rather than the numeric IP address.
 

Rusty

Moderator
NAS Support
2,353
701
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
As posted, but be sure that your router supports NAT loopback for this to work.
 
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS-rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.
 
13
1
NAS
ds218+
Operating system
  1. Linux
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS-rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.

Yes, this looks interesting, I need to learn about these technologies in more detail (DNS rebind, DNS challenge).

Tx
 
1,063
355
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
Create your own cert...
 
13
1
NAS
ds218+
Operating system
  1. Linux
Using the DNS configuration at the registrar of your domain name, point the domain name to your WAN address. Install a Let's Encrypt certificate corresponding to both lan and nas.lan (where lan = your domain name and you have a reverse proxy set to direct traffic to nas.lan to the right device) on the NAS, and have users contact the NAS via the name nas.lan rather than the numeric IP address.

I am not sure that I want to open up the HTTP/S ports for my nas.mydomain.eu externally. I have no reverse proxy per se, only NATed internal network and then I would have to set up port forwarding.
 
13
1
NAS
ds218+
Operating system
  1. Linux
You could completely stay within the borders of your local LAN if you add subdomains to your public domain that resolve to local LAN IPs... In case your router has DNS-rebind protection, just add those subdomains to the exclusion list and you are ready to go.

If you are able to use Let's Encrypt's DNS challenge to create a wildcard domain certificate, you could use it on those subdomains as well.

Do I understand it correctly as follows?

www.mydomain.eu. IN A x.y.z.w ; This is my web server
nas.local.mydomain.eu. IN A 192.168.1.100 ; This is my nas server
 
321
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
You wouldn’t have to open up to the internet except briefly when obtaining your certificate.
 
13
1
NAS
ds218+
Operating system
  1. Linux
Do I understand it correctly as follows?

www.mydomain.eu. IN A x.y.z.w ; This is my web server
nas.local.mydomain.eu. IN A 192.168.1.100 ; This is my nas server

Or do you simply mean to add hosts under
mydomain.eu.
to resolve to local IPs?

I will probably implement a script for automatic renewal using Certbot ACME.

Tx
 
Just add subdomains and resolve their A record to a local IP.

You might want to use the dns-01 challenge for wildcard certificates rather than the http-01 challenge for subdomain-specific certificates. One of the advantages of dns-01 is that you don't need to expose any ports to the internet, as it will inject a TXT entry into your domain and verify its existence. When using dns-01 you need to take into account that updates on DNS won't be visible immediately and you will need to use a delay before checking (certbot provides an option for this). In my first attempts I failed to pass the dns-01 challenge verification because I was too impatient... Certbot provides a list of recommended delays for supported DNS API providers. Make sure your script renews the certificates a couple of days before the current one expires.

Hint: a wildcard certificate is only valid for the same level, e.g. a certificate for *.domain.tld is not valid for *.sub.domain.tld
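The checks behind the advice in this post, as an added example that is not code from the forum or from Synology: the one-label wildcard rule from the hint, the "renew before expiry" window, and the dns-01 TXT value together with the propagation wait that the post says is easy to get wrong. All hostnames, the token and the thumbprint are constructed sample values.

```python
"""Added example (not from the forum posts): name_matches() applies the
one-label wildcard rule, renewal_due() the "renew a couple of days before
expiry" advice, and dns01_txt_value()/wait_for_txt() the dns-01 TXT record
plus the propagation wait. All names and values are constructed."""
import base64
import hashlib
import time
from datetime import datetime, timedelta

def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style: '*' covers exactly one leftmost label, so *.mydomain.eu
    covers nas.mydomain.eu but not nas.local.mydomain.eu or mydomain.eu."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                       # ".mydomain.eu"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost

def covered_by(san_names, host: str) -> bool:
    """True if any subjectAltName entry of the certificate covers the host."""
    return any(name_matches(n, host) for n in san_names)

def renewal_due(not_after_iso: str, now_iso: str, days_before: int = 30) -> bool:
    """True once 'now' is within days_before of the certificate's notAfter
    (certbot's default window is 30 days; the post says 'a couple of days')."""
    not_after, now = datetime.fromisoformat(not_after_iso), datetime.fromisoformat(now_iso)
    return now >= not_after - timedelta(days=days_before)

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: the _acme-challenge TXT value is
    base64url(SHA-256(token + "." + account key thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{account_thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def wait_for_txt(lookup, name: str, expected: str, delay: float, attempts: int) -> bool:
    """Poll lookup(name) (returns a list of TXT strings) until the record is
    visible. Asking the CA to verify before this returns True is how dns-01 fails."""
    for _ in range(attempts):
        if expected in lookup(name):
            return True
        time.sleep(delay)
    return False
```

In a renewal script, `lookup` would be a real resolver query against the domain's authoritative servers, and `delay` the provider-specific propagation time that certbot's DNS plugins also expose as an option.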
 
33
5
NAS
DS1019+, DS412+
Create your own cert...
How much detail would you need to add on the certificate for it to work?
 
1,063
355
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
How much detail would you need to add on the certificate for it to work?
If your need is the same as the OP's... a dirt-simple way to avoid the "insecure" browser warning with a self-signed cert can be followed here...

I've done this and can attest to the fine "padlock" on my LAN IP URL.
 
13
1
NAS
ds218+
Operating system
  1. Linux
If your need is the same as the OP's... a dirt-simple way to avoid the "insecure" browser warning with a self-signed cert can be followed here...

I've done this and can attest to the fine "padlock" on my LAN IP URL.

This is a simple and yet effective solution for my LAN (Photo Station, DSM administration).
Thanks.
 
