Question ssl certificate

Currently reading
Question ssl certificate

40
2
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi everyone,

I've got a domain exclusively for short links. Currently I'm using it under http but want to use it under https. What makes more sense, buying a ssl certificate and install it in synology or install certbot in my syno 918+ and generate a certificate via let's encrypt?

Any advice will be appreciated.
 

Shadow

Subscriber
467
161
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
I dont get the part about 'certbot'. Doesn't the Syno gui have something bulltin already for lets encrypt (no wildcard certs).
 
Upvote 0

Rusty

Moderator
NAS Support
2,393
709
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Hi everyone,

I've got a domain exclusively for short links. Currently I'm using it under http but want to use it under https. What makes more sense, buying a ssl certificate and install it in synology or install certbot in my syno 918+ and generate a certificate via let's encrypt?

Any advice will be appreciated.
Both make sense, its just a matter of what fits your needs better.
 
Upvote 0
What's wrong with starting with free, 90 days valid Let's Encrypt certificates?
If you get a grip on automaticly renewing it and placing it wherever its needed: LE certificates are just fine.

Like Shadow wrote, the ui has a build in LE client that takes care of creation and renewal of single/multi-domain certificates. The certificates are placed in a well known folder and you can create scripts to copy them wherever they are needed - you should find enough script snippets in this forum to automate the process.

If you need wildcard certificates you need to use a different client. I am sure you can find enough details about this in this forum as well.

If automated renewal and replacement of the certificate is to complicated for you, you can still go out and buy a certificate. Though, if you need wildcard certifcates, it is going to cost.

Hint: you can run traefik as reverse proxy, which has a build in letsencrypt client for the http- and dns-challenge, which makes dealing with certificates childs play.
 
Upvote 1
40
2
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
I dont get the part about 'certbot'. Doesn't the Syno gui have something bulltin already for lets encrypt (no wildcard certs).
This is because via built in let's encrypt does not work for third domains, only with domains given by synology.
-- post merged: --

What's wrong with starting with free, 90 days valid Let's Encrypt certificates?
If you get a grip on automaticly renewing it and placing it wherever its needed: LE certificates are just fine.

Like Shadow wrote, the ui has a build in LE client that takes care of creation and renewal of single/multi-domain certificates. The certificates are placed in a well known folder and you can create scripts to copy them wherever they are needed - you should find enough script snippets in this forum to automate the process.

If you need wildcard certificates you need to use a different client. I am sure you can find enough details about this in this forum as well.

If automated renewal and replacement of the certificate is to complicated for you, you can still go out and buy a certificate. Though, if you need wildcard certifcates, it is going to cost.

Hint: you can run traefik as reverse proxy, which has a build in letsencrypt client for the http- and dns-challenge, which makes dealing with certificates childs play.
What's wrong? because bult in let's encrypt doesn't work for third domains, only for domains given by synology.
 
Upvote 0
I can not realy agree on your claim that the build in LE-client would not support other domains. When I was still using it to create my certs it worked for my own domains... Though that was for http01-challenge. For dns01-Challenge you might be right.
 
Upvote 0
40
2
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
I can not realy agree on your claim that the build in LE-client would not support other domains. When I was still using it to create my certs it worked for my own domains... Though that was for http01-challenge. For dns01-Challenge you might be right.
That is something I can´t argue I have no such technical knowledge, but it just didn't work for me. Meanwhile, thanks for the hint added.
 
Upvote 0
http01-challenge: LE tries to verify the ownership by accessing a "well-known" file on every domain you specified over http on port 80. Thus: you need to make sure your DS is reachable on port 80 from the internet.

dns01-challenge: LE injects a txt entry in your DNS records (of course the api of your dns provider needs to be supported by the LE client) and verifies it's existance - depending on the dns provider this can take up to 10 minutes and more! For custom domains, this one will only work with a 3rd party LE client.
 
Upvote 0
40
2
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
http01-challenge: LE tries to verify the ownership by accessing a "well-known" file on every domain you specified over http on port 80. Thus: you need to make sure your DS is reachable on port 80 from the internet.

dns01-challenge: LE injects a txt entry in your DNS records (of course the api of your dns provider needs to be supported by the LE client) and verifies it's existance - depending on the dns provider this can take up to 10 minutes and more! For custom domains, this one will only work with a 3rd party LE client.
Ok in order this not to happen, I need install certbot to get certificates to third-party domains.
-- post merged: --

Both make sense, its just a matter of what fits your needs better.
In order to install certbot there is the need to know under what kind of linux to install it. What is the linux of synology?
 
Upvote 0
209
44
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
Last edited:
I've been running into SSL issues too. At first I purchased a domain name from google domains, it was good because google domains also offered a built in ddns client. I setup the ddns on the NAS, using ddns.mydomain.com, i then added some sub domain names and setup reverse proxy and i was able to connect to what i needed. I then tried to sign up w/ Lets Encrypt and kept getting a failed error, check to see if domain is valid. After checking lets encrypt community, i saw some posts that mentioned google domains does NOT support LE api. I canceled with google domains and got refunded. I just signed up with DreamHost. I created the same domain name, created a cname record ddns.mydomain.com which points to a ddns name (xyz.synology.me). The connections with that and reverse proxy are working, but again i cannot get a ssl cert from LE.

When it asks for domain name, i am entering my domain name without any sub domains. I entered my email and for the SAN name I entered some various subdomain names ddns.mydomain.com, abc.mydomain.com. At one brief point i got a different error in which i had never seen before, which was something about too many tries. This i thought was good, because at least now i knew i was connecting w/ LE. I'm wondering if this is the issue because the domain name ip is registered with dreamhost, where as the sub domain names are resolving with my public isp ip address. Is it because of the ip address miss match? For now I have removed any kind of redirects on the domain (mydomain.com redirecting to ddns name which was separate and in addition to adding the cname of a subdomain to the ddns name).

I'm kind of scratching my head on this. And I have 0 experience when it comes to these certificate things. I also have ports 80 & 443 forwarded. Also I noted that LE website had a page with supported domain registrar's, google domains was not on that list, but dreamhost was so this has to be possible to setup.
 
Upvote 0
Ok in order this not to happen, I need install certbot to get certificates to third-party domains.
What does "Ok in order this not to happen,... " mean what exactly not to happen?

I'm wondering if this is the issue because the domain name ip is registered with dreamhost, where as the sub domain names are resolving with my public isp ip address. Is it because of the ip address miss match?
No it is not a problem, neither for the dns01-challenge, nor the http01-challenge. What LE-client did you use?

At one brief point i got a different error in which i had never seen before, which was something about too many tries.
see: Rate Limits - Let's Encrypt - Free SSL/TLS Certificates


Generally:
We do have two different challange types for our disposal, which have two completely different sets of requirements and problems allong the processing chain. So far neither of you shared which challenge they are aiming for.

The less precise the details you provide are, the higher the chances that no one will be able to help you and make people quickly loose interest in this thread.
 
Upvote 0
40
2
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
What does "Ok in order this not to happen,... " mean what exactly not to happen?


No it is not a problem, neither for the dns01-challenge, nor the http01-challenge. What LE-client did you use?


see: Rate Limits - Let's Encrypt - Free SSL/TLS Certificates


Generally:
We do have two different challange types for our disposal, which have two completely different sets of requirements and problems allong the processing chain. So far neither of you shared which challenge they are aiming for.

The less precise the details you provide are, the higher the chances that no one will be able to help you and make people quickly loose interest in this thread.
What does "Ok in order this not to happen,... " mean what exactly not to happen?
Related about the challenge you described in that post. To overcome this, I thought to install certbot as described in LE site.
No it is not a problem, neither for the dns01-challenge, nor the http01-challenge. What LE-client did you use?
What do you mean exactly by LE-client?
-- post merged: --

I've been running into SSL issues too. At first I purchased a domain name from google domains, it was good because google domains also offered a built in ddns client. I setup the ddns on the NAS, using ddns.mydomain.com, i then added some sub domain names and setup reverse proxy and i was able to connect to what i needed. I then tried to sign up w/ Lets Encrypt and kept getting a failed error, check to see if domain is valid. After checking lets encrypt community, i saw some posts that mentioned google domains does NOT support LE api. I canceled with google domains and got refunded. I just signed up with DreamHost. I created the same domain name, created a cname record ddns.mydomain.com which points to a ddns name (xyz.synology.me). The connections with that and reverse proxy are working, but again i cannot get a ssl cert from LE.

When it asks for domain name, i am entering my domain name without any sub domains. I entered my email and for the SAN name I entered some various subdomain names ddns.mydomain.com, abc.mydomain.com. At one brief point i got a different error in which i had never seen before, which was something about too many tries. This i thought was good, because at least now i knew i was connecting w/ LE. I'm wondering if this is the issue because the domain name ip is registered with dreamhost, where as the sub domain names are resolving with my public isp ip address. Is it because of the ip address miss match? For now I have removed any kind of redirects on the domain (mydomain.com redirecting to ddns name which was separate and in addition to adding the cname of a subdomain to the ddns name).

I'm kind of scratching my head on this. And I have 0 experience when it comes to these certificate things. I also have ports 80 & 443 forwarded. Also I noted that LE website had a page with supported domain registrar's, google domains was not on that list, but dreamhost was so this has to be possible to setup.
I understand your drama. This is why I want to try to install certbot as described in LE site, or even pay a ssl certificate if all fails. This is the both way to go as replied to me by Rusty (post way up).
On the other hand I don't no yet what kind of linux synology is running, in order to make the right choice as seen below:
firefox_RnBWD8dXAf.png
 
Upvote 0
209
44
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
I have seen this rate limit post, although its pretty hard to know if I am even hitting any rate limits considering the Synology's error message is saying failed to connect.

So far neither of you shared which challenge they are aiming for.
I personally would have no clue which challenge is being used. Wouldnt this be determined in the synology programming, since I am attempting to get the certificate from their GUI. There's nothing on synology that states which challenge they use.


Late last night I was able to create A records on my domain name that point directly to my public ip address. At that time I was finally able to get a different error message than failed to connect. This time it said maximal limit of certs for the domain. I'm currently going to wait out some time because now it probably is a rate limit issue. But prior to that when I had created a subdomain name using a CNAME record pointed to my dyndns address the error was failed to connect make sure domain is correct. I created a support ticket with Synology and they were able to debug the log which said the domain wasn't resolving to anything. My next assumption here is that after setting up my domain and creating the records, I went in to quick to try and apply for the Let's Encrypt cert. This would cause it to fail because the domain name wasn't resolving to anything just yet (on the nas maybe?!?). When I would do a command line ping and nslookup from the computer the ping's would return with my public ip (even when using the subdomain name that point to the ddns address), and NSlookup was resolving to the domain name and public ip as well. My guess is that this wasnt propagated everywhere on the internet yet, so when synology attempts to create the cert its failing because the domain is not resolving or unreachable.
 
Upvote 0
40
2
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Build-in LE-client in Syno's certificate manager, build-in Traefik or any other Let's Encrypt client.


May I ask you to search the forum for discussions arround letsencrypt.

Good luck!
Build-in LE-client in Syno's certificate manager, build-in Traefik or any other Let's Encrypt client.
Thanks, good I will search further on this in particular.

May I ask you to search the forum for discussions arround letsencrypt.
Alright, I will dig around for more info.
 
Upvote 0
209
44
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
Last edited:
So far neither of you shared which challenge they are aiming for.

I just read that synology uses the http challenge method. I guess my suspicion is isp is blocking port 80. Synology domain uses dns challenge so it doesn’t need port 80 open.

a check of can you seems.org doesn’t say that it’s blocked, it just says connection timed out

source: acmesh-official/acme.sh
 
Upvote 0
209
44
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
Alright, I was able to resolve the issue.





So after endless hours i ended up firing up my vdsm of 7.0 that i am previewing & testing and tried it from there. In 7.0 the error message wasn't so vague as dsm 6 ("Failed to connect to Lets Encrypt check to ensure domain is valid") the error message specifically said failed and to check port 80. thats when i contacted my isp via chat

Sure enough they were blocking/filtering port 80. After about 30 mins on hold with chat while they figured out how to fix it, port 80 was opened and i was able to register my domain name and SAN's with LE in synology.


DSM 6 should really have the error message more clear, this costed me days.
 
Upvote 0

Rusty

Moderator
NAS Support
2,393
709
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Alright, I was able to resolve the issue.





So after endless hours i ended up firing up my vdsm of 7.0 that i am previewing & testing and tried it from there. In 7.0 the error message wasn't so vague as dsm 6 ("Failed to connect to Lets Encrypt check to ensure domain is valid") the error message specifically said failed and to check port 80. thats when i contacted my isp via chat

Sure enough they were blocking/filtering port 80. After about 30 mins on hold with chat while they figured out how to fix it, port 80 was opened and i was able to register my domain name and SAN's with LE in synology.


DSM 6 should really have the error message more clear, this costed me days.
in /var/log/messages you will find more details for sure and there issues like this are stated. Still, I agree that it wouldn't hurt them to write that same error in the pop up window.
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Similar threads

Similar threads

Trending threads

Top