Still getting Certificate Isn't Private after using Let's Encrypt

Hello, so I have two IP addresses: one for the internal direct connection between the NAS and the PC (connected via the 10GbE Ethernet module with a static IP) and another for the connection between the NAS and the router (DHCP IP). Both show up under Synology Assistant.

I used Let's Encrypt to authenticate a certificate with domain name created by myself. From DSM > Security > Certificate, I see my domain name and an expiration date of three months later. Under it, it has (Default certificate) (RSA/ECC) Synology DDNS Certificate. Double clicking on it shows that it was issued by R3. Does that mean my certificate and domain have been created and approved by Let's Encrypt successfully?

For the two IP addresses, regardless of which one I use, I keep getting "Connection Isn't Private" (on Mac and PC) or "Potential Security Risk Ahead" on Firefox. Usually I type https:// followed by the IP address. Is this the proper way?

I also typed the domain name in the URL bar, but the browsers kept me waiting and then gave me "The connection has timed out".

What is wrong?
 
I am a bit confused. I read that to avoid seeing "Connection Isn't Private" or "Potential Security Risk Ahead" warning messages, we need to create a certificate and have it approved by Let's Encrypt. That is why I did that. However, they still show up. After verification from Let's Encrypt, am I supposed to see a lock symbol on the URL without those warning messages?

If Let's Encrypt authenticates the domain, why, when I typed in the domain name, did the browser just keep me waiting and then, after a pause, give me "The connection has timed out" without showing the NAS's login screen?

For some strange reason, find.synology.com no longer works even though Synology Assistant finds the NAS. It worked when I set up the NAS on the first day.
 
am I supposed to see a lock symbol on the URL without those warning messages?

Depends. You will never see a "locked" padlock using a LAN IP. LAN IPs are not unique. You must use a domain with a cert for that: https://mynas.synology.me, along with an LE cert for that domain, and that cert configured as the default for the NAS. If another cert is your default, for example the self-signed "synology.com" one, the padlock is unlocked.

View: https://youtu.be/AqakuZfPuQo
 
Depends. You will never see a "locked" padlock using a LAN IP. LAN IPs are not unique. You must use a domain with a cert for that: https://mynas.synology.me, along with an LE cert for that domain, and that cert configured as the default for the NAS. If another cert is your default, for example the self-signed "synology.com" one, the padlock is unlocked.

View: https://youtu.be/AqakuZfPuQo


But I tried the approved domain which is set to be the default certificate.

Before I applied for the certificate, I watched that video. I just followed the steps again. At 4:50, he just typed the domain name and the login screen showed up. In my case, it still doesn't work. When I clicked on a link from the browser, it shows ISRG Root X1 > R3 > mydomainname.synology.me
The expiration is 3 months from the date I generated it.
Then, there is a red circle with a cross saying that my certificate name does not match input. What is that? What input?

Then, under Trust, I can choose various options under

When using this certificate:
Secure Sockets Layer (SSL)
x.509 Basic Policy

Am I supposed to leave these three fields alone or select something?

Under Edit DDNS, am I supposed to leave External Address (IPv4) and (IPv6) as Auto?
 
So you are browsing to http://mydomainname.synology.me and the certificate is for mydomainname.synology.me? And you are still getting the untrusted alert?

Reading your initial post, you say you tried browsing to both the IP address (which one?) and mydomainname.synology.me (or whatever you used). Using the IP address generates the alert because the certificate is for mydomainname.synology.me not an IP address (certificates are not for IP addresses). If using mydomainname.synology.me and you don’t port forward TCP 443 on the router then it will fail. If you do port forward and it fails then it sounds that your router doesn’t support local loopback.
 
I tried browsing to both the IP address and mydomainname.synology.me. You and others mentioned the cause of the error with the former approach. With the latter approach, there are three cases, even when I do it from the PC directly connected to the NAS:

Case 1. Typing http://mydomainname.synology.me in the URL bar
It got converted to mydomainname.synology.me automatically. Then I saw the spinning icon and got "Hmmm... can't reach this page"
mydomainname.synology.me took too long to respond.

Case 2. Typing mydomainname.synology.me resulted in the same thing as Case 1.

Case 3. Typing https://mydomainname.synology.me The URL remained like this with the spinning icon. Then I got "Hmmm... can't reach this page" mydomainname.synology.me took too long to respond.

mydomainname.synology.me is set as the default certificate of the NAS. Whenever I turn on or off the NAS, I get an email saying the connection to mydomainname.synology.me has been resumed or lost respectively.

Synology Tech Support told me to just turn on QuickConnect, get the certificate approved by Let's Encrypt and then disable it. He said that there is no need to do any port forwarding. So I don't port forward TCP 443 on the router.

I have checked many videos on YouTube but I have no idea what is wrong in my case. I know a lot of videos were made when the authors were using older versions of DSM. I am using DSM 7.1.1. Not sure if Synology made some changes.

Is my problem the "Current Setup" shown at 4:20 in the following video? For accessing the NAS through internal network, he recommended setting up a DNS server on the NAS which other videos do not mention.

View: https://www.youtube.com/watch?v=VoF-qqKwIWw

If I set up a DNS server, will I accidentally open ports and create a security risk for a third party to hack into my NAS?
 
Assuming you forwarded your HTTPS port (ex, 5001), and assigned your cert as default for DSM (check the cert config table to confirm), you should be using

https://mydomain.synology.me:5001

If that doesn't work, try it with cell data (not from your LAN). If cell data works, then it's likely you have a NAT hairpin issue as fredbert pointed out.

You don't need a DNS server.
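The two replies above separate three different failures that all look like "the site won't load" in a browser: a timeout (nothing reaches the port, e.g. no port forward or no NAT hairpin), an untrusted certificate (the self-signed default), and a certificate that is trusted but issued for a domain name rather than the IP being typed. The diagnostic below is an added example, not code from this thread or from Synology; it reproduces the browser's name check offline against a constructed certificate dict shaped like the one Python's `ssl` module returns, and `classify_https` performs the live check against a host and port you supply (the `mydomainname.synology.me` and port 5001 values are placeholders from the thread).

```python
import socket
import ssl
from ipaddress import ip_address


def _is_ip(host):
    """True when `host` is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(peercert, host):
    """Return True when `host` is covered by the certificate's subjectAltName entries.

    `peercert` has the shape of SSLSocket.getpeercert(): a dict whose
    'subjectAltName' is a tuple of (kind, value) pairs. A DNS entry such as
    mydomainname.synology.me never covers a LAN IP like 192.168.1.10; an IP
    is only matched by an 'IP Address' entry, which public CAs rarely issue
    for private addresses. This is why browsing to https://<LAN IP> warns.
    """
    host = host.lower().rstrip(".")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "IP Address":
            if _is_ip(host) and ip_address(host) == ip_address(value):
                return True
        elif kind == "DNS" and not _is_ip(host):
            pattern = value.lower().rstrip(".")
            if pattern == host:
                return True
            # A wildcard is only honoured in the leftmost label and covers exactly one label.
            if pattern.startswith("*.") and "." in host:
                if host.split(".", 1)[1] == pattern[2:]:
                    return True
    return False


def classify_https(host, port=5001, timeout=5.0):
    """Connect to https://host:port and report why a browser would complain.

    Returns one of:
      'dns-failure'   the name does not resolve at all
      'timeout'       no answer on the port (no port forward, or no NAT hairpin from the LAN)
      'refused'       the port is reachable but nothing listens on it
      'untrusted'     the chain does not end at a trusted root (e.g. the self-signed default cert)
      'name-mismatch' trusted cert, but not issued for the name or IP that was typed
      'ok'            trusted and matching; a browser would show the padlock
    """
    ctx = ssl.create_default_context()
    # Disable the built-in name check so trust and name failures are reported separately;
    # the name check is then done explicitly by hostname_matches().
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                tls = ctx.wrap_socket(raw, server_hostname=None if _is_ip(host) else host)
            except ssl.SSLCertVerificationError:
                return "untrusted"
            with tls:
                cert = tls.getpeercert()
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    return "ok" if hostname_matches(cert, host) else "name-mismatch"


# Constructed sample: the shape getpeercert() returns for a Let's Encrypt cert
# issued to a Synology DDNS name (values are placeholders, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "mydomainname.synology.me"),),),
    "issuer": ((("commonName", "R3"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "mydomainname.synology.me"),),
}

if __name__ == "__main__":
    # Offline: the same cert is fine for the domain and wrong for a LAN IP.
    for target in ("mydomainname.synology.me", "192.168.1.10"):
        print(target, "->", "match" if hostname_matches(SAMPLE_CERT, target) else "name mismatch")
    # Live check (only meaningful on a network that can reach the NAS):
    # print(classify_https("mydomainname.synology.me", 5001))
```

Running the live check from the LAN and again from a phone on mobile data is the test Telos describes: "timeout" on the LAN but "ok" on mobile data points at a missing NAT hairpin; "timeout" from both points at the port not being forwarded; "name-mismatch" with an IP target is the expected result fredbert describes and is fixed by typing the domain name, not by changing the certificate.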
 
What is the proper way to forward HTTPS port (ex, 5001)? Will doing that create a security risk?

At present, without forwarding, typing https://mydomain.synology.me:5001 on the PC directly connected to it results in "Hmmm... can't reach this page ... took too long to respond." Same for accessing it from cell data on the phone.
 
Will doing that create a security risk?
I think this has been stated a number of times. There’s always risk when you allow Internet access to your LAN devices. But then there’s also risk with using the Internet and bringing in malware, e.g. using email, web browsing, using Internet-enabled ‘smart’/IOT devices, etc.

If you absolutely don’t want any incoming Internet access to the NAS then don’t configure any. If you want to use HTTPS then you need to use certificates to domains that won’t resolve to the LAN IP of the NAS, so just add an exception in your web browser to say that you know and trust the end device that you’re accessing. An SSL certificate won’t make the NAS any more secure when it accesses the Internet (e.g. to get DSM updates) since they won’t be used from the NAS.

BTW it sometimes helps to know the NAS and device types you are using. You can update these in your profile. I’m getting old and my memory isn’t always great remembering details between threads.
 
If you want to use the domain/cert, you must open a port. If you otherwise don't need external access, forward no ports, and use your LAN IP for internal connections, and disregard the browser alerts. Or use QuickConnect and let your connection flow through Synology's servers (which itself is potential security risk).

It's that simple.
 
I think this has been stated a number of times. There’s always risk when you allow Internet access to your LAN devices. But then there’s also risk with using the Internet and bringing in malware, e.g. using email, web browsing, using Internet-enabled ‘smart’/IOT devices, etc.

If you absolutely don’t want any incoming Internet access to the NAS then don’t configure any. If you want to use HTTPS then you need to use certificates to domains that won’t resolve to the LAN IP of the NAS, so just add an exception in your web browser to say that you know and trust the end device that you’re accessing. An SSL certificate won’t make the NAS any more secure when it accesses the Internet (e.g. to get DSM updates) since they won’t be used from the NAS.

BTW it sometimes helps to know the NAS and device types you are using. You can update these in your profile. I’m getting old and my memory isn’t always great remembering details between threads.

I guess I need to know the following to decide:

1. If I don't want to open/forward a port, then I just make an exception in my web browser. In this case, is the only danger that when somebody hacks into my home network, that person could obtain all sorts of information including user ID and password?

2. In case I want to use HTTPS even within the home network, do I have to open/forward the port only during the certificate approval stage, or keep the port/port forwarding open all the time?

I am using a 1522+. Just updated my profile. Thanks
 
  1. It’s no different to using a self-signed certificate. It still uses HTTPS only you’ve decided to trust the connection rather than the browser doing it. You‘ll be using the NAS IP address rather than the domain name.
  2. To use domain name you’ll have to keep the port forwarding.
 
For the past few days I keep getting "Connection to mydomainname has been lost since..." emails. Just for today, I got three such emails even though the machine has been on all afternoon. What could be wrong?

My NAS also has the problem that it shut itself off for no reason twice in a week.

Did I get a lemon?
 