Question Synology DDNS wild card cert w/LE


Telos

Subscriber
2,838
897
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
My response was triggered by the whole port 80/443 discussion. It gave the impression that those ports would be involved in the verification processes when creating a wildcard certificate; they are not.
Let me throw in my ignorance and muddy the waters. As I understand, per Synology postings, ports 80/443 are required when creating LE certs for non-Synology domains.

That said, yes, I was attempting to create a wildcard cert for a Synology domain, however at the same time, I had a non-Synology SAN going along for the ride. My understanding then was to keep 80/443 open when creating a new cert.

As far as LE cert renewals go, if the LE cert is purely Synology, no open ports are required. However, where other non-Synology domains are involved, opening port 80 (or 443) for renewal is mandatory.
 
From my experience:
- Subdomain level LE certificates use HTTP01 challenge, which requires port 80 for creation and update.
- Wildcard level LE certificates require DNS01 challenge

I would assume that a subdomain level LE certificate for Synology still uses HTTP01 challenge and thus requires the ports, while wildcard certificates can never use HTTP01 challenge.

I actually never thought about adding a SAN that points to a different domain. I have no experience in how it affects the verification process.
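The rule behind the experiences above (wildcard names are only validated with DNS-01, plain names can fall back to HTTP-01 on port 80) comes from the ACME protocol itself and can be checked mechanically before a request is submitted. The following is an added example, not code from the thread or from Synology's DSM: it plans the validation for a requested SAN list, given which DNS zones the client can publish TXT records in. The sample names (`myhost.synology.me`, `nas.example.net`) and the assumption that the NAS can only write TXT records under Synology's own DDNS zone are constructed for illustration; it also shows why a wildcard plus its bare name need two TXT records under the same `_acme-challenge` label, and why a wildcard for a zone the client does not control cannot be validated at all.

```python
import re

# ACME challenge types (RFC 8555). A wildcard identifier may only be
# validated with dns-01; a plain DNS name may use http-01 (port 80) or dns-01.
HTTP01 = "http-01"
DNS01 = "dns-01"

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_san(san):
    """Reject names ACME would refuse: empty labels, wildcard not in the
    leftmost label, or more than one wildcard label."""
    labels = san.split(".")
    if len(labels) < 2 or any(not lab for lab in labels):
        raise ValueError(f"malformed name: {san!r}")
    for i, lab in enumerate(labels):
        if lab == "*":
            if i != 0:
                raise ValueError(f"wildcard must be the leftmost label: {san!r}")
        elif "*" in lab or not _LABEL.match(lab):
            raise ValueError(f"invalid label {lab!r} in {san!r}")
    return san


def base_name(san):
    """Strip a leading '*.' so '*.example.net' and 'example.net' share a base."""
    return san[2:] if san.startswith("*.") else san


def challenge_options(san):
    """Challenge types ACME permits for one SAN."""
    return (DNS01,) if san.startswith("*.") else (HTTP01, DNS01)


def acme_challenge_name(san):
    """Owner name of the TXT record a CA queries for dns-01 validation.
    Note: the wildcard and the bare name map to the same label."""
    return "_acme-challenge." + base_name(san)


def plan_request(sans, dns_controlled_zones):
    """Decide how each SAN can be validated when the client can publish TXT
    records only inside `dns_controlled_zones`.

    Returns a dict with the chosen challenge per name, the TXT owner names
    (each mapped to the SANs that need a record there), whether port 80 must
    be reachable for http-01, and any names that cannot be validated at all.
    """
    plan = {"names": {}, "txt_records": {}, "needs_port_80": False, "unsatisfiable": []}
    zones = [z.lower().strip(".") for z in dns_controlled_zones]
    for san in sans:
        validate_san(san)
        base = base_name(san).lower()
        dns_ok = any(base == z or base.endswith("." + z) for z in zones)
        options = challenge_options(san)
        if DNS01 in options and dns_ok:
            plan["names"][san] = DNS01
            plan["txt_records"].setdefault(acme_challenge_name(san), []).append(san)
        elif HTTP01 in options:
            # Plain name outside our DNS control: only http-01 is left,
            # so the CA must reach port 80 on the name's A/AAAA target.
            plan["names"][san] = HTTP01
            plan["needs_port_80"] = True
        else:
            # Wildcard outside our DNS control: no permitted challenge remains.
            plan["unsatisfiable"].append(san)
    return plan


if __name__ == "__main__":
    # Constructed scenario matching the thread: wildcard + bare Synology DDNS
    # name plus one non-Synology SAN, with TXT access only under synology.me.
    mixed = plan_request(
        ["*.myhost.synology.me", "myhost.synology.me", "nas.example.net"],
        ["synology.me"],
    )
    for name, chal in mixed["names"].items():
        print(f"{name:28} -> {chal}")
    print("TXT records needed:", mixed["txt_records"])
    print("port 80 required:", mixed["needs_port_80"])
    print("cannot validate:", plan_request(["*.example.net"], ["synology.me"])["unsatisfiable"])
```

For the mixed request the plan assigns dns-01 to both Synology names (two TXT records at the single owner `_acme-challenge.myhost.synology.me`), falls back to http-01 for `nas.example.net` and therefore flags port 80 as required, which matches the renewal behaviour described above; a wildcard for a zone outside the controlled list lands in `unsatisfiable`.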
 
421
166
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
When I have created wildcard certs, they have been for non-Synology domains, and I have always used the DNS TXT method, so what one-eyed-king is saying is consistent w/my experience. To be clear, though, I've done it that way because I find it easier... I don't know what would have happened if I had tried the 80/443 method.
 
6
0
NAS
DS918+
Operating system
  1. Linux
  2. macOS
  3. Windows
Mobile operating system
  1. iOS
So why is this bound to Synology's own domain and why can't I use my domain name to acquire a wildcard certificate?

Wildcard domains require DNS verification. Synology have no control over other people's DNS records hence they cannot do it. I am discussing workarounds in another post.
 


SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.