As of DSM release 6.2.3 Synology supported wildcard certificates. However, these are only supported on Synology domains because of a technical limitation: wildcard certificates can ONLY be verified by DNS and not by HTTP. Since Synology has no control over the DNS records for customers' own domains, they cannot perform this DNS verification when requesting a certificate for such a domain through Let's Encrypt. But (pause) where there is a will...
For the uninitiated... In order to perform this verification you need to be able to update DNS entries using some kind of API (pfSense has extensive support for this). You need a way to request the certificate from Let's Encrypt (acme.sh), prove you own the domain (DNS API), configure DSM to use the certificate (???) and renew it (cleanly). Some of these are difficult in a closed system like Synology.
After posting this to the Synology forums I have since found that acme.sh actually has a synology_dsm deployment hook to add certs into the DSM configuration. This was courtesy of this excellent blog post detailing LE wildcard certificate generation for user-owned domains:
Automatically renew Let's Encrypt certificates on Synology NAS using DNS-01 challenge
Now in my case I am using Google DNS (not-gsuite) which has no API support at all. But all is not lost, as they introduced a new acme.sh parameter called --domain-alias. You can use a CNAME to point the proof-of-ownership DNS record _acme-challenge to a host of your choice. In this case... the DDNS name I set up under the Synology domain, mystuff.synology.me. But hold on, doesn't that mean I now have to run a DNS server under DSM to answer an incoming DNS query? Well... not quite (grin).
Now acme.sh supports a little thing called acme-dns. This is a simple DNS server written in Go specifically for handling ACME challenges. So at this moment I am cross-compiling this for my Synology, then using acme.sh and --domain-alias I plan to issue a wildcard cert for my Google-hosted domain running on my Synology DSM with auto renewal.
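A pre-flight check for the CNAME delegation described above, written for this page as an added example (it is not code from the post or from acme.sh). It works out which DNS name the CA will query for each certificate identifier, follows the CNAME chain, and computes the TXT value the alias host has to serve. example.com is a placeholder for your own domain, and the check assumes the TXT record is served at exactly the name passed to --domain-alias.

```python
import base64
import hashlib

# Constructed sample data: example.com stands in for the registrar-hosted domain;
# mystuff.synology.me is the DDNS name from the post, used as the --domain-alias.
# Assumption: the TXT record is served at exactly the --domain-alias name.
DOMAIN_ALIAS = "mystuff.synology.me"
CNAMES = {"_acme-challenge.example.com": "mystuff.synology.me."}

def challenge_name(identifier):
    """DNS-01 record name for a certificate identifier (RFC 8555, section 8.4).
    A wildcard and its base domain share one challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()

def txt_value(token, thumbprint):
    """TXT content: unpadded base64url of SHA-256(token + '.' + thumbprint),
    where thumbprint is the base64url JWK thumbprint of the account key."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def publish_point(name, cnames, max_hops=8):
    """Follow CNAMEs from a challenge name to the name that must serve the TXT."""
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = cnames[name].rstrip(".").lower()
    return name

def preflight(identifiers, cnames, domain_alias):
    """Map each challenge name that is not delegated to domain_alias to a reason."""
    want = domain_alias.rstrip(".").lower()
    problems = {}
    for ident in identifiers:
        name = challenge_name(ident)
        try:
            target = publish_point(name, cnames)
        except ValueError as exc:
            problems[name] = str(exc)
            continue
        if target != want:
            problems[name] = f"TXT would be looked up at {target}, not {want}"
    return problems

if __name__ == "__main__":
    print(preflight(["example.com", "*.example.com"], CNAMES, DOMAIN_ALIAS) or "ok")
```

An empty result means both example.com and *.example.com validate through the single CNAME, so the alias host has to answer with two TXT values at once during issuance.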