Info Wild Card certs on Synology DDNS


NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
I recall discussion stating that Synology DDNS does not support LE wildcard certs... But this recent Community post (Synology Community) suggests otherwise, showing a redacted list of Synology DDNS addresses associated with an LE cert which includes wildcard use.

Specifically...
 

fredbert

Moderator
Thought they had brought in support of wildcards for mydevice.synology.me but not for personal domains. Can't remember if it was on DSM, SRM, both, or if my memory is failing.
 

Rusty

Moderator
www.blackvoid.club
Wild is supported for syno domains on DSM as of recently.
 
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
This is good news. Is it only with the synology.me domain or any domain provided as a choice? Anyone know?

 

Rusty
Only with any synology domain they offer
 

fredbert
SRM seems to have current support for LE wildcard. But wasn't DSM waiting for v7?
 

Rusty
But wasn't DSM waiting for v7?
Hmm you are correct.


Not sure what's going on there then... Well, synology.me LE certs with SAN support are def long time supported on DSM, but considering that I don't use wild via synology.me I can't say this for sure (regarding DSM).

On SRM I haven't tried to issue one considering that I have no intentions to expose anything on there or to have a cert on a device that's hidden.
 
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
Personally, this sux for me as I renewed my cert the day before stumbling across this feature.
 
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Personally, this sux for me as I renewed my cert the day before stumbling across this feature.
On DSM 7.0?

I’m confused. So it’s supported on SRM but not the current DSM. However, it’s supported on DSM 7.0 (beta or something)?!
Is that what it is?
 
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
@fredbert, I don't think SRM has support for obtaining a wildcard LE certificate for any domain names other than Synology DDNS. If you hover your cursor over the informational "i" next to the subject alternative name field, that's what it says, anyway.
 

fredbert
That's what I thought from the Synology announcements, and I haven't bothered trying to use a different certificate than the one I set up ages ago.
 
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
So the gist of it is that no one knows what’s going on. Excellent :)
I left a note to self about something in this thread. Thanks.
 
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
In any case, there’s nothing to stop you from generating a wildcard cert from LE using zerossl.com, for example, and installing it on the Synology.
 
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Unfortunately, within the past few days, zerossl has decided to charge a fee for an account that enables you to register wildcard LE certs.
 

Rusty
Yeah... no...
 
NAS
DS918+
As of DSM release 6.2.3 Synology supported wildcard certificates. However, these are only supported on Synology domains because there is a technical limitation. Wildcard certificates can ONLY be verified by DNS and not by HTTP. Since Synology has no control over DNS records for customers' own domains, they cannot perform this DNS verification when registering for a domain through letsencrypt. But (pause) where there is a will...

For the uninitiated... In order to perform this verification you need to be able to update DNS entries using some kind of API (pfSense has extensive support for this). You need a way to request it from letsencrypt (acme.sh), prove you own it (DNS API), configure DSM to use it (???) and renew it (cleanly). Some of these are difficult in a closed system like Synology.

After posting this to Synology forums I have since found that acme.sh actually has a synology_dsm deployment hook to add certs into the DSM configuration. This was courtesy of this excellent blog post detailing LE wildcard certificate generation for user-owned domains: "Automatically renew Let's Encrypt certificates on Synology NAS using DNS-01 challenge".

Now in my case I am using Google DNS (not-gsuite) which has no API support at all. But all is not lost, as they introduced a new cert.sh parameter called --domain-alias. You can use a CNAME to point the proof-of-ownership DNS record _acme-challenge to a host of your choice. In this case... the DDNS name I setup under the Synology domain mystuff.synology.me. But hold on, doesn't that mean I have to now run a DNS server under DSM to answer an incoming DNS query? Well... not quite grin.

Now acme.sh supports a little thing called acme-dns. This is a simple DNS server written in Go specifically for handling ACME challenges. So at this moment I am cross-compiling this for my Synology, then using acme.sh and --domain-alias I plan to issue a wildcard cert for my Google-hosted domain running on my Synology DSM with auto renewal.
 
NAS
DS918+
Since posting this I have submitted a feature request to Synology to solve this issue.

Wildcard User Domains

In a nutshell, Synology can check if the user has a DNS record in their domain for _acme-challenge pointing to their Synology domain via CNAME. The user has to have already set up a Synology domain under External -> DDNS. Once that is in place they can issue a wildcard certificate for the user's domain. See domain-alias in acmesh-official/acme.sh.
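The CNAME-alias flow the two posts above describe (a wildcard DNS-01 challenge answered from a _acme-challenge CNAME that points at the Synology DDNS name), as an added offline illustration with constructed zone data; this is not acme.sh's, acme-dns's or Synology's code. mystuff.synology.me is the poster's DDNS name; example.com, the token and the account thumbprint are placeholders.

```python
import base64
import hashlib

# Constructed zone data standing in for live DNS answers (not real records).
# The user-owned domain (example.com, hosted where no DNS API exists) delegates
# its challenge label by CNAME to the Synology DDNS name mystuff.synology.me.
ZONE = {
    "_acme-challenge.example.com.": {"CNAME": "_acme-challenge.mystuff.synology.me."},
    "_acme-challenge.mystuff.synology.me.": {"TXT": []},  # filled by the ACME client
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    # RFC 8555 s8.4: TXT = base64url(SHA-256(token "." account key thumbprint))
    key_auth = f"{token}.{account_thumbprint}"
    return b64url(hashlib.sha256(key_auth.encode()).digest())

def challenge_name(domain: str) -> str:
    # A wildcard *.example.com is validated at _acme-challenge.example.com
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}."

def resolve_cname_chain(name: str, zone: dict, max_hops: int = 8) -> str:
    # Follow CNAMEs as a validating resolver would; refuse loops and long chains.
    seen = set()
    while name in zone and "CNAME" in zone[name]:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = zone[name]["CNAME"]
    return name

def publish_challenge(zone: dict, alias_name: str, token: str, thumbprint: str) -> None:
    # What acme.sh does through the acme-dns API: the TXT lands at the alias, not at the domain.
    zone.setdefault(alias_name, {}).setdefault("TXT", []).append(dns01_txt_value(token, thumbprint))

def validate_dns01(domain: str, token: str, thumbprint: str, zone: dict, ddns_name: str) -> bool:
    # The check the feature request proposes: the challenge label must alias to a name
    # under the user's own Synology DDNS host, and that name must carry the expected TXT.
    target = resolve_cname_chain(challenge_name(domain), zone)
    if not target.endswith(f".{ddns_name}."):
        return False
    return dns01_txt_value(token, thumbprint) in zone.get(target, {}).get("TXT", [])
```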
 
@rtfmoz: though, isn't the real problem that Synology did not integrate dns-api implementations, like most other Letsencrypt clients do? What makes Synology's LE client so special that it's impossible to integrate it?
 
