Info Wild Card certs on Synology DDNS

Telos

NAS
DS4l8play, DS202j, DS3623xs+, DSM 8.025847-beta
I recall discussion stating that Synology DDNS does not support LE wildcard certs... But this recent Community post (Synology Community) suggests otherwise, showing a redacted list of Synology DDNS addresses associated with an LE cert which includes wildcard use.

Specifically... [attached screenshot]

But wasn't DSM waiting for v7?
Hmm, you are correct.

Not sure what's going on there then... Well, synology.me LE certs with SAN support are def long-time supported on DSM, but considering that I don't use wildcards via synology.me I can't say this for sure (regarding DSM).

On SRM I haven't tried to issue one considering that I have no intentions to expose anything on there or to have a cert on a device that's hidden.
 
Personally, this sux for me as I renewed my cert the day before stumbling across this feature.
 
@fredbert, I don't think SRM has support for obtaining a wildcard LE certificate for any domain names other than Synology DDNS. If you hover your cursor over the informational "i" next to the subject alternative name field, that's what it says, anyway.
 
In any case, there’s nothing to stop you from generating a wildcard cert from LE using zerossl.com, for example, and installing it on the Synology.
 
... for $480 USD/year. Yikes!
 
As of DSM release 6.2.3 Synology supported wildcard certificates. However, these are only supported on Synology domains because there is a technical limitation. Wildcard certificates can ONLY be verified by DNS and not by HTTP. Since Synology has no control over DNS records for customers' own domains they cannot perform this DNS verification when registering for a domain through letsencrypt. But (pause) where there is a will...

For the uninitiated... In order to perform this verification you need to be able to update DNS entries using some kind of API (pfSense has extensive support for this). You need a way to request it from letsencrypt (acme.sh), prove you own it (DNS API), configure DSM to use it (???) and renew it (cleanly). Some of these are difficult in a closed system like Synology.

After posting this to Synology forums I have since found that acme.sh actually has a synology_dsm deployment hook to add certs into the DSM configuration. This was courtesy of this excellent blog post detailing LE wildcard certificate generation for user-owned domains: Automatically renew Let's Encrypt certificates on Synology NAS using DNS-01 challenge

Now in my case I am using Google DNS (not G Suite) which has no API support at all. But all is not lost, as they introduced a new cert.sh parameter called --domain-alias. You can use a CNAME to point the proof-of-ownership DNS record _acme-challenge to a host of your choice. In this case... the DDNS name I set up under the Synology domain mystuff.synology.me. But hold on, doesn't that mean I have to now run a DNS server under DSM to answer an incoming DNS query? Well... not quite grin.

Now acme.sh supports a little thing called acme-dns. This is a simple DNS server written in the Go language specifically for handling ACME challenges. So at this moment I am cross-compiling this for my Synology, then using acme.sh and --domain-alias I plan to issue a wildcard cert for my Google-hosted domain running on my Synology DSM with auto renewal.

Since posting this I have submitted a feature request to Synology to solve this issue.

Wildcard User Domains

In a nutshell, Synology can check if the user has a DNS record in their domain for _acme-challenge pointing to their Synology domain via CNAME. The user has to have already set up a Synology domain under External -> DDNS. Once that is in place they can issue a wildcard certificate for the user's domain (see domain-alias in acmesh-official/acme.sh).
 
@rtfmoz: though, isn't the real problem that Synology did not integrate dns-api implementations, like most other Letsencrypt clients do? What makes Synology's LE client so special that it's impossible to integrate it?
 