• Hello Guest! SynoForum.com is celebrating its 5th anniversary! 🥳🎉 Read more...

Info Wild Card certs on Synology DDNS

Currently reading
Info Wild Card certs on Synology DDNS

DS4l8play, DS202j, DS3623xs+, DSM 7.3.3-25847
I recall discussion stating that Synology DDNS does not support LE wildcard certs... But this recent Community post
Synology Community

suggests otherwise, showing a redacted list of Synology DDNS addresses associated with an LE cert which includes wildcard use.

But wasn't DSM waiting for v7?
Hmm you are correct.

Not sure whats going on there then... Well synology.me LE certs with SAN support are def long time supported on DSM, but considering that I don't use wild via synology.me I can't say this for sure (regarding DSM).

On SRM I haven't tried to issue one considering that I have no intentions to expose anything on there or to have a cert on a device that's hidden.
@fredbert, I don't think SRM has support for obtaining a wildcard LE certificate for any domain names other than Synology DDNS. If you hover your cursor over the informational "i" next to the subject alternative name field, that's what it says, anyway.
As of DSM release 6.2.3 Synology supported wildcard certificates. However these are only supported on Synology domains because there is a technical limitation. Wildcard certificates can ONLY be verified by DNS and not by HTTP. Since Synology has no control over DNS records for customers own domains they cannot perform this DNS verification when registering for a domain through letsencrypt. But (pause) where there is a will...

For the un-initiated... In order to perform this verification you need to be able to update DNS entries using some kind of API (pfSense has extensive support for this). You need a way to request it from letencrypt (acme.sh), prove you own it (DNS API), configure DSM to use it (???) and renew it (cleanly). Some of these are difficult in a closed system like Synology.

After posting this to Synology forums I have since found that acme.sh actually has synology_dsm deployment hook to add certs into the DSM configuration. This was courtesy of this excellent blog post detailing LE wildcard certificate generation for user owned domains Automatically renew Let's Encrypt certificates on Synology NAS using DNS-01 challenge

Now in my case I am using Google DNS (not-gsuite) which has no API support at all. But all is not lost, as they introduced a new cert.sh parameter called --domain-alias. You can use a CNAME to point the proof-of-ownership DNS record _acme-challenge to a host of your choice. In this case... the DDNS name I setup under the Synology domain mystuff.synology.me. But hold on, doesn't that mean I have to now run a DNS server under DSM to answer an incoming DNS query? Well... not quite grin.

Now acme.sh supports are little thing called acme dns. This is a simple DNS server written in go language specifically for handling ACME challenges. So at this moment I am cross compiling this for my Synology then using acme.sh and --domain-alias plan to issue wildcard cert for my Google hosted domain running on my Synology DSM with auto renewal.
Last edited:
Since posting this I have submitted a feature request to Synology to solve this issue.

Wildcard User Domains

In a nutshell, Synology can check if the user has a DNS record in their domain for _acme-challenge pointing to their Synology domain via CNAME. The user has to have already have setup Synology domain under External -> DDNS. Once that is in place they can issue a wildcard certificate for the user's domain. acmesh-official/acme.sh see domain-alias.

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Wildcard domains require DNS verification. Synology have no control over other people's DNS records hence...
wildcard cert always, just use the Search tool on this forum regarding LE cert issues, and you will get...
  • Solved
Cheers @Rusty. I have in the meantime managed to extract the actual cmdline 'syno-letsencrypt' call from...
EDIT: Ok, not sure why. But after destroying the LE docker container and re-created it using a MACVLAN IP...

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!