Your connection isn't private - LE Cert is Valid?


28
4
NAS
DS920+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. Android
  2. iOS
This clearly baffles me and has for some time. Every week at various times (I have not seen a pattern yet), I get the following:
[Screenshot: 1624523338684.png]


I do know that the certificate needs to be valid and any URL I access needs to use that cert. Which I do and have set them all correctly in the Reverse Proxy section.

I have double checked everything:
  1. Made sure the certificate is valid; it has an expiry date at the end of September
  2. Every service I would like to run has been defined in reverse proxy with the correct IP address and port. Example below
  3. Went back to Certs and configured the services to use the correct cert.
  4. Cleared all the browsers' cache, history and cookies.
I still get the Invalid Cert error. I am accessing these services within my own network.
I have a setup of some of the services through nginx proxy manager for external access using my own domain and it works perfectly.

Having said that, I have been constantly having this issue for some time and it somehow gets resolved as well. However, this invalid cert has been on for a couple of days now and I wanted to understand why.

I can access my services using the IP address and so I am not currently losing any functionality, but it is frustrating to not know why.

Thanks in advance
 
You only get this warning when accessing your services internally using their public names? What about when you are outside your home? Do you then also get the warning?
Sorry I have not mentioned that clearly.
I have the *.mynas.synology.me available only locally and not opened it up outside the local network. This is where I see the error.

I have a RaspberryPi where I host nginx proxy manager which handles external traffic and point to the services in Synology.
This has my own domain, for example: plex.mydomain.org and this works fine.
 
This may then be a router issue if it does not support NAT loopback.
I had to do a bit of reading for this. However, in the UK BT Smart Hub 2 does not support NAT Loopback. However, I am a bit confused as to why it was working for so long and now suddenly refuses to connect.

I should also perhaps mention that I have recently got a "NETGEAR PoE Switch 8 Port Gigabit Ethernet Plus Network Switch (GS108PEv3) - Managed" making use of Prime day and moved all wired devices to connect off the switch. Previously my Synology was connected to the router directly.
 

Rusty

Moderator
NAS Support
5,846
1,722
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I would say NAT loopback as well, but then again, how do reverse hosts resolve internally without any problem?

So just to be clear, you have no problem with accessing services using your domain aliases but you do have a problem with accessing your synology.me domain hosted services?

So if you don’t have them exposed, how does the SSL challenge complete?
 
I would say NAT loopback as well, but then again, how do reverse hosts resolve internally without any problem?

So just to be clear, you have no problem with accessing services using your domain aliases but you do have a problem with accessing your synology.me domain hosted services?

So if you don’t have them exposed, how does the SSL challenge complete?
I am completely lost. The set up was simple and worked well. Internally on the local network I would use synology.me domain and used Synology's own reverse proxy. Worked well and without a hitch. Kept adding docker services and it kept working well. Used Let's Encrypt to get the certificate sorted.

Then I wanted to use a few services like Bitwarden, Plex, Ombi and expose them to the Internet. So, I purchased a domain, and a Raspberry Pi and installed nginx proxy manager on it to point to the services IP address on Synology. This worked (still does) well too.

So now, synology.me domain is giving me SSL error and I am forced to use ip:port to access all the services including DSM and with the usual unsecure message.

Wish there was an uncomplicated way to diagnose this.

I am going to delete all the reverse proxy data and then redo them one by one to see if that helps. Following the "Have you tried turning it off and on again" method.
 
I screwed up a bit more now. Cleared all the entries from reverse proxy. Deleted the certificate and Synology DDNS.
Followed the steps:
  1. Set up DDNS with mynas.synology.me
  2. It automatically got a new Let's Encrypt certificate and set it as default.
  3. I use the IP address and port to connect. The cert is for mynas.synology.me so I get the usual warning but can log in using port 5001
  4. Now I just type: mynas.synology.me:5001 and without the port and I get Invalid URL in Safari as it could not connect. Chrome gives Invalid Cert error.
 

Telos

Subscriber
2,636
850
NAS
DS418play, DS213j, DS3622+, DSM 7.2.4-11091
without the port and I get Invalid URL in Safari
Reverse proxy handles that.

in: http://mynas.synology.me
out: https://192.168.1.42:5001

or if doing this externally (off-LAN, e.g., cell phone data), forward port 443 to 443 on your NAS, then w/reverse proxy as

in: https://mynas.synology.me
out: https://192.168.1.42:5001

... where 192.168.1.42 is your reserved/fixed NAS IP.
 
Reverse proxy handles that.

in: http://mynas.synology.me
out: https://192.168.1.42:5001

or if doing this externally (off-LAN, e.g., cell phone data), forward port 443 to 443 on your NAS, then w/reverse proxy as

in: https://mynas.synology.me
out: https://192.168.1.42:5001

... where 192.168.1.42 is your reserved/fixed NAS IP.
Thank you for that. I understand the setup as I have done this before. And did it again, but it still refuses to work.
 
2,192
927
NAS
DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
I usually have TLS Inspector in my arsenal of tools when certificates are involved. It might (or might not) help :)

 
I usually have TLS Inspector in my arsenal of tools when certificates are involved. It might (or might not) help :)

Thanks for that, I will check it out.

I have finally opened a support case with Synology and praying they can help 🤞
 
So, I got a reply from support to open port 5001 on my router (port forward).
The thing is, I had never port forwarded anything on my router, and it was still working and that is why I am totally confused. If at all I am using within the network, I do not want to be remembering IP addresses and ports. How the hell did it stop working?

So, I am here again, to see if I can find another way to connect to my DSM and the docker services I have without port forwarding anything as I do not need any external connections, nor need access to my DSM over the internet.

Any suggestions are welcome please.
 
When you log in to the NAS and experience this issue of the certificate, check what is reported as the logged-in address; if it’s a loopback-enabled login, you should see your router's IP address.
Also try TLS Inspector and enter the mynas.synology.me and see what it reports.
 
Upvote 0
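Added example, not part of any post in this thread: a small Python triage for the two checks discussed above, namely where the name resolves (LAN address versus public address, which is where NAT loopback matters) and why the certificate fails verification. The function names, the cause descriptions (heuristics, not Synology documentation) and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
import socket
import ssl

# RFC 1918 ranges: a name resolving here never leaves the LAN.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# OpenSSL verification codes and their usual cause (heuristic descriptions).
CAUSES = {
    0: "certificate verifies for this name",
    10: "certificate expired (renewal is not completing)",
    18: "self-signed certificate answered (a device default, not the Let's Encrypt one)",
    62: "certificate is for a different name (wrong certificate bound to this service)",
}

def resolves_to_lan(addresses):
    """True if every resolved address is an RFC 1918 (LAN) address."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    return bool(ips) and all(any(ip in net for net in LAN_NETS) for ip in ips)

def triage(addresses, verify_code):
    """Combine the DNS result and the TLS verify code into a one-line diagnosis."""
    cause = CAUSES.get(verify_code, f"OpenSSL verify code {verify_code}")
    if resolves_to_lan(addresses):
        where = "name resolves to a LAN address, so the connection goes straight to that host"
    else:
        where = ("name resolves to a public address, so LAN clients depend on "
                 "NAT loopback plus a port forward; the router may have answered")
    return f"{cause}; {where}"

def probe(host, port=443, timeout=5.0):
    """Resolve host, try a verified TLS handshake with SNI, return (addresses, code)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    addresses = sorted({info[4][0] for info in infos})
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return addresses, 0
    except ssl.SSLCertVerificationError as exc:
        return addresses, exc.verify_code

if __name__ == "__main__":
    # Constructed sample results; on the LAN use triage(*probe("mynas.synology.me")).
    print(triage(["192.168.1.42"], 62))
    print(triage(["203.0.113.10"], 18))
```

Running `probe` against both port 443 and port 5001 separates a reverse-proxy problem from a problem with the certificate assigned to DSM itself.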
