Your connection isn't private - LE Cert is Valid?

This clearly baffles me and has for some time. Every week, at various times (I have not seen a pattern yet), I get the following:
[screenshot]


I do know that the certificate needs to be valid and any URL I access needs to use that cert. Which I do and have set them all correctly in the Reverse Proxy section.

I have double checked everything:
  1. Made sure the certificate is valid; it has an expiry date at the end of September.
  2. Every service I would like to run has been defined in the reverse proxy with the correct IP address and port. Example below.
  3. Went back to Certs and configured the services to use the correct cert.
  4. Cleared all the browsers cache and history and cookies.
I still get the Invalid Cert error. I am accessing these services within my own network.
I have set up some of the services through nginx proxy manager for external access using my own domain and it works perfectly.

Having said that, I have been having this issue for some time and somehow it gets resolved as well. However, this invalid cert has been on for a couple of days now and I wanted to understand why.

I can access my services using the IP address, so I am not currently losing any functionality, but it is frustrating to not know why.

Thanks in advance
 
You only get this warning when accessing your services internally using their public names? What about when you are outside your home? Do you then also get the warning?
Sorry I have not mentioned that clearly.
I have the *.mynas.synology.me available only locally and not opened it up outside the local network. This is where I see the error.

I have a RaspberryPi where I host nginx proxy manager which handles external traffic and point to the services in Synology.
This has my own domain, for example: plex.mydomain.org and this works fine.
 
This may then be a router issue if it does not support NAT loopback.
I had to do a bit of reading for this. In the UK, the BT Smart Hub 2 does not support NAT Loopback. However, I am a bit confused as to why it was working for so long and now suddenly refuses to connect.

I should also perhaps mention that I have recently got a "NETGEAR PoE Switch 8 Port Gigabit Ethernet Plus Network Switch (GS108PEv3) - Managed" making use of Prime day and moved all wired devices to connect off the switch. Previously my Synology was connected to the router directly.
 
I would say NAT loopback as well, but then again, how do the reverse proxy hosts resolve internally without any problem?

So just to be clear, you have no problem accessing services using your own domain aliases, but you do have a problem accessing your synology.me domain hosted services?

So if you don't have them exposed, how does the SSL challenge complete?
 
> I would say NAT loopback as well, but then again, how do the reverse proxy hosts resolve internally without any problem?
>
> So just to be clear, you have no problem accessing services using your own domain aliases, but you do have a problem accessing your synology.me domain hosted services?
>
> So if you don't have them exposed, how does the SSL challenge complete?
I am completely lost. The setup was simple and worked well. Internally on the local network I would use the synology.me domain and Synology's own reverse proxy. It worked well and without a hitch. I kept adding Docker services and it kept working. I used Let's Encrypt to get the certificate sorted.

Then I wanted to use a few services like Bitwarden, Plex and Ombi and expose them to the Internet. So I purchased a domain and a Raspberry Pi and installed nginx proxy manager on it to point to the services' IP addresses on the Synology. This worked (and still does) well too.

So now the synology.me domain is giving me an SSL error and I am forced to use ip:port to access all the services, including DSM, with the usual insecure-connection message.

Wish there was an uncomplicated way to diagnose this.

I am going to delete all the reverse proxy data and then redo them one by one to see if that helps. Following the "Have you tried turning it off and on again" method.
 
I screwed up a bit more now. I cleared all the entries from the reverse proxy and deleted the certificate and the Synology DDNS.
Followed the steps:
  1. Set up DDNS with mynas.synology.me.
  2. It automatically got a new Let's Encrypt certificate and set it as default.
  3. I use the IP address and port to connect. The cert is for mynas.synology.me, so I get the usual warning, but I can log in using port 5001.
  4. Now I just type mynas.synology.me:5001 (and also without the port) and I get Invalid URL in Safari as it could not connect. Chrome gives an Invalid Cert error.
 
> without the port and I get Invalid URL in Safari
Reverse proxy handles that.

in: http://mynas.synology.me
out: https://192.168.1.42:5001

or if doing this externally (off-LAN, e.g. on cell phone data), forward port 443 to 443 on your NAS, then with the reverse proxy as

in: https://mynas.synology.me
out: https://192.168.1.42:5001

... where 192.168.1.42 is your reserved/fixed NAS IP.
 
> Reverse proxy handles that.
>
> in: http://mynas.synology.me
> out: https://192.168.1.42:5001
>
> or if doing this externally (off-LAN, e.g. on cell phone data), forward port 443 to 443 on your NAS, then with the reverse proxy as
>
> in: https://mynas.synology.me
> out: https://192.168.1.42:5001
>
> ... where 192.168.1.42 is your reserved/fixed NAS IP.
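The two facts the thread keeps circling (where the public name resolves from inside the LAN, and which names the presented certificate actually covers) can be checked from any machine on the network. The script below is an editor's added example, not something posted in the thread; it assumes getent or dig and openssl are available, and uses the thread's own placeholders mynas.synology.me and 192.168.1.42.

```shell
#!/bin/sh
# Added diagnostic for a name served by the NAS reverse proxy: report whether
# the name resolves to a LAN (RFC 1918) or public address, which decides whether
# the router's NAT loopback is involved, then show the certificate presented.

# Return 0 if $1 is an RFC 1918 private IPv4 address.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if host $2 is covered by certificate name $1.
# A wildcard covers exactly one label: *.mynas.synology.me matches
# plex.mynas.synology.me but neither mynas.synology.me nor a.b.mynas.synology.me.
name_matches() {
    pattern=$1; host=$2
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}
            [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ] ;;
        *)  [ "$pattern" = "$host" ] ;;
    esac
}

# Resolve $1 (port $2, default 443) and print what a LAN browser would see.
check_host() {
    host=$1; port=${2:-443}
    ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || ip=$(dig +short A "$host" 2>/dev/null | head -n 1)
    [ -n "$ip" ] || { echo "$host: does not resolve"; return 2; }
    if is_private_ip "$ip"; then
        echo "$host -> $ip (LAN address: request goes straight to the NAS)"
    else
        echo "$host -> $ip (public address: request depends on router NAT loopback)"
    fi
    # SNI is set to the host name so the proxy selects the vhost a browser would.
    printf '' | openssl s_client -connect "$ip:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName -enddate
}

if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run it as `sh check_name.sh mynas.synology.me`; a public address in the first line together with a certificate warning in the browser points at the router rather than at the NAS configuration.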
Thank you for that. I understand the setup as I have done this before. And did it again, but still refuses to work.
 
I usually have TLS Inspector in my arsenal of tools when certificates are involved. It might (or might not) help :)

 
> I usually have TLS Inspector in my arsenal of tools when certificates are involved. It might (or might not) help :)

Thanks for that, I will check it out.

I have finally opened a support case with Synology and praying they can help 🤞
 
So, I got a reply from support to open port 5001 on my router (port forward).
The thing is, I had never port forwarded anything on my router, and it was still working, and that is why I am totally confused. As I am only using it within the network, I do not want to be remembering IP addresses and ports. How the hell did it stop working?

So, I am here again, to see if I can find another way to connect to my DSM and the docker services I have without port forwarding anything as I do not need any external connections, nor need access to my DSM over the internet.

Any suggestions are welcome please.
 