Synology: Let's Encrypt Wildcard Certificate

Synology Jan 9, 2023

Today I will teach you how to set up a Synology Let’s Encrypt wildcard certificate. If you have read any of my other posts, you might have seen my guides on setting up external access or obtaining a Let’s Encrypt certificate. In my Let’s Encrypt guide, I focus on how to get a certificate per service. The choice of having a certificate per service is personal. However, it’s also possible to obtain a wildcard certificate. This will give you some additional benefits.

For starters, with a single wildcard certificate the hostname of each individual application does not end up in the public certificate records that Let's Encrypt publishes (the Certificate Transparency logs), so people with malicious intent will have a harder time figuring out which applications you run and on which domains. A second benefit is that we only have to maintain a single certificate for our Synology. This is where a wildcard certificate comes into play. This post is compatible with DSM 6 and DSM 7.

Wildcard certificate disclaimer

Please note that the wildcard support for Synology is limited to Synology-provided DDNS only. I will post soon on how to do this with a custom domain.

Prerequisites

External access is required to obtain a certificate. Your router must forward all HTTP and HTTPS traffic from the internet to your Synology. Let's Encrypt connects to your Synology in order to verify that you control that domain.

Check out my earlier post on how to configure Synology External Access.

Guide

In this guide, we will issue a default certificate for our Synology: a Let's Encrypt wildcard certificate. If you have followed my earlier post about external access, you should already have the domain name of your NAS. In that guide, the example was mynas.diskstation.me. Please replace the references in this guide with your own domain name.

Why do we need a TLS (SSL) certificate?

We want our service to have a TLS (SSL) certificate so the browser shows it as secure. We also want this to be a certificate from a publicly trusted provider, so that it not only looks professional but is also accepted as secure by every browser. You may have come across browser warnings on the internet that a website is not secure. Please take a look at the image below; this is what we want to avoid.

TLS (SSL) Certificate Expired: This is what we do not want

We will be using Let's Encrypt as our certificate provider to secure our Synology; if we get a certificate from Let's Encrypt, every browser will recognize it as a valid certificate, and we do not get the warning above. Let's Encrypt is a free provider, so we do not have to pay for the certificates. Let's Encrypt certificates are valid for 90 days. However, do not worry. Synology DSM comes with full support for Let's Encrypt, which means that if you set it up correctly, as I will teach here, your Synology will automatically renew the certificate before it expires and obtain a new one from Let's Encrypt without any interaction required from you. Yeah, no maintenance 😊.

Get a Synology Let’s Encrypt wildcard certificate

So let’s start.

  1. Log in to DSM as an administrator
  2. Open Control Panel
  3. Open Security
  4. Go to the Certificate tab
  5. Choose Add
DSM 7: Add new certificate
DSM 6: Add new certificate
  6. Choose Add a new certificate
  7. Click Next
DSM 7: Add a new certificate
DSM 6: Add a new certificate
  8. Choose Get a certificate from Let's Encrypt
  9. It is highly recommended to enter a description, even though it is optional; it is shown in the Security > Certificate overview screen. Entering a description will improve documentation and maintenance over a long period. I usually put the FQDN (Fully Qualified Domain Name) as the description. The certificate overview screen within DSM displays the description prominently. Certificates can also be used for multiple services.

     Because we are issuing a default certificate for our Synology, I personally entered the hostname of my Synology in all capitals.
  10. Check Set as default certificate; we are replacing the self-signed certificate of Synology with the Let's Encrypt certificate.
  11. Click Next
DSM 7: Issue default certificate
DSM 6: Issue default certificate
  12. Fill in the FQDN (Fully Qualified Domain Name) you want a certificate for in the Domain Name field; this is the Dynamic DNS name you created for your Synology in the external access guide. Example: mynas.diskstation.me; replace this with your own domain name.
  13. Enter your e-mail address. Each certificate must have an e-mail. This email address will also be encoded within your certificate. You can receive e-mails from Let's Encrypt regarding your certificate, so please use a real one.
  14. Subject Alternative Names: this is what we are going to use to obtain our Synology Let's Encrypt wildcard certificate. Here you enter the same domain name as in the Domain Name field, with the prefix *. placed in front of it. Using the domain name example from the external access guide, the full Subject Alternative Name would read *.mynas.diskstation.me; replace this with your own domain name.
  15. Issue the certificate by clicking Apply or Done

Be aware that Let's Encrypt enforces rate limits on certificate requests. If you exceed a limit, there is no way around it other than waiting until the limit resets after a certain period.

Details about the limits for Let's Encrypt can be found here: Let’s Encrypt Rate Limits

DSM 7: Issue wildcard certificate
DSM 6: Issue wildcard certificate

The certificate will now be issued and appear in the Certificate overview tab, where you can start using it. One possibility of using your certificate is to secure a Synology service or a reverse proxy entry.
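A wildcard name covers exactly one label, which is why the Domain Name (mynas.diskstation.me) and the SAN (*.mynas.diskstation.me) are both entered above. The following Python script is an added example (not from the original post and not Synology's own tooling) that checks which of your service or reverse-proxy hostnames the issued certificate actually covers and how many days remain of the 90-day validity; the certificate names, dates and hostnames are constructed samples.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the names DSM requests from Let's Encrypt when
# Domain Name = mynas.diskstation.me and SAN = *.mynas.diskstation.me.
CERT_NAMES = ["mynas.diskstation.me", "*.mynas.diskstation.me"]
# Constructed sample validity window: Let's Encrypt issues 90-day certificates.
NOT_BEFORE = datetime(2023, 1, 9, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=90)


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (exact or wildcard) covers hostname.

    Browsers only honour a wildcard as the whole leftmost label, matching
    exactly one label: *.mynas.diskstation.me covers photos.mynas.diskstation.me
    but neither mynas.diskstation.me itself nor dev.photos.mynas.diskstation.me.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # ".mynas.diskstation.me"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def covered_by(cert_names, hostname):
    """List the certificate names (if any) that cover a service hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


def check_services(cert_names, not_after, services, now, warn_days=30):
    """Report per service whether the certificate covers it, plus days left.

    DSM renews the certificate on its own; if days_left keeps shrinking past
    the point where a renewal should have happened, auto-renewal is failing.
    """
    days_left = (not_after - now).days
    return {
        "days_left": days_left,
        "renewal_warning": days_left <= warn_days,
        "services": {host: bool(covered_by(cert_names, host)) for host in services},
    }


if __name__ == "__main__":
    # Constructed reverse-proxy hostnames, including one a wildcard cannot cover.
    hosts = ["mynas.diskstation.me", "photos.mynas.diskstation.me",
             "dev.photos.mynas.diskstation.me", "othernas.diskstation.me"]
    print(check_services(CERT_NAMES, NOT_AFTER, hosts, datetime.now(timezone.utc)))
```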

Assign certificate

Now that we have a new default certificate, we must ensure it is used. In the certificate overview screen where you issued your certificate, you should now see two certificates: the Synology certificate that was generated during the installation of DSM, and your newly issued certificate. In the description of your new certificate, there should be an indicator that it has now been assigned as the default (Default certificate).

You now have a default certificate for your domain name, including the wildcard. You can now delete the generated Synology certificate.

The final step is to ensure that we have assigned our new certificate to every Synology service and reverse proxy entry.

  1. Open Control Panel
  2. Open Security
  3. Go to the Certificate tab
  4. Click on Settings
  5. Click on Configure
  6. The certificate assignment panel consists of two columns. The left is the Services, and the right is the Certificate. Look for the domain name we just created with the reverse proxy entry. Use the drop-down on the right of your service entry to assign your newly issued certificate to every entry in this list. This should have happened automatically, but to ensure everything is correct we check it here.
  7. Click OK, and your domain certificate is now assigned to every service and reverse proxy entry on your Synology.
DSM 6/7: Certificate assignment