Synology: Let's Encrypt Wildcard Certificate
Today I will teach you how to set up a Synology Let’s Encrypt wildcard certificate. If you have read any of my other posts, you might have seen my guides on setting up external access or obtaining a Let’s Encrypt certificate. In my Let’s Encrypt guide, I focus on how to get a certificate per service. The choice of having a certificate per service is personal. However, it’s also possible to obtain a wildcard certificate. This will give you some additional benefits.
For starters, not every per-application hostname will show up in the public certificate transparency logs that record every Let’s Encrypt certificate, so people with malicious intent will have a harder time figuring out which applications you run and under which domains. A second benefit is that we only have to maintain a single certificate for our Synology. This is where a wildcard certificate comes into play. This post is compatible with DSM 6 and DSM 7.
Wildcard certificate disclaimer
Please note that the wildcard support for Synology is limited to Synology-provided DDNS only. I will post soon on how to do this with a custom domain.
Prerequisites
External access is required to obtain a certificate. Your router must forward all HTTP and HTTPS traffic from the internet to your Synology. Let’s Encrypt connects to your Synology in order to determine that you are the owner of that subdomain.
Check out my earlier post on how to configure Synology External Access.
Guide
In this guide, we will issue a default certificate for our Synology: a Let’s Encrypt wildcard certificate. If you have followed my earlier post about external access, you should have the domain name of your NAS. In that guide, the example was mynas.diskstation.me. Please replace the references in this guide with your domain name.
Why do we need a TLS (SSL) certificate?
We want our service to have a TLS (SSL) certificate so the browser will show it as secure. We also want this to be an official certificate, not only so that it looks professional, but so that every browser accepts the website as secure. You may have come across browser warnings on the internet that a website is not secure. Please take a look at the image below; this is what we want to avoid.
We will be using Let’s Encrypt as our certificate provider to secure our Synology. If we get a certificate from Let’s Encrypt, every browser will recognize it as a valid certificate, and we will not get the warning above. Let’s Encrypt is a free provider, so we do not have to pay for the certificates. Let’s Encrypt certificates are valid for 90 days. However, do not worry: Synology DSM comes with full support for Let’s Encrypt, which means that if you set it up correctly, as I will be teaching here, your Synology will automatically renew the certificate before it expires and obtain a new one from Let’s Encrypt without any interaction required from you. Yeah, no maintenance 😊.
Get a Synology Let’s Encrypt wildcard certificate
So let’s start.
- Log in to DSM as an administrator.
- Open Control Panel.
- Open Security.
- Go to the Certificate tab.
- Choose Add.
- Choose Add a new certificate.
- Click Next.
- Choose Get a certificate from Let's Encrypt.
- It is highly recommended to enter a description, even though it is optional; it is shown in the Security > Certificate overview screen. Entering a description improves documentation and maintenance over a long period. I usually put the FQDN (Fully Qualified Domain Name) as the description. The certificate overview screen within Synology is organized around the description. Certificates can also be used for multiple services. Because we are issuing a default certificate for our Synology, I personally entered the hostname of my Synology in all capitals.
- Check Set as default certificate; we are replacing the self-signed certificate of Synology with the Let’s Encrypt certificate.
- Click Next.
- Fill in the FQDN (Fully Qualified Domain Name) you want a certificate for in the Domain Name field; this is the Dynamic DNS name you created for your Synology in the external access guide. Example: mynas.diskstation.me; replace this with your own domain name.
- Enter your e-mail address. Each certificate must have an e-mail. This email address will also be encoded within your certificate. You can receive e-mails from Let’s Encrypt regarding your certificate, so please use a real one.
- Subject Alternative Names: this is what we are going to use to obtain our Synology Let’s Encrypt wildcard certificate. Here you enter the same domain name as in the Domain Name field, with the prefix *. in front of it. Using the domain name example from the external access guide, the full subject alternative name would read *.mynas.diskstation.me; replace this with your domain name.
- Issue the certificate by clicking Apply or Done.
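As an added check that is not part of the original post: the Python snippet below shows why both the Domain Name (mynas.diskstation.me) and the Subject Alternative Name (*.mynas.diskstation.me) are needed, by matching hostnames against the SAN list the way browsers do (RFC 6125 rules: the wildcard stands for exactly one label), and it reports the days left before expiry so you can confirm that DSM's automatic renewal is keeping up. The SAN list is a constructed sample, and fetch_cert_summary assumes you pass your own NAS hostname.

```python
import socket
import ssl
import time

# Constructed sample: the DNS names DSM requests when the Domain Name is
# mynas.diskstation.me and the Subject Alternative Name is *.mynas.diskstation.me.
SAMPLE_SANS = ["mynas.diskstation.me", "*.mynas.diskstation.me"]


def san_covers(hostname, san):
    """Match one hostname against one DNS SAN the way browsers do (RFC 6125):
    a wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.mynas.diskstation.me covers photos.mynas.diskstation.me
    but neither mynas.diskstation.me itself nor a.b.mynas.diskstation.me."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if "" in host_labels or len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        return host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def covered_by(hostname, sans):
    """True if any SAN in the list covers the hostname."""
    return any(san_covers(hostname, san) for san in sans)


def days_until_expiry(not_after, now_text=None):
    """Whole days left on a certificate. Dates use the getpeercert() notAfter
    format, e.g. 'Jun  1 12:00:00 2025 GMT'; now_text defaults to the current time."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = ssl.cert_time_to_seconds(now_text) if now_text else time.time()
    return int((expires - now) // 86400)


def fetch_cert_summary(host, port=443):
    """Connect to the NAS (host is your own FQDN, e.g. mynas.diskstation.me) and
    return its DNS SANs and notAfter; raises if the served chain is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans, cert["notAfter"]


if __name__ == "__main__":
    for name in ("mynas.diskstation.me", "photos.mynas.diskstation.me", "a.b.mynas.diskstation.me"):
        print(name, "covered" if covered_by(name, SAMPLE_SANS) else "NOT covered")
```

To check a live NAS, call fetch_cert_summary with your own FQDN and feed the returned SANs and notAfter into covered_by and days_until_expiry.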
So that you know, there are limits to requesting certificates from Let’s Encrypt. If you exceed certain limits, there is no way around it other than waiting until your limit has reset after a certain period. Details about the limits for Let's Encrypt can be found here: Let’s Encrypt Rate Limits.
The certificate will now be issued and appear in the Certificate overview tab, where you can start using it. One possibility of using your certificate is to secure a Synology service or a reverse proxy entry.
Assign certificate
Now that we have a new default certificate, we must ensure it is used. In the certificate overview screen where you issued your certificate, you should now see two certificates: a Synology certificate that was generated during the installation of DSM, and your newly issued certificate. The description of your new certificate should now carry the indicator (Default certificate).
Now you have a default certificate for your domain name with a wildcard option. You can now delete the generated Synology certificate.
The final step is to ensure that we have assigned our new certificate to every Synology service and reverse proxy entry.
- Open Control Panel.
- Open Security.
- Go to the Certificate tab.
- Click on Settings.
- Click on Configure.
- The certificate assignment panel consists of two columns. The left is the Services column, and the right is the Certificate column. Look for the domain name we just created with the reverse proxy entry. Use the drop-down on the right of your service entry to assign your newly issued certificate to every entry in this list. This should have happened automatically, but to ensure everything is correct we check it here.
- Click OK, and your domain certificate is now assigned to every service and reverse proxy on your Synology.