Synology: Let's Encrypt Certificate

Synology Jan 7, 2023

This guide will help you issue a certificate from Let’s Encrypt. You can use these certificates to secure services or Docker containers on your Synology NAS. If you plan to use a Let’s Encrypt certificate to secure access to services or Docker containers, I recommend you read my entire post about how to set up a reverse proxy for Docker containers on Synology. This post is compatible with DSM 6 and DSM 7.

Wildcard certificate

If you want to set up a Let’s Encrypt wildcard certificate on your Synology for all your Synology services and/or Docker containers, please follow this guide: Synology Let’s Encrypt Wildcard.

Shortly I will also write a guide on achieving the same for Synology services.

Prerequisites

External access is required to obtain a certificate. Your router must forward all HTTP and HTTPS traffic from the internet to your Synology. Let’s Encrypt connects to your Synology to verify that you are the owner of that subdomain.

Check out my earlier post on how to configure Synology External Access.

Guide

In this guide, we will use mynas.diskstation.me as described in my earlier post on configuring your Synology for external access. The subdomain we will be using throughout this guide is service, so the FQDN (Fully Qualified Domain Name) becomes service.mynas.diskstation.me. Please replace this with the FQDN you created in the Synology external access guide, and replace service with the name of the service for which you want to obtain a certificate.

A real-world example for clarity: let’s say that we are using this guide to obtain a certificate to expose the UI of the Docker management application Portainer to the public internet, and we have our Synology publicly available on the domain gtimmer.diskstation.me. Then the FQDN will become portainer.gtimmer.diskstation.me. I have planned on writing a post on how to set up Portainer anyway, so shortly, I will link that article here.

Why do we need a TLS (SSL) certificate?

We want our service to have a TLS (SSL) certificate so the browser will show it as safe. We also want this to be an official certificate, not only because it looks professional, but because we want every browser to accept the website as secure. You may have come across browser warnings on the internet saying that a website is not secure. Please take a look at the image below; we want to avoid this.

TLS (SSL) Certificate Expired: This is what we do not want

We will be using Let’s Encrypt as our certificate provider to secure our Synology; if we get a certificate from Let’s Encrypt, every browser will recognize it as a valid certificate, and we do not get the warning above. Let’s Encrypt is a free provider, so we do not have to pay for the certificates. Let’s Encrypt certificates are valid for 90 days. However, do not worry. Synology DSM comes with full support for Let’s Encrypt, which means that if you set it up correctly, as I will be teaching here, your Synology will automatically renew the certificate before it expires by obtaining a new one from Let’s Encrypt, without any interaction required from you. Yeah, no maintenance 😊.

Get a Let’s Encrypt certificate

So let’s start.

  1. Log in to DSM as an administrator
  2. Open Control Panel
  3. Open Security
  4. Go to the Certificate tab
  5. Choose Add
DSM 7: Add new certificate
DSM 6: Add new certificate
  6. Choose Add a new certificate
  7. Click Next
DSM 7: Add a new certificate
DSM 6: Add a new certificate
  8. Choose Get a certificate from Let's Encrypt
  9. It is highly recommended to enter a description, even though it is optional; it is shown in the Security > Certificate overview screen, and that screen favors the description. Entering a description will improve documentation and maintenance over a long period. I usually put the FQDN (Fully Qualified Domain Name) as the description. Certificates can also be used for multiple services, which is quite useful when using a wildcard certificate, so a good practice is to put in the certificate DNS name. Example: portainer.mynas.diskstation.me
  10. Click Next
DSM 7: Get a certificate from Let’s Encrypt
DSM 6: Get a certificate from Let’s Encrypt
  11. In the field Domain Name, enter the FQDN (Fully Qualified Domain Name) you want a certificate for.
  12. Enter your e-mail address. Each certificate must have an e-mail. This email address will also be encoded within your certificate. You can receive e-mails from Let’s Encrypt regarding your certificate, so please use a real one.
  13. Optional: Subject Alternative Names. This is an excellent option. It allows you to add additional domain names to a certificate, so that multiple addresses can use the same certificate.

    Say that you make the earlier mentioned Docker service available on the address portainer.mynas.diskstation.me; while creating this certificate, you conclude that it would also be nice to have the address docker.mynas.diskstation.me point to Portainer. So you have two addresses. This is where Subject Alternative Names come into play. You can add additional domains (alternatives) to a certificate, and the certificate is valid for those as well. Domain names must be separated with a semicolon ;
  14. Issue the certificate by clicking on Apply or Done
Example: Multiple domains

Domain Name: admin.mynas.diskstation.me

Subject Alternative Names: management.mynas.diskstation.me;dsm.mynas.diskstation.me

A requested certificate with the configuration as stated above will be valid for the following domains:

  • admin.mynas.diskstation.me
  • management.mynas.diskstation.me
  • dsm.mynas.diskstation.me

There is a maximum of 100 names per certificate.

So that you know, there are limits to requesting certificates from Let’s Encrypt. If you exceed certain limits, there is no other way around it than to wait until your limit has reset itself after a certain period.

Details about the limits for Let's Encrypt can be found here: Let’s Encrypt Rate Limits

DSM 7: Issue new certificate
DSM 6: Issue new certificate

The certificate will now be issued and appear in the Certificate overview tab, where you can start using it. One possibility of using your certificate is to secure a Synology service or a reverse proxy entry.

Assign certificate

When you have issued or imported a certificate in your DSM security center, you can then assign it to services and reverse proxy entries.

  1. Open Control Panel
  2. Open Security
  3. Go to the Certificate tab
  4. Click on Settings
  5. Click on Configure
  6. The certificate assignment panel consists of two columns. The left is the Services, and the right is the Certificate. Look for the domain name we just created with the reverse proxy entry. Use the drop-down on the right of your service entry to assign your issued certificate. Earlier in this guide, I mentioned that I always advise filling in the Description field when issuing a new certificate; that description is what is shown in the drop-down menu.
  7. Click OK, and the certificate you issued is now assigned to the domain we created in the reverse proxy.
DSM 6/7: Certificate assignment
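
Once the certificate is assigned, it is worth checking from outside your network that the NAS really serves it, that it covers every name you entered, and that automatic renewal keeps up with the 90-day lifetime. The script below is an added example, not part of the original guide or of DSM; the function names and the 14-day alert margin are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
import time

RENEW_MARGIN_DAYS = 14  # assumed alert threshold, not a DSM or Let's Encrypt setting


def fetch_cert(host, port=443, timeout=5.0):
    """Return the certificate the server presents for `host`.

    create_default_context() verifies the chain and the hostname, so an
    expired, self-signed or mismatched certificate raises an ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_cert(cert, expected_names, now=None):
    """Compare a getpeercert() dict with the names entered in DSM.

    Names are compared exactly; wildcard entries are not expanded.
    """
    now = time.time() if now is None else now
    dns_names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    missing = sorted(n.lower() for n in expected_names if n.lower() not in dns_names)
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "missing": missing,                               # names the cert does not cover
        "days_left": days_left,                           # whole days until expiry
        "renewal_overdue": days_left < RENEW_MARGIN_DAYS,  # auto-renewal probably failing
    }


# Constructed sample in the shape getpeercert() returns (90-day validity).
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "admin.mynas.diskstation.me"),
        ("DNS", "management.mynas.diskstation.me"),
        ("DNS", "dsm.mynas.diskstation.me"),
    ),
    "notBefore": "Jan  7 00:00:00 2023 GMT",
    "notAfter": "Apr  7 00:00:00 2023 GMT",
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Mar  1 00:00:00 2023 GMT")  # constructed "today"
    wanted = ["admin.mynas.diskstation.me", "docker.mynas.diskstation.me"]
    print(audit_cert(SAMPLE_CERT, wanted, now))
```

For a live check, pass the result of fetch_cert() for your own FQDN to audit_cert() together with the Domain Name and Subject Alternative Names you entered.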

Next Steps

I hope this guide is helpful to you for issuing a certificate from Let’s Encrypt on Synology. If you want to know how to use this new certificate to secure a Docker container, you can read my guide on how to set up a reverse proxy.

Please leave a comment and let me know what you think.
