This guide will help you issue a certificate from Let’s Encrypt. You can use these certificates to secure services or docker containers on your Synology. Together, Synology and Let’s Encrypt will secure your NAS. If you use a Let’s Encrypt certificate to secure access to services or docker containers, I recommend you read my entire post about how to set up a reverse proxy for docker containers on Synology here. This post is compatible with DSMv6 and DSMv7.
If you want to set up a Let’s Encrypt wildcard certificate on your Synology for all your Synology services and/or docker containers, please go to this guide: Synology Let’s Encrypt Wildcard.
Shortly I will also write a guide on achieving the same for Synology services.
External access is required to obtain a certificate. Your router must forward all HTTPS traffic from the internet to your Synology. Let’s Encrypt connects to your Synology in order to determine that you are the owner of that subdomain.
Check out my earlier post on how to configure Synology External Access.
In this guide, we will use mynas.diskstation.me as described in my earlier post on configuring your Synology for external access. The subdomain we will be using throughout this guide is service. The FQDN (Fully Qualified Domain Name) will become service.mynas.diskstation.me. Please replace this with the FQDN you created in the Synology external access guide, and replace the service with the name of the service for which you want to obtain a certificate.
A real-world example for clarity: let’s say that we are using this guide to obtain a certificate to expose the UI of the docker management application portainer to the public internet, and we have our Synology publicly available on the domain gtimmer.diskstation.me. Then the FQDN will become portainer.gtimmer.diskstation.me. I have planned on writing a post on how to set up portainer anyway, so shortly, I will link that article here.
Why do we need a TLS (SSL) certificate?
We want our service to have a TLS (SSL) certificate so the browser will show it as safe. We also want this to be an official certificate, not only because it looks professional, but also because we want every browser to accept the website as secure. Maybe you have come across those browser warnings on the internet saying that a website is not secure. Please take a look at the image below; we want to avoid this.
We will be using Let’s Encrypt as our certificate provider to secure our Synology; if we get a certificate from Let’s Encrypt, every browser will recognize it as a valid certificate, and we do not get the warning above. Let’s Encrypt is a free provider, so we do not have to pay for the certificates. Let’s Encrypt certificates are valid for 90 days. However, do not worry. Synology DSM comes with full support for Let’s Encrypt, which means that if you set it up correctly, as I will be teaching here, your Synology will automatically refresh the certificates before they expire and obtain a new one from Let’s Encrypt without any interaction required from you. Yeah, no maintenance 😊.
Get a Let’s Encrypt certificate
So let’s start.
- Log in to DSM as an administrator
- Go to tab
Add a new certificate
Get a certificate from Let's Encrypt
- It is highly recommended to enter a description, even though it’s optional; it is shown within the Security > Certificate overview screen. Entering a description will improve documentation and maintenance over a long period. I usually put the FQDN (Fully Qualified Domain Name) as the description. The certificate overview screen within Synology favors the description. Certificates can also be used for multiple services, which is quite useful when using a wildcard certificate. Therefore a good practice is to put in the certificate DNS name. Example:
- Fill in the FQDN (Fully Qualified Domain Name) address you want a certificate for in the field
- Enter your e-mail address. Each certificate must have an e-mail. This email address will also be encoded within your certificate. You can receive e-mails from Let’s Encrypt regarding your certificate, so please use a real one.
Subject Alternative Names: this is an excellent option. It allows you to add additional domain names to a certificate. This can be used to have multiple addresses use the same certificate. Say that you make the earlier mentioned docker service available on the address portainer.mynas.diskstation.me; while creating this certificate, you conclude that it also would be nice to have the address docker.mynas.diskstation.me also point to portainer. So you have two addresses. This is where Subject Alternative Names come into play. You can add additional domains to a certificate (alternatives) which are also valid for this certificate. Domain names must be separated with a semicolon.
- Issue the certificate by clicking on
Example: Multiple domains
Subject Alternative Names:
A requested certificate with the configuration as stated above will be valid for the following domains:
There is a maximum of 100 names per certificate.
So that you know, there are limits to requesting certificates from Let’s Encrypt. If you exceed certain limits, there is no other way around it than to wait until your limit has reset itself after a certain period.
Details about the limits for Let's Encrypt can be found here: Let’s Encrypt Rate Limits
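Because requests count against those limits, it helps to check the name fields before submitting them. The sketch below is an added example, not part of the original guide or of DSM: it parses the domain name plus a semicolon-separated Subject Alternative Names field, enforces the 100-name limit, and tells you whether a given hostname would be covered. It goes slightly beyond the text by also matching wildcard names, and the function names are hypothetical.

```python
import re

MAX_NAMES = 100  # limit of names per certificate, as stated in the guide

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def valid_dns_name(name):
    """True for a syntactically valid FQDN; a leading '*.' is allowed."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(name) <= 253 and len(labels) >= 2 and all(map(_LABEL.fullmatch, labels))


def planned_names(domain, san_field=""):
    """Names one request would cover: the domain plus semicolon-separated SANs.

    Raises ValueError for a malformed name or more than MAX_NAMES names.
    """
    names = []
    for raw in [domain] + san_field.split(";"):
        name = raw.strip().rstrip(".").lower()
        if not name:
            continue  # tolerate an empty field or a trailing semicolon
        if not valid_dns_name(name):
            raise ValueError(f"not a valid DNS name: {raw!r}")
        if name not in names:
            names.append(name)
    if len(names) > MAX_NAMES:
        raise ValueError(f"{len(names)} names exceed the limit of {MAX_NAMES}")
    return names


def covers(names, host):
    """True if host matches a name; '*' stands for exactly one leftmost label."""
    host = host.rstrip(".").lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent) for n in names)


if __name__ == "__main__":
    # Constructed input, using the example hostnames from this guide.
    names = planned_names("portainer.mynas.diskstation.me",
                          "docker.mynas.diskstation.me;")
    print(names, covers(names, "service.mynas.diskstation.me"))
```

A name separated with a comma instead of a semicolon is rejected as malformed, which catches the most likely typing mistake in that field.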
The certificate will now be issued and appear in the Certificate overview tab, where you can start using it. One possibility of using your certificate is to secure a Synology service or a reverse proxy entry.
When you have issued or imported a certificate in your DSM security center, you can then assign it to services and reverse proxy entries.
- Go to tab
- Click on
- Click on
- The certificate assignment panel consists of two columns. The left is the Services, and the right is the Certificate. Look for the domain name we just created with the reverse proxy entry. Use the drop-down on the right of your service entry to assign your issued certificate. Also, earlier in this guide, I mentioned that I always advise filling in the Description field when issuing a new certificate; this will be shown in the drop-down menu.
OK, and the certificate you issued is now assigned to the domain we created in the reverse proxy.
I hope this guide is helpful to you for issuing a certificate from Let’s Encrypt on Synology. If you want to know how to use this new certificate in combination with securing a docker container, you can read my guide on how to set up a reverse proxy.
Please leave a comment and let me know what you think.