Synology: Let's Encrypt Certificate
This guide will help you issue a certificate from Let’s Encrypt on your Synology. You can use such a certificate to secure DSM services or docker containers that you expose through the NAS. If you intend to use the certificate to secure access to docker containers, I recommend you first read my entire post about how to set up a reverse proxy for docker containers on Synology. This post applies to both DSM 6 and DSM 7.
Wildcard certificate
If you want to set up a Let’s Encrypt wildcard certificate on your Synology for all your Synology services and/or docker containers, please go to this guide: Synology Let’s Encrypt Wildcard.
Shortly I will also write a guide on achieving the same for Synology services.
Prerequisites
External access is required to obtain a certificate. Your router must forward HTTP (port 80) and HTTPS (port 443) traffic from the internet to your Synology, and the FQDN you request must resolve to your public IP address. Let’s Encrypt proves that you control the name by connecting to your Synology on that name; if that connection fails, the request is rejected. The same validation is repeated at every automatic renewal, so the forwarding has to stay in place after the certificate has been issued.
Check out my earlier post on how to configure Synology External Access.
Guide
In this guide, we will use mynas.diskstation.me as described in my earlier post on configuring your Synology for external access. The subdomain we will be using throughout this guide is service. The FQDN (Fully Qualified Domain Name) will therefore be service.mynas.diskstation.me. Please replace this with the FQDN you created in the Synology external access guide, and replace service with the name of the service for which you want to obtain a certificate.
As a real-world example for clarity, let’s say that we are using this guide to obtain a certificate to expose the UI of the docker management application portainer to the public internet, and that our Synology is publicly available on the domain gtimmer.diskstation.me. Then the FQDN will become portainer.gtimmer.diskstation.me. I have planned on writing a post on how to set up portainer anyway, so shortly, I will link that article here.
Why do we need a TLS (SSL) certificate?
We want our service to have a TLS (SSL) certificate so that the browser shows the connection as secure. We also want this to be a certificate from a publicly trusted certificate authority: not only does it look professional, but every browser will then accept the website as secure. You may have come across the browser warning that a website is not secure; that is what you get with a self-signed or otherwise untrusted certificate. Please take a look at the image below; we want to avoid this.
We will be using Let’s Encrypt as our certificate provider to secure our Synology. Let’s Encrypt is a publicly trusted certificate authority, so every major browser and operating system recognizes its certificates as valid and we do not get the warning above. Let’s Encrypt is also free, so we do not have to pay for the certificates. Let’s Encrypt certificates are valid for 90 days. However, do not worry: Synology DSM comes with full support for Let’s Encrypt, which means that if you set it up correctly, as I will be teaching here, your Synology will automatically renew the certificates before they expire and obtain new ones from Let’s Encrypt without any interaction required from you. Yeah, no maintenance 😊. The one thing you must keep in place is the port forwarding from the prerequisites, because renewal runs the same validation as the initial request.
Get a Let’s Encrypt certificate
So let’s start.
- Log in to DSM as an administrator
- Open Control Panel
- Open Security
- Go to the tab Certificate
- Choose Add
- Choose Add a new certificate
- Click Next
- Choose Get a certificate from Let's Encrypt
- It is highly recommended to enter a description, even though it is optional; it is shown in the Security > Certificate overview screen and in the drop-down used when assigning certificates, so it improves documentation and maintenance over a long period. Since one certificate can cover several names and can be assigned to multiple services (quite useful with a wildcard certificate), a good practice is to use the certificate's DNS name as the description. I usually put the FQDN (Fully Qualified Domain Name) there. Example: portainer.mynas.diskstation.me
- Click Next
- Fill in the FQDN (Fully Qualified Domain Name) you want a certificate for in the field Domain Name.
- Enter your e-mail address. Each request must have an e-mail address. It is not embedded in the certificate itself; it is the contact address of your Let’s Encrypt account, and Let’s Encrypt uses it to send notices about your certificates (for example when one is about to expire without having been renewed), so please use a real one.
- Optional: Subject Alternative Names. This is a very useful option. It allows you to add additional domain names to the certificate, so that multiple addresses can use the same certificate. Say that you make the earlier mentioned docker service available on the address portainer.mynas.diskstation.me; while creating this certificate, you conclude that it would also be nice to have the address docker.mynas.diskstation.me point to portainer. So you have two addresses. This is where Subject Alternative Names come into play: you can add additional domains (alternatives) for which this certificate is also valid. Domain names must be separated with a semicolon (;). Every name you list must also resolve to your Synology and be reachable through the port forwarding from the prerequisites, because Let’s Encrypt validates each of them.
- Issue the certificate by clicking Apply or Done.
Example: Multiple domains
Domain Name: admin.mynas.diskstation.me
Subject Alternative Names: management.mynas.diskstation.me;dsm.mynas.diskstation.me
A requested certificate with the configuration as stated above will be valid for the following domains:
- admin.mynas.diskstation.me
- management.mynas.diskstation.me
- dsm.mynas.diskstation.me
There is a limit of a maximum of 100 names per certificate.
So that you know, there are limits on requesting certificates from Let’s Encrypt. If you exceed one of them, there is no way around it but to wait until the limit resets after a certain period, so avoid re-requesting the same certificate repeatedly while experimenting. Details about the limits for Let's Encrypt can be found here: Let’s Encrypt Rate Limits
The certificate will now be issued and appear in the Certificate overview tab, where you can start using it. One way to use your certificate is to secure a Synology service or a reverse proxy entry.
Assign certificate
When you have issued or imported a certificate in the DSM security center, you can assign it to services and reverse proxy entries.
- Open Control Panel
- Open Security
- Go to the tab Certificate
- Click on Settings
- Click on Configure
- The certificate assignment panel consists of two columns. The left one is Services and the right one is Certificate. Look for the domain name of the reverse proxy entry you created (or the Synology service you want to secure). Use the drop-down on the right of your service entry to assign your issued certificate. As mentioned earlier in this guide, I always advise filling in the Description field when issuing a new certificate, because that description is what is shown in this drop-down menu.
- Click OK, and the certificate you issued is now assigned to the domain you created in the reverse proxy.
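Once a certificate is assigned, it is worth checking from outside what is actually being served for the name, which names the certificate covers (the Subject Alternative Names from the Multiple domains example above) and how long it remains valid, so that a failed automatic renewal is noticed before the browser warning returns. The script below is an added example, not part of the original post or of DSM. It assumes openssl is in PATH, and the hostnames under mynas.diskstation.me are the guide's placeholders. make_test_cert builds a constructed self-signed stand-in (not a Let's Encrypt certificate) so the checks can be tried without a NAS; against a real NAS, run the script with the FQDN as its argument.

```shell
#!/bin/sh
# Added example: check the certificate served for a name (SANs, coverage, expiry).
# Assumes `openssl` is in PATH. Hostnames are the guide's placeholders, not real hosts.

# Print the DNS names in a PEM certificate's Subject Alternative Name extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Exit 0 if the certificate covers NAME: an exact SAN match, or a wildcard SAN
# (*.example) matching exactly one extra label, which is how browsers evaluate it.
cert_covers() {
    crt=$1
    name=$2
    set -f                      # keep '*.mynas...' SANs from globbing against filenames
    for san in $(cert_sans "$crt"); do
        case "$san" in
            "$name") set +f; return 0 ;;
            \*.*)
                suffix=${san#\*.}
                label=${name%%.*}
                if [ "$name" = "$label.$suffix" ]; then set +f; return 0; fi
                ;;
        esac
    done
    set +f
    return 1
}

# Exit 0 if the certificate is still valid DAYS days from now (openssl -checkend).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Subject, issuer and expiry; the issuer line shows whether it really is a Let's Encrypt cert.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Fetch the certificate the NAS (or its reverse proxy) presents for HOST via SNI, save as PEM.
fetch_served_cert() {
    host=$1
    out=$2
    openssl s_client -servername "$host" -connect "$host:${3:-443}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
}

# Constructed stand-in for offline use: a self-signed certificate with the given SAN list
# (default: the three names from the "Multiple domains" example). Not a Let's Encrypt cert.
make_test_cert() {
    out=$1
    sans=${2:-DNS:admin.mynas.diskstation.me,DNS:management.mynas.diskstation.me,DNS:dsm.mynas.diskstation.me}
    cn=${sans%%,*}
    cn=${cn#DNS:}
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$cfg" -extensions v3_req \
        -keyout "$out.key" -out "$out" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Usage: sh check-cert.sh service.mynas.diskstation.me
if [ -n "${1:-}" ]; then
    crt=$(mktemp)
    fetch_served_cert "$1" "$crt" || { echo "could not fetch a certificate from $1:443" >&2; exit 2; }
    cert_summary "$crt"
    echo "SANs:"; cert_sans "$crt"
    cert_covers "$crt" "$1" && echo "OK: certificate covers $1" \
        || echo "WARN: certificate does not cover $1 (wrong certificate assigned to this entry?)"
    cert_valid_for_days "$crt" 30 && echo "OK: valid for more than 30 days" \
        || echo "WARN: expires within 30 days; check that DSM can still renew (port 80 forwarding)"
    rm -f "$crt"
fi
```

The wildcard rule in cert_covers mirrors what browsers do: *.mynas.diskstation.me covers portainer.mynas.diskstation.me but neither a.b.mynas.diskstation.me nor mynas.diskstation.me itself. A WARN on coverage usually means a different certificate is selected for that entry in the assignment panel; a WARN on expiry means DSM's automatic renewal has not succeeded, and the first thing to re-check is the port forwarding from the prerequisites.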
Next Steps
I hope this guide is helpful to you for issuing a certificate from Let’s Encrypt on Synology. If you want to know how to use this new certificate in combination with securing a docker container, you can read my guide on how to set up a reverse proxy.
Please leave a comment and let me know what you think.