Have you updated your Synology to the latest DSM 6? If you haven’t done it yet, here is reason to get you started.
I have been wanting to do this for a long time, but I never managed to figure out how to do it until now.
First step:
- You need to have your own domain name pointing at your synology. Follow this guide to learn how.
Once you have done that, here is what you do.
Navigate to Security and then click on certificate:
You will have the self-signed Synology certificate available.
Let’s add a certificate for the domain name you created in the previous step:
- Click on Add
- Select Add new certificate
Note, If you get an error while obtaining the certificate, you need to open port 80/443 in your router (Thanks hades2003 for the tip):
Select, Get a new certificate from Let’s encrypt.
To create your certificate, you need to:
- Add your new domain (or subdomain): ds.example.com or example.com
- Add your email
- Enter your old DDNS address: mydomain.synology.me
Now that the new certificate has been created, click on it and select “configure”:
Click on each service and change to your new certificate:
Now, log out of your synology and login using your new domain name. You should see this:
One last change:
- Navigate to Network
- DSM settings
- It is recommended to change your Http and https port numbers (you can do it here)
- Check: automatically redirect http to https , so all your logins and user’s logins will be secured
And you are done!!
Enjoy!!
Gracias Ruth por publicar el tutorial,en mi NAS durante el proceso de la descarga del certificado desde Let´s Encrypt mostraba un error de conexión, para evitarlo se tiene que habilitar en el router el port forwarding de los puertos 80/443 a la IP de la NAS (El 80 solamente se requiere para la descarga inicial del certificado, finalizado el proceso se puede desactivar).
Saludos
LikeLike
Muchas gracias Hades! Me podrías mandar el error que te mostraba? (Si lo recuerdas). Actualizare la guía con tus indicaciones, seguro que ayuda a alguien con el mismo problema. Saludos, Ruth
LikeLike
Adjunto un enlace con la captura del error.
LikeLike
Genial, muchas gracias! Mañana actualizo la guía.
/Ruth
LikeLike
Hey,
Thank you, it works, when I connect in whilst away from home.
When I am at home, and connect in using my browser, I still get the “this connection may not be safe, bla bla bla” error message. Any suggestions?
LikeLike
Hi, in your home Network, you can connect with your internal IP.
/Ruth
LikeLike
Hello Ruth —
Thank you for putting up these instructions. I am trying to get this working with our Synology, using example mytest.synology.me for DDNS and mytest.exampledomain.com as the subdomain. I am able to get through the LetsEncrypt certificate creation process correctly, and the Control Panel indicates that a certificate for mytest.exampledomain.com is correctly registered.
However when I go to the following URL in Firefox, I get a “Your connection is not secure” error where it ind:
https://mytest.exampledomain.com:12121
Note that 12121 is the port to reach the DiskStation admin console (i.e. when I log in locally, I go to some thing like 10.0.1.55:12121). I have confirmed that port 12121 is open on my router and re-directing to the Synology. In fact, if I tell Firefox to make a certificate exception to the above URL, then it works fine, so I know it is possible to reach the Synology from outside, just not via a certificate that is recognized as valid.
Any suggestions?
Ramon
LikeLike
Hi Ramon,
Unfortunately I omit one step. You need to reconfigure all your services with the new certificate:
I have updated the guide now, let me know if you still have problems,
Best Regards,
Ruth
LikeLike
Hi Ruth.
I am succeeded setup DMS with https/SSL and every application(Video Station,File Station) accessed via https works fine, but Photo Station access field.
Any idea? Thinks.
LikeLike
Hi Jimmy,
Enabling HTTPS under DSM Settings does not work for Web or Photo station. These two applications require enabling HTTPS in their own UI. To enable HTTPS on Photo Station, open the application, go to “General Settings >Other Settings” and check “Automatically redirect http to https”.
/Ruth
LikeLike
Hi Ruth,
And how would you do this for web station; both main site and virtual hosts? I cannot for the life of me, find out where this should be done.
/David
LikeLike
I cant either David, as soon as I figure it out I will write a post about it. Or perhaps you know now and want to do a guest post? Let me know!
/Ruth
LikeLiked by 1 person
Thank you. I’ve just followed your excellent tutorial and everything works. However, when I log into my DS through local LAN (192.168.x.x) the old red “Not Secure” sign shows up again in Chrome. Any insight you may have on this would be really appreciated!
LikeLike
Sorry, being away from this blog for a while. Did you solve your issue?
/Ruth
LikeLike
One year further and i have the same question. Howto resolve the issue with the certificate when i go locally (192.168.x.x) to the nas?
LikeLike
Can I have certification *without* my own domain? I am happy with ‘mytest.synology.me’ — could I use the Let’s Encrypt certificate with ‘mytest.synology.me’?
LikeLike
No, unfortunately you cant, as you would be using a subdomain of synology which you dont own.
/Ruth
LikeLike
hi,
how to set up 3 certificate for 3 different email servers?
I have set up 3 certificates from Let’s Encrypt, all services looks like wokring correct except mail for https://mail.xxxxx2.com and https://mail.xxxxx3.com (not default certificates)
i get warning from browser, showing certificate for xxxxx1.com
any ideas?
LikeLike
Hi, I did all these, and I got the Secure connection using Google Chrome. However, when I try it with Microsoft Edge or Mozilla Firefox browser, both of these say that the site is unsecured and that the configuration is improper.
The certificate is only valid for (site name)
example.com uses an invalid security certificate.
The certificate is only valid for the following names: http://www.example.com, *.example.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.
A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning.
LikeLiked by 2 people
Okay this is REALLY weird. I suspected that my domain settings on the Hover.com account has the error. So, I deleted and cleared everything. Now weird part is, http://www.mydomain.com points to nowhere and I cannot access the Synology through that address.
BUT, mydomain.synlogy.me is still up and running AND is secured by Let’s Encrypt – all 3 browsers shows that it is secured. I dont understand what is going on! Hahahaha! I though we needed a mydomain.com in order to set up the Let’s Encrypt SSL connection?
Help please! TQ
LikeLike
Sorry, being away from this blog for a while. Did you solve your issue?
/Ruth
LikeLike
Thanks a LOT ! just to mention that I lots HOURS because of some details I’ll explain here just in case.
1 : a bug in DSM UI Rendering (using chromium under ubuntu,). When ‘updating the services’ to point to the new certificate … the dropdown did only display the old ‘synology.com’ certificate. Weird huh ? And finally, I hit the down-arrow key (almost by mistake) : the dropdown menu opened and expanded fully : I saw the certificates. In the menu, there is a small arrow on the far right to tell you to click there to expand the full list … but it’s hidden, nearly unclickable, and I could see it.
2 : at the beginning the whole procedure failed, so let’s add one prerequisite : Web Station must be installed 🙂 It was not my case, even after installation lets encrypt could not fulfill the certificate request. (even with port 80 opened and so on). Please note that :
– lets encrypt looks for .well-known/acme-challenge/SOME-GENERATED-FILE to ckeck eveything is OK
– but NGINX on DSM has a special configuration for this path : even if you anually creates files under ‘web/.well-known/acme-challenge’ with file station for instance, it won’t be served by the web server. (any other path/file will). In /etc/nginx.conf : this very specific path is rerouted to /var/lib/letsencrypt, instead of /volume1/web
– long story short : manual tweaks didn’t help, reboot DSM did help after web station installation, not sure why. Probably because DSM itself relies on nginx (I know : I jailed me out by stopping it 🙂 )
– so : in the end : install web station, reboot dsm, open port 80 of your router, point it to your diskstation.
Hope it will help someone 🙂
LikeLike
Fantastic! Thanks for sharing!
/Ruth
LikeLike
Just a quick note, if you’re using Dynamic DNS with a CNAME, this won’t work. You MUST use an ‘A’ record for your external WAN address, not a ‘CNAME’ pointing to the Synology DDNS address. This took me like 3 hours to figure out.
LikeLike
Hi Russ,
Thanks for sharing, it might help others 🙂
/Ruth
LikeLike
Hi Russ,
Thanks for your comment. This might be the root problem in my case but I am wondering what I need to do if I don’t have a fix IP to point the A record to? This might work today but how would the automatic renewal process work if my IP is changing?
Do you have any suggestions?
Thanks for your reply
LikeLike
Sorry this is so late… I created an A record, got it registered, them changed it back to a CNAME.
LikeLike
Fantastic! Thanks for sharing. After days trying to get this to work, your tip got this fixed right away. Secure connection now!
LikeLike
Perfect! It took me a while to het it working too 🙂
/Ruth
LikeLike
Hey hey! thanks for this guide – very helpful.
The certificate expires in 90 days.
I received an email saying that the certificate has expired.
Do we need to do anything to renew the Lets Encrypt certificate?
I logged on to https://www.mydomain.com:5001 and everything seems to be working fine still.
I am confused
Thanks
LikeLike
You dont need to do anything! It will renew automatically 🙂
/Ruth
LikeLike
Okay it turns out that yes, I made erroneous entries via the hover.com account.
Now another issue:
The certificate expires in 90 days.
I received an email saying that the certificate has expired.
Do we need to do anything to renew the Lets Encrypt certificate?
I logged on to https://www.mydomain.com:5001 and everything seems to be working fine still.
I am confused
Thanks
LikeLike
Hi, You dont need to do anything, the certificate will refresh automatically 🙂 Neat!
/Ruth
LikeLike
No need to renew manually, synology will manage that for you 🙂
/Ruth
LikeLike
Hi Ruth,
do you know when, approximately, does synology renew the certificate automatically?
Mine is due on 2017-09-12 and I’m getting a bit nervous 😀
(By the way, that date on the rightside of the certificate name is orange colored, any idea why?)
Thanks a lot for your guide, helped me configure it flawlessly.
LikeLike
Hi, Not sure, I am guessing that it does it the same day? I have never monitored that, but for me it works every time!
I think the orange means that your cert is about to expire.
Glad it worked for you!
/Ruth
LikeLike
Hi Ruth,
Thank you for all the help you provide on this blog! I love that you always show screenshots of all the steps you’re describing. You are truly a life saver!
Thank you,
Levi Martinez
LikeLike
Great! Happy that it is useful:)
/Ruth
LikeLike
Flawless instructions… can’t Thank You enough!!!
James
LikeLike
You welcome James! /Ruth
LikeLike
Would anyone have guidance on how to configure nginx in DSM 6.1 to force port 80 connections to https? Specifically, when accessing the contents of volume1/web/index.html – how to force encryption. I have been looking at /usr/syno/share/nginx/WWWService.mustache, but editing this doesn’t seem to be working for me.
LikeLike
I dont have, but perhaps somebody here has it?
/Ruht
LikeLike
Hi Ruth, how did you renewed the letscrypt certificate? I had to readd a new certificate to keep this domain active.
LikeLike
For me, it renews automatically… Do you have more than one ?
/Ruth
LikeLike
Hi, thanks a lot for this very good information. It helped me a lot to have it all working.
Except one thing : I have set my NAS (DSM 6.1) to “Automatically redirect HTTP connections to HTTPS”. But it is not working :
Browsing to https://:5001 works finem and it uses the “Let’s Encrypt” certificate.
But when I browse to http://:5001 , it is not working and it gives
400 Bad Request
The plain HTTP request was sent to HTTPS port
Any idea what I’m doing wrong ?
Thanks,
Eddy
LikeLike
Hi!
http://5001 is not allowed. You can use either http://5000 which will take you to 5001 or use https://5001.
Hope I explained myself!
/Ruth
LikeLike
Oh yes, of course. I should have realized this. Thanks !.
Now the only thing I need to arrange is to get rid of the 5001. So end-users can simply use https://nas.domainname , instead of https://nas.domainname:5001 . I believe I have to redirect 80 to 5001 in my router . Unless there is another way.
Thanks again
LikeLike
Aha! Never thought that’s far! Let me know if it works 🙂
/Ruth
LikeLike
I get an error: “no response from the destination server please try again later”. Any tips?
LikeLike
when do you get that error?
/Ruth
LikeLike
When I try to apply for a new certicicate.
LikeLike
From within the synology? Maybe there is a problem with let’s certificate server? Check with them.
/Ruth
LikeLike
Yes within Synology. I opened all ports but this error comes up for the last 3 days.
LikeLike
Still no luck 😦 Any suggestions?
LikeLike
Contact synology support, they might be able to help you.
/Ruth
LikeLike
I know it has been 2 years, and the cat is out of the bag so to speak, but you blurred out all of the copies of your desk station domain name except the one in the 2nd to last photo.
LikeLike
Thanks! I gave up by that point 😉
/Ruth
LikeLike