
Secure your Synology with an HTTPS/SSL certificate from Let’s Encrypt

Have you updated your Synology to the latest DSM 6? If you haven’t done it yet, here is a reason to get you started.

I have been wanting to do this for a long time, but I never managed to figure out how to do it until now.

First step:

  1. You need to have your own domain name pointing at your Synology. Follow this guide to learn how.

Once you have done that, here is what you do.

Navigate to Security and then click on Certificate:

[Screenshot: install SSL certificates in Synology]

You will have the self-signed Synology certificate available.

Let’s add a certificate for the domain name you created in the previous step:

  1. Click on Add
  2. Select Add new certificate

[Screenshot: add a new certificate]

Note: if you get an error while obtaining the certificate, you need to open ports 80/443 on your router (thanks hades2003 for the tip):

[Screenshot: Let’s Encrypt error]

Select “Get a new certificate from Let’s Encrypt”.

[Screenshot: get a certificate from Let’s Encrypt]

To create your certificate, you need to:

  1. Add your new domain (or subdomain): ds.example.com or example.com
  2. Add your email
  3. Enter your old DDNS address: mydomain.synology.me

[Screenshot: create certificate]

Now that the new certificate has been created, click on it and select “Configure”:

[Screenshot: configure certificate]

Click on each service and change to your new certificate:

[Screenshot: configure services SSL]

Now, log out of your Synology and log in using your new domain name. You should see this:

[Screenshot: login over a secure connection]

One last change:

  1. Navigate to Network
  2. DSM settings
  3. It is recommended to change your HTTP and HTTPS port numbers (you can do it here)
  4. Check “Automatically redirect HTTP to HTTPS”, so all your logins and your users’ logins will be secured

[Screenshot: redirect HTTP to HTTPS on Synology]

And you are done!!

Enjoy!!


34 thoughts on “Secure your synology with https/ SSL certificate from Let’s Encrypt”

  1. Thanks Ruth for publishing the tutorial. On my NAS, the process of downloading the certificate from Let’s Encrypt showed a connection error; to avoid it, you have to enable port forwarding on the router for ports 80/443 to the IP of the NAS (port 80 is only required for the initial download of the certificate; once the process has finished it can be disabled).

    Regards


  2. Hello Ruth —

    Thank you for putting up these instructions. I am trying to get this working with our Synology, using example mytest.synology.me for DDNS and mytest.exampledomain.com as the subdomain. I am able to get through the LetsEncrypt certificate creation process correctly, and the Control Panel indicates that a certificate for mytest.exampledomain.com is correctly registered.

    However when I go to the following URL in Firefox, I get a “Your connection is not secure” error where it ind:

    https://mytest.exampledomain.com:12121

    Note that 12121 is the port to reach the DiskStation admin console (i.e. when I log in locally, I go to something like 10.0.1.55:12121). I have confirmed that port 12121 is open on my router and re-directing to the Synology. In fact, if I tell Firefox to make a certificate exception to the above URL, then it works fine, so I know it is possible to reach the Synology from outside, just not via a certificate that is recognized as valid.

    Any suggestions?

    Ramon


  3. Hi Ruth.

    I succeeded in setting up DSM with https/SSL and every application (Video Station, File Station) accessed via https works fine, but Photo Station access failed.

    Any idea? Thanks.


    1. Hi Jimmy,
      Enabling HTTPS under DSM Settings does not work for Web or Photo station. These two applications require enabling HTTPS in their own UI. To enable HTTPS on Photo Station, open the application, go to “General Settings >Other Settings” and check “Automatically redirect http to https”.
      [Screenshot: Photo Station HTTPS setting]
      /Ruth


      1. Hi Ruth,

        And how would you do this for web station; both main site and virtual hosts? I cannot for the life of me, find out where this should be done.

        /David


  4. Thank you. I’ve just followed your excellent tutorial and everything works. However, when I log into my DS through local LAN (192.168.x.x) the old red “Not Secure” sign shows up again in Chrome. Any insight you may have on this would be really appreciated!


  5. Can I have certification *without* my own domain? I am happy with ‘mytest.synology.me’ — could I use the Let’s Encrypt certificate with ‘mytest.synology.me’?


  6. Hi, I did all these, and I got the Secure connection using Google Chrome. However, when I try it with Microsoft Edge or Mozilla Firefox browser, both of these say that the site is unsecured and that the configuration is improper.

    The certificate is only valid for (site name)
    example.com uses an invalid security certificate.

    The certificate is only valid for the following names: http://www.example.com, *.example.com

    Error code: SSL_ERROR_BAD_CERT_DOMAIN

    This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.

    A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning.

    Liked by 1 person

    1. Okay this is REALLY weird. I suspected that my domain settings on the Hover.com account had the error. So, I deleted and cleared everything. Now the weird part is, http://www.mydomain.com points to nowhere and I cannot access the Synology through that address.

      BUT, mydomain.synology.me is still up and running AND is secured by Let’s Encrypt – all 3 browsers show that it is secured. I don’t understand what is going on! Hahahaha! I thought we needed a mydomain.com in order to set up the Let’s Encrypt SSL connection?

      Help please! TQ


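The name-mismatch warnings reported in the comments above (the bare domain against a certificate issued for www and wildcard names, or the NAS reached by its LAN IP) follow from how a TLS client matches the requested host against the names in the certificate. The sketch below is an added example, not part of the original post or its comments; the function names and the sample certificate are constructed for illustration.

```python
import ipaddress
import socket
import ssl

def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never zero or two
    if p[0] == "*":
        # wildcard only as the whole left-most label, above a real domain
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """cert: dict in the shape returned by ssl.SSLSocket.getpeercert()."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # e.g. reaching the NAS by its LAN address
        listed = any(k == "IP Address" and ipaddress.ip_address(v) == ip
                     for k, v in sans)
        return listed, ("IP listed" if listed else "IP not in certificate")
    dns = [v for k, v in sans if k == "DNS"]
    for pattern in dns:
        if name_matches(pattern, host):
            return True, "matched " + pattern
    return False, "certificate is only valid for: " + ", ".join(dns)

def fetch_cert(host, port=443):
    """Fetch the served certificate; the chain is verified, names are not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # leave name checking to check_host()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample mirroring the names quoted in the comment above.
SAMPLE_CERT = {"subjectAltName": (("DNS", "www.example.com"),
                                  ("DNS", "*.example.com"))}

if __name__ == "__main__":
    for target in ("example.com", "www.example.com", "ds.example.com",
                   "a.ds.example.com", "192.168.1.20"):
        print(target, check_host(SAMPLE_CERT, target))
```

To audit a live NAS, pass the result of `fetch_cert("your.domain", port)` to `check_host()`; a self-signed certificate fails chain verification before any name check happens.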
  7. Thanks a LOT! Just to mention that I lost HOURS because of some details I’ll explain here just in case.
    1: a bug in DSM UI rendering (using Chromium under Ubuntu). When ‘updating the services’ to point to the new certificate … the dropdown only displayed the old ‘synology.com’ certificate. Weird, huh? And finally, I hit the down-arrow key (almost by mistake): the dropdown menu opened and expanded fully: I saw the certificates. In the menu, there is a small arrow on the far right to tell you to click there to expand the full list … but it’s hidden, nearly unclickable, and I could see it.

    2: at the beginning the whole procedure failed, so let’s add one prerequisite: Web Station must be installed 🙂 It was not my case; even after installation Let’s Encrypt could not fulfill the certificate request (even with port 80 opened and so on). Please note that:
    – Let’s Encrypt looks for .well-known/acme-challenge/SOME-GENERATED-FILE to check everything is OK
    – but NGINX on DSM has a special configuration for this path: even if you manually create files under ‘web/.well-known/acme-challenge’ with File Station for instance, they won’t be served by the web server (any other path/file will). In /etc/nginx.conf: this very specific path is rerouted to /var/lib/letsencrypt, instead of /volume1/web
    – long story short: manual tweaks didn’t help, rebooting DSM did help after Web Station installation, not sure why. Probably because DSM itself relies on nginx (I know: I jailed me out by stopping it 🙂 )
    – so, in the end: install Web Station, reboot DSM, open port 80 of your router, point it to your DiskStation.

    Hope it will help someone 🙂


  8. Just a quick note, if you’re using Dynamic DNS with a CNAME, this won’t work. You MUST use an ‘A’ record for your external WAN address, not a ‘CNAME’ pointing to the Synology DDNS address. This took me like 3 hours to figure out.


    1. Hi Russ,
      Thanks for your comment. This might be the root problem in my case but I am wondering what I need to do if I don’t have a fixed IP to point the A record to? This might work today but how would the automatic renewal process work if my IP is changing?
      Do you have any suggestions?
      Thanks for your reply


  9. Hey hey! thanks for this guide – very helpful.

    The certificate expires in 90 days.
    I received an email saying that the certificate has expired.
    Do we need to do anything to renew the Lets Encrypt certificate?
    I logged on to https://www.mydomain.com:5001 and everything seems to be working fine still.
    I am confused

    Thanks


  10. Okay it turns out that yes, I made erroneous entries via the hover.com account.

    Now another issue:
    The certificate expires in 90 days.
    I received an email saying that the certificate has expired.
    Do we need to do anything to renew the Lets Encrypt certificate?
    I logged on to https://www.mydomain.com:5001 and everything seems to be working fine still.
    I am confused

    Thanks


      1. Hi Ruth,
        do you know when, approximately, Synology renews the certificate automatically?

        Mine is due on 2017-09-12 and I’m getting a bit nervous 😀
        (By the way, that date on the right side of the certificate name is orange colored, any idea why?)

        Thanks a lot for your guide, helped me configure it flawlessly.


      2. Hi, Not sure, I am guessing that it does it the same day? I have never monitored that, but for me it works every time!
        I think the orange means that your cert is about to expire.
        Glad it worked for you!
        /Ruth


  11. Hi Ruth,

    Thank you for all the help you provide on this blog! I love that you always show screenshots of all the steps you’re describing. You are truly a life saver!

    Thank you,
    Levi Martinez

