Configure SSL /https · NAS server · Secure your NAS

Secure your synology with https/ SSL certificate from Let’s Encrypt

Have you updated your Synology to the latest DSM 6? If you haven’t done it yet, here is reason to get you started.

I have been wanting to do this for a long time, but I never managed to figure out how to do it until now.

Buy a domain name

First of all, you need to have your own domain name pointing at your synology. Follow this guide to learn how.

I use Hover for all my domain names.

If you also want to register your domain at Hover, click on this link or the picture below for a 2$ discount, when you sign up an account with them. Disclosure: I get also $2 discount, thanks!! 🙂


                                                   Get a $2 discount if you purchase your domain with Hover

Once you have done that, here is what you do.

Navigate to Security and then click on certificate:

install SSL certificates in synology

You will have the self-signed Synology certificate available.

Let’s add a certificate for the domain name you created in the previous step:

  1. Click on Add
  2. Select Add new certificate

add a new certificate

Note, If you get an error while obtaining the certificate, you need to open port 80/443 in your router (Thanks hades2003 for the tip):

error lets encrypt

Select, Get a new certificate from Let’s encrypt.

2 get a certificate from lets encrypt

To create your certificate, you need to:

  1. Add your new domain (or subdomain): or
  2. Add your email
  3. Enter your old DDNS address:

31 create certificate

Now that the new certificate has been created, click on it and select “configure”:

configure certificate

Click on each service and change to your new certificate:

configure services ssl

Now, log out of your synology and login using your new domain name. You should see this:

login secure connection

One last change:

  1. Navigate to Network
  2. DSM settings
  3. It is recommended to change your Http and https port numbers (you can do it here)
  4. Check: automatically redirect http to https , so all your logins and user’s logins will be secured

7 redirect http to https synology

And you are done!!


63 thoughts on “Secure your synology with https/ SSL certificate from Let’s Encrypt

  1. Gracias Ruth por publicar el tutorial,en mi NAS durante el proceso de la descarga del certificado desde Let´s Encrypt mostraba un error de conexión, para evitarlo se tiene que habilitar en el router el port forwarding de los puertos 80/443 a la IP de la NAS (El 80 solamente se requiere para la descarga inicial del certificado, finalizado el proceso se puede desactivar).


    1. Muchas gracias Hades! Me podrías mandar el error que te mostraba? (Si lo recuerdas). Actualizare la guía con tus indicaciones, seguro que ayuda a alguien con el mismo problema. Saludos, Ruth

    1. Hey,
      Thank you, it works, when I connect in whilst away from home.
      When I am at home, and connect in using my browser, I still get the “this connection may not be safe, bla bla bla” error message. Any suggestions?

  2. Hello Ruth —

    Thank you for putting up these instructions. I am trying to get this working with our Synology, using example for DDNS and as the subdomain. I am able to get through the LetsEncrypt certificate creation process correctly, and the Control Panel indicates that a certificate for is correctly registered.

    However when I go to the following URL in Firefox, I get a “Your connection is not secure” error where it ind:

    Note that 12121 is the port to reach the DiskStation admin console (i.e. when I log in locally, I go to some thing like I have confirmed that port 12121 is open on my router and re-directing to the Synology. In fact, if I tell Firefox to make a certificate exception to the above URL, then it works fine, so I know it is possible to reach the Synology from outside, just not via a certificate that is recognized as valid.

    Any suggestions?


    1. Hi Ramon,

      Unfortunately I omit one step. You need to reconfigure all your services with the new certificate:

      I have updated the guide now, let me know if you still have problems,

      Best Regards,

  3. Hi Ruth.

    I am succeeded setup DMS with https/SSL and every application(Video Station,File Station) accessed via https works fine, but Photo Station access field.

    Any idea? Thinks.

    1. Hi Jimmy,
      Enabling HTTPS under DSM Settings does not work for Web or Photo station. These two applications require enabling HTTPS in their own UI. To enable HTTPS on Photo Station, open the application, go to “General Settings >Other Settings” and check “Automatically redirect http to https”.
      photostation https

      1. Hi Ruth,

        And how would you do this for web station; both main site and virtual hosts? I cannot for the life of me, find out where this should be done.


  4. Thank you. I’ve just followed your excellent tutorial and everything works. However, when I log into my DS through local LAN (192.168.x.x) the old red “Not Secure” sign shows up again in Chrome. Any insight you may have on this would be really appreciated!

      1. One year further and i have the same question. Howto resolve the issue with the certificate when i go locally (192.168.x.x) to the nas?

  5. Can I have certification *without* my own domain? I am happy with ‘’ — could I use the Let’s Encrypt certificate with ‘’?

  6. Hi, I did all these, and I got the Secure connection using Google Chrome. However, when I try it with Microsoft Edge or Mozilla Firefox browser, both of these say that the site is unsecured and that the configuration is improper.

    The certificate is only valid for (site name) uses an invalid security certificate.

    The certificate is only valid for the following names:, *


    This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.

    A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited, but the certificate is for In this case, if you access directly, you should not receive the warning.

    1. Okay this is REALLY weird. I suspected that my domain settings on the account has the error. So, I deleted and cleared everything. Now weird part is, points to nowhere and I cannot access the Synology through that address.

      BUT, is still up and running AND is secured by Let’s Encrypt – all 3 browsers shows that it is secured. I dont understand what is going on! Hahahaha! I though we needed a in order to set up the Let’s Encrypt SSL connection?

      Help please! TQ

  7. Thanks a LOT ! just to mention that I lots HOURS because of some details I’ll explain here just in case.
    1 : a bug in DSM UI Rendering (using chromium under ubuntu,). When ‘updating the services’ to point to the new certificate … the dropdown did only display the old ‘’ certificate. Weird huh ? And finally, I hit the down-arrow key (almost by mistake) : the dropdown menu opened and expanded fully : I saw the certificates. In the menu, there is a small arrow on the far right to tell you to click there to expand the full list … but it’s hidden, nearly unclickable, and I could see it.

    2 : at the beginning the whole procedure failed, so let’s add one prerequisite : Web Station must be installed 🙂 It was not my case, even after installation lets encrypt could not fulfill the certificate request. (even with port 80 opened and so on). Please note that :
    – lets encrypt looks for .well-known/acme-challenge/SOME-GENERATED-FILE to ckeck eveything is OK
    – but NGINX on DSM has a special configuration for this path : even if you anually creates files under ‘web/.well-known/acme-challenge’ with file station for instance, it won’t be served by the web server. (any other path/file will). In /etc/nginx.conf : this very specific path is rerouted to /var/lib/letsencrypt, instead of /volume1/web
    – long story short : manual tweaks didn’t help, reboot DSM did help after web station installation, not sure why. Probably because DSM itself relies on nginx (I know : I jailed me out by stopping it 🙂 )
    – so : in the end : install web station, reboot dsm, open port 80 of your router, point it to your diskstation.

    Hope it will help someone 🙂

  8. Just a quick note, if you’re using Dynamic DNS with a CNAME, this won’t work. You MUST use an ‘A’ record for your external WAN address, not a ‘CNAME’ pointing to the Synology DDNS address. This took me like 3 hours to figure out.

    1. Hi Russ,
      Thanks for your comment. This might be the root problem in my case but I am wondering what I need to do if I don’t have a fix IP to point the A record to? This might work today but how would the automatic renewal process work if my IP is changing?
      Do you have any suggestions?
      Thanks for your reply

    2. Fantastic! Thanks for sharing. After days trying to get this to work, your tip got this fixed right away. Secure connection now!

  9. Hey hey! thanks for this guide – very helpful.

    The certificate expires in 90 days.
    I received an email saying that the certificate has expired.
    Do we need to do anything to renew the Lets Encrypt certificate?
    I logged on to and everything seems to be working fine still.
    I am confused


    1. Unfortunately each 90 days, after automatic renewal, all the connected systems (mail clients, Cloud stations, Note stations .. etc. ) wans you that the certificate was changed and you have to agree on each message manually. When you consider that you can have plenty of users, each of them using many services, it is mana and many warnings each 90 days. The users which do not understand the procedure are disconnected…
      We do not know how to solve this problem.
      Any help/advice?

  10. Okay it turns out that yes, I made erroneous entries via the account.

    Now another issue:
    The certificate expires in 90 days.
    I received an email saying that the certificate has expired.
    Do we need to do anything to renew the Lets Encrypt certificate?
    I logged on to and everything seems to be working fine still.
    I am confused


      1. Hi Ruth,
        do you know when, approximately, does synology renew the certificate automatically?

        Mine is due on 2017-09-12 and I’m getting a bit nervous 😀
        (By the way, that date on the rightside of the certificate name is orange colored, any idea why?)

        Thanks a lot for your guide, helped me configure it flawlessly.

      2. Hi, Not sure, I am guessing that it does it the same day? I have never monitored that, but for me it works every time!
        I think the orange means that your cert is about to expire.
        Glad it worked for you!

  11. Hi Ruth,

    Thank you for all the help you provide on this blog! I love that you always show screenshots of all the steps you’re describing. You are truly a life saver!

    Thank you,
    Levi Martinez

  12. Would anyone have guidance on how to configure nginx in DSM 6.1 to force port 80 connections to https? Specifically, when accessing the contents of volume1/web/index.html – how to force encryption. I have been looking at /usr/syno/share/nginx/WWWService.mustache, but editing this doesn’t seem to be working for me.

  13. Hi Ruth, how did you renewed the letscrypt certificate? I had to readd a new certificate to keep this domain active.

  14. Hi, thanks a lot for this very good information. It helped me a lot to have it all working.
    Except one thing : I have set my NAS (DSM 6.1) to “Automatically redirect HTTP connections to HTTPS”. But it is not working :

    Browsing to https://:5001 works finem and it uses the “Let’s Encrypt” certificate.
    But when I browse to http://:5001 , it is not working and it gives

    400 Bad Request
    The plain HTTP request was sent to HTTPS port

    Any idea what I’m doing wrong ?



      1. Yes within Synology. I opened all ports but this error comes up for the last 3 days.

  15. I know it has been 2 years, and the cat is out of the bag so to speak, but you blurred out all of the copies of your desk station domain name except the one in the 2nd to last photo.

  16. I keep getting the “File exceeds size limit”. I changed the values in the regedit to the biggest possible but the problem still persists.

  17. Great tutorial thanks!

    Bought my domain and an SSL cert from, installed it, opened 80 (to 5000) and 443 (to 5001), and now I’m able to access my NAS normally via https://www.mydomain.xx:5001/, Chrome reporting a safe certificate.

    Although via the LAN or, I get the “untrusted certificate” warning (any browser).

    The thing is I’d like to use Amazon Alexa with Audio Station, and when I go to settings in AudioStation and try to activate the skills, it says my NAS is not accessible from the Internet, from a non-valid certificate.

    Any clue for me? Did anyone got their Echo devices working with Audiostation?

  18. Hello! Just found this website and has been very helpful to me. One questions: to add ssl do I need to create sign up for a new domain or can I just point to my DDNS (i.e. – And If I can just use my DDNS, do I put that in the Domain box and leave Alternative name blank? Thanks!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.