Sunday, July 29, 2018

Setting up Letsencrypt certificate on Synology DSM 6.0

HTTPS is already the de facto standard.  With Google Chrome now shaming non-HTTPS websites, little guys/gals like me running legacy insecure web servers are now on the wrong side of the line and risk losing business / traffic.

Fortunately, Synology DSM 6.x has a baked-in solution using the free certificate services from Let's Encrypt.  It looks scary at first, but it's very easy once you know all the steps. 

Things to know:
-  It's perfectly free, no cost.
 -  It works with dynamic DNS services.  You do not have to renew the security certificate if your IP changes.
-  It works with virtual hosts.
-  It is maintenance-free, as it auto-renews itself.
-  DON'T read the "Get Started" information at Let's Encrypt.  It will just confuse the hell out of you. 
-  Did I mention it is free?

This article assumed you have Web Station set up and your website(s) are running correctly.  If not, you obviously have other things to fix before you get around to HTTPS support, so go away and fix it.

It also assumes you have DSM 6.x.  If you are like I was, and still running DSM 5.x, you will have to upgrade in order for the security certificate to auto-renew.  Otherwise you will have to manually renew it every 90 days, which sucks.

I've gotten very conservative in my old age, as I've seen waaaay too many "upgrades" cause waaaay more trouble than they were ever worth.  So the prospect of accidentally borking my main file server frankly terrifies me.  However - and in my experience - upgrading from DSM 5.x to DSM 6.x was painless, so woman up and do it.

Note, however, that in 6.x, Web Station moved from within the Control Panel to its own application.  Look for it in the app box at the top left-hand corner of the web interface.

How to enable HTTPS on your Synology Web Station website(s):

1.  Make sure port 443 is open in your firewall.  (Somehow, nobody mentions this - I guess everyone assumes everyone already knows?)

Depending on your setup, the firewall may be in the Synology, or it may be in your router.  It will be in the same place where you have port 80 open for your website(s) to work in the first place.

While you're at it, disable any port forwarding you're not still using.  I had some old ports open from some old PVR applications that I stopped using ages ago.  Typically, all you need open is 80 (for HTTP) and 443 (for HTTPS).

2.  Go to Control Panel / Security / Certificate.  Click "Add", then "Add new certificate".

3.  Choose "Get a certificate from Let's Encrypt". 

4.  Fill in the blanks:
  Domain name = the domain name of your website [i.e.]
  Email = the contact info for that website  []
  Subject Alternative Name = the www server name  []

Note: if you don't put the "www" version of your domain in Subject Alternative Name, the certificate won't cover the web server name, and you'll get verification errors.

 5.  Click "Apply".

6.  The screen will return to "certificate" with the new certificate listed.

7.  Click "Configure".

8.  For the target domain ( change the "Certificate" from "" to the new certificate for that domain (also

9.  Certificates are tied to the domain name.  So if you have multiple (virtual) hosts on different domains, repeat the above with each one of your vhosts, so they each have their own Letsencrypt certificate.

If you only have one domain / one website, and/or you don't know what "virtual hosts" are, you don't need to repeat anything.

10.  Use SSL Checker to ensure you get everything right. 

Common errors: 

-  Can't resolve:  Your dynamic DNS is borked.  Fix it.

-  Port error:  You didn't open port 443 in your firewall(s).  Go fix it.

-  Untrusted certificate:  You forgot to click "Configure" and change the domain name setting from the default Synology certificate to your new certificate.  Go fix it.

-  Unlisted / Incorrect hostname:  You forgot to list the "www" version of your website in Subject Alternative Name.  Restart the process with "Replace an existing certificate" and fix it.

Done.  Ta-da!

Kudos to Synology for baking this directly into DSM 6.x.  People often whine they are not user-friendly, but if this isn't user-friendly, then what is?  I mean, come on - like 10 clicks and you're done.  Give them some credit.

No comments:

Post a Comment