Synology - Setup Let's Encrypt SSL Certificates

Setting up Let's Encrypt SSL certificates on Synology NAS devices

Prerequisites

Before following this article please first secure your Synology NAS. And setup DDNS and a CNAME.

Let's Encrypt SSL Certificates

Let's Encrypt provides a free automated SSL certificate that can be used to secure your Synology NAS. You can have multiple SSL certificates. Perhaps one for local LAN DSM logins and another for WebDAV internet access. Or you could use the same SSL certificate.

I am not replacing or removing the default Synology self-signed SSL certificate. You can always switch back to that for various services.

Setup Web Station

Let's Encrypt will query your Synology NAS on port 80/TCP and 443/TCP. I can't find the nice technical document I read before. When I do I will add the link to this document. By default the Synology NAS device does not listen on 80/TCP or 443/TCP nor does it have a website.

Go to Package Center and install 'Web Station'. Once that finishes go to the main menu and launch 'Web Station'. Follow the steps below to configure the virtual host.

By default Web Station uses Nginx. I have both PHP 5.6 and PHP 7.0 installed on my NAS. I need to figure out if I can uninstall PHP 5.6. But that is for a future date. I am not sure if Web Station will automatically install PHP. If necessary install that package as well.

General Settings Tab

Select the following items from the drop down boxes.

  1. HTTP back-end server: = Nginx
  2. PHP: = Default Profile ( PHP 7.0 )
  3. Do NOT enable the personal website.

PHP Settings Tab

I think I deleted the PHP 5.6 profile from this tab. I didn't edit anything else.

Virtual Host

Before adding the virtual host you need to create a document root. Go to the Control Panel and then click on 'Shared Folder' and then 'Create' a new shared folder in the root directory. Or if you prefer bury the folder in whatever path you desire. The name should be 'www'. But it can be anything you desire.

  • Shared Folder Setup
    • Name = www
    • Description = Virtual Host Root Directory
    • Permissions Local Users = Your Admin ID = RW
    • Permissions Local Groups = administrators = RW // http = RO

Go back to the web station settings and finish creating the virtual host. Fill out the panel as shown below. See the screen shot after the explanation.

  • Select 'Name-Based'
    • Hostname = syno.lab.example.com
    • Port = check 80/443
  • Document root = www (browse and select)
  • HTTPS settings:
    • Check HSTS
      • HSTS - Force connections to use HTTPS (443/TCP)
    • Check HTTP/2
      • HTTP/2 - Newest HTML standards
  • HTTP back-end server = Nginx
  • PHP = Default Profile ( PHP 7.0 )
  • Click OK
Create Virtual Host Panel
Create Virtual Host Panel

Create the .well-known/acme-challenge Directory

Let's Encrypt will query our virtual host to verify that we own the domain we wish to secure with the SSL certificate. To allow this we need to create two sub-directories under the 'www' shared folder.

I prefer the command line. SSH into your NAS. (as root) Run the following commands.

  • Switch to your www directory. - example: cd /volume1/www
  • mkdir -m 0711 -p .well-known/acme-challenge
  • chmod -R 0711 .well-known
  • chown -R http:http .well-known

Setup Port Forwarding on Your Router

Let's Encrypt will query your NAS device using your public IP address given to you by your ISP. Your NAS should not be on the internet or in a DMZ. I don't use UPnP either. Port forwarding is very simple to setup. And just about any consumer router should allow you to setup port forwarding.

One catch to make port forwarding work is that your NAS needs to use the same private IP address at all times. I do this by setting up DHCP reservations on my router. But you could configure your NAS device to use a static IP address.

PC World has a good article on setting up port forwarding. It varies from router to router. But the basics are the same. The site https://portforward.com/ has a number of guides on how to setup port forwarding on various routers. Just don't buy there tool. You need three port forwarding rules.

  1. HTTP-80 // Protocol = TCP // Port from = 80 // IP Address = Private IP address of your NAS (192.168.x.y) // Port to 80
  2. HTTPS-443 // Protocol = TCP // Port from = 443 // IP Address = Private IP address of your NAS (192.168.x.y) // Port to 443
  3. WebDAV-5006 // Protocol = TCP // Port from = 5006 // IP Address = Private IP address of your NAS (192.168.x.y) // Port to 5006

The last rule assumes you will use the default secure WebDAV port. Feel free to change this to any port you desire as long as you change it in the WebDAV configuration as well.

Add additional rules if you enable additional packages on your NAS.

Verify Ports Are Open

I have read that some ISPs will block 80/TCP or 443/TCP. You may be able to get them to open these ports for you. Verify that your NAS is listening on 80/TCP and 443/TCP. You can use nmap or netstat. Synology does not have the 'ss' command as of yet. SSH to your NAS and run the following command.

netstat -latn |egrep "80|443"

Use Shields Up from GRC.com to probe your NAS device. First run tcpdump on your NAS so you can see if any traffic hits your box. The IP address is for shields up. (dig @8.8.8.8 shieldsup.grc.com +short)

tcpdump -i eth0 -lnpt tcp and port 80 or port 443 and host 4.79.142.206

Make sure you see a SYN [S] from GRC and a SYN-ACK [S.] going to GRC for each port you check. Don't worry about the reset flags [R.].

Install the Let's Encrypt SSL Certificate

Remember in a previous post we setup DDNS and a CNAME for our subdomain. Here is a review of the information we setup for our domain.

  1. The domain you purchased. Presumably for your personal website. = example.com
  2. Comcast public IP address (73/8) = 73.x.y.z
  3. DDNS = mysyno.ddns.net with A record of 73.x.y.z
  4. Subdomain = lab.example.com (replace lab with anything you desire)
  5. Fully Qualified Domain Name (FQDN) = syno.lab.example.com (You don't really need to do this. But I wanted to use my Synology FQDN as the URL. You can simply use the subdomain if you desire.)

Go to: Control Panel > Security > Certificate

Click 'Add' to create a new certificate. Leave the default 'synology.com' self-signed certificate alone. It is our fallback certificate if we ever have issues. Follow the steps below.

  1. Select 'Add a new certificate' and click 'Next'
  2. Select 'Get a certificate from Let's Encrypt' and click 'Next'
  3. Fill out Let's Encrypt information as shown below.
    1. Domain name = syno.lab.example.com (FQDN from above. Or you could simply use the subdomain 'lab.example.com'. Whichever you prefer.)
    2. Email = Your email address (must be a valid email)
    3. Subject Alternative Name = mysyno.ddns.net OR mysyno.ddns.net;lab.example.com (The dynamic DNS name you created from a dynamic DNS provider. Since I used my FQDN for the domain name I also add the subdomain as a second SAM. Separate the two subject alternative names with a semi-colon. Again adding the second SAM is optional.)

See the screen shot below.

Lets Encrypt Certificate Information Panel
Lets Encrypt Certificate Information Panel

Once you have filled it out click 'Apply'. Assuming everything is correct you should have a new SSL certificate. If things don't work you can look at the logs on your NAS. SSH and tail '/var/log/messages'.

Configure the New Certificate

To use this new certificate for DSM logins (5001/TCP) you need to set it as the system default certificate. Highlight the newly created certificate and click 'Configure'. You will see a list of all your services. Your list may be different than the screen shot shown below. The certificate column has a bunch of drop down boxes that allow you to select any configured certificate. For the 'System default' service use the drop down box and select your newly created Let's Encrypt certificate. And then click 'OK'.

Configure Certificates Panel
Configure Certificates Panel

Update Your Hosts File

I am not allowing DSM access from the web. You can continue to use the IP address of your NAS (https://1.2.3.4:5001) if you desire. But you will get the warning about an improper SSL certificate. The FQDN 'syno.lab.example.com' will resolve to your public IP address.

To allow for easy access from your LAN update your hosts file. Add the private IP address of your NAS and the FQDN and the subdomain. See the example below.

  • notepad C:\Windows\System32\drivers\etc\hosts
  • 192.168.x.y  syno.lab.example.com lab.example.com
  • Save the file. Ensure there is no 'txt' extension

Now test out the connection from your browser.

https://syno.lab.example.com:5001

Setup WebDAV

In my next post I will install and configure WebDAV.