Adding LetsEncrypt.ORG SSL to your Synology NAS (and hosted applications)
LetsEncrypt.org is a free Certificate Authority for SSL certificates. The system is designed to let you automate requesting SSL certificates and installing them into your web server. As the solution is quite new, it does not work with Synology (yet?). Here's how you can do it manually. At a high level it's not that complicated.
- Setup your domain to point to your Synology NAS
- Use LetsEncrypt.org scripts to get an SSL Certificate and validate you own your domain
- Install that certificate in Synology
- Export the CRT and KEY for use in other apps
- Configure those apps to use the CRT and KEY
The step by step isn't complicated, but there are quite a few steps, and I can't document what you need to do for every one of them as your setup will vary depending on your network, routers, etc. But I wanted to share what I did so others can give it a shot.
Setup your domain and your Network to reach your Synology NAS
Before you get going, you have to be able to reach your Synology NAS on port 80 or 443 in the clear (i.e. with plain http) at the domain you plan to use. If you can't do that, you can't use this at all. The current Let's Encrypt scripts do not support doing the validation (it's called the ACME challenge) on a custom port (yet).
My setup uses a Ubiquiti EdgeRouter Lite connected to my GB Ethernet provider. Then my house has Ethernet in the walls and my Synology is plugged into that. The EdgeRouter is a great device! It has a Dynamic DNS client if you can't get a static IP. My ISP does not offer static IPs, so I used NameCheap as my Dynamic DNS provider. It's FREE!
Whichever way you do it, before you start you have to be able to reach your Synology NAS at http://YourDomain.com. Most of you will see the Web Station home page, or something else if you've set up a web site on your NAS.
Use LetsEncrypt.org scripts to get an SSL Certificate and validate you own your domain
I did all these parts from an Ubuntu machine. I'm not sure if they will work from windows or not.
- Clone or download the LetsEncrypt GitHub repository to your Linux machine: https://github.com/letsencrypt/letsencrypt
From the CLI run the command ./letsencrypt-auto --help. All of LetsEncrypt's dependencies will be installed and then you'll see the help text:

```
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  (nginx support is experimental, buggy, and not installed by default)
  --webroot         Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

  --authenticator standalone --installer apache

More detailed help:

  -h, --help [topic]    print this message, or detailed help on a topic;
                        the available topics are:

   all, automation, paths, security, testing, or any of the subcommands or
   plugins (certonly, install, nginx, apache, standalone, webroot, etc)
```
Run ./letsencrypt certonly --manual -d yourdomain.com
- You'll get some screens to configure your email address and to confirm they can log your IP.
Then you'll see the terminal again and it will have a set of commands which will NOT work on your NAS. We'll do it manually.
```sh
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" pUyneutbXO-zzczxczxczxcz.ddgsssssssssssssssdffffffff > .well-known/acme-challenge/pUyneutbXO-vgt0Q1K6PAS2EsssjjhhgkdhDyIX4DKlg
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
```
You need to make a file on your NAS under /volume1/web/.well-known/acme-challenge with the file name and the contents specified in the printf line. I did this by:
- SSHing into my NAS
- Creating the path /volume1/web/.well-known/acme-challenge/
Now you can copy the printf line and run it from /volume1/web:

```sh
printf "%s" pUyneutbXO-zzczxczxczxcz.ddgsssssssssssssssdffffffff > .well-known/acme-challenge/pUyneutbXO-vgt0Q1K6PAS2EsssjjhhgkdhDyIX4DKlg
```
Ignore the other parts.
- You could also do this through the Synology File Station if you prefer.
When that is complete, verify in your web browser that you can get to http://YOURDOMAIN.COM/.well-known/acme-challenge/pUyneutbXO-vgt0Q1K6PAS2EsssjjhhgkdhDyIX4DKlg (your filename will be unique). IF THAT WORKS:
- Go back to the Linux window and hit Enter
- LetsEncrypt's servers will now look for the file you created on your server to verify you own the domain. If they can successfully find it, your certificates will be saved to your Linux machine. If not, you have configured something incorrectly; go back to the beginning.
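The create-and-verify step above as a small POSIX shell script. This is an added example, not code from the original post or from the Let's Encrypt client; it assumes the web root is /volume1/web as in the post, and the token and key-authorization values in its checks are constructed placeholders, not the ones the client prints. What it adds to the text: the challenge file must contain the key authorization byte for byte (no trailing newline, which is why the client uses printf "%s"), and it is worth confirming the file both locally and over plain HTTP on port 80, exactly the way the CA fetches it, before pressing Enter.

```shell
#!/bin/sh
# Added example (not from the original post): write an ACME HTTP-01 challenge
# file into the NAS web root and check it before telling the client to proceed.
# Assumption: the web root is /volume1/web, as in the post.

WEBROOT="${WEBROOT:-/volume1/web}"

# acme_write_challenge WEBROOT TOKEN KEYAUTH
# Creates .well-known/acme-challenge/TOKEN containing exactly KEYAUTH.
acme_write_challenge() {
    webroot="$1"; token="$2"; keyauth="$3"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    # printf "%s" writes the value with no trailing newline; the validator
    # compares the body byte for byte, so an extra newline makes it fail.
    printf "%s" "$keyauth" > "$dir/$token"
    # Readable by the web server, writable only by the owner.
    chmod 644 "$dir/$token"
}

# acme_check_local WEBROOT TOKEN KEYAUTH
# Returns 0 if the file exists and its bytes equal KEYAUTH exactly.
acme_check_local() {
    f="$1/.well-known/acme-challenge/$2"
    [ -f "$f" ] || return 1
    # cmp is byte-exact, unlike "$(cat ...)" which strips trailing newlines.
    printf "%s" "$3" | cmp -s - "$f"
}

# acme_check_http DOMAIN TOKEN KEYAUTH
# Fetches the challenge over plain HTTP on port 80, as the CA does, and
# checks the response body. Needs curl and a reachable domain, so it is
# not exercised in the offline checks below.
acme_check_http() {
    body="$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2")" || return 1
    [ "$body" = "$3" ]
}

# acme_cleanup WEBROOT TOKEN
# Remove the challenge file once the certificate has been issued; there is
# no reason to keep serving it.
acme_cleanup() {
    rm -f "$1/.well-known/acme-challenge/$2"
}
```

On the NAS, run acme_write_challenge /volume1/web TOKEN KEYAUTH with the values from the client's printf line, then acme_check_local and acme_check_http yourdomain.com TOKEN KEYAUTH; only when both return 0 go back to the Linux window and hit Enter. Call acme_cleanup after the certificate is saved.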
Install that certificate in Synology
When the scripts finish, they will tell you where the files are located. I assume this will vary by Linux distro, because Linux; for me they were at /etc/letsencrypt/YOURDOMAIN/live. You want to back everything up from there, maybe to your NAS.
- From a browser on the machine where you can access those files, log in to Synology DSM.
- Go to Control Panel, Security, Certificates
- Import your new certificate:
  - privkey1.pem is the Private Key
  - cert1.pem is the certificate
  - You do not have to enter the chain.
- Still in the Control Panel go to Web Services
- Enable HTTPS
- Enable SPDY
- Enable HSTS
httpS://yourdomain.com will now work (you opened 443 on your firewall and set up a route, right?)
Export the CRT and KEY for use in other apps
You can use these certificates in other applications on your Synology NAS, but we have to export them.
- In the Control Panel go back to Security, Certificates.
- Click EXPORT
- Save the .zip file.
- Now you need to extract server.key and server.crt and place the files someplace on your Synology NAS. I used DS Cloud to get them to the NAS, then SSH'd to the NAS and copied them to a new folder in /volume1, e.g. /volume1/security.
Configure those apps to use the CRT and KEY
Now you need to go to the settings in your Synology hosted Packages and put in the full path to /volume1/security/server.key and /volume1/security/server.crt.
I don't know what packages you are running, so I can't give you more specifics. You also need to verify what port they use for SSL and ensure it is opened and mapped to your NAS on your firewall.
Every 6 months, you will need to renew your certificates, import them to Synology, and export them to /volume1/security.
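Before pointing packages at the exported files, and again at renewal time, it helps to check that the exported server.crt and server.key actually belong together, that the key is not readable by other users, and how long the certificate has left. The script below is an added example, not from the original post or from Synology; it assumes openssl is on the PATH and defaults to the /volume1/security paths used above. It covers both the export step and the renewal reminder.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an exported
# server.crt / server.key pair and report whether renewal is due.
# Assumptions: openssl is installed; default paths are the post's /volume1/security.

# cert_key_match CERT KEY
# Returns 0 when the public key in CERT equals the public key derived from KEY.
# Compares PEM public keys, so it works for RSA and EC keys alike.
# Returns 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT DAYS
# Returns 0 if CERT expires within DAYS days (renewal is due), 1 otherwise,
# 2 if the file is unreadable.
cert_expires_within() {
    [ -r "$1" ] || return 2
    seconds=$(( $2 * 86400 ))
    # "openssl x509 -checkend N" exits 0 when the cert is still valid N
    # seconds from now, and 1 when it will have expired by then.
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_subject CERT: print the subject, to confirm which domain the cert is for.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# check_exported_pair [CERT] [KEY] [DAYS]
# Combined report; returns non-zero if anything needs attention.
check_exported_pair() {
    cert="${1:-/volume1/security/server.crt}"
    key="${2:-/volume1/security/server.key}"
    days="${3:-30}"
    status=0
    if cert_key_match "$cert" "$key"; then
        echo "OK: $key matches $cert"
    else
        echo "FAIL: $key does not match $cert (or a file could not be read)"
        status=1
    fi
    if cert_expires_within "$cert" "$days"; then
        echo "WARN: $cert expires within $days days; renew and re-import it now"
        status=1
    else
        echo "OK: $cert is valid for more than $days days"
    fi
    # The private key should be readable by its owner only; other accounts on
    # the NAS have no business with it. stat -c is GNU, stat -f is BSD/busybox.
    perms="$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")"
    case "$perms" in
        600|400) echo "OK: $key permissions are $perms" ;;
        *) echo "WARN: $key permissions are $perms; run chmod 600 $key"; status=1 ;;
    esac
    return $status
}
```

Run check_exported_pair with no arguments on the NAS after every export; a non-zero exit means either the files do not belong together, the key is too widely readable, or the certificate is inside the renewal window.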
Eventually, I hope Synology just adds this into DSM or someone makes a package for it.
Enjoy and let me say once again... NameCheap is awesome !