Adding LetsEncrypt.ORG SSL to your Synology NAS (and hosted applications)

LetsEncrypt.org is a free Certificate Authority for SSL certificates. The system is designed to allow you to automate requesting SSL certificates and installing them into your web server. As the solution is quite new, it does not work with Synology (yet?). Here's how you can do it manually. At a high level its not that complicated.

1. Setup your domain to point to your Synology NAS
2. Use LetsEncrypt.org scripts to get an SSL Certificate and validate you own your domain
3. Install that certificate in Synology
4. Export the CRT an KEY for use in other apps
5. Configure those apps to use the CRT and KEY

The step by step isn't complicated, but there are quite a few steps and I can't document what you need to do for every step as your setup will vary depending on your network, routers, etc. But I wanted to share what I did so others can give it a shot.

Setup your domain and your Network to reach your Synology NAS

Before you get going, you have to be able to reach your Synology NAS on port 80 or 443 in the clear (i.e. with http) at the domain you plan to use. If you can't do that, you can't use this at all. The current Let's Encrypt scripts do not support doing the validation (ACME Challenge its called) on a custom port (yet).

My setup uses a Ubiquiti EdgeRouter Lite to my GB Ethernet provider. Then my house has Ethernet in the walls and my synology is plugged into that. The EdgeRouter is a great device! It has a Dynmic DNS client if you can't get a Static IP. My ISP does not offer static IPs so I used NameCheap as my Dynamic DNS provider. Its FREE!

Whichever you do it, before you start, you have to be able to reach your Synology NAS at http://YourDomain.com. For most of you will see the Web Station home page, or something else if you've setup a web site on your NAS.

Use LetsEncrypt.org scripts to get an SSL Certificate and validate you own your domain

I did all these parts from an Ubuntu machine. I'm not sure if they will work from windows or not.

1. Clone the or download the LetsEncrypt GitHub repository to your Linux machine. https://github.com/letsencrypt/letsencrypt

2. From the CLI run the command ./letsencrypt-auto --help\ All of LetsEncrypts dependencies will be installed and then you'll see the help text.

   letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

   The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
   default, it will attempt to use a webserver both for obtaining and installing
   the cert. Major SUBCOMMANDS are:
   
    (default)       run Obtain & install a cert in your current webserver
    certonly        Obtain cert, but do not install it (aka "auth")
    install         Install a previously obtained cert in a server
    revoke          Revoke a previously obtained certificate
    rollback        Rollback server configuration changes made during install
    config_changes  Show changes made to server config during installation
    plugins         Display information about installed plugins
   
   Choice of server plugins for obtaining and installing cert:
    --apache      Use the Apache plugin for authentication & installation
    --standalone  Run a standalone webserver for authentication
        (nginx support is experimental, buggy, and not installed by default)
    --webroot     Place files in a server's webroot folder for authentication
   
   OR use different plugins to obtain (authenticate) the cert and then install it:
   
   --authenticator standalone --installer apache
   
   More detailed help:
   -h, --help [topic]     print this message, or detailed help on a topic;
                          the available topics are:
   
   all, automation, paths, security, testing, or any of the subcommands or
    plugins (certonly, install, nginx, apache, standalone, webroot, etc)
   

3. Run ./letsencrypt certonly --manual -d yourdomain.com

4. You'll get some screens to configure your email address and confirming they can log your IP.

5. Then you'll see the terminal again and it will have a set of commands which will NOT work on your NAS. We'll do it manually.

   mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
   cd /tmp/letsencrypt/public_html
   printf "%s" pUyneutbXO-zzczxczxczxcz.ddgsssssssssssssssdffffffff > .well-known/acme-challenge/pUyneutbXO-vgt0Q1K6PAS2EsssjjhhgkdhDyIX4DKlg
   # run only once per server:
   $(command -v python2 || command -v python2.7 || command -v python2.6) -c \
   "import BaseHTTPServer, SimpleHTTPServer; \
   s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
   s.serve_forever()"
   

6. You need to make a file on your NAS at \volume1\web\.well-known\acme-challenge with the file name and the contents specified in the printf line. I did this by:

   1. SSHing into my NAS
   2. Creating the path /volume1/web/.well-known/acme-challenge/

   3. Now you can copy the printfs line and run it from /volume1/web

      printf "%s" pUyneutbXO-zzczxczxczxcz.ddgsssssssssssssssdffffffff > .well-known/acme-challenge/pUyneutbXO-vgt0Q1K6PAS2EsssjjhhgkdhDyIX4DKlg
      

   4. Ignore the other parts.

   5. You could also do this through the Synology File Station if you prefer.

7. When that is complete verify in your web browser that you can get to http://YOURDOMAIN.COM/.well-known/acme-challenge/pUyneutbXO-vgt0Q1K6PAS2EsssjjhhgkdhDyIX4DKlg\ Your filename will be unique.IF THAT WORKS

8. Go back to the Linux window and hit Enter
9. LetsEncrypt's servers will now look for the file you created on your server to verify you own the domain. If it can successfully find it, your certificates will saved to your linux machine. If not, you have configured something incorrectly, go back to the beginning.

Install that certificate in Synology

When the scripts finish, they will tell you where the files are located. I assume this will vary by linux distro, because Linux, for me there were at /etc/letsencrypt/YOURDOMAIN/live. You want to back everything up from there, like maybe to your NAS.

1. From a browser where you access those files, Login into Synology DSM.
2. Go to Control Panel, Security, Certificates
3. Import your new certificate.\ privkey1.pem is the Private Key\ cert1.pem is the certificate\ You do not have to enter the chain.
4. Still in the Control Panel go to Web Services
5. Enable HTTPS
6. Enable SPDY
7. Enable HSTS
8. APPLY

httpS://yourdomain.com will now work (you opened 443 on your firewall and setup a route, right?)

Export the CRT an KEY for use in other apps

You can use these certificates in other applications on your Synology NAS, but we have to export them.

1. In the Control Panel go back to Security, Certificates.
2. Click EXPORT
3. Save the .zip file.
4. Now you need to extract server.key and server.cert and place the files someplace on your Synolgoy NAS.\ I used DS Cloud to get them to the NAS, then SSH'd to the NAS I copied them to a new folder in /volume1. ex: /volume1/security

Configure those apps to use the CRT and KEY

Now you need to go the settings in your Synology hosted Packages and put in the full path to /volume1/security/server.key and /volume1/security/server.crt.

I don't know what packages you are running, so I can't give you more specifics. You also need to verify what port they use for SSL and ensure it is opened and mapped to your NAS on your firewall.

On-Going Maintenance

Every 6 months, you will need to renew your certificates, import them to Synology, and export them to /volume1/security.

Eventually, I hope Synology justs adds this in to DSM or someone makes a package for it.

Enjoy and let me say once again... NameCheap is awesome !

Comments

Tweet