Hey, thanks for the vid. DNS server is set, certificate created as per tutorial and port forwarding for ports 443 and ports for DSM HTTP & HTTPS all done on my router (UPnP is switched off so skipped doing it through Synology). Yet when I type the domain name I get a '400 BAD request' error which further reads 'The plain HTTP request was sent to HTTPS port nginx'
I created DDNS successfully, but whenever I try to connect to it while on my home wifi, it always gives me an error and could not connect. I can connect via QuickConnect. Whenever I connect my laptop to a cellular hotspot, then it lets me connect. Am I doing anything wrong? Is it true that if you are on your home wifi then you cannot connect to the DDNS address?
@@SpaceRexWill Do you mind me asking what is the purpose of VPN on NAS if it won't be possible to open a port? I use VPN on my PC and just got my NAS and the only reason I decided to try implementing VPN on NAS is because I have it on my PC. If I won't be able to open a port will I still be connecting through VPN if on my network? Right now I have my SSL and VPN running on my NAS but I can't access it from outside unless I use QuickConnect which defeats the purpose. What's the reason to use VPN on the local network only?
Ah. I was not sure if you had something like a NordVPN setup and were trying to use that. So are you unable to connect to your VPN that you are hosting on your Synology?
@@SpaceRexWill The one I'm using is Private Internet Access. I learned that it has port forwarding option on the Win client but I'm not sure yet if I'll be able to make it work. I didn't install a VPN server on my NAS, instead implemented what I already had on my PC ("PIA" VPN). The status is good, so it works but now I figured I must adjust VPN on my PC to connect to VPN on my NAS. Sounds complicated. BTW, would you happen to know why my SSL certificate says unsecured when I use IP in my browser but says it is secured when I used a domain name?
So the cert is only valid for specific domain names. For the cert to work it must verify that you and only you own the domain. That way no one can fake the domain with DNS poisoning. TL;DR: you cannot get a cert for an IP address
Not really if you are already going to have external access. If you do not have external access then you can just enable it to get the cert the first time, then leave it disabled. After the first check you do not need port forwarding
@SpaceRexWill said "After the first check you do not need port forwarding" and that is not correct if you want the automatic every-3-months renewal of the certificate to work. The Synology knowledge base says as much: "To obtain or renew the certificate of your customized domain, make sure port 80 has been forwarded to your NAS. This limitation does not apply to Synology DDNS." If you opt for the DDNS method, then you need to leave port 53 always open (which may be even worse if Will is to be believed from his Avoid Ransomware video). Web searches for "Synology certificate renew port 80" indicate that others have found a workaround of this open-port issue by instead using CloudFlare certificates and custom ACME server scripts setup through SSH to a server admin account, but that all sounded very complicated and was subject to being undone every time DSM was updated. To me it seems that there is just no good solution yet for this from Synology. I did see one suggestion that said "you might consider a port triggering rule on your router so port 80 is only opened when the certificate needs to be obtained or renewed" which I have yet to investigate.
All of your tutorials are excellent! Walked me through the whole setup for my Synology NAS!
Thanks so much for making this video. I've tried several times to set up a secured certificate w/o success. Following the instructions in your video worked perfectly. You rock!
This went as smoothly as it possibly could. I can't believe how easy it was. THANK YOU!
I did find the very end of your video very helpful. I had to open the ports in my router and in the NAS. Everything says it's working, but still not HTTPS. Thanks for getting me a few more steps closer to getting an encrypted connection.
Interesting, when you hit the site click on the lock on the address bar and see if it says self signed
Could you explain more about the issue about web hosting conflict with Let’s Encrypt use of port 80/443?
I greatly appreciate you talking slower and showing the computer steps slower so a user can follow.
Also thanks for these videos they are very helpful.
I wish you could do a series on the basics for us beginners as this is a lot of terminology and technology to try and learn.
I have been meaning to make one!
Thank you so much. I have an older synology NAS and I have been messing around trying to figure this out through online forums. This video was so much easier to follow and understand. Love the content!
Thanks a lot. The tip to enable http and https if you encounter problems, was GOLD
You rock bro, I really appreciate your videos, always informative and helpful and straight to the point, without any fancy unnecessary video effects or other bs. Keep them video coming.
Greetz from Italy, and bless 🙏🏾
Thanks!
And no annoying background music!
thx for the tutorial. I had to enable port 80 and 443 on mine for it to work
Great video. There is a way to use lets encrypt and you have websites hosted on your NAS. What I did was disable all the other sites, create a new virtual host for the name you are needing, then do the cert, works perfect!
@John Z Open up Web Station, in there under Web Service Portal, under that, are all of my sites. Let's say site A, B, C, D and E and I want to create a new site "F", highlight each of the other sites, one at a time and click disable under the ACTION button, do that on all of them, then there is only one active site, "F", go back and create your cert like Wil shows, it should work. I had to upload a text file (or something) to the root folder that they specified in the cert, this is how they verify things. Once you do this, you should be good to go. I believe part of this issue may be because of the way Synology Web Server handles the host headers, I don't know. After creating the cert, go into control panel / Security and Certificate, select SETTINGS, then assign the cert you created. Now go back and enable all the other sites. Good luck.
You would not believe how many times I have tried to fix this. Your instructions are excellent though I had to start and stop the video 50 times to catch your cursor on the right icon. Anyone using Synology Photos/Photos Mobile on an iPhone needs to log out and log back in with the URL as you instructed. Also, a couple of the control panel screens have changed just a little. Thanks
@spacerex could you do an updated video on this topic with the new DSM 7.0.1
I get the error Let's Encrypt is unable to validate this domain.
After all these useless attempts, you really helped me. Thanks a lot!!!
Thank you, Great tutorial
Thanks Will, your channel is the best for synology info
Hey thanks!
I do my best!
So close! I DO use my Synology to host a webpage...now I have to find another way around that problem on port 80
Hi, great video. Could I ask you to make a video for updating the UDMPRO certificate for hot spot? I think that is an area which is problematic for all users
Hey, I have a question about this. When I set up the OpenVPN server and only expose port 1194, I still cannot connect to my NAS by entering my synology.me domain name. Actually, it will redirect me to my router's admin page. Is it because I didn't set up the port forwarding of 5001 so I cannot reach my homepage? But I route all my traffic through the OpenVPN. Doesn't it mean I do not need to open any ports to get into my Synology DSM? I can connect to my NAS by enabling the VPN and entering the local address manually, but somehow it just won't work with the synology.me domain. Would you mind guiding me on this problem I have? Thank you so much! Your video is really, really helpful! Huge support!!
I tried the current external address to my nas and get an error: "let's encrypt failed to connect"..."domain name is valid". Please help.
Same here
@@zerotoninemusic5957 Have you registered your Synology internally via DNS to that domain name?
same here
@@zerotoninemusic5957 did you ever find a fix dude?
Thank you so much!
Really useful video, I've done all the steps in this and the others but I'm getting a 401 unauthorized error when i visit the domain. It initially gives me the usual certificate warning and i click accept then shows the 401. What could be causing this?
Can you do an updated video covering SRM 1.3? I can't make it work.
Thanks for all your videos - very helpful! I get the "insecure" error when I log into my NAS via IP, but when I log in via quickconnect I see the connection is secure. Sounds like there is no way to get the IP login to be secure? So is the point that you should always use quickconnect to log in? Or is it that you don't need to worry about the "insecure" warning when you log in via IP because you know it is secure (and you can only log in via IP when you are on your own network)?
So the reason it's "insecure" is that the browser does not match the domain name on the cert to where you ended up. No one can get a "secure" message when typing in a local IP address because no one can own a local IP address. However you can get a secure message for something like www.spacerex.co (or at least I can) because I prove that I own it
@@SpaceRexWill Gotcha. Thanks! To make sure I understand:
For QuickConnect logins: as long as I have the lock and don't get the "insecure" warning when I use my QuickConnect URL then I'm good and protected.
For IP logins: even though I get an "insecure" warning, it's not a risk, and I should ignore that warning.
Do I have that right?
Yes! so funny enough they are actually both encrypted end to end. However your web browser just cannot confirm that it is properly encrypted and spits out the warning.
Both are encrypted and both are protected. Just your computer knows they are when you use quick connect
@@SpaceRexWill Thanks again for the responses, and your very helpful videos! Cheers!
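The check the browser makes in the exchange above, as an added example that is not part of any comment or of the video: it compares the name typed in the address bar against the names listed on the certificate, then looks at the expiry date. The certificate below is constructed sample data in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the hostname `example-nas.synology.me` is a placeholder; the code checks name coverage and expiry only, not whether the issuer chain is trusted.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample certificate (same dict layout as getpeercert()).
SAMPLE_CERT = {
    "subject": ((("commonName", "example-nas.synology.me"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Jan 20 00:00:00 2021 GMT",
    "notAfter": "Apr 20 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "example-nas.synology.me"),),
}


def dns_matches(pattern, host):
    """Compare one DNS SAN entry with the typed host name.

    A leading "*." covers exactly one left-most label, so
    *.synology.me matches a.synology.me but not a.b.synology.me.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def name_covered(cert, typed):
    """True if what was typed in the address bar is listed on the cert."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(typed)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an "IP Address" SAN, never a DNS name.
        return any(
            kind == "IP Address" and ipaddress.ip_address(value.strip()) == ip
            for kind, value in sans
        )
    return any(kind == "DNS" and dns_matches(value, typed) for kind, value in sans)


def issuer_common_name(cert):
    """Return the issuer CN, e.g. the intermediate that signed the cert."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def days_left(cert, now):
    """Whole days until notAfter (negative once expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def explain(cert, typed, now):
    """Classify the result the way the browser warning would."""
    if not name_covered(cert, typed):
        return "name-mismatch"
    if days_left(cert, now) < 0:
        return "expired"
    return "ok"


if __name__ == "__main__":
    now = datetime(2021, 3, 21, tzinfo=timezone.utc)  # constructed "today"
    for typed in ("example-nas.synology.me", "192.168.1.1"):
        print(typed, "->", explain(SAMPLE_CERT, typed, now))
    print("issuer:", issuer_common_name(SAMPLE_CERT))
    print("days left:", days_left(SAMPLE_CERT, now))
```
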
Excellent presentation. Keep up the great work.
Great content. Quick question will let's encrypt auto renew itself?
Yes it will and if it does not they will email you before it expires
I've been tearing my hair out trying to stream my large music collection from my NAS to my new Echo Dot. All with no luck. This didn't solve the whole problem but it was the first step in the problems in Audio Station which I'm told I need. If you ever make or find a video to help with the Synology NAS.Echo Dot connection I'd love to know. Please keep up the great work.
That is actually a good question. not sure
Thanks for the response. I kept searching and found this video which let me connect the NAS to the Echo Dot. ruclips.net/video/u9Oz74fDa4M/видео.html
I still had some problems with Synology Audio and found another video to help with that. Thanks so much!
This is a great video, thanks. I can get the https page with padlock but it's just a white screen?
The new certificate goes straight into the home router's webpage, you choose Let's Encrypt but returns an “Emitted by R10” and that's it. It still warns that the certificate is self-signed. Apparently, you'd need an advanced telecommunications degree in order to make a dent out this convoluted device settings. Why Synology doesn't make a wizard for 99% of settings so people can be done with it?
More excellent info and clearly explained. Many thanks! 😎
Glad it was helpful!
Great video, thanks, however I don’t get the final stage you show. When I type my domain address I get my router login page not my DSM login page. What am I doing wrong?
You have to have port forwarding set up so your router knows to forward the traffic to your Synology
@@SpaceRexWill Can you be more specific? what port do I have to forward?
Port 80 and port 443
Hi SpaceRex, I tried this, but Lets Encrypt failed, I think because my email is just a normal gmail account. Should this be a mail server on the Synology NAS? If it is then I don't know how to set this up. Do you have a tutorial on how to set one up? Any help would be appreciated. Thanks, Hans
I used my quick connect address as my domain name and I was ultimately prompted with "Please check if your IP address, reverse rules, and firewall settings are correctly configured and try again..." So I don't know what to do with that. Any advice?
Hi, thanks for this tutorial, but I still have some questions. I'm using Firefox to access my Synology NAS, but Firefox always tells me that the connection isn't secure. I want to try this tutorial but I don't have a domain name. What can I do to avoid getting the Firefox error? Any help is more than welcome
Despite all of your great videos I have been unable to get https to work for me. I followed the steps to set up a ddns server and get a certificate from Lets Encrypt (R3) yet when I type in my domain name it sends me to my router's login page. So then I manually set up port forwarding of ports 80 and 443 to my NAS's static IP (UPnP wasn't working), and now I get the message "This site can’t be reached, refused to connect". Been trying for a couple days, any ideas on what I could be doing wrong? Thanks!
Do I need to enable HTTPS if I only use my NAS on my local network? So no ports open
No real need for SSL on a local network
Hi,
I already had a "personal" certificate and I followed the steps like you show here. All went fine.
Now I have 2 questions that I hope you can answer:
1- Why does my certificate have the date 20/04/2021 (04/20/2021)? Will it expire on that date?
2- When I'm at home, if I go through the IP address it always shows that the connection is unsecure (yes, I saw your previous video and I have https) because the certificate is not valid.
Thanks
1) Yes, it will expire
2) If you are using your LAN IP (i.e. 192.168.1.1) it will be "insecure" as the hostname you entered (the IP in this case) was not what was on the cert (x.synology.me). This is OK as 1) it's your own cert so you can trust it (so you are secure) 2) it's local, so you don't have to worry about traffic being intercepted
@@SpaceRexWill Just 2 more questions (sorry):
1- Why is the expiry date so short?
2- After it expires, do I have to do the same process again (or even create one from scratch)? "Let's encrypt" limits (I think it was what I read while I was following your tutorial) user and email addresses.
Thanks
I have a standard 1GB connection from the NAS to the router, but I also have a dedicated 10GB connection directly from the computer to the NAS. To ensure that I can force a connection from the computer to the NAS over the faster line, I have given that 10GB connection a static IP in its own subnet, separate from the default subnet the rest of my LAN is using (for example, 192.168.75.1 for the NAS and 192.168.75.3 for the ethernet port on the computer, while all other LAN traffic uses the 192.168.1.x subnet).
How can I ensure the system uses the faster connection when I'm connecting to the DNS server name instead of typing in IP addresses? I thought I could adjust the Network > Network Interface > Service Order and set the 10GB connection as the primary interface, but only the 1GB connection appears as an option.
When you host a DDNS server using a Let's Encrypt certificate, how often (if u do at all) do u need to renew the certificate. I received an email stating my Let's Encrypt certificate for the domain I'm using is about to expire. But I don't know how to renew this and don't see any signs that the certificate is going to expire. Even on the DSM>Security>Certificate>(Default certificate) tab, it still says I have a while left.
Thanks.
Like all other kudos, awesome videos and I support the suggestion below that Synology should pay you. I did all the steps as outlined, and it seemed to go as per the video. However, when I check the details of the certificate, it indicates it was issued by "R3". I was expecting something like "Let's Encrypt". Does R3 look right to you or did this fail? Also, the date of the certificate is not today´s date that would suggest maybe the request to "Let's Encrypt" failed. I do know as I was setting up the NAS and experimenting (and learning) I tried setting up certificates before. There was some message about "limits" per email address. Could I have exhausted my quota with Let's Encrypt?
I actually had the same question when I saw the R3 when I first did this. R3 is actually (one of) the master cert provider that signs certs for Let's Encrypt. The date of the cert should be "expires on" roughly 3 months from now.
it sounds like it worked, but honestly the simplest way to check is simply to use it. If your browser likes it then it is a valid cert, but if you got one it should be valid
How did you get the domain name?
This was through Synology. I have a tutorial on it under DDNS
@@SpaceRexWill I think this was the question I was about to ask based on the video. Decided to read thru the comments a bit to see if there was another question on this and came upon this. So will have to find that other DDNS video. Thanks
Thanks for the video! How can you stop the security messages in your browser similarly for the host name (when on your LAN rather than over the internet)?
For the hostname you are not going to be able to get a cert for it. You are going to either have to stop using SSL for LAN (it's fine if you are on your LAN) or change to the Synology DDNS address
@@SpaceRexWill Thanks a lot man - makes sense. Subbed now!
Great walkthrough!
Question: How many certificates can one add to the Synology using Let's Encrypt?
If I'd like to use Reverse Proxy and point to Docker WebServers or maybe a Raspberry Pi on the network?
Keep up the awesome work buddy!
I actually am not sure if there is a limit to the number of certs let's encrypt can give you, If you have a bunch you can look into wildcard certs (not sure where lets encrypt stands on this right now) or adding multiple addresses to the same cert
@@SpaceRexWill My impression is that we can register 50 certificates per week for the same domain.
Would getting a signed SSL certificate for my DNS cause logging into my NAS via Synology VPN to quit encrypting? I have Synology OpenVPN set up and it was working. Now however I can log in without the VPN client! TIA
I use Starlink, which uses CGNAT. This precludes me using port forwarding if I understand correctly. Given this, is it impossible for me to host anything on my Synology (or anywhere else for that matter)?
You will then want to use QuickConnect as it does not require port forwarding.
@@SpaceRexWill I actually found a workaround. My Synology has a global IPv6. I created an AAAA record pointing to that in Cloudflare for the two NAS and one Pi subdomains. I then followed the reverse proxy scenario and opened 443 on the router. weather.sangrephotography.com (as well as the NASes) are now externally visible without using QuickConnect. I don't think the Synology IPv6 will change but I will cross that bridge if I have to.
Can I still use Let's Encrypt if the FQDN is mapped to a private IP, because I don't want to map a public IP and open inbound ports on my firewall?
You cannot. If you are not going to have the NAS open to the internet then you don’t need a signed cert.
I went through this tutorial so many times, but can't figure out what I'm doing wrong. I have followed every step but when I try to connect with the domain that I selected, I cannot. I get the Chrome error "site cannot be reached".
Try accessing it from outside your local network. Or adding a static host pointing from the synology.me address to the local IP of your NAS.
@@SpaceRexWill do you have a video on this?
@@SpaceRexWill I gave my nas a static ip and still is not working.
I know it's been 4 months since you posted this but you might try what @Evan Herman posted above. It solved my problem.
Damn, now I just need to figure out how to do this on my Qnap. I'm sure it's the same steps but different menus and locations
Due to numerous security vulnerabilities leading to ransomware, I would not open your QNAP to the internet.
I personally own a Qnap NAS and I hate that there are no Tutorials for Qnap regarding certificates. Those that exist are from like 1900 :(
I have no external access for my NAS. Do you still need a certificate?
No
Got a link for the 1st video please? I looked for it but cannot find it.
I think it is this one: ruclips.net/video/FZu8NOvpNQc/видео.html&ab_channel=SpaceRex
My synology domain name is secure, however the domain it is hosting is not. How can I fix this? Any help would be highly appreciated.
Do you have a certificate for the domain it is hosting?
It is not working for me; it shows "Your website is not set up yet."
You are doing this from an original Synology, because on the ones that run DSM on a PC this can't be done; it throws an error.
Hey thanks for the vid. DNS server is set, certificate created as per tutorial and port forwarding for port 443 and ports for DSM HTTP & HTTPS all done on my router (UPnP is switched off so I skipped doing it through Synology). Yet when I type the domain name I get a '400 BAD request' error which further reads 'The plain HTTP request was sent to HTTPS port
nginx'
PS. restart webserver is still loading for 30 minutes now
You are sending an HTTP request, not an HTTPS request. Try selecting "force HTTPS incoming connections" in DSM.
Does this make any sense when I’m only accessing the disk station from my LAN?
You don't need it if you are local
@@SpaceRexWill But I have the error prompt for LAN connection to DSM. How do we clear that?
Is it really needed if using only the local network, if not using it from outside?
If you are only using it locally it is not needed
@@SpaceRexWill Yeah, I don't use VPN or a direct connection to the NAS. Only working on the LAN network. Then not needed. Thanks for the information
I've made a certificate but I enter my router instead of my NAS🤔
thanks!
I created DDNS successfully, but whenever I try to connect to it while on my home wifi, it always gives me an error and could not connect. I can connect via QuickConnect. Whenever I connect my laptop to a cellular hotspot then it lets me connect. Am I doing anything wrong? Is it true that if you are on your home wifi then you cannot connect to the DDNS address?
This means your router does not have 'NAT loopback', which allows a DNS address to work on your local network.
It's not a big deal.
Is there a way to add VPN to that and still be able to access a NAS from anywhere in the world?
If you are trying to go through a VPN then you are going to have to talk with your VPN provider about opening up ports on the VPN.
@@SpaceRexWill Do you mind me asking what is the purpose of VPN on NAS if it won't be possible to open a port? I use VPN on my PC and just got my NAS and the only reason I decided to try implementing VPN on NAS is because I have it on my PC. If I won't be able to open a port will I still be connecting through VPN if on my network? Right now I have my SSL and VPN running on my NAS but I can't access it from outside unless I use QuickConnect, which defeats the purpose. What's the reason to use VPN on the local network only?
Ah. I was not sure if you had something like a NordVPN setup and were trying to use that. So are you unable to connect to your VPN that you are hosting on your Synology?
@@SpaceRexWill The one I'm using is Private Internet Access. I learned that it has port forwarding option on the Win client but I'm not sure yet if I'll be able to make it work. I didn't install a VPN server on my NAS, instead implemented what I already had on my PC ("PIA" VPN). The status is good, so it works but now I figured I must adjust VPN on my PC to connect to VPN on my NAS. Sounds complicated. BTW, would you happen to know why my SSL certificate says unsecured when I use IP in my browser but says it is secured when I used a domain name?
So the cert is only valid for specific domain names. For the cert to work it must verify that you and only you own the domain. That way no one can fake the domain with DNS poisoning.
TLDR; you cannot get a cert for an IP address
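The points made in this thread (the R3 issuer, an expiry roughly 3 months out, and a cert that validates for the domain name but not for the LAN hostname or IP) can be read straight from the certificate's fields. This is an added example, not part of the original comments; the certificate dict, hostnames and dates are constructed sample values in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the hostname and expiry date are made up for illustration.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Jun  1 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "mynas.synology.me"),),
}

def issuer_cn(cert):
    """Common name of the CA that signed the cert (e.g. R3)."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def days_left(cert, now):
    """Whole days from `now` (aware datetime) until the cert expires."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def covers(cert, target):
    """True if target (hostname or IP literal) appears in the cert's SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:  # IPs only match an explicit "IP Address" SAN entry
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    host = target.lower().rstrip(".")
    for kind, value in sans:
        name = value.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        # A wildcard covers exactly one left-most label
        if len(name) > 2 and name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False
```

Against a live NAS, the same dict comes from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`.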
not work, did exactly the same but still not private
Is it a problem to leave Port 80 and 443 open all the time?
Not really if you are already going to have external access. If you do not have external access then you can just enable it to get the cert the first time, then leave it disabled. After the first check you do not need port forwarding
@@SpaceRexWill Thank you very much for taking the time to answer my question! Everything is clear now :)
@SpaceRexWill said "After the first check you do not need port forwarding" and that is not correct if you want the automatic every-3-months renewal of the certificate to work. The Synology knowledge base says as much: "To obtain or renew the certificate of your customized domain, make sure port 80 has been forwarded to your NAS. This limitation does not apply to Synology DDNS." If you opt for the DDNS method, then you need to leave port 53 always open (which may be even worse if Will is to be believed from his Avoid Ransomware video). Web searches for "Synology certificate renew port 80" indicate that others have found a workaround of this open-port issue by instead using CloudFlare certificates and custom ACME server scripts setup through SSH to a server admin account, but that all sounded very complicated and was subject to being undone every time DSM was updated. To me it seems that there is just no good solution yet for this from Synology. I did see one suggestion that said "you might consider a port triggering rule on your router so port 80 is only opened when the certificate needs to be obtained or renewed" which I have yet to investigate.
SYNOLOGY should pay you ;)
Haha honestly I just want them to send me free NAS units lol
I don't get them boom, I get this site can't be reached
Use the Synology network tool to make sure you are going to the right IP.
DDNS does not even work for me. What's the point? I will still get the same message.
What message do you get for DDNS?
Thank you so much.. LOL I can't help but stare at your eyebrows.
I do not know if this is a good thing or a bad thing lol
Nice tshirt😅
I followed the process, but when I tried to connect I got an error that the server stopped responding. Any idea why that is happening?