Manually Renewing Let’s Encrypt Certificates on a Synology NAS


Let’s Encrypt (LE) is a great service that offers free SSL certificates for websites and similar uses. It’s important to understand that a Let’s Encrypt certificate only verifies the site name and provides encryption for traffic to and from the site or device; it doesn’t verify who owns the site. While you need to prove that you control the site, you don’t provide any identity information. If you’re running an e-commerce website you’ll want to pay for a more enhanced certificate. But if you just want to encrypt communication between your devices and the NAS, this is a great solution.

The initial setup is well documented by Synology and is easily run by stepping through a wizard. Let’s Encrypt certificates are only valid for 90 days. While the Synology NAS will automatically renew certificates that are over 60 days old, port 80 must be open for this to work. The validation process for renewal uses only port 80; unlike the initial installation, port 443 does not need to be open.

In some cases it is not practical or wise to keep port 80 open all the time. For example, I don’t need port 80 open to the internet for my home NAS. Since it is a well-known port, nefarious people are constantly scanning for port 80 on the internet. Since I don’t need it for anything, I’d prefer to just keep it shut down at the router and not worry about it. Even if security weren’t a concern, I’d still want to keep the traffic from these unnecessary scans off my network.

Opening port 80 after 59 days is an option, but not one I like. The Let’s Encrypt client on Synology will try the renewal whenever it gets around to it, which could be several days. Plus, it’s additional work I have to remember to do.

I can manually renew the certificate, and this is my preferred method. It is a manual process but it’s quick (about 5 minutes). Port 80 is open to the internet, but only for that short time.

Manual Let’s Encrypt Certificate Renewal

This has worked for me since DSM 6 and still works with the latest version, DSM 6.1.1-15101 Update 4. The screenshots are from the slightly older DSM 6.1.1-15101 Update 2.

This procedure works if the certificate is within 30 days of its expiration date. The date will be displayed in orange when it’s within 30 days of expiration.

This certificate is within 30 days of expiration.

  • Configure your router to forward port 80 to your Synology NAS. This will vary by router but will be the same as during the initial Let’s Encrypt certificate installation.
  • Enable SSH on your Synology NAS:


Screen to enable SSH on Synology

  • Open Terminal on your computer. I use Terminal on Mac OS (OS X). On Windows use any terminal application that supports SSH; PuTTY is a popular choice. You can also use any iOS or Android app that supports SSH. (I like Prompt on the iPad.)
  • Issue the command ssh *adminid*@*NASipADDRESS* where adminid is a user on your NAS that is a member of the administrators group. NASipADDRESS is the IP address of your NAS (or use a name if it resolves to an IP address.)
Example:

    The home directory error in the example does not affect this procedure and may or may not appear for you.

  • The renewal needs to be done as root, not any old administrator ID. So issue the command sudo -i. Enter your administrator ID password at the password prompt. (The same password you just used to log on to the NAS.)

Issue the sudo -i command in terminal

  • Now it’s time to actually renew the certificate. Enter the command /usr/syno/sbin/syno-letsencrypt renew-all -v

The -v is optional. It means verbose and will display any messages. If you don’t use verbose mode then no success or failure message is displayed. You’ll have to check the status in the DSM Control Panel.

Success:

Certificate screen in DSM after successful renewal

Control panel after a successful renewal

Success message on the command line (if -v used)

  • Turn off forwarding of port 80 and disable SSH on the Synology NAS (undo steps 1 & 2)
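
The steps above, once you are logged in to the NAS over SSH, can be wrapped in a small script. The following is an added example and is not Synology's code nor part of the original post: it checks that you are root, that the syno-letsencrypt binary from the step above exists, and that the certificate is actually within the 30-day renewal window before running the renewal, then prints the new expiry date. The certificate path is an assumption about the DSM 6 default location (override it with the CERT_PATH environment variable), and the port-80 forwarding and SSH enable/disable steps are still done by hand as described.

```shell
#!/bin/sh
# Added example wrapper for the manual Let's Encrypt renewal on a Synology NAS.
# Not Synology's code. Run on the NAS after "sudo -i":  sh renew-le.sh --run
set -u

# Path used in the procedure above.
SYNO_LE=/usr/syno/sbin/syno-letsencrypt
# ASSUMPTION: default system certificate location on DSM 6; adjust if yours differs.
CERT_PATH="${CERT_PATH:-/usr/syno/etc/certificate/system/default/cert.pem}"
# DSM only renews when the certificate is within 30 days of expiry.
RENEW_WINDOW_DAYS=30

is_root() { [ "$(id -u)" -eq 0 ]; }

# Return 0 when the certificate in $1 expires within $2 days (renewal allowed),
# 1 when it is still valid beyond that window (DSM would refuse to renew yet).
within_renewal_window() {
    cert="$1"
    days="$2"
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the certificate's notAfter date (e.g. "Jun 12 10:00:00 2024 GMT").
cert_expiry() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

renew() {
    if ! is_root; then
        echo "run as root first (sudo -i)" >&2
        return 2
    fi
    if [ ! -x "$SYNO_LE" ]; then
        echo "$SYNO_LE not found; is this DSM 6?" >&2
        return 3
    fi
    if ! within_renewal_window "$CERT_PATH" "$RENEW_WINDOW_DAYS"; then
        echo "certificate expires $(cert_expiry "$CERT_PATH"); not within $RENEW_WINDOW_DAYS days, nothing to do" >&2
        return 0
    fi
    # -v keeps the verbose success/failure output described above.
    "$SYNO_LE" renew-all -v
    status=$?
    echo "syno-letsencrypt exited with status $status; certificate now expires $(cert_expiry "$CERT_PATH")"
    return $status
}

# Only perform the renewal when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    renew
    exit $?
fi
```

Run it as root on the NAS with `sh renew-le.sh --run` while port 80 is forwarded; a non-zero exit status means the renewal did not happen, and the printed expiry date lets you confirm the new 90-day validity without opening the DSM Control Panel.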

Your certificate has been renewed for another 90 days. Some Synology mobile apps may warn you of a certificate change, which can be annoying. Some apps may stop working until the certificate change is approved. DS Note is the one that catches me all the time, so my checklist includes running it after the manual renewal. This happens whether the renewal is done with this manual method or automatically with port 80 kept open. This is another reason I like manual renewals, since I will be expecting the certificate change and can proactively approve it.

The following screenshot shows the error message displayed (again, only if -v is used) if port 80 isn’t forwarded.

Error displayed in terminal if port 80 isn't forwarded correctly.

Errors if port 80 isn’t forwarded correctly.

  • Andy

    Thanks! This was very helpful. I experienced a failure in the renewal process saying that my domain was not a subdomain of synology.me. I’d read on a board that port 80 wasn’t required to be forwarded if using the QuickConnect service.

    I had port 80 forwarded at the time, so I removed that setting and tried again. It failed, saying port 80 was closed.

    So I re-established the port forward and tried again. It worked! I’m not sure why it failed in the first place since it seems I just took the circuitous route. But I’m thankful just the same.

    Thanks much for the clear concise instructions!

  • Tomasz Kluczkowski

    Hey thanks for this!

    Much appreciated, just followed your guide and renewed the certificate remotely.

    Take care,

    Tomasz Kluczkowski

  • Jon Rescca

    Excellent, just what I was looking for. Now I can manually renew after opening port 80.

  • Ferdinand Wiese

    Thank you very much!
    Smooth update with your guide.

  • Stefan

    Thank you very much!
    I pimped your solution a little bit.
    It is much easier if you generate a script task in the task scheduler, as the script I use your command, executed as root. Then I disable the task. After that I configured the port forwarding, executed the task manually and closed the port. If it works you can see it after a few seconds in the certificate GUI. This solution is easier because you don’t have to do the steps with SSH and command-line tools.
    Maybe I can schedule my port forwarding rule on the firewall and then synchronize the Synology. Then it would be fully automated.

    • Ray

      Hi Stefan,

      Good idea, and much easier. Thanks for sharing.

      As an FYI: I’ve been running the DSM 6.2 beta and there’s now an option to renew the certificate through the same interface where you create one in Control Panel. It can’t be scheduled, so your task would still be the better option if port forwarding could also be scheduled.

      Thanks for reading,
      Ray

  • Nahuai

    Brilliant!

    Thanks a lot, it saved me a lot of time.

    Cheers.

  • Tom

    Hello.
    I would like to setup my firewall to let open the port 80 to my nas.
    But I need to know the url / IP where my NAS gets the new certificate.
    Does anyone know the ip or url?
