Let’s Encrypt (LE) is a great service that offers free SSL certificates for websites and similar uses. It’s important to understand that this verifies the site name and provides encryption for traffic to and from the site or device, but it doesn’t verify who owns the site. While you need to verify that you control the site, you don’t provide any identity information. If you’re running an e-commerce website you’ll want to pay for a more enhanced certificate. But if you just want to encrypt communication between your devices and the NAS then this is a great solution.
The initial setup is well documented by Synology, and easily run by stepping through a wizard. The Let’s Encrypt certificates are only valid for 90 days. While the Synology NAS will automatically renew certificates that are over 60 days old, port 80 must be open in order for this to work. The validation process for renewal is done using only port 80, unlike the initial installation port 443 does not need to be open.
In some cases it is not practical or wise to keep port 80 open all the time. For example, I don’t need port 80 open to the internet for my home NAS. Since it is a well know port nefarious people are constantly scanning for port 80 on the internet. Since I don’t need it for anything I’d prefer to just keep it shut down at the router and not worry about it. Even if security wan’t a concern I just want to keep the traffic from these unnecessary scans off my network.
Opening port 80 after 59 days is an option, but not one I like. The Let’s Encrypt client on Synology will try the renewal whenever it gets around to it, which could be several days. Plus, it’s additional work I have to remember to do.
I can manually renew the certificate, and this is my preferred method. It is a manual process but it’s quick (about 5 minutes). Port 80 is open to the internet, but only for that short time.
Manual Let’s Encrypt Certificate Renewal
This has worked for me since DSM 6 and still works with the latest version, DSM DSM 6.1.1-15101 Update 4. The screenshots are from the slightly older DSM 6.1.1-15101 Update 2.
This procedure works if the certificate is within 30 days of it’s expiration date. The date will be displayed in orange when it’s within 30 days of expiration.
- Configure your router to forward port 80 to your Synology NAS. This will vary by router but will be the same as during the initial Let’s Encrypt certificate installation.
- Enable SSH on your Synology NAS:
- Open Terminal on your computer. I use Terminal on Mac OS (OS X). On Windows use any terminal application that supports SSH. Putty is a popular choice. You can also use any iOS or Android app that supports SSH. (I like Prompt on the iPad.)
- Issue the command
SSH *adminid*@*NASipADDRESS*where adminid is a user on your NAS that is a member of the administrators group. NASipADDRESS is the IP address of you NAS (or use a name if it resolves to an IP address.) Example:
- The renewal needs to be done as root, not any old administrator ID. So issue the command
sudo -i. Enter your administrator ID password at the password prompt. (The same password you just used to log on to the NAS.)
- Now it’s time to actually renew the certificate. Enter the command
/usr/syno/sbin/syno-letsencrypt renew-all -v
The -v is optional. It means verbose and will display any messages. If you don’t use verbose mode then no success or failure message is displayed. You’ll have to check the status in the DSM Control Panel.
- Turn off forwarding of port 80 and disable SSH on the Synology NAS (undo steps 1 & 2)
Your certificate has been renewed for another 90 days. Some Synology mobile apps may warn you of a certificate change which can be annoying. Some apps may stop working until the certificate change is approved. DS Note is the one that catches me all the time so my checklist includes running it after the manual renewal. This happens whether or not this manual method is used or if port 80 is kept open and the renewal is automatic. This is another reason I like manual renewals, since I will be expecting the certificate change and can proactively approve it.
The following screenshot shows the error message displayed (again, only if -v is used) if port 80 isn’t forwarded.