Resolve certificate error for Synology Diskstation part 3 of 4

My Synology NAS allows the use of SSL to encrypt traffic. The default certificate supplied works, but gives an exception in the browser: There is a problem with this website's security certificate. The problem is that the address and the certificate don't match. So the solution is to set up your own domain, link it to your NAS and create a certificate for it.

Create your SSL certificate

Finally the point of all this work: the SSL certificate for your own domain and access to the NAS. For this I use StartSSL, which is free.
UPDATE 21 March 2017: don’t use startssl anymore


  1. Head over to StartSSL and go to Control Panel. Start the Express Lane, or Authenticate if you've already signed up.
  2. The Express Lane guides you through the sign-up process and starts the Validations Wizard. If you authenticated/signed in, you can start the Validations Wizard now.
  3. Choose Domain Name Validation and continue.

    Domain Name Validation

  4. Enter the domain name (findmynas.nl) and continue

    Enter Domain Name

  5. Select the e-mail address to use for verification and continue. This is why I always have a catch-all e-mail address (* for Namecheap).

    Select Verification Email

  6. Copy and paste the verification code from the e-mail into the field and continue.

    Complete Validation

    Now the domain is verified and the SSL certificate can be generated.

  7. Start the Certificates Wizard. Choose Web Server SSL/TLS Certificate and continue.

    Select Certificate Purpose

  8. Enter and confirm a password, leave the key size and algorithm at the defaults and continue.

    Generate Private Key

  9. Now you need to save the encrypted private key by copying and pasting it into a plain text file.

    Save Private Key

    Since I'm doing this from a MacBook, I run the openssl rsa -in ssl.key -out ssl.key command in Terminal to decrypt the key: it asks for the password from step 8 and overwrites the file with the unencrypted key. There is a tool in the Tool Box that can do this for you online.

  10. Select your domain (findmynas.nl) and continue

    Add Domains

  11. Enter the subdomain set up for DDNS and continue.

    Add Sub Domain

  12. Confirm your choices on the next step and continue.
  13. Now you need to save the certificate text by copying and pasting it into a plain text file.

    Save Certificate

    Also save the intermediate and root CA certificates: the bold texts in the wizard are links to the files you need.

  14. Now log in to your NAS and go to Control Panel > DSM Settings, tab Certificate, and choose Import certificate. Select the files you've created above.

    DSM certificate

  15. Add the root CA certificate to your keychain/certificate store by double-clicking it and importing it into Trusted Root Certification Authorities.

Now you can access your Synology NAS over the internet without the certificate error.

Note that the used domain FINDMYNAS.NL is not mine and only used for demo purposes because it was available at the time I created this post.

About erictummers

Working in a DevOps team is the best thing that happened to me. I like challenges and sharing the solutions with others. On my blog I’ll mostly post about my work, but expect an occasional home project, productivity tip and tooling review.

22 Responses to Resolve certificate error for Synology Diskstation part 3 of 4

  1. Pingback: Resolve certificate error for Synology Diskstation part 1 of 4 | Erictummers's Blog

  2. Pingback: Resolve certificate error for Synology Diskstation part 2 of 4 | Erictummers's Blog

  3. Pingback: Resolve certificate error for Synology Diskstation part 4 of 4 | Erictummers's Blog

  4. David says:

    Hi, I am trying to follow your guide and things are going well but I have a question – what is the purpose of decrypting your private key? Do you need it to be decrypted before uploading to the server?

    • erictummers says:

      Hi David, nice to hear you’re setting up ssl using my post.
      In step 8 you specify the password for storing your private key encrypted in ASCII format. To use the private key you need to decrypt it with that password. Then you can set up SSL with the decrypted key. Securely dispose of the decrypted key after use.
      The private key is used to prove your NAS sent the information and not a malicious person. To prevent this 'identity theft' is why the private key is stored encrypted with a password.

      • David says:

        Thanks for your help. I think I might be out of luck because I somehow incorrectly saved my encrypted private certificate, so when I try to load it to decrypt (I have the key), it says it can't load. I tried passing it through a validator to see what might be wrong (extra white space or hidden CR?) but I can't seem to figure it out. It seems like it'll cost about $25 to revoke it and I cannot generate another cert without paying. Any advice?

      • erictummers says:

        Hi David, today I renewed my certificate (= created a new one). No problem creating another certificate for my domain.
        The validation of the domain (steps 3-6) seems to be valid for 30 days. Maybe after that period you can start over without paying.
        Also be sure to paste the certificate into a plain text file. In Mac OS X you can achieve this with TextEdit; make sure to use Format > Make Plain Text. What OS are you on?

  5. Pingback: Renew certificate | .NET Development by Eric

  6. Pingback: Best Off .NET development by Eric | .NET Development by Eric

  7. Robert in SF says:

    I don’t know if you are reading comments on this blog post, but any advice on how to do this would be appreciated.

    I have registered my domain via Google, used Namecheap to set up the domain and subdomain and get verified, etc. for synology.[mydomain].com, created my various certs and keys and downloaded them etc…

    but for the life of me I can not get my local browser to recognize the subdomain name with https….it just has errors on loading the page. I use Chrome to navigate to the local IP address for my synology, and it just shows that https is not valid but still lets me browse to the drive’s interface once I accept the risk.

    Any other help or pointers would be appreciated. I don't care so much about internet access, but want to get rid of that https error for local browser access.

    • erictummers says:

      Have you imported the Root CA Certificate on the machine you browse with? Windows needs it to trust the certificate.
      I’m using OS X El Capitan and StartCom root CA certificate is installed by default.

      • Robert in SF says:

        I have imported various certs…Keychain access is not intuitive. 😦 Now I am checking Windows 7 in BootCamp…still gets the same error as described below.

        At any rate, I think it’s a DNS issue maybe?
        When I type in synology.mydomain.com, it comes back as: The server at rrpersonal.com can’t be found, because the DNS lookup failed.
        I have the domain registered via Google, and just checked namecheap.com for my set up.

        I have an entry in both Host Records and Dynamic DNS set up the same it seems:
        A+ Dynamic DNS,
        Host: synology
        Value: 127.0.0.1
        TTL: automatic

        Any insight from these data?

      • erictummers says:

        My namecheap freedns only has A Record. Changing this can take some time before effective, be patient.
        type: A Record
        host: synology
        value: 84.18.217.99 (ip-address I have from ISP)
        TTL: automatic

  8. Robert in SF says:

    Oh and my real goal was just to get rid of the damned SSL error when I browse to the NAS via an internet browser (such as Chrome)….I think I am fine with using the synology built in connection service to access via the internet…

    But the first time each browsing session that I enter https://192.168.1.7:5001/webman/index.cgi as the address, I get the https struck through, and the error about possibly being an unsafe site. 😦 I have to set an exception in the browser screen to say go ahead, I accept the risk.

  9. Robert in SF says:

    Maybe it has something to do with my DDNS Updated 2 configuration? What app do you use on your Synology to update your DNS to your IP?

  10. Robert in SF says:

    Yay, it works for now. I used Namecheap's DNS tool while I was in Windows 7 and I guess that pushed through. But now I am back in El Capitan, so I have to check the DDNS app on the synology to see if it is connecting to update the DDNS…wish me luck!

  11. Robert in SF says:

    OK, one more question, since you’ve been so great. 🙂

    What are the configuration entries to make in DDNS updater? Some are clear, I think…others not so much.

    http://prntscr.com/9q8hvq

    Wildcard: [] use wildcard
    Static: []has a static IP address
    Custom: []is a ‘custom’ top-level domain

    Login:

    Password:

    Confirm Password:

    MX Hostname:

    MX Priority:
    1-999
    Backup MX: [] is backup MX for the domain

    • erictummers says:

      You should use ‘synology’ for the hostname and ‘rrpersonal.com’ for the login. Leave all options unchecked and clear, except for the password + confirm password.

      • Robert in SF says:

        Great! Thanks man. I got the DDNS updater working now and it seems to be great!
        I really appreciate the guide, although I came late to the party after some of the services' interfaces changed…I still got!

  12. Pingback: Renew certificate 2017 edition | .NET Development by Eric
