Get HTTPS on DiskStation with Let’s Encrypt

From the moment I got my DiskStation and made it available online, I wanted to try HTTPS. Organizations that issue certificates for HTTPS free of charge have been around for a while (StartSSL, for example), but they require you to own a domain, and I use a DDNS hostname. Thanks to Let’s Encrypt I can finally get a certificate to secure the communication to melo.myds.me with HTTPS!

Why care about HTTPS?

You might have noticed that more and more service providers like Google and Facebook have moved to serving their content through HTTPS by default, and that the adoption of HTTPS has been pushed by organizations like the EFF. Instead of deciding whether a given communication requires protection or not, you simply protect all of it, which keeps you on the safe side and raises the level of privacy between all of your services and their consumers. Even the US government stated:

Today, there is no such thing as non-sensitive web traffic[…]

In this post I will talk about what you need to do to access your DiskStation over the internet through HTTPS. We are talking about your private device here, serving your private content over the internet. Because of this, the need to encrypt the communication between you and your DiskStation, from wherever you might access it (like from a hotel’s public Wi-Fi), should be a no-brainer.
If you want to follow along, please make sure your DiskStation is accessible over the internet already through HTTP. In case you need help with that, have a look at how to configure DDNS and how to setup port forwarding rules.

What about a self-signed certificate?

As you might know, you can issue a self-signed certificate directly in DSM. So you might ask yourself:
Why should I need a real certificate signed by a trusted certificate authority? Because your self-signed certificate will not be trusted by common web browsers: you are not a recognized certificate authority, so whenever someone accesses services on your NAS with a web browser they will be presented with a warning. The warning is not cosmetic. A self-signed certificate still encrypts the connection, but unless the browser knows your certificate it cannot tell it apart from one presented by somebody intercepting the connection on that hotel Wi-Fi, and clicking through the warning every day trains you to click through on the day it is an impostor.
If your NAS is only about your private content and only you (and maybe your family) access it over the internet, you might be fine with this, or you are willing to add your certificate to the trust store of every device that you and your family use to access your NAS.

Let’s Encrypt to the rescue

Let’s Encrypt is a new, free, automated and open certificate authority and their declared goal is

to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention.

Thanks to their efforts and the ACME protocol it is no longer as hard as it used to be to get a genuine certificate, even for your very own DiskStation using a DDNS domain, and certificates signed by Let’s Encrypt are trusted by all major browsers, too.
There are several clients already available; however, none of them run directly on a DiskStation as far as I know. So for now I decided to use the official Let’s Encrypt client in manual mode on my Linux desktop and import the generated certificate to the DiskStation. It is still quite easy to do. Just keep reading to find out how.

Let’s Encrypt client’s manual mode

Let’s Encrypt managed to establish a wonderful community that is very active and ready to help. In fact I found the solution to get a certificate for my Synology DiskStation, despite not being able to run the Let’s Encrypt client directly on the NAS, in their community forum. Have a look at dip987’s step-by-step guide over there. Since Let’s Encrypt is in open beta now you don’t even need to sign up and can skip steps 1 and 2 in dip987’s guide. In essence, you take these steps:

  1. Get the client on a Linux machine (this is the client that has since been renamed certbot; the flags below are the ones from the beta period):
    git clone https://github.com/letsencrypt/letsencrypt
  2. Run the client in manual mode:
    ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual
    and type in your domain name when asked.
  3. You will be asked to create a file with a specific name and content and to make it available at a specific URL on your domain, e.g.:
    http://melo.myds.me/.well-known/acme-challenge/<filename>
    The file name is the challenge token and the content is that token followed by a dot and the thumbprint of your ACME account key, which ties the answer to your account. Let’s Encrypt fetches this file over plain HTTP on port 80, which is why port 80 must be forwarded to the NAS. Log in to DSM, start File Station, open the web folder and create the .well-known/acme-challenge folders. For the file itself I recommend DSM’s Text Editor; the content is plain ASCII, so double check that you save it as UTF-8 (without a byte order mark) and with nothing in front of the content, otherwise the validation fails.
  4. Grab privkey.pem, cert.pem and chain.pem by following the symlinks in /etc/letsencrypt/live (they point into /etc/letsencrypt/archive). privkey.pem is the private key of your certificate: copy it to the NAS over scp or an HTTPS session, never by dropping it into the public web folder.
  5. Import the pem files to your DiskStation at Control Panel > Security > Certificate:
    Private key uses privkey.pem, Certificate uses cert.pem and Intermediate certificate uses chain.pem.
  6. Include the /etc/letsencrypt folder in your scheduled backup; it holds your account key as well as the certificate history.
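As an added example (not part of the original post and not the Let’s Encrypt client’s own code), the following Python models what the manual step hands you in step 3: it computes the key authorization for the challenge file from a constructed sample account key in JWK form, builds the URL the CA will fetch and the path under the web folder where the file has to live, and compares a saved file the way the CA does, showing why a byte order mark, a UTF-16 save or a leading space breaks validation while a trailing newline does not. The account key, token, domain and the /volume1/web document root are assumptions made for the example. The same path helper applies to a virtual host, whose document root is its own directory inside the web folder.

```python
import base64
import hashlib
import json
import os
import re

# Constructed sample values (not a real account key or token).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "3ZkQ7fCEd6Cq1I7uXkZ0m5pVqzf1x8dD9bRkUyjQz1s",  # toy size, JWK layout only
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "melo.myds.me"

# ACME challenge tokens are base64url without padding (RFC 8555 section 8.3),
# so this check also rules out '..' and slashes before the token touches a path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def canonical_jwk(jwk):
    """Canonical JSON of the required public members as RFC 7638 prescribes:
    lexicographic member order, no whitespace, optional members dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    """base64url(SHA-256(canonical JWK)) without '=' padding."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """The exact content of the challenge file: token '.' thumbprint.
    The thumbprint ties the answer to the ACME account that asked for it."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain, token):
    """Where the CA looks: plain HTTP on port 80, never HTTPS or another port."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def challenge_file(docroot, token):
    """Filesystem path under the document root of the host being validated
    (for a virtual host, its own directory inside the web folder)."""
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url")
    return os.path.join(docroot, ".well-known", "acme-challenge", token)


def validate_challenge_body(body, expected):
    """Model of the CA-side comparison: the response must equal the key
    authorization; whitespace after it is ignored (RFC 8555 section 8.3),
    anything in front of it, including a BOM, is not."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == expected


def saved_file_outcomes(keyauth):
    """Which ways of saving the file in a text editor pass validation."""
    variants = {
        "utf-8": keyauth.encode("utf-8"),
        "utf-8 + trailing newline": (keyauth + "\n").encode("utf-8"),
        "utf-8 with BOM": keyauth.encode("utf-8-sig"),
        "utf-16": keyauth.encode("utf-16"),
        "leading space": (" " + keyauth).encode("utf-8"),
    }
    return {name: validate_challenge_body(b, keyauth) for name, b in variants.items()}


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("serve   ", challenge_url(SAMPLE_DOMAIN, SAMPLE_TOKEN))
    print("from    ", challenge_file("/volume1/web", SAMPLE_TOKEN))
    print("content ", ka)
    for name, ok in saved_file_outcomes(ka).items():
        print(f"{name:25s} {'valid' if ok else 'FAILS'}")
```

Running it prints the URL, the file path and the content you have to reproduce byte for byte in step 3, followed by which editor save modes the CA would accept. The token check is the one thing to keep if you ever script the file creation on the NAS yourself: a token is the only part of the path that comes from the network, and restricting it to base64url characters keeps it from escaping the acme-challenge directory.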

Congratulations! You can now visit your DiskStation services like DSM and access whatever you might have inside the web folder using HTTPS.

Outlook

We saw how to secure access to our DiskStation with a valid certificate. For certificate renewal you can use exactly the same steps as for the initial certificate creation; Let’s Encrypt certificates are valid for 90 days, so plan to repeat them well before the expiry date.
For now this is a manual process, but don’t worry: Synology is adding support for Let’s Encrypt and the ACME protocol and already ships it in the current DSM 6 beta. This is great news, since we will soon be able to have the entire process of creating and renewing trusted certificates for secure access to our NAS right inside DSM with the click of a button!

In case you also use Tomcat: Stick around for my next post where I will show the steps required to use HTTPS for your Tomcat apps on your DiskStation.

13 thoughts on “Get HTTPS on DiskStation with Let’s Encrypt”

  1. Hello Carmelo,
    Thanks for this useful “how to”. Unfortunately I’m struggling to get it done on my NAS… I’ve checked all the basic stuff like port 80 redirection, no firewall etc…
    Then I’m wondering if this works with sub-domains like myds.me,
    Do you run the let’s encrypt certificate on your blog? which is obviously a myds.me sub domain!
    Thanks for your help!
    Alain

    1. Hi Alain, thanks for your comment!
      About your question: I am serving this very blog, which is a myds.me sub domain, through HTTPS with the use of the Let’s Encrypt certificate.
      So I don’t see why this shouldn’t be working for you.

      What is the step you are actually having issues with? The challenge/verification step?
      It is very important that the file you create has exactly the content displayed by the LE client with no leading or trailing spaces and that the file is UTF-8 encoded.
      If the file you create is not UTF-8 encoded, the verification will fail.
      Easiest way is to use DSM’s built in TextEditor, copy-paste the file content from the terminal and save it with UTF-8 encoding and exactly the filename and path as requested by the LE client.

      If you can provide more details, I will be happy to help you as much as I can.

      1. Ok, so definitively I was doing something wrong…
        After having read your reply again, I decided to try again, starting by erasing the file in the ./well-known/acme-challenge and creating it again… and then I realized the file did not have the .txt extension before… so this time I created the text file with the .txt extension and it works!
        Thank you very much for offering your help, I succeeded thanks to your reply!
        I now have a secured access to my NAS with a known certificate, I’m happy 🙂

  2. Hi Carmelo
    I am using LE in the DSM 6 RC release. Based on the settings you explained for your blog setup, what would you place in each field below?

    Domain Name: melo.myds.me?
    Subject Alternative Name: melo.myds.me?

    1. Hi Ray, thanks for your comment!
      I am still on DSM 5.2, but I will try my best to help anyway.

      The subject alternative name is completely up to you, really. It is just an alternative name you want to use for accessing your NAS.
      If you have alternative names you want to use, make sure to provide them as “Subject Alternative Name” so that they will be included in the certificate that is going to be issued for you.
      I understand from this post that “Subject Alternative Name” can handle a semicolon separated list so you can provide several alternative names.

      If I don’t have any alternative names I want to use, things would look like this:

      Domain Name: melo.myds.me
      Subject Alternative Name: leave blank

      However if I want to access my NAS by several domain names like melo.myds.me, alt1.melo.myds.me and alt2.melo.myds.me, things would look like this:

      Domain Name: melo.myds.me
      Subject Alternative Name: alt1.melo.myds.me;alt2.melo.myds.me

      You can find how to set up virtual hosts that can be used as alternative names here.

      Hope this helps =)

  3. Hi Carmelo,

    I am also using DSM 5.2 and applied for 2 certs from Let’s Encrypt for 2 virtual hosts (2 directories) in the same Synology box. However, say the first one is for http://www.mydomain.com and the second is for dev.mydomain.com, I can easily follow its instructions to put the first cert into http://www.mydomain.com via the DSM control panel. However, I don’t know how to put the cert into the /web/dev folder to enable https://dev.mydomain.com.

    Do you have any experience can share?

    Thanks.

    1. Hi Mendel,
      thanks for your comment! This reply comes a little late because I was out a few days =)

      Regarding your question: I understood that you are trying to get a valid certificate for both your domain and a sub-domain.
      Is your sub-domain already set up and accessible with HTTP when calling http://dev.mydomain.com?

      DSM offers an option where you create a directory for your second website/web-application in the web folder and assign a new hostname for it. You can find information about this in the “Enable Virtual Host to Host Websites” section of this documentation: https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/application_webserv_http

      So in your case you would use this feature to assign the dev.mydomain.com hostname to your /web/dev folder. Keep in mind that you need to create two virtual host rules both for HTTP and HTTPS.
      Once you can see the contents of /web/dev when calling http://dev.mydomain.com through HTTP you are ready to create your cert.
      When the Let’s Encrypt client prompts you to create the file for dev.mydomain.com you create the path .well-known/acme-challenge inside the web/dev directory and put the file with the requested content inside web/dev/.well-known/acme-challenge.
      Once the client creates your cert it will be valid for both validated domains and you can import the cert to your DiskStation like I described in the post.

      I hope this helps and I would be happy to hear from you if it worked out.

  4. Hi again Carmelo !
    Thanks for your great article which helped me a lot for a start. Unfortunately we can’t use the official Let’s Encrypt client on the NAS and it was too complicated to build a Linux client on a VirtualBox etc… So I used another client, Acme-tiny, listed in your link, and it works nicely (DSM 6, with Nginx). I wrote a new article on the subject: http://thorpora.fr/synology-certificat-valide-avec-lets-encrypt/
    PS: I posted a comment before but it doesn’t appear

    1. Hi Yannick,
      DSM 6 has official Let’s Encrypt support inside the Control Panel. Just head to the certificate configuration. There you can choose to create a cert with LE.
      My cert will expire this month, so I will give it a try.

    2. So I gave the new DSM 6 Let’s Encrypt integration a try and I really like it.
      You can create an LE cert right from the certificate setup in the DSM control panel and it will work its magic without further intervention. You just provide your domain name, alternative names and e-mail address.
      I combined the possibility to provide an alternative name for the certificate with the new reverse proxy feature to access my tomcat server from the internet through HTTPS without the need to setup https in Tomcat itself. Instead Nginx is now fronting both the Web Station and the Tomcat content. I think this is really nice, because it frees me from manual certificate renewal and setup.
