Thanks so much for making this video. I've tried several times to set up a secured certificate w/o success. Following the instructions in your video worked perfectly. You rock!
You rock bro, I really appreciate your videos, always informative and helpful and straight to the point, without any fancy unnecessary video effects or other bs. Keep the videos coming. Greetz from Italy, and bless 🙏🏾
Thank you so much. I have an older Synology NAS and I have been messing around trying to figure this out through online forums. This video was so much easier to follow and understand. Love the content!
I did find the very end of your video very helpful. I had to open the ports in my router and in the NAS. Everything says it's working, but still not HTTPS. Thanks for getting me a few more steps closer to getting an encrypted connection.
I greatly appreciate you talking slower and showing the computer steps slower so a user can follow. Also, thanks for these videos; they are very helpful. I wish you could do a series on the basics for us beginners, as this is a lot of terminology and technology to try and learn.
Hi, great video. Could I ask you to make a video on updating the UDMPRO certificate for the hotspot? I think that is an area which is problematic for all users.
Hey, I have a question about this. When I set up the OpenVPN server and only expose port 1194, I still cannot connect to my NAS by entering my synology.me domain name. Actually, it redirects me to my router's admin page. Is it because I didn't set up port forwarding for 5001 that I cannot reach my homepage? But I route all my traffic through the OpenVPN. Doesn't that mean I do not need to open any ports to get into my Synology DSM? I can connect to my NAS by enabling the VPN and entering the local address manually, but somehow it just won't work with the synology.me domain. Would you mind guiding me on this problem? Thank you so much! Your video is really, really helpful! Huge support!!
I've been tearing my hair out trying to stream my large music collection from my NAS to my new Echo Dot. All with no luck. This didn't solve the whole problem but it was the first step in the problems in Audio Station which I'm told I need. If you ever make or find a video to help with the Synology NAS.Echo Dot connection I'd love to know. Please keep up the great work.
Thanks for the response. I kept searching and found this video which let me connect the NAS to the Echo Dot. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-u9Oz74fDa4M.html I still had some problems with Synology Audio and found another video to help with that. Thanks so much!
Great video. There is a way to use Let's Encrypt when you have websites hosted on your NAS. What I did was disable all the other sites, create a new virtual host for the name you need, then do the cert. Works perfectly!
@John Z Open up Web Station. In there, under Web Service Portal, are all of my sites. Let's say I have sites A, B, C, D and E and I want to create a new site "F": highlight each of the other sites, one at a time, and click Disable under the ACTION button. Do that on all of them; then there is only one active site, "F". Go back and create your cert like Will shows, and it should work. I had to upload a text file (or something) to the root folder that they specified in the cert; this is how they verify things. Once you do this, you should be good to go. I believe part of this issue may be because of the way Synology Web Server handles the host headers, I don't know. After creating the cert, go into Control Panel / Security and Certificate, select SETTINGS, then assign the cert you created. Now go back and enable all the other sites. Good luck.
The new certificate goes straight into the home router's webpage. You choose Let's Encrypt but it returns an “Emitted by R10” and that's it. It still warns that the certificate is self-signed. Apparently, you'd need an advanced telecommunications degree in order to make a dent in these convoluted device settings. Why doesn't Synology make a wizard for 99% of settings so people can be done with it?
Great walkthrough! Question: How many certificates can one add to the Synology using Let's Encrypt? If I'd like to use Reverse Proxy and point to Docker WebServers or maybe a Raspberry Pi on the network? Keep up the awesome work buddy!
I actually am not sure if there is a limit to the number of certs Let's Encrypt can give you. If you have a bunch, you can look into wildcard certs (not sure where Let's Encrypt stands on this right now) or adding multiple addresses to the same cert.
Thanks for all your videos - very helpful! I get the "insecure" error when I log into my NAS via IP, but when I log in via quickconnect I see the connection is secure. Sounds like there is no way to get the IP login to be secure? So is the point that you should always use quickconnect to log in? Or is it that you don't need to worry about the "insecure" warning when you log in via IP because you know it is secure (and you can only log in via IP when you are on your own network)?
So the reason it's "insecure" is that the browser does not match the domain name on the cert to where you ended up. No one can get a "secure" message when trying a local IP address because no one can own a local IP address. However, you can get a secure message for something like www.spacerex.co (or at least I can) because I prove that I own it.
@@SpaceRexWill Gotcha. Thanks! To make sure I understand: For QuickConnect logins: as long as I have the lock and don't get the "insecure" warning when I use my QuickConnect URL then I'm good and protected. For IP logins: even though I get an "insecure" warning, it's not a risk, and I should ignore that warning. Do I have that right?
Yes! So funny enough, they are actually both encrypted end to end. However, your web browser just cannot confirm that it is properly encrypted and spits out the warning. Both are encrypted and both are protected. Just your computer knows they are when you use QuickConnect.
Like all other kudos, awesome videos and I support the suggestion below that Synology should pay you. I did all the steps as outlined, and it seemed to go as per the video. However, when I check the details of the certificate, it indicates it was issued by "R3". I was expecting something like "Let's Encrypt". Does R3 look right to you or did this fail? Also, the date of the certificate is not today's date, which would suggest maybe the request to "Let's Encrypt" failed. I do know as I was setting up the NAS and experimenting (and learning) I tried setting up certificates before. There was some message about "limits" per email address. Could I have exhausted my quota with Let's Encrypt?
I actually had the same question when I saw the R3 when I first did this. R3 is actually (one of) the master cert providers that signs certs for Let's Encrypt. The date of the cert should be "expires on" roughly 3 months from now. It sounds like it worked, but honestly the simplest way to check is simply to use it. If your browser likes it then it is a valid cert, but if you got one it should be valid.
Hi SpaceRex, I tried this, but Let's Encrypt failed, I think because my email is just a normal Gmail account. Should this be a mail server on the Synology NAS? If it is then I don't know how to set this up. Do you have a tutorial on how to set one up? Any help would be appreciated. Thanks, Hans
Great video, thanks, however I don’t get the final stage you show. When I type my domain address I get my router login page not my DSM login page. What am I doing wrong?
Despite all of your great videos I have been unable to get HTTPS to work for me. I followed the steps to set up a DDNS server and get a certificate from Let's Encrypt (R3), yet when I type in my domain name it sends me to my router's login page. So then I manually set up port forwarding of ports 80 and 443 to my NAS's static IP (UPnP wasn't working), and now I get the message "This site can’t be reached, refused to connect". Been trying for a couple of days, any ideas on what I could be doing wrong? Thanks!
Hi, I already had a "personal" certificate and I followed the steps like you show here. All went fine. Now I have 2 questions that I hope you can answer: 1- Why does my certificate have the date 20/04/2021 (04/20/2021)? Will it expire on that date? 2- When I'm at home, if I go through the IP address it always shows that the connection is unsecure (yes, I saw your previous video and I have https) because the certificate is not valid. Thanks
1) Yes, it will expire. 2) If you are using your LAN IP (i.e. 192.168.1.1) it will be "insecure", as the hostname you entered (the IP in this case) was not what was on the cert (x.synology.me). This is OK as 1) it's your own cert so you can trust it (so you are secure) and 2) it's local, so you don't have to worry about traffic being intercepted.
@@SpaceRexWill Just 2 more questions (sorry): 1- Why is the expiry date so small? 2- After it expires, do I have to do the same process again (or even create one from scratch)? "Let's Encrypt" limits (I think that was what I read while I was following your tutorial) user and email addresses. Thanks
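Added example, not part of the comment thread or the video: the replies above say that an "R3" issuer is expected for Let's Encrypt, that the cert expires roughly 3 months out, and that an IP login warns because the IP is not a name on the cert. The Python below runs those three checks on a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns; the hostname, dates and helper names are assumptions, and only a whole-label leftmost `*` wildcard is handled.

```python
import ipaddress
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# hostname, dates and issuer values are illustrative, not taken from a real NAS.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.synology.me"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan 20 10:00:00 2021 GMT",
    "notAfter": "Apr 20 10:00:00 2021 GMT",
    "subjectAltName": (("DNS", "example.synology.me"),),
}

def issuer_field(cert, key):
    """Return one attribute (e.g. organizationName) of the issuer name."""
    for rdn in cert["issuer"]:
        for k, v in rdn:
            if k == key:
                return v
    return None

def name_matches(cert, host):
    """True if host (DNS name or IP literal) is listed in the cert's SANs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # An IP literal only matches an explicit "IP Address" SAN entry.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            pattern = value.lower().split(".")
            name = host.lower().rstrip(".").split(".")
            # "*" may stand in for exactly one leftmost label.
            if (len(pattern) == len(name) and pattern[0] in ("*", name[0])
                    and pattern[1:] == name[1:]):
                return True
    return False

def days_left(cert, now):
    """Whole days until notAfter, given now as a Unix timestamp."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
```

A mismatch reported by `name_matches` is what produces the browser warning; the TLS session is still encrypted, but the client cannot tie the certificate to the address it was asked to open.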
Thanks for the video! How can you stop the security messages in your browser similarly for the host name (when on your LAN rather than over the internet)?
For the hostname you are not going to be able to get a cert for it. You are going to either have to stop using SSL for LAN (it's fine if you are on your LAN) or change to the Synology DDNS address.
When you host a DDNS server using a Let's Encrypt certificate, how often (if you do at all) do you need to renew the certificate? I received an email stating my Let's Encrypt certificate for the domain I'm using is about to expire. But I don't know how to renew this and don't see any signs that the certificate is going to expire. Even on the DSM>Security>Certificate>(Default certificate) tab, it still says I have a while left. Thanks.
Hi, thanks for this tutorial, but I still have some questions. I'm using Firefox to access my Synology NAS, but Firefox always tells me that the connection isn't secure. I want to try this tutorial but I don't have a domain name. What can I do to avoid getting the Firefox error? Any help is more than welcome.
I have a standard 1GB connection from the NAS to the router, but I also have a dedicated 10GB connection directly from the computer to the NAS. To ensure that I can force a connection from the computer to the NAS over the faster line, I have given that 10GB connection a static IP in its own subnet, separate from the default subnet the rest of my LAN is using (for example, 192.168.75.1 for the NAS and 192.168.75.3 for the ethernet port on the computer, while all other LAN traffic uses the 192.168.1.x subnet). How can I ensure the system uses the faster connection when I'm connecting to the DNS server name instead of typing in IP addresses? I thought I could adjust the Network > Network Interface > Service Order and set the 10GB connection as the primary interface, but only the 1GB connection appears as an option.
Would getting a signed SSL certificate for my DNS cause logging into my NAS via Synology VPN to quit encrypting? I have Synology OpenVPN set up and it was working. Now however I can log in without the VPN client! TIA
I used my quick connect address as my domain name and I was ultimately prompted with "Please check if your IP address, reverse rules, and firewall settings are correctly configured and try again..." So I don't know what to do with that. Any advice?
I use Starlink, which uses CGNAT. This precludes me using port forwarding if I understand correctly. Given this, is it impossible for me to host anything on my Synology (or anywhere else for that matter)?
@@SpaceRexWill I actually found a workaround. My Synology has a global IPv6. I created an AAAA record pointing to that in Cloudflare for the two NAS and one Pi subdomains. I then followed the reverse proxy scenario and opened 443 on the router. weather.sangrephotography.com (as well as the NASes) are now externally visible without using QuickConnect. I don't think the Synology IPv6 will change, but I will cross that bridge if I have to.
I went through this tutorial so many times, but can't figure out what I'm doing wrong. I have followed every step, but when I try to connect with the domain that I selected, I cannot. I get the Chrome error "site cannot be reached".
@@SpaceRexWill I think this was the question I was about to ask based on the video. Decided to read thru the comments a bit to see if there was another question on this and came upon this. So will have to find that other DDNS video. Thanks
Hey, thanks for the vid. DNS server is set, certificate created as per the tutorial, and port forwarding for port 443 and the ports for DSM HTTP & HTTPS all done on my router (UPnP is switched off so I skipped doing it through Synology). Yet when I type the domain name I get a '400 BAD request' error which further reads 'The plain HTTP request was sent to HTTPS port nginx'.
I created the DDNS successfully, but whenever I try to connect to it while on my home wifi, it always gives me an error and could not connect. I can connect via QuickConnect. Whenever I connect my laptop to a cellular hotspot, it lets me connect. Am I doing anything wrong? Is it true that if you are on your home wifi then you cannot connect to the DDNS address?
@@SpaceRexWill Do you mind me asking what is the purpose of VPN on NAS if it won't be possible to open a port? I use VPN on my PC and just got my NAS and the only reason I decided to try implementing VPN on NAS is because I have it on my PC. If I won't be able to open a port will I still be connecting through VPN if on my network? Right now I have my SSL and VPN running on my NAS but I can't access it from outside unless I use QuickConnect, which defeats the purpose. What's the reason to use VPN on the local network only?
Ah. I was not sure if you had something like a NordVPN setup and were trying to use that. So are you unable to connect to your VPN that you are hosting on your Synology?
@@SpaceRexWill The one I'm using is Private Internet Access. I learned that it has port forwarding option on the Win client but I'm not sure yet if I'll be able to make it work. I didn't install a VPN server on my NAS, instead implemented what I already had on my PC ("PIA" VPN). The status is good, so it works but now I figured I must adjust VPN on my PC to connect to VPN on my NAS. Sounds complicated. BTW, would you happen to know why my SSL certificate says unsecured when I use IP in my browser but says it is secured when I used a domain name?
So the cert is only valid for specific domain names. For the cert to work, it must verify that you and only you own the domain. That way no one can fake the domain with DNS poisoning. TL;DR: you cannot get a cert for an IP address.
Not really if you are already going to have external access. If you do not have external access then you can just enable it to get the cert the first time, then leave it disabled. After the first check you do not need port forwarding
@SpaceRexWill said "After the first check you do not need port forwarding" and that is not correct if you want the automatic every-3-months renewal of the certificate to work. The Synology knowledge base says as much: "To obtain or renew the certificate of your customized domain, make sure port 80 has been forwarded to your NAS. This limitation does not apply to Synology DDNS." If you opt for the DDNS method, then you need to leave port 53 always open (which may be even worse if Will is to be believed from his Avoid Ransomware video). Web searches for "Synology certificate renew port 80" indicate that others have found a workaround of this open-port issue by instead using CloudFlare certificates and custom ACME server scripts setup through SSH to a server admin account, but that all sounded very complicated and was subject to being undone every time DSM was updated. To me it seems that there is just no good solution yet for this from Synology. I did see one suggestion that said "you might consider a port triggering rule on your router so port 80 is only opened when the certificate needs to be obtained or renewed" which I have yet to investigate.