tfboy

This is my first attempt at a tutorial here, so please go easy on me. I've spent some time yesterday understanding the process and various issues and common errors we can easily make. This guide is based on 6.2.2-24922 U6. It may work with other versions of DSM, but I've tested it and managed to get it working on this one. First, a few pre-requisites: You need a domain name for which you have administrative access and control. I already had one I could use. I think getting it to work on free dynamic DNS domain names is very difficult due to Let's Encrypt (LE) limiting the number of SSL certs for a given domain name. So any "popular" domain will have already exceeded the number. I initially tried, but couldn't get it working and as I had my own domain name I could use, I concentrated on getting it working with that. Note that if you have full control of a primary domain name, say, my-example.com, you can easily create a subdomain (i.e. myxpenology.my-example.com) with a totally different IP address (your public home IP address) even if the main domain is used for another server / service already on the internet. This is the case for me where I used a domain which is active and points to a server in a datacenter and then created a subdomain and had the DNS point to my home IP where I have my Xpenology server. Your ISP must allow incoming traffic on ports 80 and 443. If they block this, then you will not be able to create a LE certificate. You must be able to port forward traffic from your internet router to your server. I haven't used the wizard in DSM as my router is not supported, so I just set up port forwarding manually via my router's web interface. It helps if you have a static / non-changing public Internet IP address. I think most ISPs now don't change your IP that often. If it does change, you'll have to keep track and update your DNS entry. As mentioned previously, due to LE's policy on the number of certificates issues to a primary domain, your chances of using a free dynamic DNS system are pretty small. You need to install the Web Station package. No other packages are required (Apache, PHP, etc). You don't need to create a personal web page. Domain Name configuration Here, let's assume your public IP is 81.10.11.12, and you want to use domain my-example.com I use Linode for my public hosting and have all my domains managed by Linode so I log into my control panel and do it from there. The appearance of this will change depending on your DNS admin console. If you haven't already done so, create your domain entry, here, my-example.com. Now, you need to create a new A/AAAA record with your domain name directing to your home IP address. If you want to use myxpenology.my-example.com, go to your ex-ample.com entry. Add an A/AAAA record with the name "myxpenology" and your IP address. This will effectively create a DNS entry for myxpenology.example.com and point that to your IP. If you have an option for TTL, make it small, like 5 minutes. So if your IP does change, you can edit it and updates should be reflected within 5 minutes as opposed to the default value which could be hours or even days. I clicked on Save to then see the entry appear as a subdomain: You will then have to wait some time before this comes live. DNS update frequency varies I guess. Linode update every 15 minutes, but it can take longer for that to propogate to your ISP's DNS servers or Google's if you use theirs. You can check if this works by pinging your new domain name. It will either say unknown host: C:\>ping myxpenology.my-example.com Ping request could not find host myxpenology.my-example.com. Please check the name and try again. (so it's not rippled through) or come back with your public IP. Don't worry if your public IP times out. Your home router / firewall might configured not to reply to ICMP ping requests. This is what you want to see: C:\>ping myxpenology.my-example.com Pinging myxpenology.my-example.com [80.10.11.12] with 32 bytes of data: Request timed out. Now that your domain is set up and pointing to your home IP address, you can set up port forwarding Port Forwarding Again, this will depend on your router's admin page. You need to forward port 80 to port 80 on your internal IP address where your server is. You need to repeat this for port 443. This is what it looks like on my router, my server uses the private IP of 192.168.0.38: Note that we're forwarding to ports 80 and 443, not to ports 5000 and 5001 where the DSM web interface runs. This is normal and necessary for LE to generate the certificate. Save the changes. We will soon be able to test whether it works or if your ISP blocks incoming traffic on ports 80 and/or 443. Install Web Station In DSM, if not already installed, install the Web Station package. This is the only package you need to install, you don't need to add an Apache webserver or PHP. Once installed, open it and check the settings are OK. You just need to ensure the Default server status is normal and nginx is up and running. You do not need to set up a personal website. Check this is working properly by opening up a web browser and going to your internal IP address (here, 192.168.0.38) and ensure you get the Web Station page: And also check that the secure version is up and running by going to https://<your server ip> (here 192.168.0.38). If you get a warning certificate, you should be good. The warning is because the current certificate (the one provided by Synology) doesn't match your IP address: Now we can see if your ISP has these ports open from the public Internet. Check your ISP allows incoming traffic on ports 80 and 443 There are a couple of ways you can do this. If you have another Internet connection you can use (for example mobile 3G / 4G from your mobile phone), then you can use that and try opening your browser and going to your public IP address (80.10.11.12). If you get the same pages as before with both http and https, you're good. If you don't have another Internet connection available, you can use any online port checker. I just tried https://www.yougetsignal.com/tools/open-ports/ which works. Ensure you have your public IP in the remote address box and test port 80 and then re-test with port 443. Both must come back as open. If this is all good, then you're now ready to create the certificate using the wizard in DSM. If the tests above come back with no reply or closed, then the chances are your ISP is blocking incoming traffic on those 80 and 443 ports and there's nothing more you can do. You can try calling their support line, but I doubt they'd be able to help. Create the certificate in DSM Finally! In DSM, go to Control Panel -> Security -> Certificate tab Click on Add a new certificate and click Next. Add a description if you wish (I just use the domain name) and tick the "Get a certificate from Let's Encrypt" radio button. Also tick the Set as default certificate option. Click Next. Now enter the domain name you're using (myxpenology.my-example.com), enter a valid email address. Leave the SAN field empty. Finally, click Apply. Hopefully, all goes well and you'll get a new certificate created and installed and used as the default certificate. I can't show a screenshot of that as I don't own and so cannot create the myxpenology.my-example.com certificate (and my photoshop skills aren't that good :p). But you'll end up with two entries: one for the certificate you've just created and made default and the already-existing synology one that was used beforehand. Accessing DSM over HTTPS on your home network Now that you've set up the certificate, you can access DSM securely with no error messages, but there's an extra step for that to work. If you were to go to https://192.168.0.38:5001 for example, you'd still get the warning about an invalid certificate because despite it no longer being self-signed, it's not valid as it doesn't have your private IP address in it. Unfortunately, you cannot specify that IP address in the SAN field earlier either as you cannot obtain an LE certificate containing an IP address. The workaround is to modify your local hosts file to include your public domain name and have it direct to your internal IP address. In Windows, you need to open notepad as an administrator (search for notepad in start menu, right click, run as administrator). The hosts file is located in C:\Windows\System32\drivers\etc Edit it to add the following line at the bottom, editing for your domain name and internal IP address: 192.168.0.38 myxpenology.my-example.com Save the file. You should now be able to access the DSM webpage over HTTPS from your computer without a certificate warning message: https://myxpenology.my-example.com:5001 Accessing DSM over HTTPS over the Internet Currently, we've set up port forwarding for the web pages to allow Let's Encrypt to create the certificate. If you want to access the DSM Web GUI, we need to add port forwarding for 5001. I would suggest only forwarding 5001 (the HTTPS version) and NOT forwarding port 5000 as that's insecure and you don't want to be doing that! So again, back in your router, add a third port forwarding entry for 5001 to 5001. Here, I've named it HTTPS-DSM-GUI to clarify You should now be able to access the DSM webpage over the internet. Again, this can only truly be tested from an independent Internet connection (3G/4G from mobile phone). You can ask a friend if they can access your DSM login by going to https://myxpenology.my-example.com:5001 I hope that helps. If you have any questions, maybe this can become the Let's Encrypt questions thread. I'll try to help if I can

@Red100, you have a couple of options depending on how you want to do it. Work on the .img bootloader file before you write to USB. If you want to modiy your original image file use OSFmount. With that app, you can load the .img bootloader file. Mount it, untick the "read only" check box, selecting the first 15MB partition. The app will mount that as a drive letter. You'll then be able to access the files in that partition from Windows Explorer. Edit the file directly on your USB key. For that, you can use the free version of Partition Wizard. That will allow you to mount your USB key, assign a drive letter so you can then modify files directly from your USB key. In both cases, you need to check the file Grub\grub.conf. In there, there's the PID and VID you need to update to match what your USB stick is. Remember to keep the 0x bit in front. Once you've edited the file, save it. Then you can unmount in OSFmount and write the image to a new USB key or exit Partition Wizard. If you're unsure what your PID and VID is, you can use USB Device View app. This also means that if you're testing with many different USB keys, you need to ensure your grub.conf has the right values for each key.

Found the issue for me. I hadn't thought that the website you need for the authorisation and verification to work (writes a file to your webspace/.well-known/acme-challenge/) is from the normal web service (nginx or apache2) running via Web Station which of course responds on ports 80 and 443. My initial redirecting and port forwarding from my public WAN to private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.

I'm having issues with getting a LE cert for my domain. It's similar to the ones above, but I get a different error message. I've checked and am using ACME v2 so it's not that. Having been unsuccessful using the DSM interface, I've tried within SSH to get more detailed information. sudo /usr/syno/sbin/syno-letsencrypt new-cert -d test.xavierwalker.co.uk -m email@xavierwalker.co.uk -s https://acme-staging-v02.api.letsencrypt.org/directory -v The /var/log/messages suggests an invalid response from the ./well-known/acme-challenge url. I've tried that and get the Synology "Sorry the page you're looking is not found" message. I don't know whether that's correct or not, I guess not ? syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://test.xavierwalker.co.uk/.well-known/acme-challenge/2PVDi0NX5lW4PH2q0K2jSKQ_RF_fwUtGIMdj1M9DPkI [82.13.19.134]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""} Port forwarding from 80->5000 and 443->5001 is working OK and I have Web Station installed. Of course, I don't know where the problem lies. It could be a DNS problem (I've updated my DNS entry to point to the correct IP) as I have a different certificate under a different IP for the primary domain. Or a Synology problem. Or a Let's Encrypt issue? Any ideas?

Ooh. A bit more digging and it appears the OS really does have the X553 NICs. I've stripped out some of the non-important data, but the key point is that the onboard X553 NICs are enumerated (eth4 - eth7) but even if they are connected physically to the network, they never come up and never get an IP address from the DHCP server. eth0 is strange, the MAC address starting with 0000b6 is Micro Matic Research - I guess the vendor Synology use so it's a fabricated one by the underlying OS and replaces the MAC burnt into the active NIC (I removed the MAC address from grub.cfg to see what happens). eth1 - eth3 is the HP PCIe NIC. That always seems to work, I'm guessing using the e1000e kernel driver. eth4 - eth7 is what I'd like to get working in DSM. I had the ifconfig contents here in code, but the forum kicked it out as spam contact info! So I've attached as a text file instead. I don't know whether it's worthwhile continuing in this thread as I'm no longer sure exactly what the root cause of the non-working X553 NICs is. Clearly the driver gets loaded, the NICs are listed in the underlying OS, they are then presented in DSM, but just refuse to come up. I'll wait for an updated driver pack thingy for 3615 / 3617 and maybe give that a go. Worst case, I could live with the PCIe NIC card, but I'd like to remove that to free up the slot for other future expansion and use the onboard NICs as they're there anyway. Thanks again for your support and advice ifconfig.txt

Here are the device IDs, etc: I guess this is the extra HP PCIe card: 0000:04:00.0 Class 0200: Device 8086:10bc (rev 06) Subsystem: Device 103c:704b Kernel driver in use: e1000e 0000:04:00.1 Class 0200: Device 8086:10bc (rev 06) Subsystem: Device 103c:704b Kernel driver in use: e1000e 0000:05:00.0 Class 0200: Device 8086:10bc (rev 06) Subsystem: Device 103c:704b Kernel driver in use: e1000e 0000:05:00.1 Class 0200: Device 8086:10bc (rev 06) Subsystem: Device 103c:704b Kernel driver in use: e1000e And these are the onboard Intel X553 NICs I want to use: 0000:09:00.0 Class 0200: Device 8086:15e4 (rev 11) Subsystem: Device 8086:0000 Kernel driver in use: ixgbe 0000:09:00.1 Class 0200: Device 8086:15e4 (rev 11) Subsystem: Device 8086:0000 Kernel driver in use: ixgbe 0000:0a:00.0 Class 0200: Device 8086:15e4 (rev 11) Subsystem: Device 8086:0000 Kernel driver in use: ixgbe 0000:0a:00.1 Class 0200: Device 8086:15e4 (rev 11) Subsystem: Device 8086:0000 Kernel driver in use: ixgbe So the ixgbe are apparently there. However, the NICs on this motherboard are 1GbE, not 10GbE, although I understand the X55x series of NICs are generally 10GbE. I don't know whether this difference is enough to throw it off course and not use them. What is strange though, is that it appears the 918+ 6.2.2 picks them because DSM now lists 8 LAN connections and when looking at the system info, it does pick up the MAC addresses of them, but they never come live - plugging in a cable the light becomes active, I can see it flashing indicating network traffic but in DSM, the link remains down. Whether that's a limitation of the 2x ports in 918 or not, I'm not sure.

Oh there's an 0.11 on 6.2.3? Interestingly, I was caught out this evening playing with 918+ 0.8 package on 6.2.2. At first, I thought it was working on the Intel X553 NICs as I had that Mac address picked up on my router but then realised that it was using the other HP add-in card. I guess it picked up the Mac addresses within the grub file and as it couldn't work with the X553, it applied those Mac addresses on the HP card.

Thanks. I'm not worried (for me) about intel GPU transcoding, I just want the basic version working but preferably with the X553 onboard NICs rather than having to add a PCIe card. I'm starting from scratch, no real preference on whether a 918+, 3615 or 3617 platform. I did see a table somewhere but can't find it now detailing the differences. For DSM, again, no preference, 6.2.2 would be fine for me. Just to make sure I've understood, does that mean with my config above, it should be working with your extra.lzma ? As I've been running under the 3615 platform, I've tried extra.lzma for loader 1.03b_mod ds3615 DSM 6.2.2 v0.5_test but the v0.5 suggests it's older and has less stuff than the v0.8 you do for the 918+. As the v0.5 doesn't seem to include a list of supported drivers (you did put them for the 0.8 for 918+), I'm not sure whether I should go for this and wait for an updated pack (I guess this is what you meant in your last sentence) or revert to the later 918+ pack. I'll play around a bit more. Thanks for your post and support

I posted in another thread But after some more digging, it really appears my boot issues are purely NIC driver. I have put in an HP NC364T and that boots fine and gets an IP address. It's not clear to me exactly which drivers version I require. The motherboard I want to get working is a Supermicro A2SDi-8C-HLN4F which has 4x Intel 1GbE NICs based on the X553. Now the X55x is a 10GbE capable range of cards, so not sure if this is the problem. Linux drivers are here: https://downloadcenter.intel.com/product/88207/Intel-Ethernet-Converged-Network-Adapter-X550-Series @IG-88, do you know if / how these can be integrated into an extra.lzma package ?

Hi @Infray I have the same Supermicro motherboard. Searching, I saw you had similar issues getting the onboard Intel X553 drivers to work. Your latest post here: suggests it does or did with an older version. Can I ask where are you with it today and what versions do you have it running on? I've tried 1.03b with both DS3615 and DS3617 bootloaders with no luck. I haven't tried getting my head around including the extra.lzma which might be required for driver support? Thanks!