This is my first attempt at a tutorial here, so please go easy on me. I've spent some time yesterday understanding the process and various issues and common errors we can easily make.
This guide is based on 6.2.2-24922 U6. It may work with other versions of DSM, but I've tested it and managed to get it working on this one.
First, a few pre-requisites:
You need a domain name for which you have administrative access and control. I already had one I could use. I think getting it to work on free dynamic DNS domain names is very difficult due to Let's Encrypt (LE) limiting the number of SSL certs for a given domain name. So any "popular" domain will have already exceeded the number. I initially tried, but couldn't get it working and as I had my own domain name I could use, I concentrated on getting it working with that. Note that if you have full control of a primary domain name, say, my-example.com, you can easily create a subdomain (i.e. myxpenology.my-example.com) with a totally different IP address (your public home IP address) even if the main domain is used for another server / service already on the internet. This is the case for me where I used a domain which is active and points to a server in a datacenter and then created a subdomain and had the DNS point to my home IP where I have my Xpenology server.
Your ISP must allow incoming traffic on ports 80 and 443. If they block this, then you will not be able to create a LE certificate.
You must be able to port forward traffic from your internet router to your server. I haven't used the wizard in DSM as my router is not supported, so I just set up port forwarding manually via my router's web interface.
It helps if you have a static / non-changing public Internet IP address. I think most ISPs now don't change your IP that often. If it does change, you'll have to keep track and update your DNS entry. As mentioned previously, due to LE's policy on the number of certificates issues to a primary domain, your chances of using a free dynamic DNS system are pretty small.
You need to install the Web Station package. No other packages are required (Apache, PHP, etc). You don't need to create a personal web page.
Domain Name configuration
Here, let's assume your public IP is 18.104.22.168, and you want to use domain my-example.com
I use Linode for my public hosting and have all my domains managed by Linode so I log into my control panel and do it from there. The appearance of this will change depending on your DNS admin console.
If you haven't already done so, create your domain entry, here, my-example.com.
Now, you need to create a new A/AAAA record with your domain name directing to your home IP address. If you want to use myxpenology.my-example.com, go to your ex-ample.com entry. Add an A/AAAA record with the name "myxpenology" and your IP address. This will effectively create a DNS entry for myxpenology.example.com and point that to your IP.
If you have an option for TTL, make it small, like 5 minutes. So if your IP does change, you can edit it and updates should be reflected within 5 minutes as opposed to the default value which could be hours or even days.
I clicked on Save to then see the entry appear as a subdomain:
You will then have to wait some time before this comes live. DNS update frequency varies I guess. Linode update every 15 minutes, but it can take longer for that to propogate to your ISP's DNS servers or Google's if you use theirs.
You can check if this works by pinging your new domain name. It will either say unknown host:
Ping request could not find host myxpenology.my-example.com. Please check the name and try again.
(so it's not rippled through) or come back with your public IP. Don't worry if your public IP times out. Your home router / firewall might configured not to reply to ICMP ping requests.
This is what you want to see:
Pinging myxpenology.my-example.com [22.214.171.124] with 32 bytes of data:
Request timed out.
Now that your domain is set up and pointing to your home IP address, you can set up port forwarding
Again, this will depend on your router's admin page.
You need to forward port 80 to port 80 on your internal IP address where your server is. You need to repeat this for port 443.
This is what it looks like on my router, my server uses the private IP of 192.168.0.38:
Note that we're forwarding to ports 80 and 443, not to ports 5000 and 5001 where the DSM web interface runs. This is normal and necessary for LE to generate the certificate.
Save the changes. We will soon be able to test whether it works or if your ISP blocks incoming traffic on ports 80 and/or 443.
Install Web Station
In DSM, if not already installed, install the Web Station package. This is the only package you need to install, you don't need to add an Apache webserver or PHP.
Once installed, open it and check the settings are OK. You just need to ensure the Default server status is normal and nginx is up and running. You do not need to set up a personal website.
Check this is working properly by opening up a web browser and going to your internal IP address (here, 192.168.0.38) and ensure you get the Web Station page:
And also check that the secure version is up and running by going to https://<your server ip> (here 192.168.0.38).
If you get a warning certificate, you should be good. The warning is because the current certificate (the one provided by Synology) doesn't match your IP address:
Now we can see if your ISP has these ports open from the public Internet.
Check your ISP allows incoming traffic on ports 80 and 443
There are a couple of ways you can do this.
If you have another Internet connection you can use (for example mobile 3G / 4G from your mobile phone), then you can use that and try opening your browser and going to your public IP address (126.96.36.199). If you get the same pages as before with both http and https, you're good.
If you don't have another Internet connection available, you can use any online port checker. I just tried https://www.yougetsignal.com/tools/open-ports/ which works. Ensure you have your public IP in the remote address box and test port 80 and then re-test with port 443. Both must come back as open.
If this is all good, then you're now ready to create the certificate using the wizard in DSM. If the tests above come back with no reply or closed, then the chances are your ISP is blocking incoming traffic on those 80 and 443 ports and there's nothing more you can do. You can try calling their support line, but I doubt they'd be able to help.
Create the certificate in DSM
In DSM, go to Control Panel -> Security -> Certificate tab
Click on Add a new certificate and click Next.
Add a description if you wish (I just use the domain name) and tick the "Get a certificate from Let's Encrypt" radio button. Also tick the Set as default certificate option. Click Next.
Now enter the domain name you're using (myxpenology.my-example.com), enter a valid email address. Leave the SAN field empty. Finally, click Apply.
Hopefully, all goes well and you'll get a new certificate created and installed and used as the default certificate. I can't show a screenshot of that as I don't own and so cannot create the myxpenology.my-example.com certificate (and my photoshop skills aren't that good :p). But you'll end up with two entries: one for the certificate you've just created and made default and the already-existing synology one that was used beforehand.
Accessing DSM over HTTPS on your home network
Now that you've set up the certificate, you can access DSM securely with no error messages, but there's an extra step for that to work.
If you were to go to https://192.168.0.38:5001 for example, you'd still get the warning about an invalid certificate because despite it no longer being self-signed, it's not valid as it doesn't have your private IP address in it. Unfortunately, you cannot specify that IP address in the SAN field earlier either as you cannot obtain an LE certificate containing an IP address.
The workaround is to modify your local hosts file to include your public domain name and have it direct to your internal IP address.
In Windows, you need to open notepad as an administrator (search for notepad in start menu, right click, run as administrator).
The hosts file is located in C:\Windows\System32\drivers\etc
Edit it to add the following line at the bottom, editing for your domain name and internal IP address:
Save the file.
You should now be able to access the DSM webpage over HTTPS from your computer without a certificate warning message: https://myxpenology.my-example.com:5001
Accessing DSM over HTTPS over the Internet
Currently, we've set up port forwarding for the web pages to allow Let's Encrypt to create the certificate. If you want to access the DSM Web GUI, we need to add port forwarding for 5001. I would suggest only forwarding 5001 (the HTTPS version) and NOT forwarding port 5000 as that's insecure and you don't want to be doing that!
So again, back in your router, add a third port forwarding entry for 5001 to 5001. Here, I've named it HTTPS-DSM-GUI to clarify
You should now be able to access the DSM webpage over the internet. Again, this can only truly be tested from an independent Internet connection (3G/4G from mobile phone). You can ask a friend if they can access your DSM login by going to https://myxpenology.my-example.com:5001
I hope that helps. If you have any questions, maybe this can become the Let's Encrypt questions thread. I'll try to help if I can