Search the Community

Showing results for tags 'certificate'.
Found 3 results

  1. This is my first attempt at a tutorial here, so please go easy on me. I've spent some time yesterday understanding the process and various issues and common errors we can easily make. This guide is based on 6.2.2-24922 U6. It may work with other versions of DSM, but I've tested it and managed to get it working on this one.

     First, a few prerequisites:

     You need a domain name for which you have administrative access and control. I already had one I could use. I think getting it to work on free dynamic DNS domain names is very difficult due to Let's Encrypt (LE) limiting the number of SSL certs for a given domain name. So any "popular" domain will have already exceeded the number. I initially tried, but couldn't get it working and as I had my own domain name I could use, I concentrated on getting it working with that. Note that if you have full control of a primary domain name, say, my-example.com, you can easily create a subdomain (i.e. myxpenology.my-example.com) with a totally different IP address (your public home IP address) even if the main domain is used for another server / service already on the internet. This is the case for me where I used a domain which is active and points to a server in a datacenter and then created a subdomain and had the DNS point to my home IP where I have my Xpenology server.

     Your ISP must allow incoming traffic on ports 80 and 443. If they block this, then you will not be able to create a LE certificate.

     You must be able to port forward traffic from your internet router to your server. I haven't used the wizard in DSM as my router is not supported, so I just set up port forwarding manually via my router's web interface.

     It helps if you have a static / non-changing public Internet IP address. I think most ISPs now don't change your IP that often. If it does change, you'll have to keep track and update your DNS entry. As mentioned previously, due to LE's policy on the number of certificates issued to a primary domain, your chances of using a free dynamic DNS system are pretty small.

     You need to install the Web Station package. No other packages are required (Apache, PHP, etc.). You don't need to create a personal web page.

     Domain Name configuration

     Here, let's assume your public IP is 81.10.11.12, and you want to use domain my-example.com. I use Linode for my public hosting and have all my domains managed by Linode, so I log into my control panel and do it from there. The appearance of this will change depending on your DNS admin console. If you haven't already done so, create your domain entry, here, my-example.com. Now, you need to create a new A/AAAA record with your domain name directing to your home IP address. If you want to use myxpenology.my-example.com, go to your my-example.com entry. Add an A/AAAA record with the name "myxpenology" and your IP address. This will effectively create a DNS entry for myxpenology.my-example.com and point that to your IP. If you have an option for TTL, make it small, like 5 minutes. So if your IP does change, you can edit it and updates should be reflected within 5 minutes as opposed to the default value which could be hours or even days. I clicked on Save to then see the entry appear as a subdomain.

     You will then have to wait some time before this comes live. DNS update frequency varies I guess. Linode updates every 15 minutes, but it can take longer for that to propagate to your ISP's DNS servers or Google's if you use theirs. You can check if this works by pinging your new domain name. It will either say unknown host:

        C:\>ping myxpenology.my-example.com
        Ping request could not find host myxpenology.my-example.com. Please check the name and try again.

     (so it's not rippled through) or come back with your public IP. Don't worry if your public IP times out. Your home router / firewall might be configured not to reply to ICMP ping requests. This is what you want to see:

        C:\>ping myxpenology.my-example.com
        Pinging myxpenology.my-example.com [80.10.11.12] with 32 bytes of data:
        Request timed out.

     Now that your domain is set up and pointing to your home IP address, you can set up port forwarding.

     Port Forwarding

     Again, this will depend on your router's admin page. You need to forward port 80 to port 80 on your internal IP address where your server is. You need to repeat this for port 443. This is what it looks like on my router; my server uses the private IP of 192.168.0.38. Note that we're forwarding to ports 80 and 443, not to ports 5000 and 5001 where the DSM web interface runs. This is normal and necessary for LE to generate the certificate. Save the changes. We will soon be able to test whether it works or if your ISP blocks incoming traffic on ports 80 and/or 443.

     Install Web Station

     In DSM, if not already installed, install the Web Station package. This is the only package you need to install; you don't need to add an Apache webserver or PHP. Once installed, open it and check the settings are OK. You just need to ensure the Default server status is normal and nginx is up and running. You do not need to set up a personal website. Check this is working properly by opening up a web browser and going to your internal IP address (here, 192.168.0.38) and ensure you get the Web Station page. And also check that the secure version is up and running by going to https://<your server ip> (here 192.168.0.38). If you get a certificate warning, you should be good. The warning is because the current certificate (the one provided by Synology) doesn't match your IP address. Now we can see if your ISP has these ports open from the public Internet.

     Check your ISP allows incoming traffic on ports 80 and 443

     There are a couple of ways you can do this. If you have another Internet connection you can use (for example mobile 3G / 4G from your mobile phone), then you can use that and try opening your browser and going to your public IP address (80.10.11.12). If you get the same pages as before with both http and https, you're good. If you don't have another Internet connection available, you can use any online port checker. I just tried https://www.yougetsignal.com/tools/open-ports/ which works. Ensure you have your public IP in the remote address box and test port 80 and then re-test with port 443. Both must come back as open. If this is all good, then you're now ready to create the certificate using the wizard in DSM. If the tests above come back with no reply or closed, then the chances are your ISP is blocking incoming traffic on ports 80 and 443 and there's nothing more you can do. You can try calling their support line, but I doubt they'd be able to help.

     Create the certificate in DSM

     Finally! In DSM, go to Control Panel -> Security -> Certificate tab. Click on Add a new certificate and click Next. Add a description if you wish (I just use the domain name) and tick the "Get a certificate from Let's Encrypt" radio button. Also tick the Set as default certificate option. Click Next. Now enter the domain name you're using (myxpenology.my-example.com) and enter a valid email address. Leave the SAN field empty. Finally, click Apply. Hopefully, all goes well and you'll get a new certificate created and installed and used as the default certificate. I can't show a screenshot of that as I don't own and so cannot create the myxpenology.my-example.com certificate (and my photoshop skills aren't that good :p). But you'll end up with two entries: one for the certificate you've just created and made default and the already-existing Synology one that was used beforehand.

     Accessing DSM over HTTPS on your home network

     Now that you've set up the certificate, you can access DSM securely with no error messages, but there's an extra step for that to work. If you were to go to https://192.168.0.38:5001 for example, you'd still get the warning about an invalid certificate because despite it no longer being self-signed, it's not valid as it doesn't have your private IP address in it. Unfortunately, you cannot specify that IP address in the SAN field earlier either, as you cannot obtain an LE certificate containing an IP address. The workaround is to modify your local hosts file to include your public domain name and have it direct to your internal IP address. In Windows, you need to open notepad as an administrator (search for notepad in the start menu, right click, run as administrator). The hosts file is located in C:\Windows\System32\drivers\etc. Edit it to add the following line at the bottom, editing for your domain name and internal IP address:

        192.168.0.38 myxpenology.my-example.com

     Save the file. You should now be able to access the DSM webpage over HTTPS from your computer without a certificate warning message: https://myxpenology.my-example.com:5001

     Accessing DSM over HTTPS over the Internet

     Currently, we've set up port forwarding for the web pages to allow Let's Encrypt to create the certificate. If you want to access the DSM Web GUI, we need to add port forwarding for 5001. I would suggest only forwarding 5001 (the HTTPS version) and NOT forwarding port 5000 as that's insecure and you don't want to be doing that! So again, back in your router, add a third port forwarding entry for 5001 to 5001. Here, I've named it HTTPS-DSM-GUI to clarify. You should now be able to access the DSM webpage over the internet. Again, this can only truly be tested from an independent Internet connection (3G/4G from mobile phone). You can ask a friend if they can access your DSM login by going to https://myxpenology.my-example.com:5001

     I hope that helps. If you have any questions, maybe this can become the Let's Encrypt questions thread. I'll try to help if I can.
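The guide's last two sections rest on one rule: a certificate is accepted only when the name typed into the browser matches a dNSName entry in it, so an IP address such as 192.168.0.38 can never match and the hosts-file entry is what makes the name resolve locally. The following added example (my own code, not from the guide or from DSM) implements that matching check plus the 90-day/30-day renewal window Let's Encrypt recommends, using constructed values for the guide's example domain:

```python
import ipaddress
from datetime import datetime, timedelta, timezone

def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname: case-insensitive, and
    '*' is honoured only as the whole left-most label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    # A wildcard stands for exactly one label and needs >= 2 fixed labels after it.
    return p[0] == "*" and len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]

def host_covered_by_cert(host: str, san_dns_names: list[str]) -> bool:
    """True if a browser would accept a cert with these SAN entries for `host`.
    A literal IP can never satisfy a dNSName entry, and the guide notes LE will
    not issue a cert with an IP in it, so https://192.168.0.38:5001 keeps
    warning until the DNS name (via the hosts-file entry) is used instead."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return any(_dns_name_matches(p, host) for p in san_dns_names)

def renewal_state(not_after: datetime, now: datetime, renew_within_days: int = 30) -> str:
    """LE certs live 90 days; LE recommends renewing once fewer than 30 remain."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < timedelta(days=renew_within_days):
        return "renew"
    return "ok"

def check_dsm_cert(host: str, san_dns_names: list[str],
                   not_after: datetime, now: datetime) -> list[str]:
    """Return the problems a user would hit when connecting to DSM at `host`."""
    problems = []
    if not host_covered_by_cert(host, san_dns_names):
        problems.append(f"certificate does not cover {host}; connect by DNS name instead")
    state = renewal_state(not_after, now)
    if state != "ok":
        problems.append(f"certificate {state} (notAfter {not_after:%Y-%m-%d})")
    return problems

if __name__ == "__main__":
    # Constructed values matching the guide's example setup (not real data).
    san = ["myxpenology.my-example.com"]
    issued = datetime(2020, 1, 1, tzinfo=timezone.utc)
    for h in ("myxpenology.my-example.com", "192.168.0.38"):
        print(h, check_dsm_cert(h, san, issued + timedelta(days=90), issued))
```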
  2. Hello everyone, so, I have a small problem with the NAT configuration on my Livebox. I did an install that worked fine and I wanted to improve it by giving my Syno a real domain name. I bought the name from OVH, set up my redirects, everything works, I no longer need to enter the port number to access my Syno remotely. Except that now my Let's Encrypt certificate is about to expire and I cannot get it to renew... I think the problem comes from my Livebox configuration; here is how it is configured:

     Livebox NAT/PAT configuration

        Application/service   Internal port   External port   Protocol   Device
        SYNO-HTTP             5000            80              TCP        SYNO
        SYNO-HTTPS            5001            443             TCP        SYNO

     My Synology's firewall is also enabled and is open for the ports tied to the "Web Mail, HTTPS, Reverse Proxy" applications (ports 80 and 443), which are configured to communicate only with French and US IP addresses (1st rule) and only on my box's public IP address (2nd rule). I wonder whether that might be what is blocking the renewal of my certificate?! In fact, my longer-term goal is to be able to use the reverse proxy and use all my applications without having to add the port to the end of the address, but for now the short-term issue remains renewing my security certificate. I don't know if I've been very clear or even if I'm in the right place; in any case, thank you all in advance for any help you can give me. Have a good day/evening, everyone. Vlaneo
  3. Hello all, as my Let's Encrypt certificates were no longer being extended, I tried it manually using:

        /usr/syno/sbin/syno-letsencrypt renew-all -v

     But this didn't work, so I checked the debug messages:

        DEBUG: start to renew [/usr/syno/etc/certificate/XXXXXX.
        DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
        DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
        DEBUG: strat to do new-authz for www.XXX.tld
        DEBUG: ==> start new authz.
        DEBUG: new authz: do new-authz.
        DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
        DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
        DEBUG: Not synology DDNS.
        DEBUG: DNS challenge failed, reason: {"error":108,"file":"challenge.cpp","msg":"Not synology DDNS."}
        DEBUG: Normal challenge failed, reason: {"error":200,"file":"client.cpp","msg":"new_authz: unexpect httpcode."}

     Does this mean only original Synologys (with Quick Connect enabled) can extend the certificates? Thanks!
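The debug output above carries two separate facts worth pulling out mechanically: which ACME directory the client is talking to (the acme-v01 endpoint, which Let's Encrypt has since retired in favour of ACMEv2) and, per challenge type, the JSON reason for the failure. The following added example (my own code, not Synology's and not from the post) parses a constructed log modelled on those lines and turns them into findings an admin can act on:

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the debug lines quoted in the post above.
SAMPLE_LOG = """\
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: strat to do new-authz for www.XXX.tld
DEBUG: Not synology DDNS.
DEBUG: DNS challenge failed, reason: {"error":108,"file":"challenge.cpp","msg":"Not synology DDNS."}
DEBUG: Normal challenge failed, reason: {"error":200,"file":"client.cpp","msg":"new_authz: unexpect httpcode."}
"""

ACME_URL_RE = re.compile(r"setup acme url (\S+)")
FAILURE_RE = re.compile(r"(\w+) challenge failed, reason: (\{.*\})")

def parse_renew_log(text: str) -> dict:
    """Extract the ACME directory URL, its protocol version and each failed challenge."""
    out = {"acme_url": None, "acme_version": None, "failures": []}
    for line in text.splitlines():
        m = ACME_URL_RE.search(line)
        if m:
            out["acme_url"] = m.group(1)
            v = re.match(r"acme-v(\d+)\.", urlparse(m.group(1)).hostname or "")
            out["acme_version"] = int(v.group(1)) if v else None
            continue
        m = FAILURE_RE.search(line)
        if m:
            try:
                reason = json.loads(m.group(2))
            except json.JSONDecodeError:          # tolerate a truncated reason blob
                reason = {"msg": m.group(2)}
            out["failures"].append({"challenge": m.group(1).lower(),
                                    "error": reason.get("error"), "msg": reason.get("msg")})
    return out

def diagnose(parsed: dict) -> list[str]:
    """Turn the parsed log into findings; wording is mine, facts are from the log."""
    findings = []
    if parsed["acme_version"] == 1:
        findings.append("client uses the retired ACMEv1 endpoint; renewal needs an ACMEv2 client")
    for f in parsed["failures"]:
        if f["challenge"] == "dns" and f["error"] == 108:
            findings.append("dns challenge skipped: not a Synology DDNS name, so the "
                            "custom domain must answer the http challenge on port 80")
        elif f["challenge"] == "normal":
            findings.append(f"http challenge rejected by the CA: {f['msg']}")
    return findings
```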