one melo a day


Get HTTPS on DiskStation with Let's Encrypt

January 28, 2016

From the moment I got my DiskStation and made it available online, I wanted to try HTTPS. Organizations that issue certificates for HTTPS free of charge have been around for a while (StartSSL, for example), but they require you to own a domain, and I use DDNS. Thanks to Let’s Encrypt I can finally get a certificate to secure the communication to melo.myds.me with HTTPS!

Why care about HTTPS?

You might have noticed that more and more service providers like Google and Facebook made the move to serve their content through HTTPS by default and that the adoption of HTTPS has been pushed by organizations like the EFF. Instead of deciding whether a communication requires protection or not, you simply protect all communication, thus being on the safe side and increasing the level of privacy between all of your services and your consumers. Even the US government stated:

Today, there is no such thing as non-sensitive web traffic

In this post I will talk about what you need to do to access your DiskStation over the internet through HTTPS. We are talking about your private device here, serving your private content over the internet. Because of this, encrypting the communication between you and your DiskStation, from wherever you might access it (like a hotel’s public Wi-Fi), should be a no-brainer. If you want to follow along, please make sure your DiskStation is already accessible over the internet through HTTP. In case you need help with that, have a look at how to configure DDNS and how to set up port forwarding rules.

What about a self-signed certificate?

As you might know, you can issue a self-signed certificate directly in DSM. So you might ask yourself: why would I need a real certificate signed by a trusted certificate authority? Well, your self-signed certificate will not be trusted by common web browsers, because you are not recognized as a trustworthy certificate authority, and thus whenever someone accesses services on your NAS with a web browser they will be presented with a warning. If your NAS is only about your private content and only you (and maybe your family) access it over the internet, you might be fine with this, or you might be willing to add your certificate to the trust store of every device that you and your family use to access your NAS.

Let’s Encrypt to the rescue

Let’s Encrypt is a new, free, automated and open certificate authority and their declared goal is

to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention.

Thanks to their efforts and the ACME protocol it is not as hard as it used to be to get a genuine certificate, even for your very own DiskStation using a DDNS domain, and certificates signed by Let’s Encrypt are trusted by all major browsers, too. There are several clients available already; however, as far as I know none of them runs directly on a DiskStation. So for now I decided to use the official Let’s Encrypt client in manual mode on my Linux desktop and import the generated certificate to the DiskStation. It is still quite easy to do. Just keep reading to find out how.

Let’s Encrypt client’s manual mode

Let’s Encrypt managed to establish a wonderful community that is very active and ready to help. In fact, I found the solution for getting a certificate for my Synology DiskStation, despite not being able to run the Let’s Encrypt client directly on the NAS, in their community forum. Have a look at dip987’s step-by-step guide over there. Since Let’s Encrypt is in open beta now you don’t even need to sign up and can skip steps 1 and 2 in dip987’s guide. In essence, you take these steps:

  1. Get the client on a Linux OS by doing: git clone https://github.com/letsencrypt/letsencrypt
  2. Use the client in manual mode like this: ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual and type in your domain name when asked
  3. You will be asked to create a file with a specific name and content and to make it available at a specific URL on your domain, e.g.: http://melo.myds.me/.well-known/acme-challenge/<filename>. So log in to DSM, start FileStation, open the web folder and create the .well-known/acme-challenge folders. For the file itself I recommend using DSM’s Text Editor; double-check that you use UTF-8 when saving the file
  4. Grab privkey.pem, cert.pem and chain.pem following the symlinks in /etc/letsencrypt/live
  5. Import the pem files to your DiskStation at Control Panel > Security > Certificate. Private key uses privkey.pem, Certificate uses cert.pem and Intermediate certificate needs chain.pem
  6. Make sure to include the /etc/letsencrypt folder in your scheduled backup
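An added pre-flight check for step 3, not part of the original post or the Let’s Encrypt client: before telling the client to continue, fetch the challenge file the way the CA’s validator will (plain HTTP on your domain) and compare it byte for byte with the content the client asked for, flagging the usual editor mistakes (UTF-8 byte order mark, CRLF, trailing newline). The domain, token and expected value below are constructed placeholders.

```python
"""Verify that an ACME HTTP-01 challenge file is served exactly as requested."""
import urllib.request
from typing import List

BOM = b"\xef\xbb\xbf"  # prefix some editors add when saving "UTF-8 with BOM"


def diagnose_challenge_body(body: bytes, expected: str) -> List[str]:
    """Return the problems found in the served bytes; an empty list means exact match."""
    wanted = expected.encode("ascii")  # token and key authorization are plain ASCII
    problems: List[str] = []
    if body == wanted:
        return problems
    if body.startswith(BOM):
        problems.append("file starts with a UTF-8 byte order mark (save as UTF-8 without BOM)")
        body = body[len(BOM):]
    if b"\r\n" in body:
        problems.append("file uses CRLF line endings")
        body = body.replace(b"\r\n", b"\n")
    if body != body.strip():
        problems.append("file has leading or trailing whitespace or newline")
        body = body.strip()
    if body != wanted:
        problems.append("content differs from the value the client requested")
    return problems


def fetch_challenge(domain: str, token: str, timeout: float = 10.0) -> bytes:
    """Fetch the challenge file over plain HTTP, as the CA's validator does."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_challenge(domain: str, token: str, expected: str) -> bool:
    """True when the served file matches exactly; prints each problem otherwise."""
    problems = diagnose_challenge_body(fetch_challenge(domain, token), expected)
    for problem in problems:
        print("PROBLEM:", problem)
    return not problems


if __name__ == "__main__":
    # Constructed sample: a file saved with a BOM and a trailing CRLF. The real
    # token and content are shown by the letsencrypt client in manual mode.
    sample = BOM + b"EXAMPLE_TOKEN.EXAMPLE_THUMBPRINT\r\n"
    for problem in diagnose_challenge_body(sample, "EXAMPLE_TOKEN.EXAMPLE_THUMBPRINT"):
        print("PROBLEM:", problem)
    # check_challenge("melo.myds.me", "EXAMPLE_TOKEN", "EXAMPLE_TOKEN.EXAMPLE_THUMBPRINT")
```

Run it with your real domain, token and expected content once the file is in the web folder; only when it reports no problems should you let the client continue with validation.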

Congratulations! You can now visit your DiskStation services like DSM and access whatever you might have inside the web folder using HTTPS.

Outlook

We saw how to secure access to our DiskStation with a valid certificate. For certificate renewal you can use exactly the same steps as for the initial certificate creation. For now this is a manual process, but don’t worry: Synology will be supporting Let’s Encrypt and the ACME protocol in the near future and is actually already doing so in the current DSM 6 beta. This is great news, since we will soon be able to create and renew trusted certificates for secure access to our NAS right inside DSM with the click of a button! In case you also use Tomcat: stick around for my next post, where I will show the steps required to use HTTPS for your Tomcat apps on your DiskStation.