知識庫

在 Synology NAS 安裝 SSL 證書

The purpose of this article is to describe the SSL installation process on Synology NAS server and point out the possible issues with it.

Pre-requisites for Synology NAS server users

- First of all, to get a trusted certificate, you need to own a domain name which can be assigned to your Synology DDNS service*, since the SSL certificates offered on our website can only be issued for a FQDN (fully qualified domain name).
* the DDNS service is offered for free for Synology users here.

- Set up your DDNS service before you go to the next step;

- Then, a CNAME DNS forwarder from the domain or subdomain (yourdomain.com) to the DDNS service (such as name.synology.me) should be added.

Here is a quick guide below:

Log in to your cPanel, find the 'Domains' box and click on Advanced DNS Zone Editor.

install_synology_01

Under 'Add a Record' fill in each box with your own information. There should be a domain name in the 'Name' field and the Synology NAS hostname in the 'CNAME' field. Then click on 'Add Record'.

install_synology_02

- Please make sure Port Forwarding has been configured on your router.

SSL installation

Note: The instructions are written for DSM5.0 and higher.Only models from 2009 and earlier cannot update to the latest DSM, so for models manufactured in the past 5 years an update to the latest DSM is recommended.

CSR code generation

Before you install an SSL certificate on your Synology NAS, you need to generate a Certificate Signing Request (CSR code) and activate the certificate.

Importing the SSL Certificate to Synology:

Once the certificate is issued, you will receive an email from the Certificate Authority containing the SSL files. Now you are ready to import the trusted certificate to your Synology server using the steps below.

  1. Go back to Synology, navigate to Control Panel > Security > Certificate and click on 'Import Certificate'

    install_synology_03

  2. Browse and import the following files for each field: (In this guide we are using PositiveSSL certificate as an example, the installation will be the same for other SSL types with different CA Bundles).

    Private Key - Server.key
    Certificate - domain_com.crt (received from the CA .zip file in email)
    Intermediate certificate - CA Bundle files from the fulfillment email, PositiveSSLBundle contains:
    COMODO RSA Domain Validation Secure Server CA
    COMODO RSA Certification Authority
    AddTrust External CA Root

    Then click on 'Next'.

    install_synology_04

    Note: Please use the decrypted Private key file, there may be issues during the process if you use the Encrypted one. Presumably, these issues may occur with the outdated versions of Synology server, this is why Synology highly recommends the latest version to be used. By the time the article was written, it was DiskStation Manager 5.1 (DSM 5.1).

    'Invalid cipher type' error

    There are a few more possible issues during the installation process, and one of them is 'Invalid cipher type' error.

    The error may pop up if the Private key file does not have in header (has -----BEGIN PRIVATE KEY and -----END PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----);

    Solution: modify the file in text editor.

    'Illegal certificate' error

    The 'Illegal certificate' error may pop up during the installation when importing the certificate. There are few possible reasons for the issue:
    - it usually pops up if the .zip archive was opened in a text editor without unzipping, and there was a text left before -----BEGIN CERTIFICATE----- header in there;

    Solution: unzip the archive and open each certificate file separately with a text editor.

  3. Synology web server will now restart which should only take a few seconds. Then the Control Panel 'Certificate' page will look like this:

    install_synology_05

    Once the certificate is installed, all should be clear. However, please make sure that you've created a CNAME record for the domain and not just a URL redirect from name.synology.me, so the common name of the certificate does not match the domain in the URL. Otherwise, you may get 'Common name mismatch' error in browser if you try to connect to your Synology via https://

    Solution: create a CNAME for the domain.

    Now when the certificate is installed, simply try to access your NAS using your domain/subdomain (example: https://yourdomain.com ) - no warnings and a padlock icon in the address bar proves that the connection is now secured by a trusted SSL.