SKDavis

An SSL (Secure Socket Layer) certificate encrypts transmitted information and supplies information about your site to browsers. While you can run your website without an SSL certificate installed, information transmitted is vulnerable to man in the middle attacks. The SSL protocol ensures connections to your server are securely encrypted providing another layer of protection. The price for SSL certificates varies depending on the vendor, the type of certificate and the valid time period.

Before you install an SSL certificate determine your needs. If you plan on conducting monetary transactions or supplying sensitive information, you will need to purchase a certificate from a third party but If you only want a secure website, the free versions work fine in most cases. Synology provides a default certificate but it is registered to Synology and does not provide any information about your domain. Fortunately Synology offers two ways to install or a free SSL certificate. Keep in mind free versions do not include both non-www and www addresses by default but you can enter this information when you create the certificate.

The first is a self-signed certificate. While a self-signed certificate encrypts transmissions, it does not provide third party verification ensuring you are who you say you are. This may cause issues depending on the user's browser security level. When a user connects, their browser will detect a self-signed certificate and may deny a connection if the security level is set too high.

The second type is from Lets Encrypt. Synology added this feature so you can easily install a SSL certificate without going to the Lets Encrypt website. The current free version from Lets Encrypt is issued by ESET and is valid for three months. Click HERE to view installing the Lets Encrypt certificate.

To install a self-signed certificate log in to DSM and select Control Panel then select Security.



Security opens with the security tab. You can check the option boxes, as shown, improve your security.



Select the Certificate tab. When the page opens you will see the default Synology certificate.



Select Add a new certificate and select the NEXT button at the bottom of the page.



When the add option opens you are given different certificate creation options. Enter the descriptive information for your new certificate in the description window.



Select Create Self signed certificate. You can make this the default certificate by checking the box at the bottom of the window then select Next.



Here you enter your domain and site information.



Leave the private key length set to 2048.
Enter your domain name for the common name.
You must also enter the email address to use for your website.
Select your country for the region.
Enter your state or province and the City where your server resides.
You must enter an organization name. This name cannot be identical to the domain name.
Enter a department such as Marketing, Research, Sales etc.



When you are finished select next and the box reappears with the option to add aliases. You do not need to add anything here but may want to add the a www or email domain name. When finished press Apply.





Select apply and your new certificate appears in the certificate window. Notice the new certificate is now the default.

---

Install a Certificate from Lets Encrypt

Select Security from the control panel and then select the security tab.

Security opens with the security tab. You can check the option boxes, as shown, improve your security.



Select the Certificate tab. When the page opens you can see the default Synology certificate.



Select Add a new certificate and select the NEXT button at the bottom of the page.

When the create certificate window appears, enter the descriptive information for your new certificate in the description window. Select Get a certificate from Lets Encrypt. Select the Set as default certificate checkbox to make you new certificate the default.



Using the Lets Encrypt option requires minimal entries because your Synology supplies the additional information.



Enter your domain name.
The email address to use for your site
Last enter any aliases you want on the certificate. i.e. www or email addresses.
You can make this the default certificate by checking the box at the bottom of the window.



When you select apply your Synology server will connect and pass information to Lets Encrypt. When the certificate is issued it will install automatically and display on the certificate page.



If you receive a "Failed to connect to Lets Encrypt" error, make sure your domain name is valid and registered. Additional issues that will cause an error is if your domain name is already attached to another certificate or an invalid certificate.



If you want to change the default certificate, select the certificate you want make the default and select edit.



Check the Set as default certificate box. While you are in the edit screen you can add a description it you forgot to add one when the certificate was created. Select OK when you are finished.

Return to the top

Steve

I have three sites on my DiskStation. Two are wordpress.org installations, the other is a local TNG installation. All are running on http

I want to convert them to https. There are two domains and TNG is on a subdomain

I assume I can install Let's Encrypt certs for them all?

But what do I do when I get the "Make this the default" prompt? They can't all be the default. If any is default it's my Synology DDNS one?

Regards

Paul

Hi Steve

So, I wanted to upgrade one of my Synology hosted wordpress.org sites http://process-guru.net to https://

I obtained a Let's Encrypt certificate for the domain using the steps you gave. It installed successfully.

Next I went in to WordPress dashboard > general settings and updated the site URL to https://

I obviously need to do something else because, when I try to access the site using an https:// prefix, I get a browser warning that the site is not secure.

What am I missing please?

Go to web station and select virtual host then select the website and edit. Under HTTPS settings, check both boxes for HSTS and HTTP/2 then select OK.

Alternately, you can manually force an https connection using .htaccess.

Sorry I missed the Jan 15 question. The default certificate is the certificate assigned to DSM. If you connect to DSM remotely, the default certificate is used to make that connection.

Thanks. Did that, I still get a site is not secure message from the browser

I just tried process-guru.net and it is still using the barrettnas2.synology.me certificate. Go back to DSM security and attach the correct certificate to the process-guru.net website. Once you are using the correct certificate, flush your browser cache and any cookies for that website.

If you still have problems, flush the DNS cache. In windows type cmd in the search window. Right click cmd.exe and select Run as Administrator. At the prompt enter ipconfig /flushdns and press enter. Then type exit to close the command prompt window.

What I see when I edit the default certificate is this

barrettnas2.synology.me - 2019-06-09
(Default certificate)
Issued by Let's Encrypt Authority X3
Subject Alternative Name barrettnas2.synology.me
For
WebDAV Server, CardDAV Server, FTPS, System default, Log Receiving, MailPlus-Server-postfix, MailPlus-Server-dovecot, Active Backup, VPN Server, Drive, NoteStation - 9351, tng.pfbarrett.uk, bfhs.pfbarrett.uk, process- guru.net, pfbarrett.uk, www.pfbarrett.uk, rrett.me.uk

How do I unattach an associated domain name from the default certificate please?

Go to Control Panel, then select security. Select the certificate tab then select configure. The virtual hosts are listed in the left column and the SSL associated with the host is in the right column. To change a certificate, select the pull down in the right column for the virtual host you want to change. Then select the certificate you want to use. When complete press OK.

Thanks Steve. I was trying to to use "Edit"

Regrettable it still doesn't work

I have updated web station, security and the site addresses on WordPress but when I do so, and try to load the site in the front end, my browser tells me it cannot locate that address. Curiously, the backen is loading though https://

Do I need to do anything with my domain host?
Do I need to do something with .htaccess

Make sure the correct SSL certificate is attached to process-guru.net and the WordPress URL is configured for https. Add the following code at the beginning of your .htaccess file for process-guru.net. Then test if this forces a https connection when you load your site.
Make sure you enter the code correctly. Making a typo error in .htaccess can cause a server 500 error. If you have some pages that load http on a https connection you will get security errors.

After reading your post again, it appears you are trying to use one SSL for multiple domain names. If that is the case please read this post. Scanning the replies you’ll find running different domain names on one SSL fails.

While a SSL certificate is typically assigned to one domain name, you can have multiple sub domains. On the other hand you can buy a multi-site certificate but they tend to be expensive and are usually used by larger corporations. I found it cheaper to purchase multiple SSL certificates for all my domains.