I have a Synology NAS at home and it’s awesome. With access to most things now done over a secure channel (e.g. HTTPS) it’s really annoying to not have a valid certificate issued by an authorised authority. Synology is aware of the problem and so have made it super simple to get a certificate from Let’s Encrypt. Synology has some great info on getting started on their site.
What I don’t like is that to setup a certificate you have to forward public traffic from port 80 on your router to the Synology NAS. This is so that Let’s Encrypt can validate the device and setup the certificate, and it needs to be left open so that the certificate can auto-renew (Let’s Encrypt certificates only last for 3 months). I’m sure that Synology spent a lot of time securing the NAS so that port 80 can be left open, but I still feel better having it closed – it’s an unnecessary hole in my firewall.
I opened port 80 during the initial setup of the certificate, and then closed it again, all good and everything has worked fine for the last 3 months. But I needed a way to renew the certificate. Here are the steps I took:
- Open port 80 on my router to point to the NAS
- Open Powershell on my Windows 10 Desktop
- Connect to BASH subsystem on Windows 10 (cool new feature)
- ssh into the NAS
- run the following command to update the certificate
sudo /usr/syno/sbin/syno-letsencrypt renew-all
- Check it worked (through the Synology NAS website) and then close port 80 again