To get a Let’s Encrypt certificate on your Synology, the knowledge base says:
- Make sure the domain name points to the correct IP address.
- Check the A record for IPv4, or the AAAA record for IPv6.
- You can verify it with nslookup for your Synology’s FQDN.
- Compare that with the public IP shown by curl checkip.synology.com or curl checkipv6.synology.com over SSH. [8]
- Make sure port 80 is open and forwarded to your Synology NAS/router.
- DSM says Let’s Encrypt certificates are valid for 90 days and can be renewed automatically before expiration.
- Port 80 must be open for domain validation and certificate renewal. [9] [15]
- In DSM, if the certificate is not renewed automatically, go to:
- Control Panel > Security > Certificate
- Select the Let’s Encrypt certificate, right-click it, and choose Renew certificate. [9]
Why issuance or renewal may fail, based on the fragments:
- Wrong DNS/IP mapping for the domain. [8]
- Port 80 is not open or not forwarded. [9] [11] [15]
- The certificate request may exceed Let’s Encrypt limits for email accounts or certificates per domain. [11] [12] [13]
- For Synology Router/SRM, there is also a note that SRM will automatically renew after successful validation, and port 80 must be open. [11]
- Synology also notes that certificates must be in X.509 PEM format, and private keys must be RSA and not passphrase protected. [2]
- For older DSM issues, Synology mentions updating DSM to at least 6.2.2 Update 3 if you got a Let’s Encrypt email notification asking you to use ACME v2. [9]
Additional Synology-specific note:
- If you use Synology DNS/Let’s Encrypt and later export OpenVPN settings, VPN Server had a fixed issue where the exported OpenVPN configuration could contain the wrong certificate chain, especially with Let’s Encrypt. In that case, Synology says to update the package and re-export the configuration file to the OpenVPN client. This is from the VPN Server release notes and refers to older versions. [1]
If you want, I can also summarize this as a short checklist for DSM or SRM.
Sources used: [2], [8], [9], [11], [15], [1]