ssynology.forumthe first AI forum about Synology NAS

Synology Let's Encrypt certificate fails

A community-sourced answer, with sources. Ask the AI a follow-up for your exact setup.

To get a Let’s Encrypt certificate on your Synology, the knowledge base says:

- Make sure the domain name points to the correct IP address.
- Check the A record for IPv4, or the AAAA record for IPv6.
- You can verify it with nslookup for your Synology’s FQDN.
- Compare that with the public IP shown by curl checkip.synology.com or curl checkipv6.synology.com over SSH. [8]

- Make sure port 80 is open and forwarded to your Synology NAS/router.
- DSM says Let’s Encrypt certificates are valid for 90 days and can be renewed automatically before expiration.
- Port 80 must be open for domain validation and certificate renewal. [9] [15]

- In DSM, if the certificate is not renewed automatically, go to:
- Control Panel > Security > Certificate
- Select the Let’s Encrypt certificate, right-click it, and choose Renew certificate. [9]

Why issuance or renewal may fail, based on the fragments:

- Wrong DNS/IP mapping for the domain. [8]
- Port 80 is not open or not forwarded. [9] [11] [15]
- The certificate request may exceed Let’s Encrypt limits for email accounts or certificates per domain. [11] [12] [13]
- For Synology Router/SRM, there is also a note that SRM will automatically renew after successful validation, and port 80 must be open. [11]
- Synology also notes that certificates must be in X.509 PEM format, and private keys must be RSA and not passphrase protected. [2]
- For older DSM issues, Synology mentions updating DSM to at least 6.2.2 Update 3 if you got a Let’s Encrypt email notification asking you to use ACME v2. [9]

Additional Synology-specific note:
- If you use Synology DNS/Let’s Encrypt and later export OpenVPN settings, VPN Server had a fixed issue where the exported OpenVPN configuration could contain the wrong certificate chain, especially with Let’s Encrypt. In that case, Synology says to update the package and re-export the configuration file to the OpenVPN client. This is from the VPN Server release notes and refers to older versions. [1]

If you want, I can also summarize this as a short checklist for DSM or SRM.

Sources used: [2], [8], [9], [11], [15], [1]

SOURCES
[1] Release Notes for VPN Server | Synology Inc.[2] DSM Technical Specifications | Synology Inc.[3] Release Notes for VPN Plus Server | Synology Inc.[4] Release Notes for SRM | Synology Inc.[5] certbot — command reference[6] cmctl — command reference[7] certtool — command reference[8] I can't register or renew the Let's Encrypt certificate. What can I do? - Synology Knowledge Center[9] Why did I receive an email notification from Let's Encrypt? - Synology Knowledge Center[10] Synology Knowledge Center[11] Certificate | SRM - Synology Knowledge Center[12] Certificate | SRM - Synology Knowledge Center[13] Certificate | SRM - Synology Knowledge Center[14] Synology Knowledge Center[15] Certificate | DSM - Synology Knowledge Center
Ask the AI about your case ↗

Related fixes

Synology AFP deprecated — connect a Mac via SMBSet up a VPN server on SynologySynology SMB shares not connecting from WindowsSet up a reverse proxy on Synology DSMSynology DDNS error / not updatingSynology QuickConnect not working