Renew SSL Certificates on Synology

On the woes of renewing custom domain Synology SSL Certificates.

Rebind Ports 80 and 443 from Traefik

To make larger reverse proxy rule management easier, I switched from using Synology's built in GUI reverse proxy to a Traefik instance running in Docker. In another post I outlined how I set that up.

One complexity was unbinding ports 80 and 443 from Synology DSM so that Traefik via Docker could bind to them and handle all reverse proxy routing. I found a great script online that managed that.

But in this case, to renew the DSM certificates which are what the Synology mobile apps for Photos, Surveillance...etc terminate SSL against, DSM needed to own 80 and 443. Reversing the script allowed me to restore from backup the factory default NGINX config, and on reboot Synology DSM owns 80 and 443 ports again, and can renew the certificate.

Copycopy code to clipboard
$ cp /volume1/docker/services/traefik-reverse-proxy/nginx-backups/*.mustache /usr/syno/share/nginx/
$ nginx -s reload
# Potentially need to hard restart server
$ sudo netstat -tulpn | grep LISTEN | grep ':80 \|:443 '
# Renew the certificate in DSM
# Re-run the unbind ports script to free 80/443
# Restart the server to go back to the Traefik reverse proxy

HTTP Autoupgrade to HTTPS Facepalm

Turns out an optimization in my router configuration to auto-upgrade HTTP requests to HTTPS became a head scratcher when the built in Synology Certificate Manager wouldn't renew a certificate for my home server services.

I had setup a redirect such that all traffic on port 80 (HTTP) to my router forwards to my home server port 4080 where my home server can reverse proxy to different services running in Docker containers on different ports. Thus, the Certificate Manager, which relies on access to port 80 and port 443, would fail since all of the requests to port 80 would end up going through my redirect to port 4080 and the reverse proxy rule which upgrades it to https.

Temporarily updating my router rule to forward requests on port 80 to Synology as port 80 allowed the Certificate Manager to succeed.

What revealed this to me was when I tried to renew the certificate manually using certbot and then dehydrated and realized that when I ran dehydrated on the Synology server, the logs showed that ACME verification over port 443 succeeded but over port 80 failed.