I use a version of Syncthing written for Synology NAS and installed from third party packages available on Synology NAS.
Normally and without errors, I connect to the Synology NAS from Windows 10 64 bit (updated) via HTTPS:// with a string like:
https://MySynoString.synology.xx:numberport/#/signin
In this case I am not receiving security warnings from the browser as the Synology security certificate is up to date and valid.
If I try to start Syncthing (installed on the Synology NAS) - setting for HTTPS:// connection - as recommended by Syncthing at the first configuration - using a string IDENTICAL to the one used to access the Synology NAS except the port number:
https://MySynoString.synology.xx:8384/#
any 64-bit browser (Chrome, Edge, Firefox, Opera, Yandex - obviously all updated) gives me a warning like:
âWarning: Potential Security Riskâ, as if the connection was made via http:// or as if the security certificate was invalid.
Sorry for the length, I tried to be as clear as possible.
On GitHub they donât deem it to be a bug. So if itâs not a bug (defect) what is it?
Kindly, could someone help me to understand if I am wrong something?
As far as I know, most browsers have recently updated their security settings in such a way that self-signed certificates and some other certifcate classes are not regarded âsafeâ but get their warning as you describe. Hence, if you can use an older version of the browser, you can check if this is the issue.
Next step: naming: In certificates, the name of the server is in the certificate. If there are name differences, the certificate mismatch an be triggered. You can check this by selecting investigation links next to the warning message. That opens the certificate and shows the issue details.
It has been this way since 1995 , not sure if I would call that recently.
But yes this is generally correct.
Thatâs because that are different webservers. The first UI is your Synology webserver. That is probably configured with a CA-signed certificate.
The other is syncthingâs inbuild webserver. This webserver also supports HTTPS, but it doesnât have any CA-signed certificate. It instead serves a self-signed certificate by default - this gives browser warnings, as expected for self-signed certificates.
If you have a valid CA-signed certificate, you can replace the self-signed certificate from syncthing with that. In syncthings home folder, there are two files named https-cert.pem and https-key.pem. Those are the certificate and corresponding private key, which you can replace with different ones, if desired.
You can also put syncthingâs web UI behind a reverse proxy, that is configured with valid certificates.
Indeed the certificate that the Synology DSM uses for its Web GUI has nothing to do with the one Syncthing presents fit its own Web GUI. But you can copy the system one for use with Syncthing. I do this regularly because I have a Letâs Encrypt issued certificate for the DSM and it gets renewed every few weeks. Then itâs a manual process to copy the renewed cert to the Syncthing app folder and restart it. As that gets tedious, I created a script for it, but it requires logging in through SSH and running as root on the Synology because the system certificates are not accessible for regular users (obviously).
If thatâs a procedure you would be comfortable with, I can give you the script. Probably it can be further automated, but I havenât researched whether it can be run automatically as root.
The proper way forward would be to register the Syncthing package in the official DSM certificate manager UI. That way all the management tools (e.g. automatic creation and renewal of Letâs Encrypt certs) can also apply to Syncthing. I tried to add such integration to the SynoCommunity package, but got stuck because of incomplete or wrong documentation from Synology. Any help is welcome in that regard.
thanks @Nummer378, thanks @acolomb
you are kind to help me, but what you should do for me is long and boring. . .
Since I also have difficulties with English, in addition to publishing the script you should also explain step-by-step how to make it work and how to do it as root.
If you feel like it, I thank you and I really appreciate it. Maybe it will be useful to others as well
Greeting . . . .
How To Use The DiskStationâs SSL Certificate For Syncthing
Things you need to have working first:
In DSM, you need to have an admin account configured. I assume it is called admin.
You need access to the DiskStation via SSH. This is only possible for an admin user. Make sure you can log in from your desktop / laptop computer: ssh admin@MySynoString.synology.xx and you know the password. If youâre not using the command line, try logging in with the PuTTY application for example.
Root access is required for the admin user. In the SSH connection, try running sudo ls and enter your password again.
Once these prerequisites are met, you can log in to the DiskStation through SSH and create the updating script:
Find your Syncthingâs API key in the Web GUI under Actions â Settings.
Enter the command cat > syncthing-install-cert.sh.
Paste the following content, replacing the API key with your own value from the first step:
In the file listing you can verify the modification date of the https-*.pem files. The last line is Syncthingâs response to the request to restart itself.
When you have it working once, you just need to repeat the last step no. 6 every time the system default certificate is replaced. I assume you already have that part figured out. Itâs not really hard to get a certificate from Letâs Encrypt using the DSM Control Panel, once you have configured external access in your router / firewall.
Feel free to ask if you are having trouble with these instructions.
, not sure if I would call that recently.