Thursday, August 21, 2014

Implementing a free StartSSL cert for Synology NAS

I have a plugin for Chrome called Download Station Extension (http://www.download-station-extension.com/, also available for Safari and Opera) which allows me to tell my Synology NAS to download and initiate torrent downloads, among other things. It is excessively handy. This extension supports all types of downloads that are supported by Synology's Download Station, an application developed by Synology and built into the Synology base OS (http://www.synology.com/en-global/dsm/home_multimedia_download_station). You can tell your Synology box to go download files quickly and easily, including:
  • BitTorrent (both .torrent files and magnet links) 
  • Usenet news NZB files 
  • http, https, ftp, sftp and ftps downloads 
  • YouTube videos 
  • Some supported filehosting websites 
The extension does this by logging into the "Download Station" app on your Synology using your. This is great; however, there is one significant caveat. The Download Station Extension will only use http until you have a trusted SSL cert installed. To protect the credentials to your Synology and use SSL/https, this plugin needs a certificate that is trusted by your browser. To get that, you need to install an SSL certificate on your Synology NAS that comes from a real Certificate Authority (CA).

Now, to be clear, your Synology does have an SSL certificate already, but it's a "self-signed" certificate, meaning your server generated the certificate and also vouched for it itself as being a good, trusted certificate. No CA that your browser trusts has signed it, so the browser does not trust it.

A post in the Synology Community Site describes how to go through the process of installing a free StartSSL cert; however, it involved significant ssh command-line work, operating with openssl directly. It turns out Steps 1-6 in that post are no longer necessary. You could probably still do the requisite work through ssh/openssl; however, according to the Synology guide here, you no longer have to ssh into the box to generate a certificate signing request or process the certificate returned from an SSL cert provider.

Based on that, here's what you need to do.
  1. Go to the Synology guide, and perform steps 1-7. Proceed to the next step.
  2. Use the Synology Community Site post by GNOE Inc. and perform steps 7-8.8 to generate the StartSSL-based (free) cert.
  3. Go back to the Synology guide, and perform the last steps on the page, 1-3.

Make sure that the SSL certificate domain matches the domain you're using to access your NAS through the Internet. If the SSL cert and the domain don't match, you'll still get SSL cert errors and you won't get the benefits of this whole process.
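
The two conditions that matter here (the cert is not self-signed, and its name matches the hostname you use) can be checked with openssl before you point the extension at the NAS. This is an added example, not part of the original post or either guide; the function names and `nas.example.com` are assumptions, and the sample certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PEM certificate for the NAS.
# Function names and nas.example.com are illustrative assumptions.

# True if subject and issuer are the same name (self-issued), as with the
# NAS's default certificate. Does not validate a chain to a trusted CA.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True if the certificate is valid for hostname $2. openssl exits 0 either
# way, so the printed verdict is what gets checked.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# Constructed sample: a throwaway self-signed cert for hostname $2, written to
# $1. The name is in CN only; -checkhost falls back to CN when no SAN exists.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Report both conditions; returns 0 only if neither problem is present.
check_cert() {
    rc=0
    if is_self_signed "$1"; then
        echo "FAIL: self-signed, browsers will not trust it"; rc=1
    fi
    if ! cert_matches_host "$1" "$2"; then
        echo "FAIL: certificate is not valid for $2"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: not self-signed and valid for $2"
    return "$rc"
}

# Demo on the constructed certificate: the first call reports the self-signed
# problem, the second reports both problems.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/nas.pem" nas.example.com
check_cert "$demo_dir/nas.pem" nas.example.com || true
check_cert "$demo_dir/nas.pem" other.example.net || true
rm -rf "$demo_dir"
```

To use it for real, call `check_cert` with the certificate file returned by the CA and the hostname you type into the browser to reach the NAS.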

Hope this guide helps!

Chris