How to setup HTTPS for Synology NAS (DSM 7)

This tutorial will show you how to setup HTTPS certificates for a local network using a Synology NAS with DSM 7.1. It’s important to note that with this tutorial, you will not be able to access your NAS outside of your local network. The tutorial is made this way purely because it’s the best way security-wise. I personally recommend setting up a VPN instead if you want to use your NAS outside of your local network. With that out of the way, let’s begin! Please note that this tutorial assumes moderate computer knowledge.

Prerequisites

You will need:
– A Synology NAS on DSM 7
– A domain name
– A DNS server you can customize (I will be using Pihole)

Step 1: Adding the domains

The first step is pointing the domains to your IP address. For example, I want synology.telesphoreo.me to be the URL I access DSM at. You’ll want to add an A record to your domain that points to your home address. Make sure you have a static IP address. If you don’t you’ll have to update the domain records pretty often.

Example record: A synology.telesphoreo.me 1.1.1.1. Obviously, replace 1.1.1.1 with your actual IP address.

Step 2: Port forward port 80

This is likely the hardest part, but you’ll need to port forward port 80 for Let’s Encrypt. If your router doesn’t support it, then you’ll have to skip Step 3. If it does, then allow anyone on port 80 and set the destination to the IP of your NAS on port 80. Port 80 needs to be open so that Let’s Encrypt can generate the certificates. You can close port 80 after it’s done. However, you’ll have to reopen it again to renew the certificates.

Step 3: Generate the certificates

On your Synology, open up the Control Panel and go to Security > Certificates. Click on the “Add” button. You’ll want to select “Replace a certificate” and replace the default self signed Synology certificate. Now, click on “Get a certificate from Let’s Encrypt”.

For the domain name, enter the primary domain name you’ll be using, for example: synology.telesphoreo.me. Enter a valid email for the email field. This will remind you when to renew your certificates. For the “Subject Alternative Name”, this is where you enter any other domains you want to have the certificate be under. For example, if you wanted Synology Photos under HTTPS, you’d enter photos.<yourdomain>.tld. It doesn’t necessarily have to be photos, but it’s best practice to do something that makes sense. You should successfully be able to get the certificates.

Step 4: Add the domains to the applications

On the Control Panel, go to “Login Portal”. Under the DSM tab where it says “Customized domain”, this is where you enter your new URL, such as synology.telesphoreo.me. If you configured other applications, go to the “Applications” tab. Select the application(s) you added a subdomain for and where it says “Customized domain”, enter the domain you made. For example, Synology Photos would get photos.telesphoreo.me. Now, save your changes. There is one last step you must do.

Step 5: Point DNS records

This is the most challenging part because it is different for every DNS server software. On Pi-hole, go to the Local DNS > DNS Records tab. For the domain, enter the same domain you used for the HTTPS certificate. For example, I would enter synology.telesphoreo.me. For the IP address, enter the local IP address of your NAS, NOT the public one.

If you don’t have a DNS server, you can edit your hosts file instead. It depends on what operating system you use, so follow a separate tutorial on how to modify your hosts file. Once you actually have your hosts file open, you’ll want to follow the instructions as above. Enter the domain name you setup for the certificate, and point it to the local IP of the NAS. The caveat is that it will only work on the device you’ve done this to. It won’t apply network wide unless you have a DNS server you can customize.

The idea here is that you want to add the A records so that Let’s Encrypt can get the certificates. However, on your local network it will point to the local IP of your NAS. Nothing will actually be exposed on the internet because none of the applications will be port forwarded (unless you’ve chosen to do so).

Conclusion

This is a pretty technical tutorial and does assume quite a bit of computer knowledge beforehand. However, it certainly looks nicer to have your NAS point to a real URL with HTTPS. The goal was to make it local only because I did not want to expose my NAS to the internet just for HTTPS. If you want to open your NAS up to the internet, you’ll have to port forward the ports for each application. However, I do not recommend you do so as it poses a massive security risk.