Third Party Certificate for Synology NAS - What is that for?

Hi!

I have a very limited knowledge on networking. I currently have a Synology NAS that I backup my small business’s onedrive and computers to & run a plex server off of.

I am starting to take advantage of some of the other features. I setup DDNS, but I did not check “Get a certificate from Let’s Encrypt and set it as default”. When I connect via the synology photos App – I get a message warning me that it is not secure/ I do not have a verified certificate. It let me proceed to logging in just fine. Is this a problem? I just want to make sure I am not making the server vulnerable or my traffic from phone to server vulnerable.

I read this on Synology’s website I see a "Not Secure" warning when connecting to my Synology device via HTTPS. What can I do? - Synology Knowledge Center
Item 3 in the notes sections on that page says, “Certificates only guarantee secure connections with a specific domain (e.g., example.synology.me), not including connections via QuickConnect ID on Synology mobile applications.”

Does that mean there is not a secure connection from the app to the server?

Let me know if any additional information would be helpful.

Thanks!
Smoke

The certificate error is likely due to the device using a self-signed certificate. It does not mean that the connection is not encrypted, it means that the authenticity of the server (your nas) can’t be verified by the certificate chain. So the certificates can’t verify WHO you’re talking to even if nobody else can listen in.

If it’s on your home network behind your router firewall, the local IP of the device is a good indicator it’s the right one If you have decent enough reasons to trust it’s your device then you’re good to go. I actually have the same situation and I trust it because mine is on my VPN.

If you expose the NAS to the public internet you can tick on the let’s encrypt setting and you’ll get a certificate. In fact, if you are using synology’s domain name for this you might as well try and see if you get a working signed cert. I don’t use the QuickConnect feature personally.

To fully understand what’s going on here you want to learn about web certificates and HTTPS. That’s the fuzzy area you’re asking about. I hope this sheds a little light on it.

Thank you! That is very helpful. I definitely trust that its the right device. I am not using QuickConnect either.

Let’s encrypt is just providing a certificate, correct? It is not going to provide any information or give any sort of access?

Yes

Yes, Let’s Encrypt (LE) is just issuing the certificate.

As part of a larger cert-feature-with-lets-encrypt, it’s the ACME protocol at work wherein LE is the Certificate Authority. How It Works - Let's Encrypt provides an overview.

In our case Synology has it’s own ACME protocol and associated code to copy the cert into the server/proxy synology runs and it uses LE as the CA in the ACME process. The reason the synology needs to be exposed to the internet to make the feature work is that it uses the server to carry out the domain verification challenge as part of the ACME protocol. There are other challenge methods such as DNS API verification. This is the way to go if you want a cert AND don’t want to expose your Synology to the internet.