How to get a certificate from Let's Encrypt on synology
Go to [Control Panel][Security][Certificate]
Click 'Add' button.
check creation mode 'Add a new certificate', then click 'Next' button .
check the third item 'Get a cerficiate from Let's Encrypt'.
if you would use the cerfiticate to be created now as default, check 'Set as default certificate', but you can change default certificate afterwards.
click 'Next' button.
you have three item to be entered this time.
1. Domain Name: it's domain name which you have, have to issue new certificate for. In my case I typed 'zdigger.com' at edit box.
2. Email: email address you have, use mainly.
3. Subject Alternative Name: it's main item to be typed carefully to issue new certificate of yours successfully.
"Let's Encrypt" checks the connectivity at '80' port of each item for Subject Alternative Name list typed at edit box.
here, you may show some error messages, which say new certificate creation failure.
I met two error message during creation of new certificate as below.
1. The operation failed. Please log in to DSM again and retry.
=> In my case, I rebooted DSM. Ok.
2. Failed to connect to Let’s Encrypt. Please make sure your Diskstation and router have port 80 open to Let’s Encrypt domain validation from the Internet. All other communications with Let’s Encrypt go over HTTPS to keep your Diskstation secure.
=> I said above, Let's Encrypt check 80 port of each item for Subject Alternative Name, which is semicolon-separated.
If you would encounter this error message, you should check some configuration in relation with Subject Alternative Name.
Please make sure that spelling of each Subject Alternative Name is the same with site or sub-domain name registered at your domain registrra.
If you manage DNS server directly, you have to check the site list registered at your DSN server.
It's Ok from here. So, you must check the 'HSTS' configuration of each Subject Alternative Name, if any.
If the 'HSTS' configuration of some subject alternative name is enabled, DSM maybe forward or redirect the connection of that.
after setting 'HSTS' configuration unchecked-state, you try again. In my case, I issued new certificate with 'HSTS' configuration unchecked-state.
It's Ok? No?
So next, you may also have to check 'reverse proxy' configuration when you have Subject Alternative Name which is used at [control panel][application portal][reverse proxy ]. This 'reverse proxy' also may be related to issue new certificate from the view of checking connectivity for the 80 port in terms of Let's Encrypt.
=> In my case, I delete all items of reverse proxy. Ok.
In sums, Let's Encrypt check the connectivity of 80 port.
check whether Subject Alternative Name is valid(spelling, registered at DNS serve or domain registrra)
unchecked HSTS configuration of each all Subject Alternative Name.
delete reverse proxy if you use Subject Alternative Name at reverse proxy configuration.