How to Solve Synology Let’s Encrypt TLS-SNI-01 end of life

Recently many people have been contacting me about the following issue: they all received an email from Let’s Encrypt with the following message:

Action may be required to prevent your Let’s Encrypt certificate renewals from
breaking.


If you already received a similar e-mail, this one contains updated information.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 7 days.

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th,
2019. Any certificates issued before then will continue to work for 90
days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you’d like to
test whether your system will work after February 13, you can run against
staging….

What does this email mean? Let’s Encrypt now requires that certificates be issued using one of the validation methods HTTP-01, DNS-01 or TLS-ALPN-01. In practical terms, this means you need to issue a new certificate with one of those validation options.

Does your Synology server use the TLS-SNI-01 method? The current Synology DSM version 6.2.1-23824-4 doesn’t use the TLS-SNI-01 method. DSM 6.2.1 uses HTTP validation (HTTP-01). You shouldn’t have any problem renewing your Let’s Encrypt certificate as long as ports 80 and 443, both TCP and UDP, are already opened on your router (you can do this in your router’s settings, in the Port Forwarding area).
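To make the difference between the validation methods concrete, here is an added example (my own code, not Synology’s or Let’s Encrypt’s) built on the ACME protocol as specified in RFC 8555. It shows the string an ACME client must serve over plain HTTP on port 80 at /.well-known/acme-challenge/<token> for an HTTP-01 challenge (which is why port 80 has to be reachable during renewal), and it scans ACME authorization records for any validation that still relied on the retired tls-sni-01 method. The account key and the authorization records are constructed sample data, not real Let’s Encrypt responses.

```python
"""
Added example (not Synology's or Let's Encrypt's code) showing the ACME
(RFC 8555) mechanics behind the validation methods discussed in this post.

  * http01_key_authorization() builds the body an ACME client serves at
    http://<domain>/.well-known/acme-challenge/<token> on TCP port 80.
  * find_retired_challenges() scans ACME authorization objects (as a client
    or its log would record them) and reports validations that used the
    retired tls-sni-01 method.

All key material and authorization records below are constructed samples.
"""
import base64
import hashlib
import json

# Validation methods Let's Encrypt has retired; tls-sni-01 is the one the
# notification e-mail is about.
RETIRED_CHALLENGE_TYPES = {"tls-sni-01"}

# RFC 7638: the thumbprint input contains only the required public members
# of the JWK, in lexicographic order, with no whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """Serialise the public members of a JWK exactly as RFC 7638 hashes them."""
    subset = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) per RFC 7638."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def http01_key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token '.' base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def find_retired_challenges(authorizations: list) -> list:
    """Return (identifier, challenge type) for every authorization whose
    successful ('valid') challenge used a retired validation method."""
    findings = []
    for authz in authorizations:
        for chal in authz.get("challenges", []):
            if chal.get("status") == "valid" and chal.get("type") in RETIRED_CHALLENGE_TYPES:
                findings.append((authz["identifier"]["value"], chal["type"]))
    return findings


# Constructed sample account key: the modulus is a placeholder, not a real key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key",
}

# Constructed sample authorizations for a hypothetical host nas.example.com.
SAMPLE_AUTHORIZATIONS = [
    {   # older record from when the client still validated with TLS-SNI-01
        "identifier": {"type": "dns", "value": "nas.example.com"},
        "status": "valid",
        "challenges": [
            {"type": "tls-sni-01", "status": "valid", "token": "old-token"},
            {"type": "http-01", "status": "pending", "token": "abc123"},
        ],
    },
    {   # current record, validated over HTTP-01 as DSM 6.2.1 does
        "identifier": {"type": "dns", "value": "nas.example.com"},
        "status": "valid",
        "challenges": [
            {"type": "http-01", "status": "valid", "token": "def456"},
            {"type": "dns-01", "status": "pending", "token": "ghi789"},
        ],
    },
]


if __name__ == "__main__":
    token = "def456"
    print(f"HTTP-01 body for /.well-known/acme-challenge/{token}:")
    print("  " + http01_key_authorization(token, SAMPLE_ACCOUNT_JWK))
    for ident, ctype in find_retired_challenges(SAMPLE_AUTHORIZATIONS):
        print(f"WARNING: {ident} was validated with retired method {ctype}")
```

Running the script prints the HTTP-01 response body for the sample token and a warning for the old tls-sni-01 authorization; a record with only http-01 or dns-01 marked valid produces no warning, which is the state a DSM 6.2.1 renewal should be in.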

Do you need to worry? No, absolutely not! Though TLS-SNI-01 validation is reaching end-of-life, the Synology Let’s Encrypt certificate will not be affected. Synology absolutely supports the HTTP-01 and DNS-01 methods for validation and no clients will be affected after February 13. Know that nothing will break with new or existing certificates.

Why have you received this email from Let’s Encrypt? This email is, for the most part, automatic. It’s likely your Synology server used the outdated validation method TLS-SNI-01 in the past, but it does not anymore. Synology DSM 6.2.1 currently uses the HTTP validation method HTTP-01.

When you try to renew your expired certificate you’ll see that everything will work without any issues. Don’t forget to open ports 80 and 443 both TCP and UDP on your router (to do this, you need to access your router settings and go to the port forwarding area). You can follow the instructions in my article How To Renew Let’s Encrypt Certificate On Synology NAS. In the article you will find a step by step guide to help you easily update your Let’s Encrypt Certificate.

This post was updated on Monday / August 23rd, 2021 at 1:21 AM