How to Solve Synology Let’s Encrypt TLS-SNI-01 end of life

How to Solve Synology Let's Encrypt TLS-SNI-01 end of life

Recently many people contacted me about this issue. They all received an email from let’s encrypt with the following content inside:

Action may be required to prevent your Let’s Encrypt certificate renewals from

If you already received a similar e-mail, this one contains updated information.

Your Let’s Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 7 days.

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th,
2019. Any certificates issued before then will continue to work for 90
days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you’d like to
test whether your system will work after February 13, you can run against

What does this email mean? Let’s Encrypt now requires that certificates are created with HTTP validation HTTP-01, DNS-01, TLS -ALPN-01 validation. Which in practical terms means you need to issue a new certificate with one of those validation options.

Your Synology uses TLS-SNI-01 method? Synology DSM 6.2.1-23824-4 doesn’t use TLS-SNI-01 method. Synology 6.2.1 DSM uses HTTP validation (HTTP-01). You shouldn’t have any problem if you have already opened ports 80 and 443 both TCP/UDP when you renew your certificate through your router port forwarding settings.

Do you need to worry? No! Though TLS-SNI-01 validation is reaching end-of-life, the Synology Let’s Encrypt certificate will not be affected. Synology absolutely supports the HTTP-01 and DNS-01 methods for validation and no clients will be affected after February 13th. Keep in mind, nothing will break with new or existing certificates.

Why have you received this email from let’s encrypt? This email in most cases is automatic. Probably, your Synology has used this outdated authentication method “TLS-SNI-01” in the past but now it does not use it anymore. Synology 6.2.1 currently uses the HTTP validation HTTP-01 method.

When you will try to renew your expired certificate everything will work without problem. Don’t forget to open ports 80 and 443 TCP/UDP using your port forwarding router settings. Please follow the instructions in my article How To Renew Let’s Encrypt Certificate On Synology NAS. You will find out a step by step guide to update your Let’s Encrypt Certificate.

This post was updated on Monday / December 21st, 2020 at 1:20 AM