How to assign existing Synology DDNS subdomain LetsEncrypt certificate to HAOS virtual machine on NAS for https UI?

Hi folks. I’m new to HA and struggling to find the missing configuration puzzle piece needed to access the Home Assistant web UI securely, via a Synology DDNS subdomain URL, on a DS 220+ VM.

I’m trying to extend the working arrangement for my DDNS domain on https://mysubdomain.synology-ddns-domain.me and NAS DSM’s subdomain, on https://dsm.mysubdomain.synology-ddns-domain.me

However, whilst HA is available (insecurely) on 192.168.1.nnn:8123 (where nnn is fixed by my router), https://ha.mysubdomain.synology-ddns-domain.me currently reaches a (secure) Synology page with the message “Sorry, the page you are looking for is not found.”.

Current configuration includes:

  1. Home Assistant: installed and working via a native HAOS virtual machine
  2. Synology DDNS is set up with a wildcard LetsEncrypt for mysubdomain.synology-ddns-domain.me and *.mysubdomain.synology-ddns-domain.me
  3. LetsEncrypt wildcard certificate is configured for ha.mysubdomain.synology-ddns-domain.me
  4. Router is forwarding port 443 to the NAS
  5. Synology Login Portal Reverse proxy: for Home Assistant maps source HTTPS, ha.mysubdomain.synology-ddns-domain.me, 443 to destination HTTPS, 192.168.1.nnn:8123
  6. Home Assistant configuration.yaml file:
http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
    - 172.30.232.0/24
    - 172.30.32.0/24

I’m guessing that currently the HAOS virtual machine can’t access the host NAS certificate folder to use the LetsEncrypt wildcard certificate, but I can’t find where or how this is set.

Grateful for any tips.

Hi @Clarkey,

In case you aren’t aware (likely you are), wildcard certificates only cover the domain in question and one level of subdomains.

Thus for the domain name example.com the SANs needed are example.com and *.example.com and that would cover
one.example.com
two.example.com
three.example.com

But not
four.subdomain.example.com
five.subdomain.example.com
six.subdomain.example.com
To cover those you also need SANs of subdomain.example.com and *.subdomain.example.com on a certificate.
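
The wildcard coverage rule described in the reply above, as an added example that is not part of the original thread: a small Python matcher that applies the one-label wildcard rule to the SANs and hostnames mentioned in the posts. The function names are assumptions made for illustration, and the SAN lists are constructed from the names quoted in the thread.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(san, host):
    """True if one SAN dNSName entry covers host.

    '*' is honoured only as the complete leftmost label and stands for
    exactly one label: it never spans a dot and never matches the bare
    parent domain.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):          # a wildcard cannot add or remove a level
        return False
    if s[0] == "*":
        return h[0] != "" and s[1:] == h[1:]
    return s == h


def covering_sans(sans, host):
    """SAN entries on the certificate that cover host (empty list = none)."""
    return [s for s in sans if san_matches(s, host)]


def uncovered(sans, hosts):
    """Hosts that a client would reject for this certificate."""
    return [h for h in hosts if not covering_sans(sans, h)]


# Constructed from the names used in the thread.
EXAMPLE_SANS = ["example.com", "*.example.com"]
EXAMPLE_HOSTS = ["example.com", "one.example.com",
                 "four.subdomain.example.com"]
DDNS_SANS = ["mysubdomain.synology-ddns-domain.me",
             "*.mysubdomain.synology-ddns-domain.me"]
DDNS_HOSTS = ["mysubdomain.synology-ddns-domain.me",
              "dsm.mysubdomain.synology-ddns-domain.me",
              "ha.mysubdomain.synology-ddns-domain.me"]

if __name__ == "__main__":
    for sans, hosts in ((EXAMPLE_SANS, EXAMPLE_HOSTS), (DDNS_SANS, DDNS_HOSTS)):
        for host in hosts:
            print(f"{host:45} covered by {covering_sans(sans, host) or 'nothing'}")
```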

Thanks @Bruce5051 I think the wildcard certificate is OK, as it only covers two levels:

  1. my primary DDNS service URL level, which feeds my NAS web service, plus
  2. subdomains for my NAS’ DSM subdomain and the placeholder page for Home Assistant that displays “Sorry, the page you are looking for is not found.”.

The issue is why this Home Assistant subdomain placeholder page is being rendered (albeit securely), which suggests configuration issues with one or more of:

  • Synology reverse proxy
  • HAOS virtual machine setup
  • Home Assistant setup, whether configuration.yaml or perhaps some missing add-on.

I’m new to most of this so don’t even know if there are logs or diagnostic tools somewhere that can help localise the likely cause.
