Installing Let’s Encrypt SSL Certificates to give External Access to a Synology NAS running Home Assistant as a Docker Image

11 Jan 2021


  • Home Assitant
  • Synology NAS
  • Let's Encrypt

When I first discovered Home Assistant, I opted to use the core Docker image via my Synology. At the time it was a simple solution as I had everything in place to just get started. Everything has always worked perfectly for me since I started. I live of the opinion, if it’s not broken, don’t fix it. I have read many other installation methods of Home Assistant and I am sure they are also perfectly good too. I already had a Synology NAS in play as my Media Server and, at the time, for using Surveillance Station to monitor my house.

I have a fixed IP address at home so I use a custom domain on that IP address, although this same process can be applied with a DDNS provider such as Duck DNS. I get 5 IP addresses via Virgin Media in the UK (they were was free at the time, so I just took them) but thanks to my NAS I have never used all 5. So, all I need now is a Certificate and I am on my way to secure access. The great news is that they are free with Let’s Encrypt and simple to setup on a Synology NAS, if you know how.

Until today I forgot the headache, I went through to achieve this until someone asked a simple question on the Home Assistant Facebook Group about external access for Google. I remember the pain I went though years ago to teach myself what is a very simple process, once you know how to do it. This inspired me to write a guide for anyone else out there struggling through the same process.

Before I start with the guide, I would like to say if you are reading this and you have Facebook and have not joined the Home Assistant Facebook Group, join it now. This group is full of people just like you, asking the same questions you are and helping each other. It is a real community and great for everyone whatever the level. You never know, you may even pick up some ideas.


1.      You know your way around the Synology NAS UI. 
We do not need to download any file or do anything via the command line or putty.

2.      You have setup your DDNS or Custom Domain name to point to your NAS. For using Let’s Encrypt to get a new certificate, you will need to point your router ports 80 and 443 to the NAS. I am assuming this part you are comfortable with in some way as every router is different.

3.      You have setup Home Assistant as a Docker Image on your Synology NAS (although this guide also works perfectly well for other Docker applications etc).


1. Setup an SSL Certificate with Let’s Encrypt

The first thing to do is create a Let’s Encrypt certificate on your Synology NAS.

To do this you need to head over to your Synology NAS Control Panel and select the Security menu. Inside the Security menu you should see an option called Certificate.

Click Add and this will open a new window

We are going to Add a new Certificate. I am assuming if you are reading this guide you do not already have one in place. Click Next.

Synology have made it very easy to do this process and have an option for us to get a Let’s Encrypt certificate directly. This makes life so much easier. Fill in the Description and select this option Get a certificate from Let’s Encrypt and click Next.

Now you need to complete your custom domain name for which you want the certificate applied to. This is the domain name you are going to use when you log in to Home Assistant from outside of your network, that you have already set it up to point to your Synology NAS from your router.

You can check this by visiting your custom domain in a browser to see if it gives you access directly to your NAS login screen without any port number. In the above example, if I was now to visit in a web browser, it should take me to my Synology NAS login screen without the port number added at the end. If this all works correctly click Apply.

This will now process your request and communicate with Let’s Encrypt to verify everything is setup correctly and assign the SSL Certificate. This can take a few minutes and if everything was a success, your certificate is now in place and the screen will load to the main certificates overview page. This should take you back to the overview screen with your Certificate showing active.

If this was successful, congratulations. We are nearly there and just have a few more steps to finish the process in the application portal. This means everything is set correctly and there are no apparent issues. If this is the case you can now skip to the next step.

If on the other hand, you are like me, and have received what I can only describe as a brick wall of failure. You are not alone, and I feel your pain, which is why I added this section for people just like you and me.

I cannot tell you the amount of times I got the message Failed to connect to Let’s Encrypt. Please make sure the domain name is valid. IT IS VALID, DAMN YOU!!

No matter what I tried out there I could not get any success. I stayed up night after night restarting everything until one day it hit me. I had not allowed given access to the ports 80 and ports 433 to my NAS from my router. Yes, you need both (which will seem obvious when I say it) as port 80 is the standard port for http and port 443 for https. Once this is done, it just works. In my case I just pointed 443 and this is not enough to get the certificate. It needs both ports 80 and 443.

Another issue may be that you haven’t set up your DDNS correctly or your custom domain name, but I assume if you tested earlier, this is very unlikely.

Although most of you may already know this. I did not back then and will leave it here in case anyone else is like I was. Heading down a Rabbit Hole of Google searches, videos Facebook posts and more.

Hopefully now you have that set you can go back and start the process again to get your certificate.

So we now have our certificate and if you visit your custom domain with https:// in front of it, via a web browser, you should see the page load with the secure padlock at the start of the web browser address. The page at this stage should be showing your Synology NAS login page.

2. Setup Nginx and Reverse Proxy on Your Synology NAS

The next part is to tell the Synology NAS that the custom domain you are using is for the Docker Image, in our instance, running Home Assistant. We do this with the magic of Nginx and Reverse Proxy.

To do this you need to head over to the Application Portal inside the Control Panel and select Reverse Proxy and click Create.

By default, you have to give a Description here. This can be anything you like; Something like Home Assistant works just fine.

Protocol is about the incoming traffic to the NAS. As we are adding an SSL or Certificate, we need the HTTPS option. Should you want non encrypted access, then just duplicate the rule but this time with HTTP.

The Hostname is the custom domain name you are using. I use many different subdomains at home for different things, but this can also be its own domain without the first part if you have it available such as rather than, if you so wish.

You will need the Port to be set to 433 if you wish to access your Home Assistant externally without the need of an added port number. If you wish to use something like then you would use 8123 instead of 443 here.

Skip the next sections until you get to the Destination section. This is where we want our custom domain to go to. These settings are very similar to the Source settings but this time should be more familiar. These settings are the same settings you currently use to access your Home Assistant instance at home locally via a local IP address such as 192.168.1.XX:8123 then these are the details, we will use.

The Protocol should be HTTP and the Hostname should be just the local IP address of Home Assistant. Finally add the Port which is normally 8123 unless you have changed it for any reason.

Once complete, click the top row, Custom Header.

The next step is very important and one of the most forgotten is creating the Web Socket from the menu.

Those familiar with Nginx will understand this but it does not matter if you don’t. There is no need to know how it works at this stage, just accept you need it and it wont work without it and its one click as the details are filled for you automatically.

Once these details are complete, click Advanced Settings

The final step in this process and that is to change the Proxy Read Timeout from 60 to 86400. Click OK and the Reverse Proxy will be setup and we have one final step to do to link it all together.

3. Assign Your Lets Encrypt SSL Certificate To The Service

The final stage is to assign the Certificate to the service back in the Security menu.

Click Configure and choose the Services which will be shown by your custom domain name and select the appropriate Certificate from the Dropdown menu. Click OK.

Now go to a web browser, and enter the URL we just setup ensuring https:// is at the front. It should bring you to the Home Assistant Login screen. Congratulations, you now have secure access and can use integrations such as Samsung Smart Things, Alexa, Google and many more.

Was this article helpful?

We help people of all levels and ability with their Home Automation, Holiday Lights, Networking and Home Security installations. If you need support, no matter what stage you are at with your project, get in touch with us today to find out how we could help.

Did you notice any errors with this article or have things changed since we write this? Click here to let us know.

Design, Build, Install

Contact us today to find out about our bespoke Home Automation, Holiday Lighting, Networking and Home Security services.

Home Automation Store

Why Proptimise ?

Tried and Tested

We only sell products which have been tried and tested by our team in our own installation.

Flexible Delivery

We offer a range of flexible delivery options including free delivery on orders over £95.

Multibuy Discounts

Look out for tiered discounts when purchasing bulk quantities of the same item.

Free Support

Need a helping hand getting started with your purchase? Get free setup support from our team.