Installing Let’s Encrypt SSL Certificates to give External Access to a Synology NAS running Home Assistant as a Docker Image
19 Nov 2020
When I first discovered Home Assistant, I opted to use the
core Docker image via my Synology. At the time it was a simple solution as I had
everything in place to just get started. Everything has always worked perfectly
for me since I started. I am of the opinion that if it’s not broken, don’t fix it.
I have read many other installation methods of Home Assistant and I am sure
they are also perfectly good too. I already had a Synology NAS in play as my Media
Server and, at the time, for using Surveillance Station to monitor my house.
I have a fixed IP address at home so I use a custom domain on
that IP address, although this same process can be applied with a DDNS provider
such as Duck DNS. I get 5 IP addresses via Virgin Media in the UK (they were
free at the time, so I just took them) but thanks to my NAS I have never
used all 5. So, all I need now is a Certificate and I am on my way to secure
access. The great news is that they are free with Let’s Encrypt and simple to
set up on a Synology NAS, if you know how.
Until today I had forgotten the headache I went through to achieve
this, until someone asked a simple question on the Home Assistant Facebook Group
about external access for Google. I remember the pain I went through years ago
to teach myself what is a very simple process, once you know how to do it. This
inspired me to write a guide for anyone else out there struggling through the
Before I start with the guide, I would like to say if you
are reading this and you have Facebook and have not joined the Home Assistant Facebook Group,
join it now. This group is full of people just like you, asking the same
questions you are and helping each other. It is a real community and great for
everyone whatever the level. You never know, you may even pick up some ideas.
1. You know your way around the Synology NAS UI.
We do not need to download any file or do anything via the command line or
2. You have set up your DDNS or Custom Domain name
to point to your NAS. For using Let’s Encrypt to get a new certificate, you
will need to point your router ports 80 and 443 to the NAS. I am assuming this
part you are comfortable with in some way as every router is different.
3. You have set up Home Assistant as a Docker Image on
your Synology NAS (although this guide also works perfectly well for other
Docker applications etc).
Setup a certificate with Let’s Encrypt
The first thing to do is create a Let’s Encrypt certificate
on your Synology NAS.
To do this you need to head over to your Synology NAS Control
Panel and select the Security menu. Inside the Security menu you
should see an option called Certificate.
Click Add and this will open a new window
We are going to Add a new Certificate. I am assuming
if you are reading this guide you do not already have one in place. Click Next.
Synology have made it very easy to do this process and have
an option for us to get a Let’s Encrypt certificate directly. This makes life
so much easier. Fill in the Description and select this option Get a certificate
from Let’s Encrypt and click Next.
Now you need to enter the custom domain name to which
you want the certificate applied. This is the domain name you are going to
use when you log in to Home Assistant from outside of your network, which you
have already set up to point to your Synology NAS from your router.
You can check this by visiting your custom domain in a
browser to see if it gives you access directly to your NAS login screen without
any port number. In the above example, if I was now to visit home.proptimise.co.uk
in a web browser, it should take me to my Synology NAS login screen without the
port number added at the end. If this all works correctly click Apply.
This will now process your request and communicate with Let’s
Encrypt to verify everything is set up correctly and assign the SSL Certificate.
This can take a few minutes and, if everything was a success, your certificate is
now in place and the screen will load to the main certificates overview page.
This should take you back to the overview screen with your Certificate showing
If this was successful, congratulations. We are nearly there
and just have a few more steps to finish the process in the application portal.
This means everything is set correctly and there are no apparent issues. If
this is the case you can now skip to the next step.
If, on the other hand, you are like me and have received what
I can only describe as a brick wall of failure, you are not alone, and I feel
your pain, which is why I added this section for people just like you and me.
I cannot tell you the number of times I got the message Failed
to connect to Let’s Encrypt. Please make sure the domain name is valid. IT
IS VALID, DAMN YOU!!
No matter what I tried out there I could not get any
success. I stayed up night after night restarting everything until one day it
hit me. I had not given access to ports 80 and 443 to my NAS
from my router. Yes, you need both (which will seem obvious when I say it) as
port 80 is the standard port for http and port 443 for https. Once this is done,
it just works. In my case I had only pointed 443 and this is not enough to get the certificate.
It needs both ports 80 and 443.
Another issue may be that you haven’t set up your DDNS
correctly or your custom domain name, but I assume if you tested earlier, this
is very unlikely.
Although most of you may already know this, I did not back
then and will leave it here in case anyone else is like I was, heading down a
rabbit hole of Google searches, videos, Facebook posts and more.
Hopefully, now that you have that set, you can go back and start
the process again to get your certificate.
So we now have our certificate and if you visit your custom
domain with https:// in front of it, via a web browser, you should see the page
load with the secure padlock at the start of the web browser address. The page
at this stage should be showing your Synology NAS login page.
The next part is to tell the Synology NAS that the custom
domain you are using is for the Docker Image, in our instance, running Home
Assistant. We do this with the magic of Nginx and Reverse Proxy.
To do this you need to head over to the Application
Portal inside the Control Panel and select Reverse Proxy and
By default, you have to give a Description here. This
can be anything you like; something like Home Assistant works just fine.
Protocol is about the incoming traffic to the NAS. As
we are adding an SSL Certificate, we need the HTTPS option. Should
you want non-encrypted access, then just duplicate the rule but this time with HTTP.
The Hostname is the custom domain name you are using.
I use many different subdomains at home for different things, but this can also
be its own domain without the first part if you have it available such as proptimise.co.uk
rather than home.proptimise.co.uk, if you so wish.
You will need the Port to be set to 443 if you
wish to access your Home Assistant externally without the need of an added port
number. If you wish to use something like home.proptimise.co.uk:8123 then you
would use 8123 instead of 443 here.
Skip the next sections until you get to the Destination
section. This is where we want our custom domain to go to. These settings are
very similar to the Source settings but this time should be more
familiar. These settings are the same settings you currently use to access your
Home Assistant instance at home. If you access it locally via a local IP address
such as 192.168.1.XX:8123, then these are the details we will use.
The Protocol should be HTTP and the Hostname
should be just the local IP address of Home Assistant. Finally add the Port
which is normally 8123 unless you have changed it for any reason.
Once complete, click the top row, Custom Header.
The next step is very important and one of the most
forgotten: creating the Web Socket from the menu.
Those familiar with Nginx will understand this but it does
not matter if you don’t. There is no need to know how it works at this stage, just
accept you need it and it won’t work without it, and it’s one click as the details
are filled for you automatically.
Once these details are complete, click Advanced Settings
The final step in this process is to change the Proxy
Read Timeout from 60 to 86400. Click OK and the Reverse Proxy
will be set up, and we have one final step to do to link it all together.
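For readers who do know Nginx, the Reverse Proxy rule built above corresponds roughly to the configuration below. This is an added example written by hand, not the file DSM generates and not part of the original guide; the hostname, backend address and certificate paths are placeholders.

```nginx
# Added example: hand-written nginx equivalent of the DSM Reverse Proxy rule.
# Belongs inside the http {} context. Hostname, backend IP and certificate
# paths are placeholders (assumptions), not values read from a Synology NAS.

# Send "Connection: upgrade" to the backend only when the client asked for it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Source: Protocol HTTPS, Hostname = custom domain, Port 443
    listen 443 ssl;
    server_name home.example.com;             # placeholder for your domain

    # The Let's Encrypt certificate assigned to this service (placeholder paths)
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # Destination: Protocol HTTP, local IP of Home Assistant, Port 8123.
        # TLS ends at the NAS; this last hop is plain HTTP on the LAN.
        proxy_pass http://192.168.1.10:8123;  # placeholder LAN address

        proxy_set_header Host $host;

        # Custom Header > WebSocket: pass the upgrade handshake through,
        # which the Home Assistant frontend relies on
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Advanced Settings: Proxy Read Timeout 60 -> 86400 seconds (24 hours),
        # so a quiet WebSocket connection is not dropped after one minute
        proxy_read_timeout 86400;
    }
}
```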
The final stage is to assign the Certificate to the service
back in the Security menu.
Click Configure and choose the Services which
will be shown by your custom domain name and select the appropriate Certificate
from the Dropdown menu. Click OK.
Now go to a web browser, and enter the URL we just set up
ensuring https:// is at the front. It should bring you to the Home Assistant
Login screen. Congratulations, you now have secure access and can use integrations
such as Samsung Smart Things, Alexa, Google and many more.