Problems renewing and updating a web server certificate provided by Synology NAS

I previously provided a write-up on my adventures leveraging the features of my Synology NAS to request a Let’s Encrypt certificate and then subsequently copying that off the NAS and making use of it with my DEVONthink web server. I seem to have hit a stumbling block and need help figuring out how to renew it now that I’ve learned those certificates are good only for three months at a time.

First, the good news: it was a piece of cake to renew the certificate again using the built-in features of the Synology NAS. I’ll explain how I did that here:

  1. Logged into the admin web site for my NAS. Started the control panel, chose the “Security” option from the “Connectivity” option on the left, and clicked the “Certificate” option at the top.
  2. I then selected the certificate that had expired, clicked the “Action” dropdown above the list of certificates, chose the “Renew certificate” option, and let it do its thing.

After about a minute or so, the process completed successfully, and when I refreshed the admin page to my NAS I saw the certificate had been updated. At that point, I figured updating the certificate used by DEVONthink would be a piece of cake. I got the updated certificate files from the NAS, used the same openssl utility as before to create a new *.p12 file from the updated cert.pem and privkey.pem files, and then loaded that up in DEVONthink as before.

Unfortunately, my every attempt to connect to the DEVONthink web server keeps telling me the certificate file expired days ago. I know that’s not true because the same certificate file secures my connections to the NAS just fine on my home network through the certificate’s domain name, so the very same certificate should secure the same domain name on a different port for my DEVONthink web server just fine. It almost seems like somehow DEVONthink has “cached” or somehow otherwise retained and is still using the old certificate file, even though I’ve told it to use the new one.

Can somebody help me out with this? Maybe point me in the right direction? I don’t understand why the very same procedure that worked to set it up in the first place is now not working with an updated set of files.

Did you check the keychain for outdated/duplicate certificates? DEVONthink on its own doesn’t cache or store certificates.

A friend of mine had a similar problem (but not related to DT) on one of his macOS machines but not on others. All of them but one accepted the password and certificate from the keychain.

His solution was to completely remove the local keychain (read: local) and restart. Once the local keychains synchronised from the iCloud one, it worked. (Don’t ask me how to do it, because he told it in one of his podcasts and I don’t know how that can be done, as it must be a last-resort solution.)

I don’t even know how to do that as I’ve never interacted with the keychain for certificates. I “installed” the older version of the certificate I have using the DEVONthink preferences dialog by loading the *.p12 file I mentioned and then choosing the domain. Does DEVONthink somehow store that in the keychain? If so, can you maybe offer some guidance as to how to check that? I don’t think I’ve ever directly used the keychain app for anything before, only its indirect prompts to remember or provide a password.

I have the exact same configuration as you: Let’s Encrypt auto-renew certificate and never had any issue.

However, my procedure is a little bit different. I set it up in the Synology itself and after that I didn’t have any other interaction. I connect my DEVONthings (macOS, iPads, iPhone) by pointing them at the WebDAV URI with the password, and it is done. Never had any issue and never had to install or mess with the certificate itself. For years.

Just launch the Keychain app, search for the name of the certificate and check whether multiple entries of the same kind but with different expiration dates are returned.

That’s easy and different: the OP uses the same certificate for their DT server instance. And while the Synology automatically updates certificates issued by Let’s Encrypt, the DT server does not, since it’s not using Let’s Encrypt.
So, the OP has to manually update their certificate on the server each time it’s updated on the NAS, I suppose.


Ah, now I understand. Sorry.

No need to be sorry :wink: this certificate stuff is complicated and convoluted.


That did it. Thanks. For future reference for others, when you tell DEVONthink what certificate to use for its web server, whatever it does apparently “installs” that into the local keychain as well. I still don’t understand this problem for the life of me as there were a total of three certificates listed for my domain, two of which were out of date. Don’t ask me how I went from having two certificates with one out of date and one valid and it worked, to having three certificates with two out of date and one valid and it fails. That makes zero bloody sense to me. But as soon as I deleted all but the updated certificate from the keychain access app, I stopped having the problems. Thanks!
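The two checks this thread ends up needing, written up as an added example (not code from the thread, from Synology or from DEVONthink): confirm the renewed cert.pem and privkey.pem from the NAS actually belong together before building the .p12, and list every certificate the macOS keychains hold for the domain with its notAfter date so stale duplicates stand out. File names, the export password and the domain are assumptions; the keychain step relies on the macOS `security` tool.

```shell
#!/bin/sh
# Added example (not from the post or from DEVONthink): sanity-check the renewed
# cert.pem/privkey.pem from the NAS before building the .p12, and list every
# certificate the macOS keychains hold for the domain so leftovers with an old
# notAfter can be spotted. File names and the domain are assumptions.
set -eu

# One line per certificate in a PEM bundle: its subject and notAfter date.
# Works on a single cert.pem as well as on the multi-cert output of
# `security find-certificate -p`.
cert_expiry_lines() {
  block=""
  while IFS= read -r line; do
    block="$block$line
"
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      printf '%s' "$block" | openssl x509 -noout -subject -enddate | tr '\n' ' '
      printf '\n'
      block=""
    fi
  done < "$1"
}

# Succeeds only if privkey.pem is the private key for cert.pem (same public key).
# If a renewal produced a new key, pairing the new cert with the old key (or the
# other way round) yields a .p12 that imports fine but cannot serve TLS.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Build the PKCS#12 file DEVONthink imports: cert, key, output path, export password.
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# macOS only: dump every keychain certificate whose common name contains the
# domain into a bundle file and show each one's expiry. More than one line with
# differing notAfter values means leftovers from earlier imports are still there.
keychain_certs_for() {
  security find-certificate -a -c "$1" -p > "$2"
  cert_expiry_lines "$2"
}

# Usage (assumed paths and domain):
# key_matches_cert cert.pem privkey.pem && build_p12 cert.pem privkey.pem dt.p12 secret
# keychain_certs_for nas.example.test /tmp/keychain-certs.pem
```

Any keychain entry whose notAfter is in the past is one to remove before re-importing the fresh .p12; the entry with the newest notAfter is the one the NAS just issued.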