I recently decided to add a trusted SSL certificate to my Synology NAS from a Certificate Authority (CA) so that Synology Apps such as the Amazon Fire TV Stick version of the DS-Video app can connect to my Synology securely.
Unfortunately my initial attempts to use Let’s Encrypt for the SSL certificate failed as it appears the recent updates of the DiskStation operating system have fundamentally broken the Let’s Encrypt installation.
After a few frustrating days, I decided to fork out some cash for an SSL certificate. I used GoDaddy as I have an account with them already and I know their SSL platform well.
Installing the certificate was reasonably easy once I’d issued a CSR (Certificate Signing Request) on the Synology. I made my shiny new certificate the default for all of the Synology applications and removed all other certificates.
I logged in via Chrome on my PC to confirm that the SSL certificate was working and could clearly see that the browser was establishing a connection to my Synology NAS using the GoDaddy certificate.
Unfortunately, no matter what I do, my Amazon Fire TV sticks refuse to connect, telling me that the SSL certificate of the DiskStation is not trusted (more details below). To try and diagnose this, I did some testing with various app versions on various platforms.
The workaround is detailed in the summary below.
Behaviour of DS-Video on Android Mobile Devices
The SSL certificate of the DiskStation is not trusted. This may mean that it is a self-signed certificate, or someone may be trying to intercept your connection.
To fix this, you have to deselect the Verify Certificate option under the login settings (click the cog icon at the login screen).
If you untick Verify Certificate, the problem goes away – this is all despite my SSL cert being a full third party trusted certificate. There are reports of this issue going back as far as 2015 on the Synology forums: https://forum.synology.com/enu/viewtopic.php?t=108437.
Behaviour of Fire TV DS-Video on Amazon Fire TV Sticks
Unlike the standard Android app, the DS-Video app from the Amazon Fire TV Appstore doesn’t work with SSL. I suspect this is because this version of the app suffers from the same issue as the standard app (it doesn’t correctly verify SSL certificates) but with one big difference: there is no option to disable certificate verification (whatever they mean by that) as there is no Verify Certificate checkbox to select.
Behaviour of Standard DS-Video Side-loaded on to Amazon Fire TV Sticks
In the early days of the Amazon Fire TV sticks the DS-Video app wasn’t available in the Appstore and so the only way to get it on to a fire stick was to sideload it (I wrote a blog entry explaining how to do this here). I reverted to this technique to sideload the non-fireTV version of the App to see how it behaves.
As expected, the standard version of the DS-Video app behaves exactly the same as when installed on an Android mobile device. It doesn’t work over SSL when the Verify Certificate checkbox is selected but as soon as that is unchecked, voila! We have an SSL connection to the Synology NAS.
Behaviour of Firefox on Amazon Fire TV Sticks
In an attempt to diagnose the issues above, I also installed the Firefox app (from the FireTV Appstore) to see how it handled the SSL certificate – interestingly, it refused to connect to my Synology NAS, giving a similar error about the certificate being untrusted. This despite the fact that on any other device (PC, Tablet) on any other browser (Firefox, Chrome, Edge) the certificate is correctly identified and used with no problems (no need to ‘override’ a security warning, etc).
It’s difficult to know what’s going on here but I suspect there is more than one issue at play causing similar problems:
- Deploying the non-FireTV version of the DS-Video app enables it to connect via SSL to a Synology NAS (instructions here)
- There appears to be a problem with Synology Android apps generally where the ‘Verify Certificate’ process doesn’t work.
- It appears that some Apps from the Amazon Fire TV Appstore may also have trouble with some SSL certificates too. I don’t know if my evidence of this (Firefox flagging a problem) could be down to something else such as the FireTV Firefox app using the Silk browser infrastructure (a service designed for compression of the HTML, etc.); perhaps it is acting as a proxy? Pure conjecture as I’ve now lost the will to live in the pursuit of an answer! 🙂
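
A check worth running when a certificate is accepted by desktop browsers but rejected by other clients, as described above (an added example, not part of the original post and not Synology's code): it parses the chain summary printed by `openssl s_client -connect HOST:PORT -showcerts` and reports whether the server sent its intermediate certificates, which matters because some clients validate only what the server sends while desktop browsers can often fill in a missing intermediate themselves. The hostname, CA names and sample output are constructed, and whether this applies to the setup in the post is an assumption.

```python
import re

# Lines of the "Certificate chain" section printed by
# `openssl s_client -connect HOST:PORT -showcerts`.
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# Constructed sample output (not captured from a real server).
LEAF_ONLY = """Certificate chain
 0 s:CN = nas.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA
---
"""
FULL_CHAIN = """Certificate chain
 0 s:CN = nas.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA
 1 s:C = US, O = Example CA, CN = Example Issuing CA
   i:C = US, O = Example CA, CN = Example Root CA
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in output.splitlines():
        if (m := SUBJECT_RE.match(line)):
            subject = m.group(1).strip()
        elif (m := ISSUER_RE.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def chain_findings(chain):
    """Problems for a client that validates using only the certificates sent.
    Linkage is compared by name only; signatures are not checked here."""
    if not chain:
        return ["no certificates found in output"]
    findings = []
    leaf_subject, leaf_issuer = chain[0]
    if leaf_subject == leaf_issuer:
        findings.append("leaf certificate is self-signed")
    elif len(chain) == 1:
        findings.append(f"only the leaf was sent; intermediate '{leaf_issuer}' is missing")
    for i, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            findings.append(f"certificate {i} is not issued by certificate {i + 1}")
    return findings

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", chain_findings(parse_chain(sample)) or "no chain gaps found")
```

An empty findings list means the server presented a chain that links up to a certificate whose issuer should be in the client's trust store; it does not prove that store actually contains that root.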