I recently decided to add a trusted SSL certificate to my Synology NAS from a Certificate Authority (CA) so that Synology Apps such as the Amazon Fire TV Stick version of the DS-Video app can connect to my Synology securely.
Unfortunately my initial attempts to use Let’s Encrypt for the SSL certificate failed as it appears the recent updates of the DiskStation operating system have fundamentally broken the Let’s Encrypt installation.
After a few frustrating days, I decided to fork-out some cash for an SSL certificate, I used GoDaddy as I have an account with them already and I know their SSL platform well.
Installing the certificate was reasonable easy once I’d issued a CSR (Certificate Signing Request) on the Synology. I made my shiny new certificate the default for all of the Synology applications and removed all other certificates.
I logged in via a Chrome on my PC to confirm that the SSL certificate was working and can clearly see the browser is establishing a connection to my Synology NAS using the GoDaddy certificate.
Unfortunately, no matter what I do, my Amazon Fire TV sticks refuse to connect, telling me that the SSL certificate of the DiskStation is not trusted (more details below). To try and diagnose this, I did some testing with various app versions on various platforms.
The workaround is detailed in the summary below.
Behaviour of DS-Video on Android Mobile Devices
On all of my Android devices, the DS-Video app and the DS-Cam both ask for the new certificate to be accepted but will still refuse the connection after this point, giving the error message:
The SSL certificate of the DiskStation is not trusted. This may mean that it is a self-signed certificate, or someone may be trying to intercept your connection.
To fix this, you have to deselect the Verify Certificate option under the login settings (click the cog icon at the login screen).
If you untick, Verify Certificate the problem goes away – this is all despite my SSL cert being a full third party trusted certificate. There are reports of this issue going back as far as 2015 on the Synology forums: https://forum.synology.com/enu/viewtopic.php?t=108437.
Behaviour of Fire TV DS-Video on Amazon Fire TV Sticks
Unlike the standard Android app, the DS-Video app from the Amazon Fire TV Appstore doesn’t work with SSL. I suspect this is because this version of the app suffers from the same issue as the standard app (it doesn’t correctly verify SSL certificates) but with one big difference: there is no option to disable certificate verification (whatever they mean by that) as there is not Verify Certificate checkbox to select.
Behaviour of Standard DS-Video Side-loaded on to Amazon Fire TV Sticks
In the early days of the Amazon Fire TV sticks the DS-Video app wasn’t available in the Appstore and so the only way to get it on to a fire stick was to sideload it (I wrote a blog entry explaining how to do this here). I reverted to this technique to sideload the non-fireTV version of the App to see how it behaves.
As expected, the standard version of the DS-Video app behaves exactly the same as when installed on an Android mobile device. It doesn’t work over SSL when the Verify Certificate checkbox is selected but as soon as that is unchecked, voila! We have an SSL connection to the Synology NAS.
Behaviour of Firefox on Amazon Fire TV Sticks
In an attempt to diagnose the issues above, I also installed the Firefox app (from the FireTV Appstore) to see how it handled the SSL certificate – interestingly, it refused to connect to my Synology NAS, giving a similar error about the certificate being untrusted. This despite the fact that on any other device (PC, Tablet) on any other browser (Firefox, Chrome, Edge) the certificate is correctly identified and used with no problems (no need to ‘override’ a security warning, etc).
Summary
Its difficult to know what’s going on here but I suspect there is more than one issue at play causing similar problems:
- Deploying the non-FireTV version of the DS-Video app enables it to connect via SSL to a Synology NAS (instructions here)
- There appears to be a problem with Synology Android apps generally where the ‘Verify Certificate’ process doesn’t work.
- It appears that some Apps from the Amazon Fire TV Appstore may also have trouble with some SSL certificates too. I don’t know if my evidence of this (Firefox flagging a problem) could be down to something else such as the FireTV Firefox app using the Silk browser infrastructure (a service design for compression of the HTML, etc), perhaps it is acting as proxy? Pure conjecture as I’ve now lost the will to live in the pursuit of an answer! 🙂
It’s probable you didn’t install the proper intermediate SSL certs. Web browsers these days will use the intermediate certs they’ve picked up from other sites and use them rather than complaining about the problem. There are online SSL checker sites that flag such issues, or you can create a new blank profile in your browser, don’t let it go to ANY sites (even the default) and visit your SSL site first… Then you’ll see the problem.
Hi Stan,
Thanks for commenting! If you could explain a bit more it would be helpful because my understanding of intermediate certificates is that they are used to *sign* the end certificates (generally by certificate authorities rather than the end certificate users). For my part, I have tried both Let’s Encrypt certificates and also a purchased one, using a CSR (Certificate Signing Request) to reduce the likelihood of problems. This certificate is what I have installed and it works fine with all browsers/applications *apart* from those on an Amazon FireTV Stick.
UPDATE: I tried an SSL checker as recommended and you’re right, it suggested problems with the ‘intermediate’ SSL certificate – I didn’t realise this was part of what was contained in the ‘*bundle.crt’ file. I’m pretty sure I included this but have re-keyed, installed and will try again! Thanks again for the help.
Alas no joy on this front – I have it working on some fire tv sticks and not working on others and can’t seem to see any commonality 🙁