Securing Ubooquity with Let’s Encrypt on Synology DSM

Update, 2020-06-11: I’m now using Synology’s built-in NGINX-based reverse proxy instead. The instructions below may not work.


Whew, that’s a very specific title. I don’t know if this will be useful to anyone else, but it took a fair amount of work to figure it out, so I figured I’d document it. There will be more Mac stuff soon, I promise!

If you haven’t heard, Let’s Encrypt is an excellent service, with the aim of securing the internet by offering free HTTPS certificates to anyone who requests one. In fact, I’m using one on this website right now. 🙂

With DSM 6.0, Synology added the ability to request a free certificate from Let’s Encrypt to secure your NAS. DSM handles renewing your certificate, which must happen every 90 days (one of the limitations of the free certificate, but nothing that can’t be automated).

Unrelated for the moment, but I’ve been using Ubooquity (through Docker!) for the past few months, and it’s been pretty neat. You can point Ubooquity to a directory of ePub and PDF files, and it’ll allow you to access the files remotely using reader apps like Marvin, KyBook, or Chunky. I have a habit of buying tech books and comics through Humble Bundle sales, but transferring the files to my iPad through iTunes/iBooks is clunky and requires a fair amount of disk space upfront.

Although Ubooquity supports user authentication, you’ll want that to happen over HTTPS, to keep your passwords secure. Luckily, Ubooquity supports HTTPS, but requires the certificate (and other associated files) to be in a format called a “keystore”. What?!

Here’s how to leverage DSM’s Let’s Encrypt support to secure Ubooquity, automatically.

  1. First, you’ll want to set up Let’s Encrypt in DSM’s Control Panel. See Synology’s documentation.
  2. Next, you’ll want to get Ubooquity up and running (I recommend the Docker image mentioned above). Synology’s documentation covers that, too. If your eBook library is a mess Calibre will make quick work of that.
  3. For this to work, you’ll also need the Java 8 JDK installed. This will give you access to the ‘keytool’ command you’ll need to create your keystore. Once again, see Synology’s documentation.
  4. Now, you’ll put all of this together. In a nutshell: you’re going to use the Let’s Encrypt certs that DSM has helpfully obtained for you, convert those to a keystore, put the keystore in Ubooquity’s config directory, and tell Ubooquity to use it to secure its interface. Here’s a script to get you started – note that you’ll need to edit lines 11, 12, and 15 for your environment. Thanks to Saltypoison on the Ubooquity forums for most of the code that became this script!
  5. Once you’ve successfully run the script, I recommend using DSM’s Task Scheduler to have it run once a day. This way, Ubooquity’s certificate will always be up to date with DSM’s certificate. That’s right, I’m going to link you to Synology’s documentation.
  6. Finally, you’ll need to tell Ubooquity where to find your keystore. Login to the Ubooquity admin interface, then click the Security tab. You’ll see two boxes – one for the path to your keystore, and one for the keystore password. Enter both. Click ‘Save and Restart’ at the top-right corner.
  7. Now, try accessing your Ubooquity instance using https and your FQDN! If it doesn’t work, make sure you’re forwarding the appropriate ports from your router to your Synology server – you’ll need to do this for both the eBook interface, and the admin interface (which are accessible via two different ports).
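An added example of what steps 4 and 5 amount to in practice (this is not the script from the post or Saltypoison's forum code): a POSIX shell script that turns the PEM files DSM keeps for its Let's Encrypt certificate into a keystore for Ubooquity, plus a freshness check so a daily Task Scheduler run only rebuilds (and so only forces a Ubooquity restart) after DSM has actually renewed. The file names privkey.pem and fullchain.pem are the ones DSM uses; the certificate directory itself is an assumption you will have to fill in for your system.

```shell
#!/bin/sh
# Added example: rebuild Ubooquity's keystore from the PEM files DSM keeps for a
# Let's Encrypt certificate. Not the script from the original post or Saltypoison's code.
# Assumptions: CERT_DIR holds privkey.pem and fullchain.pem (DSM's file names; the
# directory itself is an assumption, locate it via Control Panel > Security > Certificate),
# and keytool from the Java 8 JDK is on PATH when the JKS conversion should run.
set -eu

# build_keystore CERT_DIR OUT_DIR PASSWORD
# Writes OUT_DIR/ubooquity.p12 and, if keytool is available, OUT_DIR/ubooquity.jks.
# Returns 1 without touching OUT_DIR if an input file is missing or unreadable.
build_keystore() {
  cert_dir=$1 out_dir=$2 password=$3
  for f in privkey.pem fullchain.pem; do
    [ -r "$cert_dir/$f" ] || { echo "missing or unreadable: $cert_dir/$f" >&2; return 1; }
  done
  mkdir -p "$out_dir"
  umask 077    # the keystore contains the private key: make it owner-readable only
  # fullchain.pem lists the leaf certificate first, then the intermediates, so one -in
  # covers the whole chain; -name sets the alias of the entry inside the store.
  openssl pkcs12 -export -name ubooquity \
    -in "$cert_dir/fullchain.pem" -inkey "$cert_dir/privkey.pem" \
    -out "$out_dir/ubooquity.p12" -passout "pass:$password"
  if command -v keytool >/dev/null 2>&1; then
    rm -f "$out_dir/ubooquity.jks"    # keytool refuses to overwrite an existing alias
    keytool -importkeystore -noprompt \
      -srckeystore "$out_dir/ubooquity.p12" -srcstoretype PKCS12 -srcstorepass "$password" \
      -destkeystore "$out_dir/ubooquity.jks" -deststoretype JKS -deststorepass "$password"
  fi
}

# keystore_is_current CERT_DIR OUT_DIR: succeeds when the keystore is newer than the
# certificate, so a scheduled run can skip the rebuild until DSM has renewed the cert.
keystore_is_current() {
  [ -f "$2/ubooquity.p12" ] && [ "$2/ubooquity.p12" -nt "$1/fullchain.pem" ]
}
```

In Task Scheduler, call `keystore_is_current "$CERT_DIR" "$OUT_DIR" || build_keystore "$CERT_DIR" "$OUT_DIR" "$PASSWORD"` with OUT_DIR set to Ubooquity's config directory; the keystore password you pass here is the one you enter on Ubooquity's Security tab.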

I’ll probably post more Synology/Docker stuff in the future, as I’ve been spending a lot of time with both. They’re really awesome!


10 Comments

  1. jcd

    Another way around this, which I have done, is to use the reverse proxy feature of Synology. No need to set up a keystore extra. Check out https://www.grahamleggat.com/blog/2017/8/21/synology-reverse-proxy-server.

    • Neat – I did the same thing for MunkiReport (there’s a later post about that), but I hadn’t figured it out when I got Ubooquity working.

      If the Java stuff breaks at some point, I’ll probably use the reverse proxy. Thanks for the tutorial, and the heads-up that it’d work!

  2. Chris

    Thanks for the detailed write up. Have you been able to try this out with the new URL format that ubooquity uses in their current version?

    The new format is ipaddress:port/ubooquity or ipaddress:port/ubooquity/admin.

    With this new format, it makes using the built-in Synology reverse proxy more or less impossible because you can’t add anything after the port number in the address path. Do you know if you can custom set the address to use or are you limited to the GUI options?

    Going off that, the link you provided for the java keystore documentation to synology’s site doesn’t really link to anything besides an explanation of java. Would you be able to provide more detail around using the keytool/keystore?

    I appreciate the write up and apologize if this posted twice, as the first time it didn’t seem to go through.

    • Hi Chris –

      Yep, I’m using Ubooquity 2.1.2. I ended up taking jcd’s advice and using DSM’s reverse proxy, though I got a wildcard certificate (you can buy one, or jump through some hoops to get one from Let’s Encrypt). From there, I set up ubooquity.mydomain.com and ubooquity-admin.mydomain.com, and directed each to a different HTTP port. Synology’s reverse proxy can add HTTPS in the process, so I stopped messing with the Java keystore altogether. I removed Ubooquity’s reverse proxy prefix in the admin section.

      I should really rewrite all of these articles, as I’ve completely switched over to the wildcard certificate and reverse proxy – it’s taken a lot of the complexity out of setting up these applications. I started looking into using Caddy or Traefik as an alternative to DSM’s nginx-based reverse proxy, but didn’t get too far.

      I hope this helps a little!

      Mike

      • Matt

        Any chance you could give some updated instructions, specifically Ubooquity?

        I’ve set up my DSM with a reverse proxy address (https://comics.mydomain.com) and it shows the link with the padlock as being secure, however when I go into the “Comics” link, it just times out, the “Latest Comics” link works fine.

        If I go in via the local address of 192.168.0.3:2202 on my browser, it opens fine.

        But moreso, I can’t find a way to enter the details into Chunky or Panels app to get it to connect to the server, it doesn’t want to accept https://comics.mydomain.com address as it seems to want a port, 2202 isn’t open on the router and 443 just times out.

        I thought the whole point of using the reverse proxy was that everything could go through 443 and I didn’t need to open unnecessary ports?

        Any help would be appreciated!

        • Hi Matt –

          I’ve been meaning for a while to write a reverse proxy tutorial, so I’ve got that in the works now. I added notes recently to the other articles that I don’t recommend using their methods anymore, but I left them up in case they’d be useful to someone else.

          For using Ubooquity with a reverse proxy, make sure these admin settings are adjusted:

          – In the Comics section, make sure that’s enabled. I don’t know if it’s strictly required, but I have it enabled at ‘/comics’.
          – I have Books configured similarly.
          – In Advanced, make sure ‘Enable OPDS feed’ is enabled. Reader apps like Marvin and Chunky rely on that feed to download books.
          – Also in Advanced, make sure Reverse Proxy Prefix is empty.

          I hope this helps!

          Mike

          • Matt

            I have it set up in that way, when you say you have it enabled at /comics, how do you mean? I only have an option to enable the module and which folders to share out.

            But the DSM sets it up as https://comics.mydomain.com (via the reverse proxy option and the mydomain.com is a dynamic hostname also set up in DSM) whereas it seems to want to set it up as https://mydomain.com/comics so I’m very confused as to how those two systems combine.

            I can get it working with the internal addresses, but I can’t get it to work externally.

          • In your Ubooquity admin page, click Comics at the top. Make sure “Activate comics sharing module (CBZ, CBR and PDF files)” is checked. Below that, under Shared Folders, do you see anything listed? In my case, it says “/comics” and lists the user accounts that have access.

            Also, on the Advanced tab, I’ve removed Reverse Proxy Prefix.

            For using the reverse proxy with Ubooquity, I only have two subdomains configured – one for Ubooquity, and one for Ubooquity Admin, since they’re offered on separate ports. Comics/books/etc. are offered on the ‘Ubooquity’ port. I don’t have separate subdomains based on the type of content.

  3. Matt

    Ah yes, the comics module is enabled (as I’m able to access it via the internal IP) and underneath is my share where the comics are stored.

    I still don’t understand what I’m doing wrong, I have it set up in DSM to reverse proxy https://comics.mydomain.com yet when I try to use Panels (iOS app, there’s a free testflight version with full features enabled) it doesn’t let me connect using the https secured dynamic hostname, as it only allows https connections.

    • VB

      Hi Matt,
      I think your issue is resolved just by removing the reverse proxy prefix in the Advanced settings.
      By removing that the site opens with just the port no.
