Synology Letsencrypt DNS-01 cert issue and install

Synology Letsencrypt DNS-01 cert issue and install

—Update: 17 April 2020—

If your Synology device support Docker and prefer to use Docker to issue Let’s encrypt ssl certificate, please read this post.


Since Synology introduced Let’s Encrypt, many of us benefit from free SSL.

On the other hand, many of us don’t want to expose port 80/443 to the Internet. The alternative is to use the DNS-01 protocol. Sadly the Synology implementation of Let’s Encrypt currently (1-Jan-2017) only supports the HTTP-01 method which requires exposing port 80 to the Internet.

But we can access the NAS via SSH and configure it to renew certs instead of using the web dashboard.

The following guide will use the DNS-01 protocol using the Cloudflare API, where I host my domain.

Install the acme.sh Client

  • SSH to Synology DiskStation.
  • sudo -i to root login.
  • Install acme.sh manually.
$ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/sbin/acme.sh
  • Logout and login back again. so install is done :)
  • next step is to do the configuration:
    $ cd /usr/local/sbin/acme.sh
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" 
export CF_Email="[email protected]" 
  • If export env not work for you, you can modify /usr/local/sbin/acme.sh/account.conf with above CF account and api token instead.
  • UPDATE: CLOUDFLARE HAS CHANGED ITS API. Please use below format of token and account id.
export CF_Token="32jfjsah3wjhfalfxxxxxxx" export CF_Account_ID="6axxxxxxxxxxxxxxxxxxxxx"
  • Issue and install the certs. The code below to reflect your own path and domain name. You can go to
    ls /usr/syno/etc/certificate/_archive/ 

    first to check what is your own Random PATH it is, then replace your PATH name to below command.

./acme.sh  --issue -d YOURDOMAIN.TLD --dns dns_cf \
--certpath /usr/syno/etc/certificate/_archive/#Random PATH#/cert.pem \
--keypath /usr/syno/etc/certificate/_archive/#Random PATH#/privkey.pem \
--fullchainpath /usr/syno/etc/certificate/_archive/#Random PATH#/fullchain.pem \
--capath /usr/syno/etc/certificate/_archive/#Random PATH#/chain.pem \
--reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload"

Create Scheduled Task to Publish New Certs to System Default Cert Store

Before we setup a scheduled task to manage copying your certificate and keyfiles from their DSM store to the default location, I would recommend launching Control Panel / Security / Certificate and verifying that your self-signed certificate has been replaced by your new Let’s Encrypt certificate.
Once your certificate is in good working order, log into DSM on your DiskStation and launch Control Panel. Next, open the Task Scheduler and create a new scheduled task for a user-defined script.

In DSM control panel, open the ‘Task Scheduler’ and create a new scheduled task for a user-defined script.

  • General Setting: Task – Update default Cert. User – root
  • Schedule: Setup the time according to your acme.sh crontab schedule. For example, 11:00 am of the 2nd day every month.
  • Task setting: User-defined-script
/usr/local/sbin/acme.sh/acme.sh --renew -d YOURDOMAIN.TLD --home /usr/local/sbin/acme.sh --force
sleep 2m
rsync -avzh /usr/syno/etc/certificate/_archive/#Random PATH#/ /usr/syno/etc/certificate/system/default/
/usr/syno/etc/rc.sysv/nginx.sh reload


Fix the env after Synology DSM upgrade

ssh to DSM after DSM upgrade complete, use the below the command to fix the broken env.

cd /usr/local/sbin/acme.sh
./acme.sh --upgrade --nocron --home /usr/local/sbin/acme.sh --force


I am the contributor of https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide wiki page. This post is licensed under CC BY-NC-SA 3.0 Unported.

Leave a Reply


  • mbonne

    Please advise readers where to store the “cloudflare account API and user” using export to store the variable in the terminal session didn’t work for me(I was able to find out using the –debug flag.
    Also, is the use of &nbsp in the cron instructions intentional? When I look at other jobs listed in that file, they don’t contain the literal representation of non-breaking space.
    Thanks for the write up.

    4 years ago Reply
    • FelixOwner

      @mbonne: Thanks, @mbonne. All good. I’ve updated the content based on your suggestion. There’s some format issue caused by new plugin that brings some confusing.

      4 years ago Reply
  • mbonne

    Also, for other readers – remember to change the path in the user define script: /usr/syno/etc/certificate/_archive/RANDOM FOLDER NAME/ the slash at end so rsync can copy out contents to /usr/syno/etc/certificate/system/default/

    4 years ago Reply
  • Mark

    Great article Felix! I used it as inspiration for an automated solution using acme.sh in Docker, you can find it here: https://github.com/markdumay/synology-tls

    4 years ago Reply
  • AvdG

    It might help to put the UPDATE at the top of the page. That way some poor sap like myself won’t go through the whole trouble of setting up the manual method just to discover there is a better way to do it using Docker at the very end. ;-)

    4 years ago Reply


Synology Letsencrypt DNS-01 cert issue and install
---Update: 17 April 2020--- If your Synology device support Docker and prefer to use Docker to issue Let's encrypt ssl certificate, please read this post. -------------…
Scan QR code to continue reading