Synology Let’s Encrypt DNS-01 cert issue and install

Install the acme.sh Client

  • SSH to the Synology DiskStation.
  • Run sudo -i to become root.
  • Install acme.sh manually:
    $ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
    $ tar xvf master.tar.gz
    $ cd acme.sh-master/
    $ ./acme.sh --install --nocron --home /usr/local/sbin/acme.sh

Log out and log back in. The install is now done :)

  • Next, do the configuration:
    $ cd /usr/local/sbin/acme.sh
    $ export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
    $ export CF_Email="[email protected]"
  • Issue and install the certs. Adjust the command below to reflect your own path and domain name.
    $ ./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf \
        --certpath /usr/syno/etc/certificate/_archive/PATH/cert.pem \
        --keypath /usr/syno/etc/certificate/_archive/PATH/privkey.pem \
        --fullchainpath /usr/syno/etc/certificate/_archive/PATH/fullchain.pem \
        --capath /usr/syno/etc/certificate/_archive/PATH/chain.pem \
        --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload"
  • Configure crontab for root:
    $ vi /etc/crontab
    Add the following line to the crontab. Remember to use tabs for spacing.
0	10	2	*	*	root	/usr/local/sbin/acme.sh/acme.sh --cron --home /usr/local/sbin/acme.sh/

Create Scheduled Task to Publish New Certs to System Default Cert Store

Before we set up a scheduled task to copy your certificate and key files from their DSM store to the default location, I would recommend launching Control Panel / Security / Certificate and verifying that your self-signed certificate has been replaced by your new Let’s Encrypt certificate.
Once your certificate is in good working order, log into DSM on your DiskStation and launch Control Panel. Next, open the Task Scheduler and create a new scheduled task for a user-defined script.

  • General Setting: Task – Update default Cert. User – root
  • Schedule: Set the time according to your acme.sh crontab schedule. For example, 11:00 am on the 2nd day of every month.
  • Task setting: User-defined script
    rsync -avzh /usr/syno/etc/certificate/_archive/PATH/ /usr/syno/etc/certificate/system/default/
    /usr/syno/etc/rc.sysv/nginx.sh reload
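
The task above copies whatever is in the archive directory and then reloads nginx. As an added example (not part of the original page or of acme.sh), the script below checks the files first: they exist, the certificate parses and is not about to expire, and the private key matches it. The 7-day threshold, the return codes and the --publish switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original page: validate the renewed files
# before copying them over the system default certificate.
# SRC keeps the page's PATH placeholder; replace it with your directory.
SRC="${SRC:-/usr/syno/etc/certificate/_archive/PATH}"
DST="${DST:-/usr/syno/etc/certificate/system/default}"
MIN_VALID_SECS="${MIN_VALID_SECS:-604800}"  # assumed policy: >= 7 days left

# Public key (PEM) embedded in a certificate / derived from a private key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_cert_set DIR: 0 = safe to publish, 1 = file missing or empty,
# 2 = unparsable, expired or expiring soon, 3 = private key does not match.
check_cert_set() {
    dir="$1"
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    openssl x509 -in "$dir/cert.pem" -noout -checkend "$MIN_VALID_SECS" \
        >/dev/null 2>&1 || { echo "cert.pem invalid or expiring" >&2; return 2; }
    cert_pub=$(pubkey_of_cert "$dir/cert.pem")
    key_pub=$(pubkey_of_key "$dir/privkey.pem")
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem" >&2
        return 3
    fi
    return 0
}

# publish: copy and reload only after the checks pass, so a failed or
# partial renewal never replaces the certificate nginx is serving.
publish() {
    check_cert_set "$SRC" || return $?
    rsync -a "$SRC/" "$DST/" || return 4
    /usr/syno/etc/rc.sysv/nginx.sh reload
}

# Act only when called with --publish, e.g. from the scheduled task.
if [ "${1:-}" = "--publish" ]; then
    publish
fi
```

Saved as a root-owned file, it can be called with --publish as the task's user-defined script in place of the two commands above.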

 

To fix the env after Synology DSM upgrade

SSH to DSM after the DSM upgrade completes and use the commands below to fix the broken environment.

cd /usr/local/sbin/acme.sh
./acme.sh --upgrade --nocron --home /usr/local/sbin/acme.sh