—Update: 17 April 2020—
If your Synology device supports Docker and you prefer to issue Let's Encrypt SSL certificates from a Docker container, please read this post.
—————————–
Since Synology introduced Let's Encrypt support, many of us benefit from free SSL certificates.
On the other hand, many of us don't want to expose port 80/443 to the Internet. The alternative is the DNS-01 challenge, which proves control of the domain with a TXT record instead of an inbound HTTP request. Sadly the Synology implementation of Let's Encrypt currently (1-Jan-2017) only supports the HTTP-01 challenge, which requires exposing port 80 to the Internet.
But we can access the NAS via SSH and configure it to issue and renew certs there instead of using the web dashboard.
The following guide uses the DNS-01 challenge through the Cloudflare API, where I host my domain.
Install the acme.sh Client
- SSH to Synology DiskStation.
- sudo -i to root login.
- Install acme.sh manually.
$ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/sbin/acme.sh
- Log out and log in again so the shell picks up the alias the installer added. Installation is done :)
- Next, configure it:
$ cd /usr/local/sbin/acme.sh
- Set your email and Cloudflare credentials. The original flow used the account's Global API key from https://www.cloudflare.com/a/account/my-account:
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="[email protected]"
The Global API key has full control of the entire Cloudflare account, so anyone who reads it off the NAS can change every zone you own; prefer the scoped token described in the update below.
- If exporting the variables does not work for you, put the same CF values in /usr/local/sbin/acme.sh/account.conf instead. acme.sh saves them to that file after the first successful issue anyway, so it holds a live Cloudflare credential: check that it is owned by root and readable only by root (mode 600).
- UPDATE: Cloudflare has since added scoped API tokens, and acme.sh supports them. Create a token limited to the zone you are issuing for (DNS edit, plus zone read) and use it together with your account ID instead of the global key:
export CF_Token="32jfjsah3wjhfalfxxxxxxx"
export CF_Account_ID="6axxxxxxxxxxxxxxxxxxxxx"
- Issue and install the certs. Edit the command below to reflect your own path and domain name. First run
ls /usr/syno/etc/certificate/_archive/
to find the random directory name DSM created for the certificate slot (if several are listed, pick the one whose cert.pem is the certificate you want to replace), then substitute it for #Random PATH# in the command below. acme.sh writes the issued files straight into that slot and runs the reload command afterwards, on every later renewal as well:
./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf \
  --certpath /usr/syno/etc/certificate/_archive/#Random PATH#/cert.pem \
  --keypath /usr/syno/etc/certificate/_archive/#Random PATH#/privkey.pem \
  --fullchainpath /usr/syno/etc/certificate/_archive/#Random PATH#/fullchain.pem \
  --capath /usr/syno/etc/certificate/_archive/#Random PATH#/chain.pem \
  --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload"
Create Scheduled Task to Publish New Certs to System Default Cert Store
In DSM control panel, open the ‘Task Scheduler’ and create a new scheduled task for a user-defined script.
- General Setting: Task – Update default Cert. User – root
- Schedule: Because acme.sh was installed with --nocron, this task is the only renewal schedule. Pick a time when a brief nginx reload is acceptable, for example 11:00 am on the 2nd day of every month.
- Task setting: User-defined-script
/usr/local/sbin/acme.sh/acme.sh --renew -d YOURDOMAIN.TLD --home /usr/local/sbin/acme.sh --force
sleep 2m
rsync -avzh /usr/syno/etc/certificate/_archive/#Random PATH#/ /usr/syno/etc/certificate/system/default/
/usr/syno/etc/rc.sysv/nginx.sh reload
Note that --force makes acme.sh obtain a brand-new certificate on every run whether or not the current one is close to expiry. With a monthly schedule that stays well inside Let's Encrypt's duplicate-certificate limit (5 per week), but do not run the task more often with --force in place. Without --force, acme.sh renews only once the certificate is 60 days old and exits with code 2 on the other runs. acme.sh runs in the foreground, so the sleep 2m does not provide any ordering guarantee; the rsync already waits for acme.sh to finish.
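The scheduled-task script above copies the archive slot into the default store and reloads nginx on every run. The following script is an added example, not code from the original post and not part of acme.sh: it does the same publish step but first checks that privkey.pem actually belongs to cert.pem, copies only when the certificate in the default store differs from the renewed one, writes each file via a rename so a half-written PEM is never visible, keeps the private key root-only, and reloads nginx only when something changed. It assumes the paths used in the post, a placeholder DSM_ARCHIVE_ID that you replace with your own random directory name, and acme.sh's behaviour of exiting 0 after a renewal and 2 when the certificate is not yet due.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): renew with acme.sh
# and publish the result into DSM's default certificate store only when it changed.
# Paths follow the post; DSM_ARCHIVE_ID is the "random PATH" found with
# `ls /usr/syno/etc/certificate/_archive/` (placeholder below, replace it).
set -u

ACME_HOME="${ACME_HOME:-/usr/local/sbin/acme.sh}"
SYNO_CERT_ROOT="${SYNO_CERT_ROOT:-/usr/syno/etc/certificate}"
DSM_ARCHIVE_ID="${DSM_ARCHIVE_ID:-REPLACE_WITH_RANDOM_PATH}"
NGINX_RELOAD="${NGINX_RELOAD:-/usr/syno/etc/rc.sysv/nginx.sh reload}"

# cert_key_match DIR: 0 if privkey.pem and cert.pem in DIR carry the same public
# key, 1 otherwise. Skips (returns 0) when openssl is not installed.
cert_key_match() {
  dir=$1
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping key/cert match check" >&2
    return 0
  fi
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# deploy_certs SRC DST
#   0: files copied, caller should reload nginx
#   1: error (missing file or key/cert mismatch), DST left untouched
#   2: DST already holds this certificate and key, nothing copied
deploy_certs() {
  src=$1 dst=$2
  for f in cert.pem privkey.pem fullchain.pem chain.pem; do
    [ -s "$src/$f" ] || { echo "missing or empty $src/$f" >&2; return 1; }
  done
  cert_key_match "$src" || { echo "privkey.pem does not match cert.pem in $src" >&2; return 1; }
  if cmp -s "$src/fullchain.pem" "$dst/fullchain.pem" 2>/dev/null \
     && cmp -s "$src/privkey.pem" "$dst/privkey.pem" 2>/dev/null; then
    return 2
  fi
  mkdir -p "$dst" || return 1
  # Write beside the target and rename: readers never see a partially written PEM.
  for f in cert.pem privkey.pem fullchain.pem chain.pem; do
    cp "$src/$f" "$dst/$f.tmp" || return 1
    chmod 600 "$dst/$f.tmp" || return 1
    [ "$f" = privkey.pem ] || chmod 644 "$dst/$f.tmp"
    mv -f "$dst/$f.tmp" "$dst/$f" || return 1
  done
  return 0
}

# Scheduled-task entry point: renew only when due (no --force), then publish.
main() {
  if "$ACME_HOME/acme.sh" --renew -d "$1" --home "$ACME_HOME"; then
    rc=0
  else
    rc=$?
  fi
  # Assumed acme.sh convention: 2 means "not yet due", anything else non-zero is a failure.
  [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || { echo "acme.sh --renew failed (exit $rc)" >&2; exit "$rc"; }
  deploy_certs "$SYNO_CERT_ROOT/_archive/$DSM_ARCHIVE_ID" "$SYNO_CERT_ROOT/system/default"
  case $? in
    0) $NGINX_RELOAD ;;
    2) echo "default store already up to date; no reload needed" ;;
    *) exit 1 ;;
  esac
}

# Run as: ./publish-cert.sh YOURDOMAIN.TLD (no argument: only define the functions)
[ "${1:-}" = "" ] || main "$1"
```

Point the DSM task at this script with the domain as its single argument. If you keep the post's --force instead, drop it from the acme.sh line here only after you are sure the 60-day renewal window suits you; the deploy step itself is safe to run as often as you like, because it is a no-op when nothing changed.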
Fix the env after Synology DSM upgrade
A DSM upgrade can replace the shell profile and leave the acme.sh alias broken. After the upgrade completes, SSH to DSM and run the following to repair the installation in place:
cd /usr/local/sbin/acme.sh
./acme.sh --upgrade --nocron --home /usr/local/sbin/acme.sh --force