xFelix
Issue Synology Let's Encrypt Cert by acme.sh docker

I wrote a blog post 3 years ago on how to issue and install a Let's Encrypt SSL certificate on Synology. I also helped update the early version of the Synology NAS Guide wiki of acme.sh. At that time acme.sh was installed directly on the Synology DSM OS. It ran well and smoothly if you followed the instructions in my blog.

However, I recently noticed that acme.sh is moving away from running the script as root or via sudo. This raises the concern that the old way of managing Let's Encrypt certificates on DSM is no longer appropriate. There is also the limitation I highlighted in both my blog and the acme.sh wiki: after each major DSM firmware upgrade, the broken acme.sh environment had to be fixed manually. Finally, many people like me want to keep the system clean and are fans of Docker containers. After 3 years, I believe most Synology users have already upgraded to equipment that supports Docker. So this new guide explains how to use the acme.sh Docker image to issue Let's Encrypt certificates for Synology DSM.

Again, I use Cloudflare DNS as example.

In the past 3 years Cloudflare has also improved its API and permissions. You can now generate an individual API key for a specific service instead of handing out the global API key, and you can control the permissions each service requires.

  • Go to your Cloudflare dashboard and generate your API key.
  • The API key only requires the Zone:Zone:Read and Zone:DNS:Edit permissions; Zone Resources must include all zones from your account.
  • Copy the newly generated API key and your Account ID in the format below and save them to /volume1/docker/acme/account.conf:
export CF_Token="32jfjsah3wjhfalfxxxxxxx"
export CF_Account_ID="6axxxxxxxxxxxxxxxxxxxxx"
  • Log into Synology DSM and open the Docker app.
  • In Registry, search for neilpang/acme.sh and download the latest image.
  • Launch a container from the downloaded neilpang/acme.sh image.
  • Under Advanced Settings, map the folder docker/acme to /acme.sh in the container, set the container network to use the same network as the host, and on the Environment tab set the command to 'daemon'.

  • Start the container with auto-restart enabled.
  • Go to the container's Terminal tab, choose Create, then Launch with command.
  • Enter the command 'sh'.
  • In the 'sh' terminal, type the acme.sh issue command you need, e.g.:
    acme.sh --issue --dns dns_cf -d a.example.com

  • After the certificate is issued successfully, the cert files are stored at /volume1/docker/acme/a.example.com/
  • You can now create a scheduled task in DSM that regularly copies the cert files into the DSM system directories:
rsync -avh "/volume1/docker/acme/a.example.com/a.example.com.cer" "/usr/syno/etc/certificate/_archive/Random PATH/cert.pem"
rsync -avh "/volume1/docker/acme/a.example.com/a.example.com.key" "/usr/syno/etc/certificate/_archive/Random PATH/privkey.pem"
rsync -avh "/volume1/docker/acme/a.example.com/fullchain.cer" "/usr/syno/etc/certificate/_archive/Random PATH/fullchain.pem"
rsync -avh "/volume1/docker/acme/a.example.com/ca.cer" "/usr/syno/etc/certificate/_archive/Random PATH/chain.pem"
/usr/syno/etc/rc.sysv/nginx.sh reload
  • That's all. There is no need to modify the DSM system configuration or repair a broken acme.sh environment any more.
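As an added example (not code from the post or from acme.sh), here is a scheduled-task script that does what the rsync lines above do, but only copies when the certificate actually changed, and checks that the private key matches the certificate before installing it, so a half-written or mismatched pair never reaches nginx. DOMAIN, ACME_DIR and DSM_CERT_DIR are assumptions, and RANDOM_PATH is a placeholder for the per-NAS directory name under _archive.

```shell
#!/bin/sh
# Added example, not code from the post or from acme.sh. Scheduled-task script
# for DSM that installs the files acme.sh wrote under /volume1/docker/acme into
# the DSM certificate archive, but only when the certificate actually changed,
# and refuses to install a key that does not match the certificate.
set -eu

DOMAIN="${DOMAIN:-a.example.com}"                       # assumed domain
ACME_DIR="${ACME_DIR:-/volume1/docker/acme/$DOMAIN}"    # acme.sh output dir (as in the post)
# RANDOM_PATH is a placeholder: use the real directory name under _archive on your NAS.
DSM_CERT_DIR="${DSM_CERT_DIR:-/usr/syno/etc/certificate/_archive/RANDOM_PATH}"

# 0 = source differs from destination (or destination missing), 1 = identical,
# 2 = source file missing (acme.sh has not issued anything yet).
cert_changed() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "missing $src" >&2; return 2; }
    [ -f "$dst" ] || return 0
    ! cmp -s "$src" "$dst"
}

# 0 if the private key's public half equals the public key in the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy cert, key, full chain and CA chain into the archive and reload nginx.
# Returns 0 when installed, 2 when no cert exists, 3 when unchanged, 1 on mismatch.
install_cert() {
    cert="$ACME_DIR/$DOMAIN.cer"; key="$ACME_DIR/$DOMAIN.key"
    rc=0; cert_changed "$cert" "$DSM_CERT_DIR/cert.pem" || rc=$?
    [ "$rc" -ne 2 ] || { echo "no certificate issued yet" >&2; return 2; }
    [ "$rc" -eq 0 ] || { echo "certificate unchanged, nothing to do"; return 3; }
    if ! key_matches_cert "$cert" "$key"; then
        echo "key does not match certificate, refusing to install" >&2; return 1
    fi
    cp -f "$cert"                   "$DSM_CERT_DIR/cert.pem"
    cp -f "$key"                    "$DSM_CERT_DIR/privkey.pem"
    cp -f "$ACME_DIR/fullchain.cer" "$DSM_CERT_DIR/fullchain.pem"
    cp -f "$ACME_DIR/ca.cer"        "$DSM_CERT_DIR/chain.pem"
    chmod 600 "$DSM_CERT_DIR/privkey.pem"   # private key readable by root only
    /usr/syno/etc/rc.sysv/nginx.sh reload   # reload nginx, as in the post
}

# Run the installer only when executed as the task script itself (install-cert.sh).
case "$0" in */install-cert.sh) install_cert ;; esac
```

Save it as install-cert.sh and point the DSM scheduled task (run as root) at it; nothing is touched and nginx is not reloaded unless acme.sh has written a new certificate.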
Written by Felix. Licensed under CC BY-NC-SA 3.0 Unported.

  • jason8612

    I'm a bit confused. The acme.sh --issue --dns dns_cf -d a.example.com part does issue me a cert for my domain and the scheduled task does replace the old cert in Synology, but to update the cert, it seems that I need to manually go to the container, terminal, sh and enter acme.sh --issue --dns dns_cf -d a.example.com, then run the scheduled task.
    Is there a way to automate this in the scheduled task?
    For instance, the task would run the docker with acme.sh --issue --dns dns_cf -d a.example.com, then copy the files and restart nginx?

    replied 4 weeks ago
    • jason8612

      @jason8612: docker exec CONTAINERNAME acme.sh --issue --force --dns dns_cf -d a.example.com
      sleep 2m
      rsync -avh "/volume1/docker/acme/a.example.com/a.example.com.cer" "/usr/syno/etc/certificate/_archive/Random PATH/cert.pem"
      rsync -avh "/volume1/docker/acme/a.example.com/a.example.com.key" "/usr/syno/etc/certificate/_archive/Random PATH/privkey.pem"
      rsync -avh "/volume1/docker/acme/a.example.com/fullchain.cer" "/usr/syno/etc/certificate/_archive/Random PATH/fullchain.pem"
      rsync -avh "/volume1/docker/acme/a.example.com/ca.cer" "/usr/syno/etc/certificate/_archive/Random PATH/chain.pem"
      /usr/syno/etc/rc.sysv/nginx.sh reload

      replied 4 weeks ago
    • Felix (Owner)

      @jason8612: Let the docker container run in daemon mode, in which acme.sh checks whether the issued cert is due for renewal. No need to force renewal yourself.
      What you need is a scheduled task that copies the certificates issued by the container to the DSM default cert path.

      replied 4 weeks ago

2020-04-17