Three years ago I wrote a blog post about how to issue and install a Let's Encrypt SSL certificate on Synology. I also helped update the early version of the Synology NAS Guide wiki of acme.sh. At that time, acme.sh was installed directly on the Synology DSM OS, and it ran well and smoothly if you followed the instructions in my blog.
However, I have recently noticed that acme.sh is moving away from running the script as root or via sudo. This raises the concern that the old way of managing Let's Encrypt certificates on DSM is no longer appropriate. There is also the limitation I highlighted in both my blog and the acme.sh wiki: after each major DSM firmware upgrade, the broken acme.sh environment has to be fixed manually. And lastly, many people like me want to keep the system clean and prefer running things in Docker containers. After 3 years, I believe most Synology users have already upgraded to equipment that supports Docker. So this new guide covers how to use the acme.sh Docker image to issue Let's Encrypt certificates for Synology DSM.
Again, I use Cloudflare DNS as the example.
In the last 3 years, Cloudflare has also improved its API and permissions. You can now generate an individual API token for a specific service instead of handing out the global API key, and you can control the permissions each service requires.
- Go to your Cloudflare dashboard and create an API token.
- The token only requires the Zone:Zone:Read and Zone:DNS:Edit permissions; the Zone Resources setting needs to include all zones from your account.
- Copy the newly generated token and your Account ID in the format below and save them to /volume1/docker/acme/account.conf. This file holds a secret that can edit your DNS, so keep it readable only by the DSM admin account that runs the container.

```sh
export CF_Token="32jfjsah3wjhfalfxxxxxxx"
export CF_Account_ID="6axxxxxxxxxxxxxxxxxxxxx"
```
- Log into Synology DSM and open the Docker app.
- In the Registry, search for neilpang/acme.sh and download the latest image.
- Launch a container from the downloaded neilpang/acme.sh image.
- Go to Advanced Settings, mount the docker/acme shared folder at /acme.sh inside the container, set the container network to use the same network as the host, and under Environment set the execution command to 'daemon'.
- Start the container with auto-restart enabled.
- Go to the container's Terminal tab, click Create, and choose Launch with command.
- Enter the command 'sh'.
- In the 'sh' terminal, type the acme.sh issue command you need, for example:

```sh
acme.sh --issue --dns dns_cf -d a.example.com
```
- After the certificate is issued successfully, the cert files are stored at /volume1/docker/acme/a.example.com/.
- You can now create a scheduled task (every month) in DSM to regularly copy the cert files into the DSM system directories. Please note: the commands below are for reference only; you need to replace the paths with the correct ones for your system. In particular, the 'Random PATH' directory name is unique to your DSM.

```sh
docker exec neilpang-acme.sh1 acme.sh --issue --force --dns dns_cf -d a.example.com
sleep 2m
rsync -avh "/volume1/docker/acme/a.example.com/a.example.com.cer" "/usr/syno/etc/certificate/_archive/Random PATH/cert.pem"
rsync -avh "/volume1/docker/acme/a.example.com/a.example.com.key" "/usr/syno/etc/certificate/_archive/Random PATH/privkey.pem"
rsync -avh "/volume1/docker/acme/a.example.com/fullchain.cer" "/usr/syno/etc/certificate/_archive/Random PATH/fullchain.pem"
rsync -avh "/volume1/docker/acme/a.example.com/ca.cer" "/usr/syno/etc/certificate/_archive/Random PATH/chain.pem"
synosystemctl restart nginx
```

- That's all. There is no longer any need to modify the DSM system configuration or to repair a broken acme.sh environment.
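The scheduled task above copies whatever is in the acme.sh output folder into the DSM certificate archive and restarts nginx, even if the issuance failed or left a half-written file behind. The script below is an added example, not code from the original post or from the acme.sh project: it runs the same steps but checks each one first (all output files present, certificate matches the private key, enough validity left) and only then installs the files and restarts nginx, so a bad run can never replace a working certificate. It assumes the container name neilpang-acme.sh1 and the paths used in this post; RANDOM_PATH is a placeholder for the per-certificate directory name that is unique to your DSM. It needs openssl, which DSM ships.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): a checked version
# of the monthly DSM scheduled task. Assumed values: container name
# neilpang-acme.sh1 and the /volume1/docker/acme layout from the post.
# RANDOM_PATH is a placeholder for your DSM's unique certificate directory.

DOMAIN="${DOMAIN:-a.example.com}"
ACME_DIR="${ACME_DIR:-/volume1/docker/acme/$DOMAIN}"
DSM_CERT_DIR="${DSM_CERT_DIR:-/usr/syno/etc/certificate/_archive/RANDOM_PATH}"
MIN_DAYS="${MIN_DAYS:-20}"   # refuse to deploy a cert with less validity left than this

# Returns 0 only if every file acme.sh writes for $DOMAIN exists in $1 and is non-empty.
acme_output_complete() {
    for f in "$1/$DOMAIN.cer" "$1/$DOMAIN.key" "$1/fullchain.cer" "$1/ca.cer"; do
        [ -s "$f" ] || return 1
    done
}

# Returns 0 only if the public key inside certificate $1 matches private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 only if certificate $1 will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Copies the verified files from $1 into $2 under the names DSM expects.
# The private key is never group- or world-readable.
install_cert() {
    mkdir -p "$2" || return 1
    cp "$1/$DOMAIN.cer"   "$2/cert.pem"      || return 1
    cp "$1/fullchain.cer" "$2/fullchain.pem" || return 1
    cp "$1/ca.cer"        "$2/chain.pem"     || return 1
    cp "$1/$DOMAIN.key"   "$2/privkey.pem"   || return 1
    chmod 0600 "$2/privkey.pem" && chmod 0644 "$2/cert.pem" "$2/fullchain.pem" "$2/chain.pem"
}

# The scheduled task itself: issue, verify, install, reload. Each failure leaves
# the currently installed certificate untouched and reports why.
deploy() {
    docker exec neilpang-acme.sh1 acme.sh --issue --force --dns dns_cf -d "$DOMAIN" \
        || { echo "acme.sh issue failed; keeping current certificate" >&2; return 1; }
    acme_output_complete "$ACME_DIR" \
        || { echo "acme.sh output incomplete in $ACME_DIR" >&2; return 1; }
    cert_matches_key "$ACME_DIR/$DOMAIN.cer" "$ACME_DIR/$DOMAIN.key" \
        || { echo "certificate does not match private key; not deploying" >&2; return 1; }
    cert_valid_for_days "$ACME_DIR/$DOMAIN.cer" "$MIN_DAYS" \
        || { echo "certificate expires within $MIN_DAYS days; not deploying" >&2; return 1; }
    install_cert "$ACME_DIR" "$DSM_CERT_DIR" \
        || { echo "copy into $DSM_CERT_DIR failed" >&2; return 1; }
    synosystemctl restart nginx
}

# Only run the real deployment when asked explicitly: sh deploy.sh deploy
case "${1:-}" in
    deploy) deploy ;;
esac
```

Save it as, for example, /volume1/docker/acme/deploy.sh and point the DSM scheduled task at `sh /volume1/docker/acme/deploy.sh deploy`, run as root so it can write into /usr/syno/etc/certificate. The `sleep 2m` from the original command is not needed here because `docker exec` blocks until acme.sh has finished.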