Arkadii edited this page Dec 2, 2024 · 10 revisions

Issuing wildcard certs for Synology DSM with Synology DNS Server installed

As you know, the standard certificate-issuing wizard supports wildcards only for Synology DDNS. If you want to issue a wildcard certificate for your own domain, you can use a 3rd-party ACME client. At first I tried to use Certbot in Docker with no success. Then I found acme.sh, which works fine on Synology DSM (mine is 7.2.1 on a DS918+, and was 6.2.3 when I created the script). Below is a short guide to issuing, renewing and deploying a wildcard cert for your own domain on Synology DSM with Synology DNS Server.

1. Requirements

  • Synology DSM admin/root access
  • Synology DNS Server package is installed and running on Synology NAS
  • Git (can be installed with Git Server package) is installed on Synology NAS
  • acme.sh is installed on Synology NAS

2. Installing acme.sh

Open an SSH terminal, go to any folder where you have write permission (e.g. /tmp or ~), then download and install acme.sh:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install \
  --home /usr/local/share/acme.sh \
  --cert-home /usr/local/share/acme.sh/certs \
  --config-home /usr/local/share/acme.sh/data \
  --accountemail "[email protected]" \
  --force # use it with elevation (sudo) for all commands

After a successful installation remove the downloaded folder and restart the terminal so that the changes to the ACME client's settings (environment variables) take effect:

cd ..
rm -rf ./acme.sh # rmdir would fail here: the cloned folder is not empty

3. Issuing cert

acme.sh supports several ways of validating domain ownership (all of them are listed in the acme.sh documentation). Since I'm using my own DNS Server on Synology DSM, I've created my own DNS API hook for acme.sh.

It's a good idea to first try issuing the cert against the staging server (with debug logging):

/usr/local/share/acme.sh/acme.sh --staging --debug 2 --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

After the cert has been issued successfully on the staging server, you can issue the real one (the wildcard name is quoted so the shell does not expand it as a glob):

/usr/local/share/acme.sh/acme.sh --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

*) add --force when running with elevation (sudo)

4. Updating cert

Renewal can be automated with a daily task. Go to Control Panel -> Task Scheduler and add a new task named 'Lets Encrypt Update Cert' (run as root):

export LE_WORKING_DIR="/usr/local/share/acme.sh"
export LE_CONFIG_HOME="/usr/local/share/acme.sh/data"
/usr/local/share/acme.sh/acme.sh --config-home /usr/local/share/acme.sh/data --renew-all

If you prefer to stay on a previous version of Synology DSM (6.x), you can notify users through the Synology notification panel when the cert is renewed (unfortunately this no longer works on DSM 7.x). In that case replace the lines above with the following ones:

export LE_WORKING_DIR="/usr/local/share/acme.sh"
export LE_CONFIG_HOME="/usr/local/share/acme.sh/data"
# capture the renewal output so it can be inspected and sent in the notification
response=$(/usr/local/share/acme.sh/acme.sh --config-home /usr/local/share/acme.sh/data --renew-all)
echo "$response"
# acme.sh prints "Skipped <domain>" for certs that are not due yet;
# notify only when nothing was skipped, i.e. a renewal actually happened
updated=$(echo "$response" | grep "Skipped")
if [ -z "$updated" ]; then
  synodsmnotify <syno_user_to_be_notified> "Let's Encrypt cert was updated" "$response"
fi

*) don't forget to replace <syno_user_to_be_notified> with an existing Synology user

5. Deploying cert

Finally, the cert has to be deployed to all DSM services. This can be done with another periodic task (e.g. monthly). Go to Control Panel -> Task Scheduler and add a new task named 'Lets Encrypt Deploy Cert' (run as root):

export LE_WORKING_DIR="/usr/local/share/acme.sh"
export LE_CONFIG_HOME="/usr/local/share/acme.sh/data"
export SYNO_Create=1 # create the certificate entry in DSM if it does not exist yet
export SYNO_Certificate="example.com" # Description text in Control Panel -> Security -> Certificates
/usr/local/share/acme.sh/acme.sh --config-home /usr/local/share/acme.sh/data --deploy -d example.com --deploy-hook synology_dsm
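To confirm the deploy task actually took effect, here is an added check script (my own addition, not part of the acme.sh project or the hook): it compares the certificate DSM serves with the one acme.sh issued, checks that the served cert carries the *.example.com SAN, and fails if it expires within 14 days. It assumes DSM's HTTPS port is 5001 and the cert lives under the --cert-home used above (append _ecc to the directory name if acme.sh issued an ECC key); override with ISSUED_CERT= or the host/port arguments.

```shell
#!/bin/sh
# check_dsm_cert.sh: verify the wildcard cert acme.sh issued is the one DSM serves.
# Usage: sh check_dsm_cert.sh example.com [host] [port]
# Assumptions (not from the wiki page): DSM HTTPS on port 5001; issued cert at
# /usr/local/share/acme.sh/certs/<domain>/<domain>.cer (add _ecc for ECC keys).

# san_has_name SAN_TEXT NAME: exit 0 if NAME is listed in an openssl
# subjectAltName line such as "DNS:example.com, DNS:*.example.com"
san_has_name() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' |
    grep -qxF -- "$2"
}

# fp_value TEXT: strip the "SHA256 Fingerprint=" label openssl prints
fp_value() {
  printf '%s\n' "$1" | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p'
}

# served_cert HOST PORT SNI: print the leaf certificate DSM presents, as PEM
served_cert() {
  openssl s_client -servername "$3" -connect "$1:$2" </dev/null 2>/dev/null |
    openssl x509
}

check_deploy() {
  domain=$1; host=${2:-localhost}; port=${3:-5001}
  issued="${ISSUED_CERT:-/usr/local/share/acme.sh/certs/$domain/$domain.cer}"
  served=$(served_cert "$host" "$port" "$domain") ||
    { echo "no certificate received from $host:$port"; return 1; }

  want=$(fp_value "$(openssl x509 -in "$issued" -noout -fingerprint -sha256)")
  got=$(fp_value "$(printf '%s\n' "$served" | openssl x509 -noout -fingerprint -sha256)")
  [ -n "$want" ] && [ "$want" = "$got" ] ||
    { echo "MISMATCH: served $got but issued $want (deploy hook not applied?)"; return 1; }

  # SAN line follows the "Subject Alternative Name" header in -text output
  san=$(printf '%s\n' "$served" | openssl x509 -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1)
  san_has_name "$san" "*.$domain" ||
    { echo "served cert has no *.$domain SAN: $san"; return 1; }

  # -checkend fails if the cert expires within the given seconds (14 days here),
  # which usually means the daily renewal task is broken
  printf '%s\n' "$served" | openssl x509 -noout -checkend $((14 * 86400)) >/dev/null ||
    { echo "EXPIRING SOON: cert for $domain ends within 14 days"; return 1; }
  echo "OK: DSM serves issued cert $got for $domain and *.$domain"
}

if [ $# -gt 0 ]; then check_deploy "$@"; fi
```

Running it from a Task Scheduler entry and mailing or logging a non-zero exit gives an independent signal that renewal plus deploy still work end to end.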

So that's all folks!