Let’s Encrypt and Synology DSM 6.1+
If you’re like me and have your Synology NAS safely on your local network, without it being accessible from the big bad internet, you’ll likely find this post quite interesting.
I have come across a few blogs with different approaches to getting Let’s Encrypt working on the latest DSM release, version 6.1.
None of the solutions I found worked for me, because either the commands were outdated or they relied on a cron job that is no longer available.
In this blog, I am assuming you have your DNS and Cloudflare already set up.
Below are the steps I took to get Let’s Encrypt working on my Synology DS1515+.
Installing acme.sh and getting your SSL certificate
First, install acme.sh as root (log in via SSH using your admin account):
curl -L -o /tmp/master.tgz https://github.com/Neilpang/acme.sh/archive/master.tar.gz
tar xvf /tmp/master.tgz
cd acme.sh-master/
sudo ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "[email protected]"
Let acme.sh update itself:
sudo acme.sh --upgrade --auto-upgrade
Configure your Cloudflare API account.
Edit /usr/local/share/acme.sh/account.conf with your favorite editor and put this in:
ACCOUNT_EMAIL='[email protected]'
export CF_Key="MyCloudFlare-Global-API-Key"
export CF_Email="MyCloudFlare-Account-Email-Address"
Here is the final command that actually works.
acme.sh --issue -d fqdn.domain.com --home /usr/local/share/acme.sh \
--dns dns_cf --cert-file /usr/syno/etc/certificate/system/default/cert.pem \
--key-file /usr/syno/etc/certificate/system/default/privkey.pem \
--ca-file /usr/syno/etc/certificate/system/default/syno-ca-cert.pem \
--fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \
--reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload" --dnssleep 10
And that’s it, now you have a valid Let’s Encrypt SSL certificate on your Synology DSM.
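As an added example (my own wrapper, not code from the original post or from acme.sh), here is a small script that strings the steps above together with the checks I would want before handing the files to nginx: it refuses to run unless account.conf (which holds the Cloudflare Global API key) is readable only by its owner, builds the issue command from this post with --accountconf added, and after issuing confirms that privkey.pem and cert.pem actually belong together. ACME_HOME and CERT_DIR default to the paths used above; the script and function names are mine.

```shell
#!/bin/sh
# Added wrapper around the post's steps; assumes acme.sh is installed under
# ACME_HOME and that DSM keeps its default certificate in CERT_DIR.
ACME_HOME="${ACME_HOME:-/usr/local/share/acme.sh}"
CERT_DIR="${CERT_DIR:-/usr/syno/etc/certificate/system/default}"

# account.conf holds the Cloudflare Global API key, which grants full control
# of the DNS zone, so refuse to continue unless only the owner can read it.
check_conf_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f is mode $mode, expected 600 (chmod 600 $f)" >&2; return 1 ;;
    esac
}

# Assemble the issue command from the post with --accountconf added, so the
# credentials file is named explicitly. Returned as text so it can be reviewed.
build_issue_cmd() {
    fqdn="$1"
    printf '%s' "$ACME_HOME/acme.sh --issue -d $fqdn --home $ACME_HOME" \
        " --accountconf $ACME_HOME/account.conf --dns dns_cf --dnssleep 10" \
        " --cert-file $CERT_DIR/cert.pem --key-file $CERT_DIR/privkey.pem" \
        " --ca-file $CERT_DIR/syno-ca-cert.pem" \
        " --fullchain-file $CERT_DIR/fullchain.pem" \
        " --reloadcmd '/usr/syno/etc/rc.sysv/nginx.sh reload'"
}

# After issuing, compare the public key inside cert.pem with the one derived
# from privkey.pem; a mismatch means nginx would refuse these files.
verify_pair() {
    dir="$1"
    c=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

main() {
    check_conf_perms "$ACME_HOME/account.conf" || exit 1
    cmd=$(build_issue_cmd "$1")
    echo "running: $cmd"
    sh -c "$cmd" || exit 1
    verify_pair "$CERT_DIR" && echo "key and certificate in $CERT_DIR match"
}

# Only run when given a domain, e.g. ./issue-dsm-cert.sh fqdn.domain.com
case "${1:-}" in "") ;; *) main "$1" ;; esac
```

Run it as root on the NAS with your FQDN as the only argument; the permission check is the part most guides skip, since a world-readable Global API key lets anyone on the box rewrite your DNS.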
Edit:
If you want to automatically renew the certificate, check out my follow-up post.
Sources:
Some snippets were borrowed from this blog and from the acme.sh author mentioned below:
https://www.naschenweng.info/2017/01/06/automatic-ssl-renewal-encrypt-dsm-5-x-synology-ds1010-dns-01-verification/
https://github.com/Neilpang/acme.sh/wiki/Synology-NAS-Guide
This is the final command from naschenweng’s blog; it works on DSM 5.2:
acme.sh --issue --post-hook "kill -USR1 `cat /run/httpd/httpd-sys.pid`" \
-d muffinstation.naschenweng.info --dns dns_cf --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \
--keypath /usr/syno/etc/ssl/ssl.key/server.key --fullchainpath /usr/syno/etc/ssl/ssl.intercrt
And this is the final command taken from Neilpang’s GitHub documentation:
acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath \
/usr/syno/etc/certificate/system/default/cert.pem --keypath \
/usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath \
/usr/syno/etc/certificate/system/default/fullchain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh \
reload" --dnssleep 10
Thanks for your helpful post.
BTW, you might want to edit your final command to add --accountconf /path/to/account.conf for setting Cloudflare account info.
Thanks for the tip Bryan. You don’t actually need that parameter with the commands I’ve shown here.