Let’s Encrypt and Synology DSM 6.1+

If you’re like me and have your Synology NAS safely on your local network, without it being accessible from the big bad internet, you’ll likely find this post quite interesting.

I have encountered a few blogs with different approaches to solve the Let’s Encrypt issue on the latest current DSM release, version 6.1.

None of the solutions I found worked for me, because either the commands were outdated or they were referring to a cronjob, that is no longer available.

In this blog, I am assuming you have your DNS and Cloudflare already set up.
Below are the steps I took to get Let’s Encrypt! working on my Synology DS1515+.

Installing acme.sh and getting your SSL certificate

First, install acme.sh as root (log in SSH using your admin account):

curl -L -o /tmp/master.tgz https://github.com/Neilpang/acme.sh/archive/master.tar.gz
tar xvf /tmp/master.tgz
cd acme.sh-master/
sudo ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "[email protected]"

Let acme.sh update itself:

sudo acme.sh --upgrade --auto-upgrade

Configure your Cloudflare API account.
Edit /usr/local/share/acme.sh/account.conf with your favorite editor and put this in:

ACCOUNT_EMAIL='[email protected]'
export CF_Key="MyCloudFlare-Global-API-Key"
export CF_Email="MyCloudFlare-Account-Email-Address"

Here is the final command that actually works.

acme.sh --issue -d fqdn.domain.com --home /usr/local/share/acme.sh \
    --dns dns_cf --cert-file /usr/syno/etc/certificate/system/default/cert.pem \
    --key-file /usr/syno/etc/certificate/system/default/privkey.pem \
    --ca-file /usr/syno/etc/certificate/system/default/syno-ca-cert.pem \
    --fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \
    --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload" --dnssleep 10

And that’s it, now you have a valid Let’s Encrypt SSL certificate on your Synology DSM.


If you want to automatically renew the certificate, check out my follow-up post.


Some snippets were borrowed from this blog and from the acme.sh author mentioned below:

This is the last command used on naschenweng’s blog, it works on DSM 5.2:

acme.sh --issue --post-hook "kill -USR1 `cat /run/httpd/httpd-sys.pid`" \ 
-d muffinstation.naschenweng.info --dns dns_cf --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \ 
--keypath /usr/syno/etc/ssl/ssl.key/server.key --fullchainpath/usr/syno/etc/ssl/ssl.intercrt

And this is the last command taken from Neilpang’s github documentation:

acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath \
/usr/syno/etc/certificate/system/default/cert.pem --keypath \
/usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath \
/usr/syno/etc/certificate/system/default/fullchain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh \
reload" --dnssleep 10

2 thoughts on “Let’s Encrypt and Synology DSM 6.1+

  1. Thanks for your helpful post.

    BTW. You might want to edit your final command to add –accountconf /path/to/account.conf for setting cloudflare account info.

    1. Thanks for the tip Bryan. You don’t actually need that parameter with the commands I’ve shown here.

Leave a Reply

Your email address will not be published. Required fields are marked *