Let’s Encrypt and Synology DSM 6.1+
If you’re like me and have your Synology NAS safely on your local network, without it being accessible from the big bad internet, you’ll likely find this post quite interesting.
I have encountered a few blogs with different approaches to solve the Let’s Encrypt issue on the latest current DSM release, version 6.1.
None of the solutions I found worked for me, because either the commands were outdated or they were referring to a cronjob, that is no longer available.
In this blog, I am assuming you have your DNS and Cloudflare already set up.
Below are the steps I took to get Let’s Encrypt! working on my Synology DS1515+.
Installing acme.sh and getting your SSL certificate
First, install acme.sh as root (log in SSH using your admin account):
1 2 3 4 | curl -L -o /tmp/master.tgz https://github.com/Neilpang/acme.sh/archive/master.tar.gztar xvf /tmp/master.tgzcd acme.sh-master/sudo ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "MyEmail@domain.com" |
Let acme.sh update itself:
1 | sudo acme.sh --upgrade --auto-upgrade |
Configure your Cloudflare API account.
Edit /usr/local/share/acme.sh/account.conf with your favorite editor and put this in:
1 2 3 4 | ACCOUNT_EMAIL='MyEmail@domain.com' export CF_Key="MyCloudFlare-Global-API-Key"export CF_Email="MyCloudFlare-Account-Email-Address" |
Here is the final command that actually works.
1 2 3 4 5 6 | acme.sh --issue -d fqdn.domain.com --home /usr/local/share/acme.sh \ --dns dns_cf --cert-file /usr/syno/etc/certificate/system/default/cert.pem \ --key-file /usr/syno/etc/certificate/system/default/privkey.pem \ --ca-file /usr/syno/etc/certificate/system/default/syno-ca-cert.pem \ --fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \ --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload" --dnssleep 10 |
And that’s it, now you have a valid Let’s Encrypt SSL certificate on your Synology DSM.
Edit:
If you want to automatically renew the certificate, check out my follow-up post.
Sources:
Some snippets were borrowed from this blog and from the acme.sh author mentioned below:
https://www.naschenweng.info/2017/01/06/automatic-ssl-renewal-encrypt-dsm-5-x-synology-ds1010-dns-01-verification/
https://github.com/Neilpang/acme.sh/wiki/Synology-NAS-Guide
This is the last command used on naschenweng’s blog, it works on DSM 5.2:
1 2 3 | acme.sh --issue --post-hook "kill -USR1 `cat /run/httpd/httpd-sys.pid`" \ -d muffinstation.naschenweng.info --dns dns_cf --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \ --keypath /usr/syno/etc/ssl/ssl.key/server.key --fullchainpath/usr/syno/etc/ssl/ssl.intercrt |
And this is the last command taken from Neilpang’s github documentation:
1 2 3 4 5 | acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath \/usr/syno/etc/certificate/system/default/cert.pem --keypath \/usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath \/usr/syno/etc/certificate/system/default/fullchain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh \reload" --dnssleep 10 |
Thanks for your helpful post.
BTW. You might want to edit your final command to add –accountconf /path/to/account.conf for setting cloudflare account info.
Thanks for the tip Bryan. You don’t actually need that parameter with the commands I’ve shown here.