[Issuing and auto renewing Let's Encrypt wildcard certificates for your own domain]

These are some old scripts that gave me this idea about the complete automation. This is what people did for Synology DNS, but if you are using other DNS providers, this will not work.

 

#!/bin/sh

########################################################

#This script will create a new p12 certificate for Plex

#when Let's Encrypt automatically renew its one

########################################################

 

########################################################

#Just adapt the values below to your configuration

#Location of your script

script_folder=/volume1/scripts

#Folder and name you want for your p12 file

p12_file_path=$script_folder/syno.p12

#Add password to the p12 file (you can leave it empty)

p12cert_password=

#Synology's Default Let's encrypt folder

letsencrypt_cert_folder=/usr/syno/etc/certificate/system/default

 

########################################################

#Changes below are at your own own risk

########################################################

generate_p12=false

current_date=`date +"%s"`

current_certificate_date=`openssl x509 -enddate -noout -in $letsencrypt_cert_folder/cert.pem | cut -d'=' -f2`

current_certificate_timestamp=`date -d "$current_certificate_date" +"%s"`

 

#First of all, we check if the renew_timestamp file exists (this file keep in memory the further certificate renew date)

if [ ! -f $script_folder/renew_timestamp ]; then

    echo "Generate timestamp for the current renew date... "

    echo $current_certificate_timestamp > $script_folder/renew_timestamp

    chmod +rw $script_folder/renew_timestamp

    chown admin:users $script_folder/renew_timestamp

    #We generate the first p12 file

    generate_p12=true

else

    renew_date=`cat $script_folder/renew_timestamp`

    echo "In memory certificate expiration date is" `date -d @$renew_date` "and the current certificate expiration date is $current_certificate_date"

    #Now, we check if is it necessary to renew the certificate or not

    if expr "$current_certificate_timestamp" "!=" "$renew_date" > /dev/null; then

        #We ask to generate a new p12 file

        echo "Dates doesn't match, we have to renew the certificate..."

        generate_p12=true

        #We update the timestamp_date on the file

        echo "Updating the new timestamp date..."

        echo $current_certificate_timestamp > $script_folder/renew_timestamp

    else

        echo "It is not necessary to renew the certificate, abort."

        exit 0

    fi

fi

 

#We generate a new certificate file if we ask it, ans we relaunch Plex App to take effect

if expr "$generate_p12" "=" "true" > /dev/null; then

 

    echo "Generating the p12 certificate file..."

    openssl pkcs12 -export -out $p12_file_path -in $letsencrypt_cert_folder/cert.pem -inkey $letsencrypt_cert_folder/privkey.pem -certfile $letsencrypt_cert_folder/chain.pem -name "Domain" -password pass:$p12cert_password

 

    chmod +r $p12_file_path

    chown admin:users $p12_file_path

    echo "Relaunching Plex App..."

    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status stop

    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status start

    echo "Done."

Fi

------------------------------------------------

[Issuing and auto renewing Let's Encrypt wildcard certificates for your own domain]

I need to add here is that you can create the automated script directly for the certificate location :

/usr/syno/etc/certificate/system/default

 

and directly at the place where Plex take it from your drive, so you do not need to manually do it at all, and forget about the expiration. 

pfx certificate can be exported to your android. DS file app can send/share a link to your email directly. Click on ..pfx certificate , enter the password and you able to watch Plex on your phone in any country. Of course , the other part is to take care port forwarding and security for your NAS. 

I hope this is useful info. 

[Issuing and auto renewing Let's Encrypt wildcard certificates for your own domain]

in Steps # 2 above.

I used DuckDNS with DSM 6.1.7 and it worked for me perfectly. But I imported the certificate to DSM using the generated files.

 

cd /usr/local/acme.sh
export DuckDNS_Token="xxx-ddf-vgvv-vvv"                               # DuckDNS token
/usr/local/acme.sh/acme.sh --insecure --issue --dns dns_duckdns -d  YOUR_DOMAIN.duckdns.org --log

 

When you run these commands. Verify that no errors, all green and success, then go to /usr/local/acme.sh/certs location and copy the generated certificates/key to your desktop folder.

In your DSM,  Go to Control Panel--> Security---> Certificate --> Add --> Import Certificate  ( choose key, certificate and intermidiate certificate) Do not choose the full chain certificate.

 

You can set up certificate Task Management script for renewal/60 days can be changed in the script acme.sh script to 89 days. 

I use the certificate to authenticate Plex login from outside world.  ---> https://imgur.com/a/9UKLh   how to modify the generated certificates and integrate with Plex.

 

[Issuing and auto renewing Let's Encrypt wildcard certificates for your own domain]

There is a lot of manual work. Also, for your DNS provide in step # 2 you need to check here https://github.com/acmesh-official/acme.sh/wiki/dnsapi

I see the certificates were created, but not imported into Xpenology interface. There are many things to consider. I have DSM 6.1.7 

[add extra license surveillance station]

Too much paranoia about the Xpenology and Survailance station. This forum does not allow providing more concrete solutions that are already available. 

It is been hacked 100%. 

A new site must be opened to continue with Xpenology development. 

It is not useful to get replies from Synology engineers here protecting their product