XPEnology Community
Showing results for tags 'lets encrypt'.
Found 4 results

  1. Hi all! I made a domain verification hook (DNS API) for the ACME client acme.sh. If you would like to test it, welcome. I described the procedure on the English-language forum. Looking forward to your comments.
  2. As you know, the standard certificate issuing wizard supports wildcards only for Synology DDNS. If you want to issue a wildcard certificate for your own domain you can use a 3rd-party ACME client. At first I tried to use Certbot in Docker with no success. Then I found acme.sh, which is working fine on Synology DSM (mine is 6.2 on DS918+). Below you can find a short list for issuing, updating and deploying a wildcard cert for your own domain on Synology DSM with Synology DNS Server.

     1. Installing acme.sh

     Open an SSH client's terminal, go to any folder with write access permissions (e.g. /tmp or the ~ folder), download and install acme.sh:

         git clone https://github.com/acmesh-official/acme.sh.git
         cd ./acme.sh
         ./acme.sh --install \
             --home /usr/local/acme.sh \
             --cert-home /usr/local/acme.sh/certs \
             --config-home /usr/local/acme.sh/data \
             --accountemail "email@example.com" \
             --force   # use it with elevation (sudo) for all commands

     After successful installation remove the downloaded folder and restart the terminal in order to apply the changes to the ACME client settings (environment variables):

         cd ..
         rm -rf acme.sh   # rmdir would fail here, the cloned folder is not empty

     2. Issuing cert

     acme.sh supports several ways of approving a domain (you can find them all in the acme.sh documentation). Since I'm using my own DNS Server on Synology DSM I've created my own DNS API hook for acme.sh and I would like to ask you for help in testing the hook. For now the hook (dns_synology_dsm) is in development state and you can find it here only: https://github.com/arabezar/acme.sh/blob/dev/dnsapi/dns_synology_dsm.sh

     It's a good idea to first try issuing the cert using the test server (with debug log):

         /usr/local/acme.sh/acme.sh --staging --debug 2 --issue --dns dns_synology_dsm -d example.com -d *.example.com --log

     After successfully issuing the cert on the staging server you can issue the real one:

         /usr/local/acme.sh/acme.sh --issue --dns dns_synology_dsm -d example.com -d *.example.com --log

     *) use --force when using elevation (sudo)

     3. Updating cert

     Updating can be done using a daily task. Go to Control Panel -> Task Scheduler and add a new task with the name 'Lets Encrypt Update Cert' (run as root):

         export LE_WORKING_DIR="/usr/local/acme.sh"
         export LE_CONFIG_HOME="/usr/local/acme.sh/data"
         /usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --renew-all

     4. Deploying cert

     And at last the cert should be deployed to all modules. This can be done by adding another periodic task (e.g. monthly). Go to Control Panel -> Task Scheduler and add a new task with the name 'Lets Encrypt Deploy Cert' (run as root):

         export LE_WORKING_DIR="/usr/local/acme.sh"
         export LE_CONFIG_HOME="/usr/local/acme.sh/data"
         export SYNO_Create=1                   # Create cert if it does not exist yet
         export SYNO_Certificate="example.com"  # Description text in Control Panel -> Security -> Certificates
         /usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --deploy -d example.com --deploy-hook synology_dsm

     Also you have to export some personal data such as the admin (root) password and device id once you start the deployment. Please read the appropriate instructions here. These values will be stored in the config file for later usage. At some point I would like to rewrite the deployment hook (actually it's not mine) using synowebapi in order to get rid of password saving. Keep following the latest news.

     So that's all folks! Please feel free to ask any questions. And of course I will appreciate any help in testing the DNS API hook.
  3. This is my first attempt at a tutorial here, so please go easy on me. I spent some time yesterday understanding the process and the various issues and common errors we can easily make. This guide is based on 6.2.2-24922 U6. It may work with other versions of DSM, but I've tested it and managed to get it working on this one.

     First, a few pre-requisites:

     • You need a domain name for which you have administrative access and control. I already had one I could use. I think getting it to work on free dynamic DNS domain names is very difficult due to Let's Encrypt (LE) limiting the number of SSL certs for a given domain name, so any "popular" domain will have already exceeded the number. I initially tried, but couldn't get it working, and as I had my own domain name I could use, I concentrated on getting it working with that. Note that if you have full control of a primary domain name, say, my-example.com, you can easily create a subdomain (i.e. myxpenology.my-example.com) with a totally different IP address (your public home IP address) even if the main domain is used for another server / service already on the internet. This is the case for me, where I used a domain which is active and points to a server in a datacenter and then created a subdomain and had the DNS point to my home IP where I have my Xpenology server.
     • Your ISP must allow incoming traffic on ports 80 and 443. If they block this, then you will not be able to create a LE certificate.
     • You must be able to port forward traffic from your internet router to your server. I haven't used the wizard in DSM as my router is not supported, so I just set up port forwarding manually via my router's web interface.
     • It helps if you have a static / non-changing public Internet IP address. I think most ISPs now don't change your IP that often. If it does change, you'll have to keep track and update your DNS entry. As mentioned previously, due to LE's policy on the number of certificates issued to a primary domain, your chances of using a free dynamic DNS system are pretty small.
     • You need to install the Web Station package. No other packages are required (Apache, PHP, etc). You don't need to create a personal web page.

     Domain Name configuration

     Here, let's assume your public IP is 81.10.11.12, and you want to use the domain my-example.com. I use Linode for my public hosting and have all my domains managed by Linode, so I log into my control panel and do it from there. The appearance of this will change depending on your DNS admin console. If you haven't already done so, create your domain entry, here, my-example.com. Now, you need to create a new A/AAAA record with your domain name directing to your home IP address. If you want to use myxpenology.my-example.com, go to your my-example.com entry. Add an A/AAAA record with the name "myxpenology" and your IP address. This will effectively create a DNS entry for myxpenology.example.com and point that to your IP. If you have an option for TTL, make it small, like 5 minutes. So if your IP does change, you can edit it and updates should be reflected within 5 minutes as opposed to the default value, which could be hours or even days. I clicked on Save to then see the entry appear as a subdomain.

     You will then have to wait some time before this comes live. DNS update frequency varies, I guess. Linode updates every 15 minutes, but it can take longer for that to propagate to your ISP's DNS servers, or Google's if you use theirs. You can check if this works by pinging your new domain name. It will either say unknown host:

         C:\>ping myxpenology.my-example.com
         Ping request could not find host myxpenology.my-example.com. Please check the name and try again.

     (so it's not rippled through) or come back with your public IP. Don't worry if your public IP times out. Your home router / firewall might be configured not to reply to ICMP ping requests. This is what you want to see:

         C:\>ping myxpenology.my-example.com
         Pinging myxpenology.my-example.com [80.10.11.12] with 32 bytes of data:
         Request timed out.

     Now that your domain is set up and pointing to your home IP address, you can set up port forwarding.

     Port Forwarding

     Again, this will depend on your router's admin page. You need to forward port 80 to port 80 on the internal IP address where your server is. You need to repeat this for port 443. This is what it looks like on my router; my server uses the private IP 192.168.0.38. Note that we're forwarding to ports 80 and 443, not to ports 5000 and 5001 where the DSM web interface runs. This is normal and necessary for LE to generate the certificate. Save the changes. We will soon be able to test whether it works or if your ISP blocks incoming traffic on ports 80 and/or 443.

     Install Web Station

     In DSM, if not already installed, install the Web Station package. This is the only package you need to install; you don't need to add an Apache webserver or PHP. Once installed, open it and check the settings are OK. You just need to ensure the Default server status is normal and nginx is up and running. You do not need to set up a personal website. Check this is working properly by opening up a web browser and going to your internal IP address (here, 192.168.0.38) and ensure you get the Web Station page. Also check that the secure version is up and running by going to https://<your server ip> (here 192.168.0.38). If you get a certificate warning, you should be good. The warning is because the current certificate (the one provided by Synology) doesn't match your IP address. Now we can see if your ISP has these ports open from the public Internet.

     Check your ISP allows incoming traffic on ports 80 and 443

     There are a couple of ways you can do this. If you have another Internet connection you can use (for example mobile 3G / 4G from your mobile phone), then you can use that and try opening your browser and going to your public IP address (80.10.11.12). If you get the same pages as before with both http and https, you're good. If you don't have another Internet connection available, you can use any online port checker. I just tried https://www.yougetsignal.com/tools/open-ports/ which works. Ensure you have your public IP in the remote address box and test port 80 and then re-test with port 443. Both must come back as open. If this is all good, then you're now ready to create the certificate using the wizard in DSM. If the tests above come back with no reply or closed, then the chances are your ISP is blocking incoming traffic on those 80 and 443 ports and there's nothing more you can do. You can try calling their support line, but I doubt they'd be able to help.

     Create the certificate in DSM

     Finally! In DSM, go to Control Panel -> Security -> Certificate tab. Click on Add a new certificate and click Next. Add a description if you wish (I just use the domain name) and tick the "Get a certificate from Let's Encrypt" radio button. Also tick the Set as default certificate option. Click Next. Now enter the domain name you're using (myxpenology.my-example.com) and enter a valid email address. Leave the SAN field empty. Finally, click Apply. Hopefully, all goes well and you'll get a new certificate created, installed and used as the default certificate. I can't show a screenshot of that as I don't own and so cannot create the myxpenology.my-example.com certificate (and my photoshop skills aren't that good :p). But you'll end up with two entries: one for the certificate you've just created and made default and the already-existing Synology one that was used beforehand.

     Accessing DSM over HTTPS on your home network

     Now that you've set up the certificate, you can access DSM securely with no error messages, but there's an extra step for that to work. If you were to go to https://192.168.0.38:5001 for example, you'd still get the warning about an invalid certificate because, despite it no longer being self-signed, it's not valid as it doesn't have your private IP address in it. Unfortunately, you cannot specify that IP address in the SAN field earlier either, as you cannot obtain an LE certificate containing an IP address. The workaround is to modify your local hosts file to include your public domain name and have it direct to your internal IP address. In Windows, you need to open notepad as an administrator (search for notepad in the start menu, right click, run as administrator). The hosts file is located in C:\Windows\System32\drivers\etc. Edit it to add the following line at the bottom, editing for your domain name and internal IP address:

         192.168.0.38 myxpenology.my-example.com

     Save the file. You should now be able to access the DSM webpage over HTTPS from your computer without a certificate warning message: https://myxpenology.my-example.com:5001

     Accessing DSM over HTTPS over the Internet

     Currently, we've set up port forwarding for the web pages to allow Let's Encrypt to create the certificate. If you want to access the DSM Web GUI, we need to add port forwarding for 5001. I would suggest only forwarding 5001 (the HTTPS version) and NOT forwarding port 5000, as that's insecure and you don't want to be doing that! So again, back in your router, add a third port forwarding entry for 5001 to 5001. Here, I've named it HTTPS-DSM-GUI to clarify. You should now be able to access the DSM webpage over the internet. Again, this can only truly be tested from an independent Internet connection (3G/4G from a mobile phone). You can ask a friend if they can access your DSM login by going to https://myxpenology.my-example.com:5001

     I hope that helps. If you have any questions, maybe this can become the Let's Encrypt questions thread. I'll try to help if I can.
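As an added example (not code from either post above), a small Python check for the certificate once it is deployed: it applies the wildcard rule behind the acme.sh post's `*.example.com` cert (the wildcard covers `www.example.com` but not the bare `example.com`, which needs its own SAN, and never a private IP, which is why https://192.168.0.38:5001 still warns) and reports the days to expiry that a renewal task would watch. `fetch_cert` needs network access and is an assumed helper; `SAMPLE_CERT` is a constructed dict in the layout Python's `getpeercert()` returns.

```python
import socket
import ssl
import time

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns, modelled on the
# wildcard cert for example.com that the acme.sh post issues.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}

def san_dns_names(cert):
    """DNS entries of subjectAltName; Let's Encrypt puts no IP literals here."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125 style: a leading '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(h) == len(p) and h[1:] == p[1:]
    return p == h

def cert_covers(cert, hostname):
    """True if some SAN covers hostname; a private IP never matches a DNS SAN."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))

def days_until_expiry(cert, now_ts=None):
    """Whole days left before notAfter (now_ts is epoch seconds, default: now)."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)

def check_cert(cert, hostname, now_ts=None, min_days=30):
    """Findings for a deployed cert; an empty list means it is fine for hostname."""
    findings = []
    if not cert_covers(cert, hostname):
        findings.append(f"{hostname} not covered by SAN {san_dns_names(cert)}")
    left = days_until_expiry(cert, now_ts)
    if left < min_days:
        findings.append(f"expires in {left} days, below the {min_days}-day threshold")
    return findings

def fetch_cert(hostname, port=5001, timeout=5):
    """Fetch the live certificate dict from the DSM HTTPS port (network required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Because `fetch_cert` uses the default verifying context, connecting by private IP raises `ssl.SSLCertVerificationError` instead of returning a dict, the same mismatch the browser warns about; run `check_cert(fetch_cert("myxpenology.my-example.com"), "myxpenology.my-example.com")` once the hosts-file entry is in place.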
  4. Hello all, as my Let's Encrypt certificates were no longer extended, I tried it manually using:

         /usr/syno/sbin/syno-letsencrypt renew-all -v

     But this didn't work, so I checked the debug message:

         DEBUG: start to renew [/usr/syno/etc/certificate/XXXXXX.
         DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
         DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
         DEBUG: strat to do new-authz for www.XXX.tld
         DEBUG: ==> start new authz.
         DEBUG: new authz: do new-authz.
         DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
         DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
         DEBUG: Not synology DDNS.
         DEBUG: DNS challenge failed, reason: {"error":108,"file":"challenge.cpp","msg":"Not synology DDNS."}
         DEBUG: Normal challenge failed, reason: {"error":200,"file":"client.cpp","msg":"new_authz: unexpect httpcode."}

     Does this mean only original Synologys (with Quick Connect enabled) can extend the certificates? Thanks!