Arabezar
Posted July 21, 2020 (#1)

As you know, the standard certificate-issuing wizard supports wildcards only for Synology DDNS. If you want to issue a wildcard certificate for your own domain you can use a 3rd-party ACME client. At first I tried to use Certbot in Docker with no success. Then I found acme.sh, which is working fine on Synology DSM (mine is 6.2 on a DS918+). Below you can find a short list for issuing, updating and deploying a wildcard cert for your own domain on Synology DSM with Synology DNS Server.

1. Installing acme.sh

Open the SSH client's terminal, go to any folder with write-access permissions (e.g. /tmp or the ~ folder), then download and install acme.sh:

    git clone https://github.com/acmesh-official/acme.sh.git
    cd ./acme.sh
    ./acme.sh --install \
        --home /usr/local/acme.sh \
        --cert-home /usr/local/acme.sh/certs \
        --config-home /usr/local/acme.sh/data \
        --accountemail "email@example.com" \
        --force    # use it with elevation (sudo) for all commands

After successful installation remove the downloaded folder and restart the terminal in order to apply the changes to the ACME client's settings (environment variables):

    cd ..
    rm -rf ./acme.sh    # the cloned folder is not empty, so rmdir would fail here

2. Issuing cert

acme.sh supports several ways of domain approval (you can find all of them in the acme.sh documentation). Since I'm using my own DNS Server on Synology DSM I've created my own DNS API hook for acme.sh, and I would like to ask you for help in testing the hook.

For now the hook (dns_synology_dsm) is in a development state and you can find it here only: https://github.com/arabezar/acme.sh/blob/dev/dnsapi/dns_synology_dsm.sh

It's a good idea to first try issuing the cert using the test (staging) server, with the debug log:

    /usr/local/acme.sh/acme.sh --staging --debug 2 --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

After successfully issuing the cert on the staging server you can issue the real one (the wildcard name is quoted so the shell does not expand the asterisk):

    /usr/local/acme.sh/acme.sh --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

*) use --force when using elevation (sudo)

3. Updating cert

Updating can be done with a daily task. Go to Control Panel -> Task Scheduler and add a new task with the name 'Lets Encrypt Update Cert' (run as root):

    export LE_WORKING_DIR="/usr/local/acme.sh"
    export LE_CONFIG_HOME="/usr/local/acme.sh/data"
    /usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --renew-all

4. Deploying cert

And at last the cert should be deployed to all modules. This can be done by adding another periodic task (e.g. monthly). Go to Control Panel -> Task Scheduler and add a new task with the name 'Lets Encrypt Deploy Cert' (run as root):

    export LE_WORKING_DIR="/usr/local/acme.sh"
    export LE_CONFIG_HOME="/usr/local/acme.sh/data"
    export SYNO_Create=1                  # Create cert if it does not exist yet
    export SYNO_Certificate="example.com" # Description text in Control Panel -> Security -> Certificates
    /usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --deploy -d example.com --deploy-hook synology_dsm

Also, you have to export some personal data such as the admin (root) password and device id once you start the deployment. Please read the appropriate instructions here. These values will be stored in the config file for later usage. At some point I would like to rewrite the deployment hook (actually it's not mine) using synowebapi in order to get rid of password saving. Keep following the latest news.

So that's all, folks! Please feel free to ask any questions.

And of course I will appreciate any help in testing the DNS API hook.
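Two checks worth running after step 2 and inside the step 3 task, as an added example that is not part of the post above, of acme.sh or of the dns_synology_dsm hook: whether a host name is actually covered by the SAN set the wildcard issue produces (a wildcard label covers exactly one label, which is why the command issues for both example.com and *.example.com), and whether the remaining lifetime has dropped into the renewal window. The two core functions are POSIX sh with no dependencies; cert_status additionally assumes openssl and GNU date, which DSM ships, and reads a real certificate file whose path you pass in. The SAN list in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh). POSIX sh.

# name_covered "SAN1 SAN2 ..." HOSTNAME
# Returns 0 if HOSTNAME is covered by one of the certificate's DNS names.
# A wildcard covers exactly one label (RFC 6125): *.example.com covers
# www.example.com but neither example.com itself nor a.b.example.com.
name_covered() {
    sans=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    for san in $sans; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case $san in
            \*.*)
                suffix=${san#\*.}
                case $host in
                    *."$suffix")
                        label=${host%."$suffix"}
                        case $label in
                            "" | *.*) ;;          # empty or multi-label: not covered
                            *) return 0 ;;
                        esac ;;
                esac ;;
            *)
                [ "$san" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# days_left NOT_AFTER_EPOCH NOW_EPOCH: whole days until the certificate expires
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# renew_due NOT_AFTER_EPOCH NOW_EPOCH [DAYS]: true when DAYS (default 30, i.e. a
# 90-day Let's Encrypt cert with a third of its life left) or fewer remain
renew_due() {
    [ "$(days_left "$1" "$2")" -le "${3:-30}" ]
}

# cert_status CERT_PEM HOSTNAME: runs both checks on a real certificate file.
# Assumes openssl and GNU date (both present on DSM).
cert_status() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    expiry=$(date -d "$not_after" +%s)
    sans=$(openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,]*' | sed 's/DNS://' | tr '\n' ' ')
    echo "names: $sans"
    echo "days left: $(days_left "$expiry" "$(date +%s)")"
    if name_covered "$sans" "$2"; then echo "$2: covered"; else echo "$2: NOT covered"; fi
    if renew_due "$expiry" "$(date +%s)"; then echo "renewal due"; fi
}

# Constructed demo (no real certificate): the SAN set step 2 produces.
demo_sans="example.com *.example.com"
for h in example.com www.example.com a.b.example.com other.org; do
    if name_covered "$demo_sans" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
# Pass a certificate path and a host name as arguments to check a deployed cert:
if [ "$#" -eq 2 ]; then cert_status "$1" "$2"; fi
```

Running the script with no arguments prints the coverage result for the four constructed names; running it as `sh check.sh /usr/local/acme.sh/certs/example.com/fullchain.cer nas.example.com` (path assumed) reports the real certificate's names, remaining days and whether the step 3 renewal should already have fired.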
Kevin1213
Posted October 13, 2020 (#2)

There is a lot of manual work. Also, for your DNS provider in step #2 you need to check here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

I see the certificates were created, but not imported into the Xpenology interface. There are many things to consider. I have DSM 6.1.7.
Kevin1213
Posted October 13, 2020 (#3)

In step #2 above, I used DuckDNS with DSM 6.1.7 and it worked for me perfectly. But I imported the certificate to DSM using the generated files.

    cd /usr/local/acme.sh
    export DuckDNS_Token="xxx-ddf-vgvv-vvv"    # DuckDNS token
    /usr/local/acme.sh/acme.sh --insecure --issue --dns dns_duckdns -d YOUR_DOMAIN.duckdns.org --log

When you run these commands, verify that there are no errors (all green and success), then go to the /usr/local/acme.sh/certs location and copy the generated certificates/key to your desktop folder. In your DSM, go to Control Panel -> Security -> Certificate -> Add -> Import Certificate (choose key, certificate and intermediate certificate). Do not choose the full-chain certificate.

You can set up a certificate Task Management script for renewal; the 60 days can be changed in the acme.sh script to 89 days.

I use the certificate to authenticate the Plex login from the outside world. See https://imgur.com/a/9UKLh for how to modify the generated certificates and integrate with Plex.
Kevin1213
Posted October 15, 2020 (#4)

What I need to add here is that you can create the automated script directly for the certificate location /usr/syno/etc/certificate/system/default and directly at the place where Plex takes it from your drive, so you do not need to do it manually at all, and can forget about the expiration.

A .pfx certificate can be exported to your Android. The DS file app can send/share a link to your email directly. Click on the .pfx certificate, enter the password and you are able to watch Plex on your phone in any country. Of course, the other part is to take care of port forwarding and security for your NAS.

I hope this is useful info.
Kevin1213
Posted October 15, 2020 (#5)

These are some old scripts that gave me this idea about the complete automation. This is what people did for Synology DNS, but if you are using other DNS providers, this will not work.

    #!/bin/sh
    ########################################################
    # This script will create a new p12 certificate for Plex
    # when Let's Encrypt automatically renews its one
    ########################################################

    ########################################################
    # Just adapt the values below to your configuration
    # Location of your script
    script_folder=/volume1/scripts
    # Folder and name you want for your p12 file
    p12_file_path=$script_folder/syno.p12
    # Add password to the p12 file (you can leave it empty)
    p12cert_password=
    # Synology's default Let's Encrypt folder
    letsencrypt_cert_folder=/usr/syno/etc/certificate/system/default
    ########################################################
    # Changes below are at your own risk
    ########################################################

    generate_p12=false
    current_date=`date +"%s"`
    current_certificate_date=`openssl x509 -enddate -noout -in $letsencrypt_cert_folder/cert.pem | cut -d'=' -f2`
    current_certificate_timestamp=`date -d "$current_certificate_date" +"%s"`

    # First of all, we check if the renew_timestamp file exists (this file keeps the further certificate renew date in memory)
    if [ ! -f $script_folder/renew_timestamp ]; then
        echo "Generate timestamp for the current renew date..."
        echo $current_certificate_timestamp > $script_folder/renew_timestamp
        chmod +rw $script_folder/renew_timestamp
        chown admin:users $script_folder/renew_timestamp
        # We generate the first p12 file
        generate_p12=true
    else
        renew_date=`cat $script_folder/renew_timestamp`
        echo "In memory certificate expiration date is" `date -d @$renew_date` "and the current certificate expiration date is $current_certificate_date"
        # Now, we check if it is necessary to renew the certificate or not
        if expr "$current_certificate_timestamp" "!=" "$renew_date" > /dev/null; then
            # We ask to generate a new p12 file
            echo "Dates don't match, we have to renew the certificate..."
            generate_p12=true
            # We update the timestamp_date in the file
            echo "Updating the new timestamp date..."
            echo $current_certificate_timestamp > $script_folder/renew_timestamp
        else
            echo "It is not necessary to renew the certificate, abort."
            exit 0
        fi
    fi

    # We generate a new certificate file if asked to, and we relaunch the Plex app to take effect
    if expr "$generate_p12" "=" "true" > /dev/null; then
        echo "Generating the p12 certificate file..."
        openssl pkcs12 -export -out $p12_file_path -in $letsencrypt_cert_folder/cert.pem -inkey $letsencrypt_cert_folder/privkey.pem -certfile $letsencrypt_cert_folder/chain.pem -name "Domain" -password pass:$p12cert_password
        chmod +r $p12_file_path
        chown admin:users $p12_file_path
        echo "Relaunching Plex App..."
        sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status stop
        sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status start
        echo "Done."
    fi    # was "Fi" in the original, which sh would reject
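A variant of the re-deploy script above, written here as an added example rather than taken from the thread. It differs in two places a defender cares about: the "did the certificate change" test compares a checksum of cert.pem instead of the expiry date (so a re-issue with the same notAfter, e.g. a rerun with --force, is also picked up), and the PKCS#12 password reaches openssl through the environment (-passout env:) instead of `pass:...` on the command line, where it would be visible in the process list. The paths, the STATE_FILE name, the RUN_DEPLOY switch and the account Plex runs under are assumptions for your NAS; only the checksum functions run without openssl.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are assumptions; adjust for your NAS.
STATE_FILE=${STATE_FILE:-/volume1/scripts/cert.cksum}                    # assumed
CERT_DIR=${CERT_DIR:-/usr/syno/etc/certificate/system/default}          # DSM default
P12_OUT=${P12_OUT:-/volume1/scripts/syno.p12}                           # assumed

# cert_fingerprint FILE: POSIX CRC of the file, no openssl needed
cert_fingerprint() {
    cksum < "$1" | cut -d' ' -f1
}

# cert_changed CERT STATE: true (0) when CERT's checksum differs from the one
# recorded in STATE, or STATE does not exist yet; records the new checksum.
cert_changed() {
    current=$(cert_fingerprint "$1")
    if [ -f "$2" ] && [ "$(cat "$2")" = "$current" ]; then
        return 1
    fi
    printf '%s\n' "$current" > "$2"
    return 0
}

# make_p12 CERT_DIR OUT: export cert + key + chain as PKCS#12. The password is
# taken from $P12_PASS (may be empty, as in the original script) via
# -passout env:, so it never appears in the openssl command line.
make_p12() {
    P12_PASS=${P12_PASS:-} openssl pkcs12 -export \
        -in "$1/cert.pem" -inkey "$1/privkey.pem" -certfile "$1/chain.pem" \
        -name "Domain" -passout env:P12_PASS -out "$2"
    # The file holds the private key: owner-only, then hand it to the account
    # your Plex package runs as (assumed here to be "plex") rather than +r.
    chmod 600 "$2"
    chown plex "$2"
}

main() {
    if cert_changed "$CERT_DIR/cert.pem" "$STATE_FILE"; then
        echo "certificate changed, regenerating $P12_OUT"
        make_p12 "$CERT_DIR" "$P12_OUT"
        # restart Plex the same way the original script does
        sh "/var/packages/Plex Media Server/scripts/start-stop-status" stop
        sh "/var/packages/Plex Media Server/scripts/start-stop-status" start
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Run the deployment only when explicitly asked, e.g. from the Task Scheduler:
#   RUN_DEPLOY=1 P12_PASS=... sh plex-p12.sh   (runs as root, like the original)
if [ "${RUN_DEPLOY:-0}" = 1 ]; then main; fi
```

Because the checksum state file is rewritten every time a change is seen, a failed openssl run is not retried on the next pass; if you want that, move the `printf` in cert_changed to after a successful make_p12.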
Arabezar (Author)
Posted November 7, 2020 (#6)

On 10/13/2020 at 11:31 AM, Kevin1213 said:
    …for your DNS provider in step #2 you need to check here https://github.com/acmesh-official/acme.sh/wiki/dnsapi I see the certificates were created, but not imported into the Xpenology interface. There are many things to consider. I have DSM 6.1.7

I've just added a wiki to my fork, the description to the API and an issue for bugs. This script just issues the certificate but does not deploy it to the NAS. If you want to deploy, please use deploy/synology_dsm.sh, which was written a long time ago.

On 10/13/2020 at 12:23 PM, Kevin1213 said:
    I used DuckDNS with DSM 6.1.7 and it worked for me perfectly. But I imported the certificate to DSM using the generated files.

My script is intended to be used with Synology DNS Server only.

On 10/13/2020 at 12:23 PM, Kevin1213 said:
    …then go to /usr/local/acme.sh/certs location and copy the generated certificates/key to your desktop folder. In your DSM, Go to Control Panel -> Security -> Certificate -> Add -> Import Certificate…

There will be another script (same as deploy/synology_dsm.sh) for that, but without user/pass authentication. Just wait, please.

On 10/15/2020 at 5:51 AM, Kevin1213 said:
    These are some old scripts that gave me this idea about the complete automation. This is what people did for Synology DNS, but if you are using other DNS providers, this will not work.

Full automation is already done. And it works for all Synology packages. You can use my script (dnsapi/dns_synology_dsm.sh) for issuing and then the script (deploy/synology_dsm.sh) for deploying.
Arabezar (Author)
Posted November 5, 2021 (#7)

Wiki updated:
- Requirements
- Updating cert (user informing)