XPEnology Community

Issuing and auto renewing Let's Encrypt wildcard certificates for your own domain



As you know, the standard certificate issuing wizard supports wildcards only for Synology DDNS.
If you want to issue a wildcard certificate for your own domain you can use a 3rd-party ACME client.
At first I tried to use Certbot in Docker with no success.
Then I found acme.sh, which works fine on Synology DSM (mine is 6.2 on a DS918+).
Below you can find a short list of steps for issuing, updating and deploying a wildcard cert for your own domain on Synology DSM with Synology DNS Server.

 

1. Installing acme.sh
Open an SSH client's terminal, go to any folder with write access permissions (e.g. /tmp or the ~ folder), then download and install acme.sh:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install \
  --home /usr/local/acme.sh \
  --cert-home /usr/local/acme.sh/certs \
  --config-home /usr/local/acme.sh/data \
  --accountemail "email@example.com" \
  --force   # use --force with elevation (sudo) for all commands

After a successful installation, remove the downloaded folder and restart the terminal in order to apply the changes to the ACME client settings (environment variables):

cd ..
rm -rf acme.sh   # rmdir only removes empty directories; the cloned folder is not empty


2. Issuing cert

acme.sh supports several ways of domain approval (you can find them all in the acme.sh documentation).
Since I'm using my own DNS Server on Synology DSM, I've created my own DNS API hook for acme.sh and I would like to ask you for help in testing the hook.
For now the hook (dns_synology_dsm) is in a development state and you can find it only here: https://github.com/arabezar/acme.sh/blob/dev/dnsapi/dns_synology_dsm.sh

It's a good idea to first try issuing the cert using the staging server (with debug log):

/usr/local/acme.sh/acme.sh --staging --debug 2 --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log   # quote the wildcard so the shell does not expand it

After successfully issuing the cert on the staging server you can issue the real one:

/usr/local/acme.sh/acme.sh --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

*) use --force when using elevation (sudo)

 

3. Updating cert

Updating can be done using a daily task.
Go to Control Panel -> Task Scheduler and add a new task with the name 'Lets Encrypt Update Cert' (run as root):

export LE_WORKING_DIR="/usr/local/acme.sh"
export LE_CONFIG_HOME="/usr/local/acme.sh/data"
/usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --renew-all

 

4. Deploying cert

And finally, the cert should be deployed to all modules. This can be done by adding another periodic task (e.g. monthly).
Go to Control Panel -> Task Scheduler and add a new task with the name 'Lets Encrypt Deploy Cert' (run as root):

export LE_WORKING_DIR="/usr/local/acme.sh"
export LE_CONFIG_HOME="/usr/local/acme.sh/data"
export SYNO_Create=1 # Create cert if not exists yet
export SYNO_Certificate="example.com" # Description text in Control Panel -> Security -> Certificates
/usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --deploy -d example.com --deploy-hook synology_dsm

Also, you have to export some personal data such as the admin (root) password and device id once, when you start the deployment. Please read the appropriate instructions here. These values will be stored in the config file for later use.

At some point I would like to rewrite the deployment hook (actually it's not mine) using synowebapi in order to get rid of password saving. Keep following the latest news ;)

 

So that's all, folks!
Please feel free to ask any questions.
And of course I will appreciate any help in testing the DNS API hook.


in Steps # 2 above.

I used DuckDNS with DSM 6.1.7 and it worked for me perfectly. But I imported the certificate to DSM using the generated files.

 

cd /usr/local/acme.sh
export DuckDNS_Token="xxx-ddf-vgvv-vvv"   # DuckDNS token
/usr/local/acme.sh/acme.sh --insecure --issue --dns dns_duckdns -d YOUR_DOMAIN.duckdns.org --log

 

When you run these commands, verify that there are no errors (all green and success), then go to the /usr/local/acme.sh/certs location and copy the generated certificates/key to your desktop folder.

In your DSM, go to Control Panel -> Security -> Certificate -> Add -> Import Certificate (choose the key, certificate and intermediate certificate). Do not choose the full chain certificate.

 

You can set up a certificate Task Management script for renewal; the 60 days can be changed in the acme.sh script to 89 days.

I use the certificate to authenticate Plex login from the outside world. ---> https://imgur.com/a/9UKLh shows how to modify the generated certificates and integrate them with Plex.

 


What I need to add here is that you can create the automated script directly for the certificate location:

/usr/syno/etc/certificate/system/default

 

and directly at the place where Plex takes it from your drive, so you do not need to do it manually at all, and can forget about the expiration.

The pfx certificate can be exported to your Android. The DS file app can send/share a link to your email directly. Click on the .pfx certificate, enter the password and you are able to watch Plex on your phone in any country. Of course, the other part is to take care of port forwarding and security for your NAS.

I hope this is useful info. 


These are some old scripts that gave me the idea about complete automation. This is what people did for Synology DNS, but if you are using other DNS providers, this will not work.

 

#!/bin/sh
########################################################
# This script will create a new p12 certificate for Plex
# when Let's Encrypt automatically renews its one
########################################################

########################################################
# Just adapt the values below to your configuration
# Location of your script
script_folder=/volume1/scripts
# Folder and name you want for your p12 file
p12_file_path=$script_folder/syno.p12
# Add a password to the p12 file (you can leave it empty)
p12cert_password=
# Synology's default Let's Encrypt folder
letsencrypt_cert_folder=/usr/syno/etc/certificate/system/default

########################################################
# Changes below are at your own risk
########################################################
generate_p12=false
current_date=$(date +"%s")
# Expiry date of the certificate DSM is currently using
current_certificate_date=$(openssl x509 -enddate -noout -in "$letsencrypt_cert_folder/cert.pem" | cut -d'=' -f2)
current_certificate_timestamp=$(date -d "$current_certificate_date" +"%s")

# First of all, we check if the renew_timestamp file exists (this file keeps the last known certificate expiry date)
if [ ! -f "$script_folder/renew_timestamp" ]; then
    echo "Generate timestamp for the current renew date... "
    echo "$current_certificate_timestamp" > "$script_folder/renew_timestamp"
    chmod +rw "$script_folder/renew_timestamp"
    chown admin:users "$script_folder/renew_timestamp"
    # We generate the first p12 file
    generate_p12=true
else
    renew_date=$(cat "$script_folder/renew_timestamp")
    echo "In memory certificate expiration date is" "$(date -d "@$renew_date")" "and the current certificate expiration date is $current_certificate_date"
    # Now, we check whether it is necessary to renew the certificate or not
    if [ "$current_certificate_timestamp" != "$renew_date" ]; then
        # We ask to generate a new p12 file
        echo "Dates don't match, we have to renew the certificate..."
        generate_p12=true
        # We update the timestamp date in the file
        echo "Updating the new timestamp date..."
        echo "$current_certificate_timestamp" > "$script_folder/renew_timestamp"
    else
        echo "It is not necessary to renew the certificate, abort."
        exit 0
    fi
fi

# We generate a new certificate file if asked, and we relaunch the Plex app so the change takes effect
if [ "$generate_p12" = "true" ]; then
    echo "Generating the p12 certificate file..."
    openssl pkcs12 -export -out "$p12_file_path" -in "$letsencrypt_cert_folder/cert.pem" -inkey "$letsencrypt_cert_folder/privkey.pem" -certfile "$letsencrypt_cert_folder/chain.pem" -name "Domain" -password "pass:$p12cert_password"
    chmod +r "$p12_file_path"
    chown admin:users "$p12_file_path"
    echo "Relaunching Plex App..."
    sh "/var/packages/Plex Media Server/scripts/start-stop-status" stop
    sh "/var/packages/Plex Media Server/scripts/start-stop-status" start
    echo "Done."
fi   # was "Fi" in the original, which is a syntax error

------------------------------------------------
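As an added example (not the script posted above, and not part of acme.sh or DSM), here is the same idea, covering both the renew/deploy tasks from the first post and the p12 script in this one: notice a renewed certificate and rebuild the Plex bundle. It detects a change by the SHA-256 fingerprint of cert.pem instead of the expiry date (so a re-issue with the same expiry is still caught), keeps the bundle owner-only since it contains the private key, passes the export password through the environment rather than argv, and records the new fingerprint only after the export succeeded, so a failed export is retried next run. The paths, the Plex start-stop-status location and the P12_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed paths: DSM system certificate
# folder, a state directory on volume1, and the Plex package control script.
set -eu

CERT_DIR="${CERT_DIR:-/usr/syno/etc/certificate/system/default}"   # assumed DSM cert path
STATE_DIR="${STATE_DIR:-/volume1/scripts}"                          # assumed state directory
P12_OUT="${P12_OUT:-$STATE_DIR/syno.p12}"
STAMP_FILE="${STAMP_FILE:-$STATE_DIR/cert.sha256}"
PLEX_CTL="/var/packages/Plex Media Server/scripts/start-stop-status" # assumed

# fingerprint FILE: print the SHA-256 hex digest of FILE
fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# cert_changed CERT STAMP: succeed (exit 0) when STAMP is missing or differs from CERT's digest
cert_changed() {
    cert="$1"; stamp="$2"
    [ -f "$stamp" ] || return 0
    [ "$(cat "$stamp")" != "$(fingerprint "$cert")" ]
}

# record_fingerprint CERT STAMP: store CERT's digest, written atomically via rename
record_fingerprint() {
    fingerprint "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}

# build_p12 CERT KEY CHAIN OUT: export a PKCS#12 bundle; the password comes from
# $P12_PASS (env:), so it never shows up in the process list as an argument
build_p12() {
    ( umask 077   # the bundle contains the private key: owner-only permissions
      P12_PASS="${P12_PASS:-}" openssl pkcs12 -export -out "$4" -in "$1" -inkey "$2" \
          -certfile "$3" -name "Domain" -passout env:P12_PASS )
}

main() {
    if ! cert_changed "$CERT_DIR/cert.pem" "$STAMP_FILE"; then
        echo "Certificate unchanged; nothing to do."
        return 0
    fi
    echo "Certificate changed; rebuilding $P12_OUT"
    build_p12 "$CERT_DIR/cert.pem" "$CERT_DIR/privkey.pem" "$CERT_DIR/chain.pem" "$P12_OUT"
    record_fingerprint "$CERT_DIR/cert.pem" "$STAMP_FILE"   # only after a successful export
    sh "$PLEX_CTL" stop
    sh "$PLEX_CTL" start
}

# Run the refresh only when called with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it as e.g. /volume1/scripts/plex-p12-refresh.sh and schedule `sh /volume1/scripts/plex-p12-refresh.sh run` as a root task after the acme.sh renew/deploy tasks; on every run where the certificate has not changed it exits without touching Plex.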

On 10/13/2020 at 11:31 AM, Kevin1213 said:

…for your DNS provide in step # 2 you need to check here https://github.com/acmesh-official/acme.sh/wiki/dnsapi

I see the certificates were created, but not imported into the Xpenology interface. There are many things to consider. I have DSM 6.1.7.

I've just added a wiki to my fork, a description of the API and an issue for bugs.

This script just issues the certificate but does not deploy it to the NAS. If you want to deploy, please use deploy/synology_dsm.sh, which was written a long time ago.

 

On 10/13/2020 at 12:23 PM, Kevin1213 said:

I used DuckDNS with DSM 6.1.7 and it worked for me perfectly. But I imported the certificate to DSM using the generated files.

My script is intended to be used with Synology DNS Server only.

 

On 10/13/2020 at 12:23 PM, Kevin1213 said:

…then go to /usr/local/acme.sh/certs location and copy the generated certificates/key to your desktop folder.

In your DSM,  Go to Control Panel--> Security---> Certificate --> Add --> Import Certificate…

There will be another script (same as deploy/synology_dsm.sh) for that but without user/pass authentication. Just wait please.

 

On 10/15/2020 at 5:51 AM, Kevin1213 said:

These are some old scripts that gave me this idea about the complete automation. This is what people did for Synology DNS, but if you are using other DNS providers, this will not work.

Full automation is already done. And it works for all Synology packages. You can use my script (dnsapi/dns_synology_dsm.sh) for issuing and then the script (deploy/synology_dsm.sh) for deploying.
