SSL certificate renewal and deployment via acme.sh for Synology DSM

  • Synology NAS (I have a DS1817+ running DSM 7.11; anything above 6.2 should be ok) + your own domain (I will use mydomain.com in this post)
  • Have Cloudflare set up for acme authentication (Step 3 and 4 from this guide) and have your Cloudflare API Token (follow step 1) or Global API Key. (This is possible with other DNS providers; you'll need the Email and Token for your provider, see https://github.com/acmesh-official/acme.sh)
  • You will need to have a folder on your NAS for acme.sh and know the path to it (e.g. I have a share called "Certs" and in there I have a folder acme.sh, so the full path is /volume1/Certs/acme.sh)
  • This one is not really important; I just like to have a separate admin user, as you will have to use an admin user/password and cookie combination to deploy the cert.

How-to

  1) First you will have to enable SSH on your NAS so we can connect to it. I have the default port disabled and use a custom one; I will use port 1234 for the purpose of this guide. I use CMD in Windows to run all of these commands. You just need to edit the commands with your details and paste them into cmd by right-clicking inside the window.

ssh -p 1234 user@192.168.1.1

  • This will get you connected to your NAS via SSH
  • -p 1234 is your custom port; if you are using the default one you can skip -p altogether
  • user is your admin username
  • 192.168.1.1 is the IP of your NAS

2) Now we will have to download acme.sh to the NAS and install it to our folder:

sudo su

wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz

tar xvf master.tar.gz

cd acme.sh-master/

./acme.sh --install --nocron --home /volume1/Certs/acme.sh --accountemail "[email protected]"

source ~/.profile

  • sudo su Gives us root rights to access and modify files
  • wget Downloads the latest acme.sh package
  • tar Unpacks the downloaded archive
  • --home /volume1/Certs/acme.sh This is where you have to use your own path; it is where acme.sh will be installed

3) Now we have to set up access to your DNS provider so that acme.sh can verify that you own your domain (it does this by creating a DNS TXT record for the challenge).

cd /volume1/Certs/acme.sh

export CF_Key="IF_YOU_USE_GLOBAL_API_KEY"

export CF_Token="IF_YOU_USE_API_TOKEN"

export CF_Email="[email protected]"

export CERT_DOMAIN="mydomain.com"

export CERT_DNS="dns_cf"

  • CF_Key you use this with your Cloudflare Global API Key that you can find in "My Account" in the Cloudflare dashboard
  • CF_Token you use this if you create your own API Token. Set only one of CF_Key or CF_Token, whichever you are using, and leave the other out; acme.sh saves the value it used in its account.conf under --home after the first successful issue, so the scheduled renewal later does not need it exported again
  • CF_Email Same email address as we used for installation in the step above
  • CERT_DOMAIN This tells acme.sh which domain you want to get certs for
  • CERT_DNS This tells acme.sh which DNS provider we are using for authentication

4) Now we get the cert created with acme.sh:

./acme.sh --register-account -m [email protected] --issue --force --home . -d "$CERT_DOMAIN" --dns "$CERT_DNS" --server letsencrypt

  • --register-account -m This is to check for an account and register one if it doesn't find one. You probably don't need this part, but I was having issues where sometimes it would not find my account.
  • --force This is another one that you probably don't need. By default acme.sh checks if there is a cert already and does not run if there is one. This parameter forces creation of new certs.

5) Now that we have the cert created, we need to set up details for the deployment part:

export SYNO_Username="Admin_User"

export SYNO_Password="password"

export SYNO_DID='DID_COOKIE_VALUE'

export SYNO_Hostname="192.168.1.1"

export SYNO_Scheme="https"

export SYNO_Port="5001"

export SYNO_Certificate="default"

export SYNO_Create=1

  • SYNO_Username= This is where you have to use your Administrator credentials. As I mentioned above, I didn't want to use my main account, so I created a separate Admin account where I only allowed access to DSM and restricted everything else. Keep in mind that acme.sh stores these deploy settings (user, password and the did cookie) in the domain's .conf file under --home so that the scheduled renewal can redeploy, so keep that folder's permissions tight.
  • SYNO_Password= This is where you put your password
  • SYNO_DID= If you are using OTP, as you should, you have to get a "did" cookie value for the deployment to work. To get this, open your browser in a private window and log in with your admin user, making sure that both "Stay Signed in" and "remember this device" are checked when logging in. Once you are logged in, press Ctrl+Shift+I, go to the "Application" tab and under "Storage" click on Cookies. Open it and in there you should have a "did" value, which you need to copy over to the command
  • SYNO_Hostname This is where you put your NAS IP
  • SYNO_Scheme This is to use an HTTPS connection
  • SYNO_Port This is to tell acme.sh which port to use; default is 5001 for the secure connection
  • SYNO_Certificate= This is the description name of the certificate. I want it to replace mine, which has a description of "default"
  • SYNO_Create=1 This tells acme.sh to create a new certificate in DSM if it isn't there already

6) Now, after we set up the deploy information, we need to deploy the cert to DSM:

./acme.sh --insecure --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm

7) Now you should be able to see your cert in the DSM – Control Panel – Security – Certificates. If you do, we just need to set up a Task in Task Scheduler:

  • In DSM control panel, open the ‘Task Scheduler’ and create a new scheduled task for a user-defined script.
  • General Setting: Task – Update default Cert. User – root
  • Schedule: Set up a weekly renewal. For example, 11:00 am every Saturday.
  • Task setting: User-defined-script:

/volume1/Certs/acme.sh/acme.sh --cron --insecure --force --home /volume1/Certs/acme.sh/

  • The first part is pointing to acme.sh and the second one is pointing to the folder where acme.sh is installed
  • --cron This is to run the cert renewal job
  • --insecure This is to ignore any SSL issues when deploying the cert (acme.sh connects to DSM on the NAS IP, so the certificate it sees there will not match the IP, and without this flag the deployment would fail the TLS check)
  • --force This is again to force creation of a new cert even though there might be one already present. Note that with --force every scheduled run issues a fresh cert; without it acme.sh only renews once the current cert is close to expiry.
  • You can also just SSH to your Synology and run this command via CMD (you will see in real time all the steps being done and whether it finishes successfully)

That should be it. Now if you refresh your DSM page, it should ask you to verify the certificate again, which means that it has successfully created and deployed the certificate. I've found loads of other guides on the internet, but none of them worked fully: either I would get the first part working but deployment wouldn't work, or vice versa.
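A post-deploy check worth running once the task has done its job, added here as an example that is not part of the original post or of acme.sh: it connects to the NAS by IP but verifies the served certificate against your domain name (the verification that --insecure skips) and reports the issuer and the days left until expiry. NAS_HOST, DSM_PORT, CERT_DOMAIN and MIN_DAYS_LEFT are assumed values that mirror the guide's placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

NAS_HOST = "192.168.1.1"      # SYNO_Hostname from the guide
DSM_PORT = 5001               # SYNO_Port from the guide
CERT_DOMAIN = "mydomain.com"  # CERT_DOMAIN from the guide
MIN_DAYS_LEFT = 30            # assumed threshold: flag a cert with under a month left

def fetch_peer_cert(host, port, server_hostname):
    """Connect to the NAS by IP but validate the cert against the domain name.
    Unlike acme.sh --insecure this keeps chain + hostname verification, so a
    leftover self-signed or mismatched cert raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()  # dict form, only populated after verification

def name_matches(cert, domain):
    """True if a SAN DNS entry covers the domain (exact or one-label wildcard)."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if domain in names:
        return True
    parent = domain.split(".", 1)[1] if "." in domain else None
    return parent is not None and ("*." + parent) in names

def days_left(cert, now=None):
    """Days until notAfter; 'now' is a Unix timestamp (defaults to current time)."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def evaluate(cert, domain, now=None, min_days=MIN_DAYS_LEFT):
    """Return (ok, report) for a getpeercert()-style dict."""
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    left = days_left(cert, now)
    report = {
        "issuer": issuer.get("organizationName", "?"),
        "name_ok": name_matches(cert, domain),
        "days_left": round(left, 1),
        "expiry_ok": left >= min_days,
    }
    return report["name_ok"] and report["expiry_ok"], report

if __name__ == "__main__":
    ok, report = evaluate(fetch_peer_cert(NAS_HOST, DSM_PORT, CERT_DOMAIN), CERT_DOMAIN)
    print(report)
    raise SystemExit(0 if ok else 1)
```

Run it from any machine that can reach the NAS; a non-zero exit means the name did not match or the cert is within the warning window, and a verification error means DSM is still serving the old self-signed certificate.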
