Arkadii edited this page Nov 5, 2021 · 9 revisions

Issuing wildcard certs for Synology DSM with Synology DNS Server installed

As you know, the standard certificate issuing wizard supports wildcards only for Synology DDNS. If you want to issue a wildcard certificate for your own domain you can use a 3rd-party ACME client. At first I tried to use Certbot in Docker with no success. Then I found acme.sh, which works fine on Synology DSM (mine is 6.2.3 on a DS918+). Below you can find a short guide for issuing, renewing and deploying a wildcard cert for your own domain on Synology DSM with Synology DNS Server.

1. Requirements

  • Synology DNS Server package installed and running
  • Git (can be installed with the Git Server package)
  • acme.sh installed and running on the Synology NAS (see the next step)

2. Installing acme.sh

Open a terminal in your SSH client, go to any folder you have write permissions for (e.g. /tmp or your ~ folder), then download and install acme.sh:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install \
  --home /usr/local/acme.sh \
  --cert-home /usr/local/acme.sh/certs \
  --config-home /usr/local/acme.sh/data \
  --accountemail "email@example.com" \
  --force # use it with elevation (sudo) for all commands

After a successful installation, remove the downloaded folder and restart the terminal so that the changes to the ACME client settings (environment variables) take effect:

cd ..
rm -rf acme.sh # rmdir would fail here: the cloned folder is not empty

3. Issuing cert

acme.sh supports several ways of domain validation (you can find them all in the acme.sh documentation). Since I'm using my own DNS Server on Synology DSM, I've created my own DNS API hook for acme.sh.

It's a good idea to first try issuing the cert against the staging (test) server, with debug logging enabled:

/usr/local/acme.sh/acme.sh --staging --debug 2 --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

After the cert has been issued successfully on the staging server you can issue the real one (the wildcard name is quoted so the shell does not expand it as a glob):

/usr/local/acme.sh/acme.sh --issue --dns dns_synology_dsm -d example.com -d '*.example.com' --log

*) use --force when running with elevation (sudo)

4. Updating cert

Renewal can be automated with a daily task. Go to Control Panel -> Task Scheduler and add a new task named 'Lets Encrypt Update Cert' (run as root):

export LE_WORKING_DIR="/usr/local/acme.sh"
export LE_CONFIG_HOME="/usr/local/acme.sh/data"
/usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --renew-all

Since deploying the cert (next step) does not always work properly yet, you may want to be informed via the Synology notification panel when the cert has been renewed. To do so, replace the lines above with the following:

export LE_WORKING_DIR="/usr/local/acme.sh"
export LE_CONFIG_HOME="/usr/local/acme.sh/data"
response=$(/usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --renew-all)
echo "$response"
# acme.sh reports "Skipped" for a cert that is not yet due; no "Skipped" in the output means a cert was actually renewed
updated=$(echo "$response" | grep "Skipped")
if [ -z "$updated" ]; then
  synodsmnotify <syno_user_to_be_notified> "Let's Encrypt cert was updated" "$response"
fi

*) don't forget to replace <syno_user_to_be_notified> with an existing Synology user
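A hardened version of the renewal task above, written for this page as an added example (not the author's script): it keeps the page's "Skipped" heuristic but additionally notifies when the run fails, and checks the expiry of the certificate on disk independently of what acme.sh reported. The cert path under certs/, the non-zero exit status of acme.sh on a failed renewal and the renew-task.sh file name are assumptions.

```shell
#!/bin/sh
# Added example: hardened 'Lets Encrypt Update Cert' task. Unlike the page's
# script it also notifies on FAILURE, so a broken renewal cannot go silent.
# Assumptions not confirmed by the page: acme.sh exits non-zero when a
# renewal fails, and the cert lives under <cert-home>/example.com/.
export LE_WORKING_DIR="/usr/local/acme.sh"
export LE_CONFIG_HOME="/usr/local/acme.sh/data"
ACME="$LE_WORKING_DIR/acme.sh"
CERT_FILE="$LE_WORKING_DIR/certs/example.com/fullchain.cer"   # assumed path
NOTIFY_USER="<syno_user_to_be_notified>"                      # replace me
# classify_renewal OUTPUT EXIT_STATUS -> prints failed | skipped | renewed.
# "Skipped" is the marker the page's own task script relies on.
classify_renewal() {
  if [ "$2" -ne 0 ]; then
    echo failed
  elif printf '%s\n' "$1" | grep -q 'Skipped'; then
    echo skipped
  else
    echo renewed
  fi
}
# cert_expires_within_days FILE DAYS -> true when FILE is unreadable or expires
# within DAYS (openssl -checkend succeeds only if the cert outlives the window).
cert_expires_within_days() {
  ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}
run_task() {
  rc=0
  output=$("$ACME" --config-home "$LE_CONFIG_HOME" --renew-all 2>&1) || rc=$?
  printf '%s\n' "$output"
  case "$(classify_renewal "$output" "$rc")" in
    failed)  synodsmnotify "$NOTIFY_USER" "Let's Encrypt renewal FAILED (exit $rc)" "$output" ;;
    renewed) synodsmnotify "$NOTIFY_USER" "Let's Encrypt cert was updated" "$output" ;;
  esac
  # Safety net independent of acme.sh's output: alarm when the cert on disk is
  # close to expiry, e.g. a renewal that reported success but wrote nothing.
  if cert_expires_within_days "$CERT_FILE" 14; then
    synodsmnotify "$NOTIFY_USER" "Let's Encrypt cert expires within 14 days" "$CERT_FILE"
  fi
}
# Task Scheduler command: sh /usr/local/acme.sh/renew-task.sh run
# Without 'run' the script only demonstrates the classifier on constructed output.
if [ "${1:-}" = run ]; then
  run_task
else
  classify_renewal "constructed: Skipped example.com" 0        # skipped
  classify_renewal "constructed: Cert renewed example.com" 0   # renewed
  classify_renewal "constructed: Error renew example.com" 1    # failed
fi
```

Save it as a file on the NAS and point the scheduled task at `sh /usr/local/acme.sh/renew-task.sh run`; the 14-day window is deliberately longer than a daily schedule so a few failed runs still leave time to react.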

5. Deploying cert

Finally, the cert should be deployed to all DSM services. This can be done with another periodic task (e.g. monthly). Go to Control Panel -> Task Scheduler and add a new task named 'Lets Encrypt Deploy Cert' (run as root):

export LE_WORKING_DIR="/usr/local/acme.sh"
export LE_CONFIG_HOME="/usr/local/acme.sh/data"
export SYNO_Create=1
export SYNO_Certificate="example.com" # Description text in Control Panel -> Security -> Certificates
/usr/local/acme.sh/acme.sh --config-home /usr/local/acme.sh/data --deploy -d example.com --deploy-hook synology_dsm

So that's all folks!

At some point I would like to rewrite the deployment hook using synowebapi in order to get rid of storing the password. Stay tuned ;)