I’m attempting to build upon Markus Lippert’s article (https://lippertmarkus.com/2020/03/14/synology-le-dns-auto-renew/) with a newer DSM (DiskStation Manager) version (6.2.3). Some of the instructions from that post were slightly different from what my experience was.
I don’t have my Synology device accessible on the internet, so using a DNS challenge was the best option available. The built-in Synology Let’s Encrypt implementation relies on having your DSM instance accessible from the internet on port 443. Gross. Maybe some day they’ll implement DNS challenges in the UI, but until then we’re stuck doing things via command-line.
I’m using Amazon’s Route53 for this tutorial. The instructions for other DNS providers aren’t too dissimilar – usually just exporting a few variables with different names. You can see a list of the supported providers for this script here. I’m also going to assume you’re mostly familiar with setting up a hostname in an existing Route53 zone and setting up an IAM user for updating zone records programmatically. You’ll need an access key and secret key for said IAM user later.
To start, I created a new Synology DSM administrator user – I called it
certadmin, which I’ll be referring to for the rest of this article, but you can name it whatever you choose. I didn’t give it access to any applications, and the only shared folder I allowed access to was
homes so the user had access to its own home directory:
Ensure that SSH access is enabled in the DSM Control Panel, under
Terminal & SNMP:
certadmin with the user you created, and replace
10.0.0.100 with the IP of your Synology device. You’ll be prompted for a password – enter the password for the user you created. Note that if you changed the port for the SSH service to something other than
22, you will need to specify the port when connecting. For example, if you changed the port number to
2222 you would use:
ssh -p 2222 email@example.com
We’re going to download
acme.sh as our tool of choice to perform Let’s Encrypt renewals. The master branch is updated with all the good stuff nowadays. Again, in the example below, replace
certadmin with the user you created:
wget -O /tmp/acme.sh.zip https://github.com/acmesh-official/acme.sh/archive/master.zip
sudo 7z x -o/usr/local/share /tmp/acme.sh.zip
sudo mv /usr/local/share/acme.sh-master/ /usr/local/share/acme.sh
sudo chown -R certadmin/usr/local/share/acme.sh/
Now we’re going to run
acme.sh to get a base configuration created. Replace
*.example.com with the hostname you created in Route53:
./acme.sh --issue -d "*.example.com" --dns dns_aws --home $PWD
And we’ll need to export some variables used by the script. Replace
AWS_SECRET_ACCESS_KEY values with the specific ones for the IAM user you’re using in AWS. Replace the
SYNO_Password values with DSM user credentials:
export SYNO_Certificate="Let's Encrypt" # Replace with a friendly description
export SYNO_Create=1 # Create the certificate if it doesn't already exist
And then run
acme.sh for real to perform DNS validation and generate your certificate:
./acme.sh -d "*.example.com" --deploy --deploy-hook synology_dsm --home $PWD
Assuming all of the commands went well, you should now see your certificate in the DSM Control Panel Under Security -> Certificate with the name you provided in the
Syno_Certificate variable :
You may have to Click the
Configure button in this window and select your new certificate as the default. Once you do this, it should prompt you to restart the web service in order to utilize the new certificate.
Hooray, the most difficult steps should be done! Now all we have to do is set up a scheduled task in DSM to automatically renew our Let’s Encrypt certificate.
In the DSM Control Panel, head to the
Task Scheduler section:
Scheduled Task ->
User-defined script. On the General Settings tab give the task a memorable description and set it to run as
certadmin or whichever user you created. On the schedule tab, I have mine set to run daily in the morning. The time doesn’t really matter. On the Task settings tab the Run command will look like:
/usr/local/share/acme.sh/acme.sh --renew -d "*.example.com" --home /usr/local/share/acme.sh
It should be fine to run daily, as the script will detect that a renewal isn’t necessary and skip the operation until the next renewal time. I’ve found that the
acme.sh script will exit with a return code of
2 if renewal isn’t necessary. You can view the execution result if you highlight the task in DSM and click on
Enjoy using HTTPS on your Synology device! Hopefully this post was helpful. Please post a comment if you were successful, or if there were issues you encountered.