Synology DSM 6.2 + Let’s Encrypt + DNS Challenge + Route53

I’m attempting to build upon Markus Lippert’s article (https://lippertmarkus.com/2020/03/14/synology-le-dns-auto-renew/) with a newer DSM (DiskStation Manager) version (6.2.3). Some of the instructions in that post differed slightly from my experience.

I don’t have my Synology device accessible on the internet, so using a DNS challenge was the best option available. The built-in Synology Let’s Encrypt implementation relies on having your DSM instance accessible from the internet on port 443. Gross. Maybe some day they’ll implement DNS challenges in the UI, but until then we’re stuck doing things via command-line.

I’m using Amazon’s Route53 for this tutorial. The instructions for other DNS providers aren’t too dissimilar – usually just exporting a few variables with different names. You can see a list of the supported providers for this script here. I’m also going to assume you’re mostly familiar with setting up a hostname in an existing Route53 zone and setting up an IAM user for updating zone records programmatically. You’ll need an access key and secret key for said IAM user later.

To start, I created a new Synology DSM administrator user – I called it certadmin, which I’ll be referring to for the rest of this article, but you can name it whatever you choose. I didn’t give it access to any applications, and the only shared folder I allowed access to was homes so the user had access to its own home directory:

Ensure that SSH access is enabled in the DSM Control Panel, under Terminal & SNMP:

Use some kind of SSH client (PuTTY or Windows Terminal if you’re on Windows, or openssh-client on Linux) and connect to the IP of your Synology device as the user you created:

ssh certadmin@10.0.0.100

Replace certadmin with the user you created, and replace 10.0.0.100 with the IP of your Synology device. You’ll be prompted for a password – enter the password for the user you created. Note that if you changed the port for the SSH service to something other than 22, you will need to specify the port when connecting. For example, if you changed the port number to 2222 you would use:

ssh -p 2222 certadmin@10.0.0.100

We’re going to download acme.sh as our tool of choice to perform Let’s Encrypt renewals. The master branch is updated with all the good stuff nowadays. Again, in the example below, replace certadmin with the user you created:

wget -O /tmp/acme.sh.zip https://github.com/acmesh-official/acme.sh/archive/master.zip
sudo 7z x -o/usr/local/share /tmp/acme.sh.zip
sudo mv /usr/local/share/acme.sh-master/ /usr/local/share/acme.sh
sudo chown -R certadmin /usr/local/share/acme.sh/

Now we’re going to run acme.sh to get a base configuration created. Replace *.example.com with the hostname you created in Route53:

cd /usr/local/share/acme.sh
./acme.sh --issue -d "*.example.com" --dns dns_aws --home $PWD

And we’ll need to export some variables used by the script. Replace the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values with the specific ones for the IAM user you’re using in AWS. Replace the SYNO_Username and SYNO_Password values with DSM user credentials. Note that acme.sh saves these values under the --home directory after the first successful run, so the scheduled renewal later doesn’t need them re-exported; it also means that directory should only be readable by the user you created (the chown above takes care of ownership):

export AWS_ACCESS_KEY_ID=XXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX
export SYNO_Username="certadmin"
export SYNO_Password="certadmin_password"
export SYNO_Certificate="Let's Encrypt" # Replace with a friendly description
export SYNO_Create=1 # Create the certificate if it doesn't already exist

And then run acme.sh for real to perform DNS validation, generate your certificate, and deploy it into DSM:

./acme.sh -d "*.example.com" --deploy --deploy-hook synology_dsm --home $PWD

Assuming all of the commands went well, you should now see your certificate in the DSM Control Panel under Security -> Certificate with the name you provided in the SYNO_Certificate variable:

You may have to click the Configure button in this window and select your new certificate as the default. Once you do this, it should prompt you to restart the web service in order to use the new certificate.

Hooray, the most difficult steps should be done! Now all we have to do is set up a scheduled task in DSM to automatically renew our Let’s Encrypt certificate.

In the DSM Control Panel, head to the Task Scheduler section:

Click on Create -> Scheduled Task -> User-defined script. On the General Settings tab, give the task a memorable description and set it to run as certadmin or whichever user you created. On the Schedule tab, I have mine set to run daily in the morning; the time doesn’t really matter. On the Task Settings tab, the Run command field will look like:

/usr/local/share/acme.sh/acme.sh --renew -d "*.example.com" --home /usr/local/share/acme.sh

It should be fine to run daily, as the script will detect that a renewal isn’t necessary and skip the operation until the next renewal time. I’ve found that the acme.sh script will exit with a return code of 2 if renewal isn’t necessary. You can view the execution result if you highlight the task in DSM and click on Action -> View Result.
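As an added example (not part of the original post or of acme.sh itself), here is a small wrapper the scheduled task could run instead of calling acme.sh directly. It maps acme.sh’s exit code to a readable outcome (0 renewed, 2 skipped because not yet due, anything else failed), checks that the saved credentials in account.conf aren’t readable by other local users, and exits non-zero only for a real failure. The path /usr/local/share/acme.sh, the domain *.example.com and the ACME_BIN override used for testing are assumptions from this tutorial, not acme.sh conventions.

```shell
#!/bin/sh
# Added example, not from the original post: a renewal wrapper for the DSM
# Task Scheduler. Assumed defaults follow the tutorial above; ACME_BIN is a
# hypothetical override so the wrapper can be exercised with a stand-in binary.

ACME_HOME="${ACME_HOME:-/usr/local/share/acme.sh}"
ACME_BIN="${ACME_BIN:-$ACME_HOME/acme.sh}"
DOMAIN="${DOMAIN:-*.example.com}"

# Translate an acme.sh --renew exit status into an outcome label.
# 0 = a new certificate was issued and deployed, 2 = renewal skipped because
# the certificate is not yet due, anything else = something went wrong.
classify_renew_status() {
  case "$1" in
    0) echo "renewed" ;;
    2) echo "skipped" ;;
    *) echo "failed" ;;
  esac
}

# Succeed only if the file grants no permissions to group or others
# (i.e. a mode of 0600 or stricter). ls -l is used rather than stat so the
# check behaves the same on DSM's BusyBox tools and on GNU coreutils.
is_private_file() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
  [ -n "$mode" ] && [ "$mode" = "------" ]
}

# Run the renewal, log a one-line summary, and return 0 unless it failed.
# Returning 0 for the daily "skipped" case keeps a scheduler that treats any
# non-zero exit as an error from flagging a no-op run.
run_renewal() {
  conf="$ACME_HOME/account.conf"
  # The Route53 keys (and DSM password) are persisted under --home after the
  # first run, so warn if that file is readable by other local users.
  if [ -f "$conf" ] && ! is_private_file "$conf"; then
    echo "warning: $conf is readable by other users; consider: chmod 600 $conf" >&2
  fi

  "$ACME_BIN" --renew -d "$DOMAIN" --home "$ACME_HOME"
  status=$?
  outcome=$(classify_renew_status "$status")
  echo "$(date '+%Y-%m-%d %H:%M:%S') renew $DOMAIN: $outcome (acme.sh exit $status)"
  [ "$outcome" != "failed" ]
}

# Invoked by the DSM task as: /bin/sh /path/to/renew-wrapper.sh run
if [ "${1:-}" = "run" ]; then
  run_renewal
fi
```

Save it somewhere owned by certadmin, and set the task’s Run command to `/bin/sh /path/to/renew-wrapper.sh run`; the summary line then shows up under Action -> View Result, and the warning appears there if the account.conf permissions have drifted.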

Enjoy using HTTPS on your Synology device! Hopefully this post was helpful. Please post a comment if you were successful, or if there were issues you encountered.
