Switch to using the synology dsm deployhook as it should be easier for people to use

Brian Hartvigsen 2020-05-16 01:57:21 -06:00
parent e99cd83092
commit 9e12b41e80
1 changed files with 53 additions and 55 deletions

@ -8,73 +8,70 @@ But we can access the NAS via SSH and configure it to renew certs instead of usi
The following guide will use the DNS-01 protocol using the [Cloudflare API](https://api.cloudflare.com/), where I host my domain. However, [since acme.sh supports many DNS services](https://github.com/Neilpang/acme.sh/tree/master/dnsapi), you can also choose the one you like.
With the [Synology DSM deployhook](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-cert-into-synology-dsm) included in 2.8.6, it is no longer required to run acme.sh on your Synology device to rotate the certificate. acme.sh just needs to be run on something that has access to the DSM's administrative interface. Additionally, the previous deployment methods can be drastically simplified with the following instructions.
## Installation of acme.sh
$ sudo -i
$ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "email@gmailcom"
## Installation of reload-certs.sh (optional)
You can use [this third party script](https://github.com/bartowl/synology-stuff/blob/master/reload-certs.sh) to automatically restart services for which certificates were changed.
$ wget -O /usr/local/bin/reload-certs.sh https://github.com/bartowl/synology-stuff/raw/master/reload-certs.sh
$ chmod +x /usr/local/bin/reload-certs.sh
Be sure to close your session after installation and reconnect for the following steps.
```sh
$ sudo -i
$ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "email@gmailcom"
```
## Configuring DNS
For CloudFlare, we will set two environment variables that acme.sh (specifically, the `dns_cf` script from the `dnsapi` subdirectory) will read to set the DNS record. You can get your CloudFlare [API key here](https://dash.cloudflare.com/profile).
export CF_Key="MY_SECRET_KEY_SUCH_SECRET"
export CF_Email="myemail@example.com"
```sh
export CF_Key="MY_SECRET_KEY_SUCH_SECRET"
export CF_Email="myemail@example.com"
```
If you generated an API Token, instead of using your global account key, set CF_Token instead.
export CF_Token="MY_SECRET_TOKEN_SUCH_SECRET"
export CF_Email="myemail@example.com"
```sh
export CF_Token="MY_SECRET_TOKEN_SUCH_SECRET"
export CF_Email="myemail@example.com"
```
In case you use another DNS service, check the `dnsapi` directory. Instructions for many DNS providers are already included. You can also find instructions on how to add another DNS service there, although that requires some software development skills.
## Creating the certificate
Now it's time to create the certificate for your domain:
$ cd /usr/local/share/acme.sh
$ export CERT_DOMAIN="your-domain.tld"
$ export CERT_DNS="dns_cf"
$ ./acme.sh --issue -d "$CERT_DOMAIN" --dns "$CERT_DNS" \
--cert-file /usr/syno/etc/certificate/system/default/cert.pem \
--key-file /usr/syno/etc/certificate/system/default/privkey.pem \
--fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \
--reloadcmd "/usr/syno/sbin/synoservicectl --reload nginx" \
--dnssleep 20
```sh
$ cd /usr/local/share/acme.sh
$ export CERT_DOMAIN="your-domain.tld"
$ export CERT_DNS="dns_cf"
$ ./acme.sh --issue -d "$CERT_DOMAIN" --dns "$CERT_DNS"
```
Please note that this will replace your Synology NAS system default certificate directly without rolling out for other services, just the DSM console.
## Deploy the default certificate
We will use the [Synology DSM deployhook](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-cert-into-synology-dsm) to deploy our certificate. This will override the default certificate, in the next section you can see how to create new certificates to be used for other services.
---------------------------------------------------------------------------------------------------------
## Alternative and recommended method that fully integrates with Synology NAS system certificate management
This requires the reload-certs.sh script.
```sh
$ cd /usr/local/share/acme.sh
# Single quotes prevents some escaping issues if your password or username contains certain special characters
$ export SYNO_Username='Admin_Username'
$ export SYNO_Password='Admin_Password!123'
# You must specify SYNO_Certificate, for the default certificate, we use an empty string
$ export SYNO_Certificate=""
$ ./acme.sh --deploy -d "$CERT_DOMAIN" --deploy-hook synology_dsm
```
$ cd /usr/syno/etc/certificate/_archive
$ export CERT_DIR="$(mktemp -d zXXXXX)"
$ export CERT_FOLDER="/usr/syno/etc/certificate/_archive/$CERT_DIR"
$ export CERT_DOMAIN="your-domain.tld"
$ export CERT_DNS="dns_cf"
$ cp -a INFO INFO.bak
$ jq '.+={"'$CERT_DIR'":{"desc":"'$CERT_DOMAIN'","services":[]}}' INFO.bak > INFO
$ cd /usr/local/share/acme.sh
$ ./acme.sh --issue -d "$CERT_DOMAIN" --dns "$CERT_DNS" \
--cert-file "$CERT_FOLDER/cert.pem" \
--key-file "$CERT_FOLDER/privkey.pem" \
--fullchain-file "$CERT_FOLDER/fullchain.pem" \
--capath "$CERT_FOLDER/chain.pem" \
--reloadcmd "/usr/local/bin/reload-certs.sh" \
--dnssleep 20
### Deploying additional certificates
Now you can check the DSM control panel - Security - Certificates to see the new certificate that has been created.
You can now configure to use this one as default and/or assign to specific services, like vpn, sftp, etc.
By specifying a different `SYNO_Certificate` and (optionally) `SYNO_Create`, we can deploy multiple certificates to the DSM. These commands assume you are still working in the same terminal and have exported all other necessary variables described above.
```sh
$ ./acme.sh --issue -d "subdomain.$CERT_DOMAIN" --dns "$CERT_DNS"
# SYNO_Certificate is the description shown under Security -> Certificates in the DSM Control Panel
$ export SYNO_Certificate="A different certificate"
$ export SYNO_Create=1 # Says to create the certificate if it doesn't exist
$ ./acme.sh --deploy -d "subdomain.$CERT_DOMAIN" --deploy-hook synology_dsm
```
## Configuring Certificate Renewal
To auto renew the certificates in the future, you need to configure a task in the task scheduler. It is not advised to set this up as a custom cronjob (as was previously described in this wiki page) as the DSM security advisor will tell you that you have a critical warning regarding unknown cronjob(s).
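Review bot: the retained line "This requires the reload-certs.sh script." (and the optional "Installation of reload-certs.sh" section above it) no longer matches the new flow: nothing in the `--issue` / `--deploy --deploy-hook synology_dsm` commands invokes `/usr/local/bin/reload-certs.sh`, so either drop that sentence and the optional section or state when the script is still needed. The same applies to "Please note that this will replace your Synology NAS system default certificate directly", which sat after the old `--cert-file /usr/syno/etc/certificate/system/default/...` command; after a plain `./acme.sh --issue -d "$CERT_DOMAIN" --dns "$CERT_DNS"` nothing under `/usr/syno/etc/certificate` is touched until the deploy step, so that note belongs under "Deploy the default certificate" instead. Two smaller points: `$ export SYNO_Password='Admin_Password!123'` typed at an interactive prompt ends up in the shell history of the root session; suggest `read -s SYNO_Password && export SYNO_Password` (or a leading space with `HISTCONTROL=ignorespace`) so the admin password is not written to disk. And the placeholder `--accountemail "email@gmailcom"` is missing the dot (`email@gmail.com`); since acme.sh validates nothing here, a reader copying it will register with a malformed contact address.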
@ -85,19 +82,20 @@ In DSM control panel, open the 'Task Scheduler' and create a new scheduled task
* Schedule: Setup a weekly renewal. For example, 11:00 am every saturday.
* Task setting: User-defined-script:
```
# renew certificates, this used to be explained as a custom cronjob but works just as well within this script according to the output of the task.
```sh
# renew certificates
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
```
Make sure you created the certificates with proper reloadcmd. Now you should be all good.
--------------------------------------------------------------------------------------------------------------------
## Fix a broken environment after Synology DSM upgrade
$ cd /usr/local/share/acme.sh
$ ./acme.sh --force --upgrade --nocron --home /usr/local/share/acme.sh
```sh
$ cd /usr/local/share/acme.sh
$ ./acme.sh --force --upgrade --nocron --home /usr/local/share/acme.sh
```
or manually add below line into /root/.profile
. "/usr/local/share/acme.sh/acme.sh.env"
```sh
. "/usr/local/share/acme.sh/acme.sh.env"
```