Configure Let's Encrypt ACME With Ionos API for Synology DSM


Introduction

I've just set up a Let's Encrypt certificate for my OpenWRT router and would like to do the same for my Synology NAS. This one is a bit more complex, though: I'm running a lot of Docker containers on that machine and also use the reverse proxy feature, so I need a wildcard certificate. A wildcard certificate requires the DNS-01 challenge, and DSM's built-in Let's Encrypt integration only supports HTTP validation, so I'll have to do things manually. Luckily some people have already experimented with this problem and documented it.

Create Ionos API credentials

See this documentation on how to create a new API key. I've additionally created a subdomain, local, which I'll be using for all my local network stuff. I assume you'll need to have the subdomain already configured in Ionos before you request any certificates for subdomains.

Preparations

The suggestion is to run acme.sh inside a Docker container. Additionally, a separate DSM admin user should be used for the certificate renewal process, so the credentials stored in the container's config are not those of your main account. The user must be an admin, but it can be denied access to all DSM applications. You'll have to log in once as this user to complete the 2FA setup.

ACME container

We'll run acme.sh inside a Docker container, so this assumes you already have Docker installed and set up on your DSM.

account.conf

Create a new folder and put the following content into a file named account.conf inside it. I've put mine under /volume1/docker/acme.

export IONOS_PREFIX="yourusername"
export IONOS_SECRET="yourpassword"
export SYNO_Username="yoursynologyadminuser"
export SYNO_Password="yoursynologyadminuserpassword"
export SYNO_Certificate=""
export SYNO_Scheme="https"
export SYNO_Port="5001"
export SYNO_Hostname="yoursynologyFQDN"
export SYNO_Create=1

Change the values to your needs. SYNO_Username and SYNO_Password belong to the DSM admin account you created earlier; the IONOS_ values come from the Ionos API credential you created. SYNO_Certificate is the description of the certificate entry the deploy hook should update (left empty here), and SYNO_Create=1 lets the hook create a new entry if no matching one exists. Since this file stores the DSM admin password and the Ionos API secret in plaintext, make it readable by its owner only (chmod 600) and keep it out of any shared folder other users can browse.

The Container

I'm using Portainer for most of my Docker stuff, but since I'm following these instructions I'll be configuring this container via the DSM console.

Enable automatic restarts and give it a simple name like acme.

Connect to the terminal as described there and change the default CA to Let's Encrypt:

acme.sh --set-default-ca --server letsencrypt

Now comes the interesting part, issuing a new certificate:

acme.sh --issue --dns dns_ionos -d yourdomain -d '*.yourdomain'

Note the two -d parameters: we want a wildcard certificate covering all subdomains and also a SAN entry for the bare domain itself (the wildcard does not cover it). The wildcard is quoted so the shell cannot expand it as a glob. If the run succeeds, you'll have new signed certificates in /volume1/docker/acme.

Now we'll deploy them to the Synology (the -d arguments must match the ones used when issuing):

acme.sh --deploy -d yourdomain -d '*.yourdomain' --deploy-hook synology_dsm --insecure

I had problems with my existing certs, which weren't trusted by the Docker container, so I had to disable verification with --insecure. After execution I got an error that restarting the HTTP services had failed:

[Fri Oct 13 00:12:28 UTC 2023] Getting certificates in Synology DSM
[Fri Oct 13 00:12:28 UTC 2023] Generate form POST request
[Fri Oct 13 00:12:28 UTC 2023] Upload certificate to the Synology DSM
[Fri Oct 13 00:12:29 UTC 2023] Restarting HTTP services failed
[Fri Oct 13 00:12:29 UTC 2023] Success

The list of certificates now shows the uploaded Let's Encrypt certificate, but it's not in use anywhere inside DSM. According to this wiki, it must be assigned manually:

Afterwards, the certificate should show up inside Control Panel -> Security -> Certificates & can be assigned to specific services or set as the default certificate.

When I assign it manually, this automatically triggers a restart of the web server. The new certificate is now in use.
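Two checks worth running once the deploy step and the manual assignment are done, as an added example that is not part of the original post and not code from acme.sh or Synology. The first makes sure account.conf, which holds the DSM admin password and the Ionos API secret in plaintext, is readable by its owner only and has every variable the dns_ionos and synology_dsm hooks need. The second pulls the certificate DSM actually serves on SYNO_Port and confirms it lists both the bare domain and a wildcard that covers the DSM host, so a "Restarting HTTP services failed" message plus a manual assignment really did leave the right certificate in use. Assumptions: the account.conf path from the post, that SYNO_Hostname is a host directly under the issued domain (nas.yourdomain), and that openssl is available where the script runs.

```shell
#!/bin/sh
# Added example (not from the original post, not part of acme.sh):
# sanity checks around the account.conf + synology_dsm deploy described above.
# Assumed: account.conf lives in /volume1/docker/acme; SYNO_Hostname is a
# host one label below the issued domain (e.g. nas.yourdomain).

# Variables the dns_ionos and synology_dsm hooks need to be non-empty.
# SYNO_Certificate is deliberately absent: it may legitimately be "".
REQUIRED_VARS="IONOS_PREFIX IONOS_SECRET SYNO_Username SYNO_Password SYNO_Scheme SYNO_Port SYNO_Hostname"

# check_account_conf FILE
# Succeeds only if FILE exists, is readable by its owner alone (it holds the
# DSM admin password and the Ionos API secret in plaintext) and exports every
# required variable with a non-empty value.
check_account_conf() {
  f="$1"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f has mode $mode; run: chmod 600 $f" >&2; return 1 ;;
  esac
  for v in $REQUIRED_VARS; do
    grep -Eq "^export ${v}=\"[^\"]+\"" "$f" \
      || { echo "$v is not set in $f" >&2; return 1; }
  done
  return 0
}

# fetch_san HOST PORT
# Prints the subjectAltName entries of the certificate DSM actually serves,
# as "DNS:a,DNS:*.a" (needs network access; only the parsing is tested offline).
fetch_san() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | tail -n +2 | tr -d ' \n'
}

# san_covers SAN NAME
# Succeeds if NAME appears in SAN exactly or is matched by a wildcard entry.
# A wildcard covers exactly one label: *.example.com matches nas.example.com
# but neither example.com nor a.b.example.com. The list is walked with
# parameter expansion so the '*' is never exposed to pathname globbing.
san_covers() {
  san="$1"; name="$2"
  parent="${name#*.}"
  rest="$san,"
  while [ -n "$rest" ]; do
    entry="${rest%%,*}"
    rest="${rest#*,}"
    entry="${entry#DNS:}"
    [ "$entry" = "$name" ] && return 0
    [ "$parent" != "$name" ] && [ "$entry" = "*.$parent" ] && return 0
  done
  return 1
}

# verify_deploy [CONF]
# Reads host/port from account.conf and checks that the served certificate
# covers both the DSM host (via the wildcard) and the bare domain.
verify_deploy() {
  conf="${1:-/volume1/docker/acme/account.conf}"
  check_account_conf "$conf" || return 1
  # shellcheck disable=SC1090
  . "$conf"
  san=$(fetch_san "$SYNO_Hostname" "$SYNO_Port")
  [ -n "$san" ] || { echo "could not fetch a certificate from $SYNO_Hostname:$SYNO_Port" >&2; return 1; }
  domain="${SYNO_Hostname#*.}"   # assumption: host is one label below the domain
  san_covers "$san" "$SYNO_Hostname" || { echo "served cert does not cover $SYNO_Hostname ($san)" >&2; return 1; }
  san_covers "$san" "$domain"        || { echo "served cert does not cover $domain ($san)" >&2; return 1; }
  echo "served certificate covers $SYNO_Hostname and $domain: $san"
}
```

Run `verify_deploy` from a shell that can reach the DSM on port 5001; if it reports the old certificate's names, the upload worked but the assignment in Control Panel did not, which is exactly the state the deploy hook's "Restarting HTTP services failed" line leaves you in.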

Conclusion

After some minor problems with the synology_dsm deploy hook, I've got it all running. It will be interesting to see how things end up in 90 days, when the certificate expires. Ideally the Docker container will handle the renewal process automatically. In combination with the deploy hook, the DSM should then be pretty much maintenance-free.