Wildcard cert auto-renewal on a Synology NAS with a DNS challenge via acme.sh

DSM can request Let's Encrypt certificates itself, but for your own domain it uses an HTTP challenge that needs port 80 reachable from the internet, and it cannot issue wildcard certificates, which Let's Encrypt only grants through a DNS challenge. I prefer the DNS challenge anyway, since it avoids exposing the NAS to the public internet at all. We will run acme.sh in Docker; it will request the certificates through the Cloudflare DNS API and deploy them into DSM with its synology_dsm deploy hook. The following instructions have been tested with DSM 7.

  • Create a new user called acme and add it to the administrators group. The deploy hook logs in to the DSM API with this account, so it needs admin rights; a dedicated account keeps that credential separate from your own, lets you rotate it independently, and lets you deny it access to every other application and shared folder in Control Panel > User & Group.
  • SSH into your Synology NAS.
  • Create the acme/config folder on your NAS.
mkdir -p /volume1/docker/acme/config
  • Get the id of the user acme and the id of the administrators group.
$ id acme
uid=1030(acme) gid=100(users) groups=100(users),101(administrators)
  • Create a docker-compose.yml in /volume1/docker/acme and replace the placeholder values. The environment entries use the key: "value" form on purpose: with the list form (- KEY="value") docker-compose keeps the quotes as part of the value, which breaks SYNO_Scheme and the tokens. The file holds a Cloudflare token and an administrator password, so keep it readable only by root (chmod 600).
version: "2"
services:
  acme.sh:
    image: neilpang/acme.sh
    container_name: acme
    environment:
      # PUID/PGID/UMASK_SET follow the linuxserver.io convention; the neilpang/acme.sh
      # image runs as root and does not act on them, so they are harmless but optional.
      PUID: "1030"   # acme user id from the id command above
      PGID: "101"    # administrators group id
      TZ: "America/Los_Angeles"
      UMASK_SET: "002"
      # Cloudflare API: use a scoped API token (Zone:DNS:Edit and Zone:Zone:Read on the
      # zone), not the Global API Key. CF_Email is only read together with the legacy CF_Key.
      CF_Token: "__REPLACE_ME_WITH_CLOUDFLARE_TOKEN___"
      CF_Email: "__REPLACE_ME_WITH_EMAIL__"
      # Synology DSM deploy hook
      SYNO_Scheme: "https"
      SYNO_Hostname: "__REPLACE_ME_"   # IP or hostname the container reaches the NAS on (localhost works with host networking)
      SYNO_Port: "5001"
      SYNO_Username: "acme"
      SYNO_Password: "__REPLACE_ME_WITH_USER_ACME_PASSWORD__"
      # Only needed when 2-factor authentication is enabled for the acme user
      SYNO_TOTP_SECRET: "__REPLACE_ME_WITH_TOTP_SECRET__"
      SYNO_DID: "__REPLACE_ME_WITH_DID_COOKIE_VALUE__"
      SYNO_Certificate: "mydomain.com"   # description of the certificate entry in DSM
      SYNO_Create: "1"                   # create that entry if it does not exist yet
    network_mode: host
    volumes:
      - /volume1/docker/acme/config:/acme.sh
    command: daemon
    restart: unless-stopped
  • Start the acme docker container.

If you are setting up the certs for the first time, you may need to set SYNO_Scheme to http (or pass --insecure to the deploy command later): the NAS is still serving its self-signed certificate, and acme.sh refuses to talk to an untrusted https endpoint. With network_mode: host and SYNO_Hostname pointing at the NAS itself (e.g. localhost), the plaintext login never leaves the box. Switch back to https once the Let's Encrypt certificate is in place.

$ sudo docker-compose up -d

To change the configuration later, run sudo docker-compose down, edit docker-compose.yml, and run sudo docker-compose up -d again.

  • Change the default CA to Let's Encrypt (acme.sh 3.x defaults to ZeroSSL, which additionally requires registering an account with an email address).
$ sudo docker-compose exec acme.sh --set-default-ca --server letsencrypt
  • Generate the initial certs for your root domain as well as the wildcard domain. Replace mydomain.com with appropriate values.
$ sudo docker-compose exec acme.sh --issue --dns dns_cf -d "mydomain.com" -d "*.mydomain.com"
  • You should be able to see the certs generated in /volume1/docker/acme/config/mydomain.com folder which you can manually import to Synology.

  • To deploy automatically whenever the certificate is issued or renewed, run the deploy hook once. acme.sh records the hook in the domain's config and re-runs it after every renewal; its daily cron job renews certificates 60 days after issue.

$ sudo docker-compose exec acme.sh --deploy --insecure -d mydomain.com --deploy-hook synology_dsm --debug

--insecure disables TLS certificate verification for the connection to the DSM API; it is only needed while the NAS still presents its self-signed certificate and is the https counterpart of the SYNO_Scheme=http bootstrap above. Drop --debug once deployment works.

You can verify the certificate has been imported correctly by visiting Control Panel > Security > Certificate. If the NAS holds several certificates, use Settings on that page to make sure the new one is assigned to DSM itself and to any other service you expose.

acme.sh will now renew the certificate as it nears expiry and redeploy it, so you should not have to touch certificates again.

  • Update your DSM login portal from Control Panel > Login Portal > DSM > Domain > Customized Domain to nas.mydomain.com. This lets you reach the DSM UI at https://nas.mydomain.com, provided that name resolves to the NAS (a Cloudflare DNS record for a public address, or your local DNS for a LAN address). Because the certificate is a wildcard, any other hostname under mydomain.com that you point at the NAS is covered as well.
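As an added example (not part of the original post, acme.sh or DSM), a small POSIX shell script that performs the check a practitioner would want after the first deploy and after each renewal: it pulls the certificate the NAS is actually serving and confirms that it covers both mydomain.com and *.mydomain.com and is not within 30 days of expiry. It assumes openssl (1.1.1 or newer) on the PATH and uses the page's placeholders nas.mydomain.com and port 5001; the self-test at the bottom builds constructed self-signed certificates so the script runs offline.

```sh
#!/bin/sh
# Post-deploy certificate check for the acme.sh -> Synology DSM flow above.
# Added example; not part of acme.sh or DSM. Assumes: openssl on PATH, and the
# page's placeholders nas.mydomain.com / mydomain.com / port 5001.
set -eu

# check_cert PEM DOMAIN MIN_DAYS
# Returns 0 if PEM lists DOMAIN and *.DOMAIN in its SANs and stays valid for at
# least MIN_DAYS more days; otherwise prints the reason and returns 1.
check_cert() {
  pem=$1; domain=$2; min_days=$3
  # The SAN list is the line after "Subject Alternative Name" in -text output,
  # e.g. "DNS:mydomain.com, DNS:*.mydomain.com"; spaces are stripped for matching.
  sans=$(openssl x509 -in "$pem" -noout -text \
         | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ')
  case ",$sans," in
    *",DNS:$domain,"*) ;;
    *) echo "FAIL: no SAN for $domain (SANs: $sans)"; return 1 ;;
  esac
  case ",$sans," in
    *",DNS:*.$domain,"*) ;;
    *) echo "FAIL: no wildcard SAN *.$domain (SANs: $sans)"; return 1 ;;
  esac
  # -checkend exits non-zero if the certificate expires within the given seconds.
  if ! openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null; then
    echo "FAIL: expires within $min_days days ($(openssl x509 -in "$pem" -noout -enddate))"
    return 1
  fi
  echo "OK: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
  return 0
}

# fetch_cert HOST PORT OUT: save the leaf certificate HOST:PORT currently serves.
# Needs network access to the NAS; SNI is sent so DSM picks the matching certificate.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# make_test_cert OUT DOMAIN SANS DAYS: constructed self-signed certificate used
# only by the offline self-test (stands in for what DSM would serve).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$4" -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

self_test() {
  tmp=$(mktemp -d)
  make_test_cert "$tmp/good.pem" mydomain.com "DNS:mydomain.com,DNS:*.mydomain.com" 90
  check_cert "$tmp/good.pem" mydomain.com 30
  # A certificate issued without the wildcard (only -d mydomain.com) is rejected.
  make_test_cert "$tmp/nowild.pem" mydomain.com "DNS:mydomain.com" 90
  check_cert "$tmp/nowild.pem" mydomain.com 30 || true
  rm -rf "$tmp"
}

# Live check on the NAS (needs network):
#   fetch_cert nas.mydomain.com 5001 live.pem && check_cert live.pem mydomain.com 30
self_test
```

Run the live check from the NAS shell (or any machine that can reach port 5001) right after the first --deploy and again a few days after the 60-day renewal point; a FAIL on the wildcard SAN usually means DSM is still serving an older certificate entry, which the Settings button under Control Panel > Security > Certificate fixes.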