Wildcard certs auto renewal in Synology NAS with DNS challenge via acme.sh

While Synology can request certificates itself, it cannot request wildcard certificates through a DNS challenge. I prefer the DNS challenge because it avoids exposing the NAS to the public internet: the validation happens through the DNS provider's API, not through an inbound connection to the NAS. We will run acme.sh in Docker, let it request the certificate via the Cloudflare DNS API, and have its Synology deploy hook install the certificate into DSM. The following instructions have been tested with DSM 7.

Create a directory for the acme.sh configuration, and look up the uid and gid of the DSM user that acme.sh will log in as (here a user named acme that is a member of the administrators group, which the deploy hook needs in order to manage certificates):

$ mkdir -p /volume1/docker/acme/config
$ id acme
uid=1030(acme) gid=100(users) groups=100(users),101(administrators)

Save the following as docker-compose.yml (the commands below are run from the directory that contains it):

```yaml
version: "2"
services:
  acme:
    image: neilpang/acme.sh
    container_name: acme
    environment:
      # Compose passes list-form values to the container literally,
      # so do not put quotes around them.
      - PUID=1030   # acme user id from the above command
      - PGID=101    # administrators group
      - TZ=America/Los_Angeles
      - UMASK_SET=002
      # CloudFlare API (dns_cf needs the account email and the global API key)
      - CF_Email=__REPLACE_ME_WITH_EMAIL__
      - CF_Key=__REPLACE_ME_WITH_GLOBAL_API_KEY__
      # SYNO Deploy hook
      - SYNO_Scheme=https
      - SYNO_Hostname=__REPLACE_ME_   # The IP or hostname you can reach your NAS on
      - SYNO_Port=5001
      - SYNO_Username=acme
      - SYNO_Password=__REPLACE_ME_WITH_PASSWORD__   # password of the acme DSM user
      - SYNO_Certificate=somedomain.com   # description shown in DSM's certificate list
      - SYNO_Create=1
    network_mode: host
    volumes:
      - /volume1/docker/acme/config:/acme.sh
    command: daemon
    restart: unless-stopped
```

If you are setting up the certs for the first time, you might need to change SYNO_Scheme to http. Note that over http the DSM login credentials are sent unencrypted on your LAN, so switch back to https once the certificate is in place.

$ sudo docker-compose up -d

To change the configuration later, run sudo docker-compose down, edit docker-compose.yml and run sudo docker-compose up -d again.
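Before bringing the container up, it is worth a quick sanity check of the compose file, because the two most common mistakes (quoted values, which compose passes through to the container with the quotes attached, and placeholders or credentials left unset) only show up later as a failed challenge or a failed deploy hook. The script below is an added example, not part of the original post or of acme.sh; it assumes the list form of environment: used above, and the variable names it looks for are acme.sh's own (CF_Key and CF_Email, or CF_Token, for dns_cf; SYNO_Hostname, SYNO_Username and SYNO_Password for the synology_dsm hook).

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): a pre-flight
# check for docker-compose.yml, run before `docker-compose up -d`.
# It reports:
#   1. quoted values in list-form `environment:` entries (compose passes the
#      quotes through, so SYNO_Scheme="https" reaches acme.sh as "https");
#   2. placeholders such as __REPLACE_ME__ that were never replaced;
#   3. variables the synology_dsm deploy hook and dns_cf need but that are absent.

# Print each "KEY=VALUE" list entry of the compose file, trailing YAML
# comments removed. Only the "- KEY=VALUE" form used above is recognised.
compose_env_entries() {
    sed -n 's/^[[:space:]]*-[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*=.*\)$/\1/p' "$1" |
        sed 's/[[:space:]][[:space:]]*#.*$//'
}

# Usage: check_compose_env docker-compose.yml
# Prints one line per problem; returns 0 only when nothing was found.
check_compose_env() {
    file=$1
    problems=0
    entries=$(compose_env_entries "$file")

    # 1. Quoted values: the quotes become part of the variable's value.
    for key in $(printf '%s\n' "$entries" | grep -E "=[\"']" | cut -d= -f1 || true); do
        echo "$key: value is quoted; compose passes the quotes to the container, write KEY=value"
        problems=$((problems + 1))
    done

    # 2. Placeholders that were never replaced.
    for key in $(printf '%s\n' "$entries" | grep '__REPLACE_ME' | cut -d= -f1 || true); do
        echo "$key: placeholder still present"
        problems=$((problems + 1))
    done

    # 3. Variables the synology_dsm deploy hook needs.
    for key in SYNO_Hostname SYNO_Username SYNO_Password; do
        if ! printf '%s\n' "$entries" | grep -q "^$key="; then
            echo "$key: missing (required by the synology_dsm deploy hook)"
            problems=$((problems + 1))
        fi
    done

    # 4. Cloudflare credentials for dns_cf: an API token, or global key + email.
    if ! printf '%s\n' "$entries" | grep -q '^CF_Token='; then
        for key in CF_Key CF_Email; do
            if ! printf '%s\n' "$entries" | grep -q "^$key="; then
                echo "$key: missing (dns_cf needs CF_Key and CF_Email, or CF_Token)"
                problems=$((problems + 1))
            fi
        done
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone demo on a constructed compose fragment that repeats the
# quoting mistake; prints the problems and returns non-zero.
demo_compose_check() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
services:
  acme:
    environment:
      - SYNO_Scheme="https"
      - SYNO_Hostname="__REPLACE_ME_"   # The IP or hostname of the NAS
      - SYNO_Username=acme
EOF
    if check_compose_env "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

demo_compose_check || echo "fix the compose file before running docker-compose up -d"
```

Run it as `sh check-compose.sh` after editing the file; a clean run prints nothing from the checker and exits 0. The comment-stripping rule (whitespace followed by #) is the same one YAML applies to unquoted values, so a password containing " #" would have to be quoted in YAML terms anyway, which is exactly the case the first check tells you to avoid: pick a password without that sequence instead.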

Set Let's Encrypt as the default CA, issue the wildcard certificate using the Cloudflare DNS challenge, then deploy it into DSM (the --insecure flag tells the deploy hook to accept DSM's current self-signed certificate when it logs in; the -d value must match the domain you issued for):

$ sudo docker-compose exec acme --set-default-ca --server letsencrypt
$ sudo docker-compose exec acme --issue --dns dns_cf -d "mydomain.com" -d "*.mydomain.com"
$ sudo docker-compose exec acme --deploy --insecure -d mydomain.com --deploy-hook synology_dsm --debug

You can verify the certificate has been imported correctly by visiting Control Panel > Security > Certificate.

The acme.sh daemon checks daily and renews the certificate as it nears expiry, re-running the Synology deploy hook afterwards, so you never have to worry about certs again. You can see the next renewal date with sudo docker-compose exec acme --list.
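Looking at the certificate list in Control Panel shows that the import succeeded, but the check that matters is what DSM actually presents on its HTTPS port, and whether that keeps being a fresh certificate after each automatic renewal. The script below is an added example, not part of the original post or of acme.sh: it fetches the served certificate with the openssl CLI, confirms the wildcard SAN is present, and fails if fewer than a chosen number of days of validity remain. The hostname nas.example.internal in the usage comment is an assumption; run it from a DSM Task Scheduler entry to get notified when renewal has silently stopped.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): verify the
# certificate the NAS serves after the deploy hook has run, and keep
# verifying it after every renewal. Requires the openssl CLI.

# Usage: check_cert_pem CERT.pem DOMAIN MIN_DAYS
# Returns 0 when the certificate lists *.DOMAIN as a DNS SAN entry and is
# still valid for at least MIN_DAYS days; prints the reason otherwise.
check_cert_pem() {
    pem=$1; domain=$2; mindays=$3
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # escape dots for grep -E
    text=$(openssl x509 -in "$pem" -noout -text) || { echo "cannot parse $pem"; return 1; }
    # Clients ignore the CN; the wildcard has to be an explicit SAN entry.
    if ! printf '%s\n' "$text" | grep -qE "DNS:\*\.$esc(,|\$)"; then
        echo "no wildcard SAN *.$domain found"
        return 1
    fi
    # -checkend returns non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend $((mindays * 86400)) >/dev/null; then
        echo "certificate expires within $mindays days: renewal is not happening"
        return 1
    fi
    return 0
}

# Usage: check_served_cert HOST PORT DOMAIN MIN_DAYS
# Fetches the leaf certificate DSM presents on its HTTPS port (5001 above)
# and runs the same checks on it.
check_served_cert() {
    host=$1; port=$2
    tmp=$(mktemp)
    if ! openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
            openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "could not fetch certificate from $host:$port"
        return 1
    fi
    if check_cert_pem "$tmp" "$3" "$4"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# When run as a script with four arguments, perform the live check, e.g.
#   sh check-nas-cert.sh nas.example.internal 5001 mydomain.com 14
# (hostname is an assumption; 14 days leaves time to act before expiry).
if [ "$#" -eq 4 ]; then
    check_served_cert "$@" && echo "OK: wildcard certificate served, more than $4 days left"
fi
```

A non-zero exit with a printed reason is the signal to look at the container logs (sudo docker-compose logs acme) and the output of --list; the threshold should be shorter than the margin acme.sh renews at, so that a healthy setup never trips it.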