Wildcard cert auto-renewal in Synology NAS with DNS challenge via acme.sh
While Synology supports generating certs, it doesn't support generating wildcard certs via a DNS challenge. I prefer the DNS challenge because it avoids exposing the NAS to the public internet. We will use Docker to run acme.sh, which will request the certs and deploy them into the Synology NAS. The following instructions have been tested with DSM 7.
- Create a new user called `acme` with administrator privilege. While you can use an existing admin user, using a dedicated user lets you limit its access to other apps and settings.
- SSH into your Synology NAS.
- Create an `acme` folder with a `config` subfolder in your NAS:

```shell
mkdir -p /volume1/docker/acme/config
```
- Get the `id` of the user:

```shell
$ id acme
uid=1030(acme) gid=100(users) groups=100(users),101(administrators)
```
- Create a `docker-compose.yml` in `/volume1/docker/acme` and replace the placeholder values. Entries that take replaced values are quoted as a whole so that special characters in a password or token cannot break the YAML; do not quote only the value, since Docker Compose would then pass the quote characters through to the container.

```yaml
version: "2"
services:
  acme.sh:
    image: neilpang/acme.sh
    container_name: acme
    environment:
      - PUID=1030 # acme user id from the above command
      - PGID=101 # administrators group
      - TZ=America/Los_Angeles
      - UMASK_SET=002
      # CloudFlare API
      - "CF_Token=__REPLACE_ME_WITH_CLOUDFLARE_TOKEN___"
      - "CF_Email=__REPLACE_ME_WITH_EMAIL__"
      # SYNO Deploy hook
      - SYNO_Scheme=https
      - "SYNO_Hostname=__REPLACE_ME_" # The IP or hostname you can reach your NAS on
      - SYNO_Port=5001
      - SYNO_Username=acme
      - "SYNO_Password=__REPLACE_ME_WITH_USER_ACME_PASSWORD__"
      - "SYNO_TOTP_SECRET=__REPLACE_ME_WITH_TOTP_SECRET__"
      - "SYNO_DID=__REPLACE_ME_WITH_DID_COOKIE_VALUE__"
      - SYNO_Certificate=somedomain.com
      - SYNO_Create=1
    network_mode: host
    volumes:
      - /volume1/docker/acme/config:/acme.sh
    command: daemon
    restart: unless-stopped
```

This file holds the DSM admin password, the TOTP secret and the Cloudflare token in clear text, so keep its permissions restricted to your admin user, and use a Cloudflare API token scoped to DNS edits on this zone rather than your account-wide API key.
- Start the container:

```shell
$ sudo docker-compose up -d
```

If you are setting up the certs for the first time, you might need to change the `SYNO_Scheme` to be
You can always run `sudo docker-compose down`, edit the `docker-compose.yml` file and run `sudo docker-compose up -d` again.
- Change the default CA to Let's Encrypt:

```shell
$ sudo docker-compose exec acme.sh --set-default-ca --server letsencrypt
```
- Generate the initial certs for your root domain as well as the wildcard domain. Replace `mydomain.com` with appropriate values.

```shell
$ sudo docker-compose exec acme.sh --issue --dns dns_cf -d "mydomain.com" -d "*.mydomain.com"
```

You should be able to see the certs generated in the `/volume1/docker/acme/config/mydomain.com` folder, which you can import into Synology manually.
If you would like to auto-deploy whenever a new cert is created or renewed, run the following command. acme.sh defaults to renewing certs automatically every 60 days.

```shell
$ sudo docker-compose exec acme.sh --deploy --insecure -d mydomain.com --deploy-hook synology_dsm --debug
```

The `--insecure` flag makes acme.sh skip TLS verification when it talks to DSM, which is needed while DSM still presents its self-signed certificate. You can verify the certificate has been imported correctly by visiting Control Panel > Security > Certificate.
This should automatically renew your certs as expiry nears, so you never have to worry about certs again.
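As an added check that is not part of the original post, the script below inspects the certificate acme.sh issued (names covered, time to expiry) and confirms DSM is really serving that same certificate, so a silent failure of the cron renewal or of the deploy hook shows up before the cert expires. It assumes the cert folder `/volume1/docker/acme/config/mydomain.com` (acme.sh names it `mydomain.com_ecc` when it issued an EC key), the DSM hostname `nas.mydomain.com`, and an `openssl` binary on the NAS.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: the cert acme.sh wrote lives at
# $CERT, DSM answers on $NAS:$PORT, and openssl is installed on the NAS.
CERT="${CERT:-/volume1/docker/acme/config/mydomain.com/fullchain.cer}"
NAS="${NAS:-nas.mydomain.com}"
PORT="${PORT:-5001}"

# DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_ok_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of a certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate DSM is serving on $1:$2.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

if [ -r "$CERT" ]; then
  echo "Names covered:"; cert_sans "$CERT" | sed 's/^/  /'
  # acme.sh renews at 60 days, so under 30 days left means renewal is not running.
  if cert_ok_for_days "$CERT" 30; then
    echo "Expiry: more than 30 days away"
  else
    echo "WARNING: expires within 30 days; check the acme container log" >&2
  fi
  local_fp=$(cert_fingerprint "$CERT")
  live_fp=$(served_fingerprint "$NAS" "$PORT")
  if [ "$local_fp" = "$live_fp" ]; then
    echo "DSM on $NAS:$PORT serves the issued certificate"
  else
    echo "WARNING: DSM serves $live_fp, issued cert is $local_fp; re-run --deploy" >&2
  fi
else
  echo "no readable certificate at $CERT" >&2
fi
```

Run it from the NAS shell after the deploy step, or from the DSM task scheduler, and watch for the WARNING lines.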
- Update your DSM login portal from Control Panel > Login Portal > DSM > Domain > Customized Domain to `nas.somedomain.com`. This will allow you to visit `https://nas.somedomain.com` to access your Synology DSM UI.