Create and maintain a Let's Encrypt certificate on a Synology NAS.
Uses lego and the ACME DNS-01 challenge for any of the supported DNS Providers.
To install or update synology-letsencrypt, run the install script. To do that, either download and run the script manually, or use the following cURL command:
curl -sSL https://raw.githubusercontent.com/dominictayloruk/synology-letsencrypt/master/install.sh | bash
The script has to be run as root. To run it as root, you can SSH into your NAS with an admin user and then issue sudo -i
to become root (the password is the same as the admin user's).
Update /usr/local/etc/synology-letsencrypt/env
with domain(s), email, and DNS API-key:
DOMAINS=(--domains "example.com" --domains "*.example.com")
EMAIL="[email protected]"
# Should you need it; additional options can be passed directly to lego
#LEGO_OPTIONS=(--key-type "rsa4096")
# Specify DNS Provider (this example is from https://go-acme.github.io/lego/dns/cloudflare/)
DNS_PROVIDER="cloudflare"
export [email protected]
export CF_DNS_API_TOKEN=ThIsIsYoRSecReTAPIt0kEn
Note: If you are generating a wildcard certificate, you must include the base domain next to the wildcard domain. For example, if you want to create a certificate for *.example.com
, you must also include example.com
in the DOMAINS
value.
Now you should be able to run /usr/local/bin/synology-letsencrypt.sh
.
To schedule a daily task, log into the Synology DSM and add a user-defined script:
Synology DSM -> Control Panel -> Task Scheduler
Create -> Scheduled Task -> User-defined script
General -> User = root
Task Settings -> User-defined script = /bin/bash /usr/local/bin/synology-letsencrypt.sh
If you need to generate more than one certificate, you can parameterize synology-letsencrypt.sh with the path of a certificate configuration:
$ /usr/local/bin/synology-letsencrypt.sh -p /usr/local/bin/synology-letsencrypt/example.com
$ /usr/local/bin/synology-letsencrypt.sh -p /usr/local/bin/synology-letsencrypt/other-example.com
This creates an entire configuration in
/usr/local/etc/synology-letsencrypt/example.com/env
and
/usr/local/etc/synology-letsencrypt/other-example.com/env
respectively, which
you can tune according to your needs. That extends to modifying the hook
in
each one to match your needs.
You might want this if you require more than one certificate on the Synology, or if you want to generate a certificate for another host on your Synology.
By default, synology-letsencrypt.sh
will overwrite any changes you make to the
hook script to preserve the core functionality of this client. If you have customized your script, you can preserve its changes by adding the -c
parameter to your invocation:
$ /usr/local/bin/synology-letsencrypt.sh -c
To uninstall synology-letsencrypt, run the uninstall script. To do that, either download and run the script manually, or use the following cURL command:
curl -sSL https://raw.githubusercontent.com/dominictayloruk/synology-letsencrypt/master/uninstall.sh | bash