immwind

长风

life, the programming and everything

Apply SSL certificate for Synology NAS through Docker and set up automatic renewal.

Introduction#

  • acme.sh: Tool for automatic certificate application and renewal
  • Cloudflare: Domain resolution and hosting platform (one of the services)
  • Let's Encrypt: Free certificate authority (valid for three months)

Preparation#

Applying for a Cloudflare Token#

Because domain verification is required, you need to apply for a token with editing permissions for the corresponding domain DNS:

  1. Click Create Token at User API Tokens
  2. Click Use Template in the Edit Zone DNS section
  3. Then select the domain name for which you want to apply for a certificate in Zone Resources
  4. Save

Enabling Synology SSH Login#

Log in to Synology Web and go to Control Panel -> Terminal & SNMP. Check Enable SSH Service and save.

Note: Another option is to directly execute each operation through Synology's Task Scheduler.

Certificate Application#

The following commands are run after connecting to Synology over SSH. The export lines at the top of each step only need to be executed once; they are repeated in every snippet so that each one is self-contained.

By default, Synology accounts are not members of the docker group, so it is easiest to switch to the root account. Alternatively, prefix each command with sudo. To switch to root:

sudo -i

Then create a folder to store the domain certificate:

mkdir -p /volume1/docker/acme.sh

Registering an ACME Account#

export ACMEPATH="/volume1/docker/acme.sh" # The path created in the previous step
export EMAIL="mail@example.com" # Email used for registering with Let's Encrypt

docker run --rm \
  -v "${ACMEPATH}":/acme.sh \
  --net=host \
  neilpang/acme.sh \
  --register-account \
  -m "${EMAIL}" \
  --server letsencrypt

  • --rm: Removes the container as soon as the command finishes
  • --server: The ACME server to register with (here Let's Encrypt)

Applying for a Certificate#

export ACMEPATH="/volume1/docker/acme.sh"
export DOMAIN="immwind.com"  # The domain the certificate is issued for (not an email address)
export CFTOKEN="Gl8exdSXRRwGxg5EjVnTDzYY42" # Token obtained from Cloudflare

docker run --rm \
  -v "${ACMEPATH}":/acme.sh \
  -e CF_Token="${CFTOKEN}" \
  --net=host \
  neilpang/acme.sh \
  --issue \
  --dns dns_cf \
  --ocsp \
  --server letsencrypt \
  -d "${DOMAIN}" \
  -d "*.${DOMAIN}"

Replace the CFTOKEN variable with the Token obtained from Applying for a Cloudflare Token.

Deploying the Certificate#

export ACMEPATH="/volume1/docker/acme.sh"
export DOMAIN="immwind.com"
export USERNAME="username"  # Synology login account
export PASSWORD="password"  # Synology login password
export PORT="5001"          # HTTPS port

docker run --rm \
  -v "${ACMEPATH}":/acme.sh \
  -e SYNO_Username="${USERNAME}" \
  -e SYNO_Password="${PASSWORD}" \
  -e SYNO_Scheme="https" \
  -e SYNO_Port="${PORT}" \
  -e SYNO_Certificate="A different certificate" \
  --net=host \
  neilpang/acme.sh \
  --deploy --insecure \
  --deploy-hook synology_dsm \
  -d "${DOMAIN}" -d "*.${DOMAIN}"

  • SYNO_Certificate: The description shown below the domain name in the Synology certificate interface
  • --insecure: Skips verification of the DSM API's own TLS certificate, which is needed while DSM is still serving its self-signed default certificate

After the deployment is complete, you can view and configure the applied domain certificate in Control Panel -> Security -> Certificate.

Automatic Certificate Renewal Configuration#

After logging in to Synology Web, go to Control Panel:

  1. Select Task Scheduler
  2. Click Create -> Scheduled Task -> User-defined script
  3. Fill in the following content (including variables) in the Run command section of the task settings:

export ACMEPATH="/volume1/docker/acme.sh"
export DOMAIN="immwind.com"
export CFTOKEN="Gl8exdSXRRwGxg5EjVnTDzYY42"

export USERNAME="username"  # Synology login account
export PASSWORD="password"  # Synology login password
export PORT="5001"          # HTTPS port

docker run --rm \
  -v "${ACMEPATH}":/acme.sh \
  -e CF_Token="${CFTOKEN}" \
  --net=host \
  neilpang/acme.sh \
  --renew --force \
  --dns dns_cf \
  --ocsp \
  --server letsencrypt \
  -d "${DOMAIN}" -d "*.${DOMAIN}"

docker run --rm \
  -v "${ACMEPATH}":/acme.sh \
  -e SYNO_Username="${USERNAME}" \
  -e SYNO_Password="${PASSWORD}" \
  -e SYNO_Scheme="https" \
  -e SYNO_Port="${PORT}" \
  -e SYNO_Certificate="A different certificate" \
  --net=host \
  neilpang/acme.sh \
  --deploy --insecure \
  --deploy-hook synology_dsm \
  -d "${DOMAIN}" -d "*.${DOMAIN}"

Schedule the task to run once a month. To confirm that it works, run it manually once and check that it completes successfully.
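An added example, not from the original post: a Task Scheduler script that renews only when the certificate is actually close to expiry (instead of forcing a renewal on every run) and reads the Cloudflare token from a root-only file instead of embedding it in the task definition. The token file path is a constructed assumption; USERNAME, PASSWORD and PORT are assumed to be supplied as environment variables of the task.

```shell
#!/bin/sh
# Added example, not from the original post: a Task Scheduler script that
# renews only when the certificate is close to expiry and reads the
# Cloudflare token from a root-only file instead of the task definition.
# The token file path is a constructed assumption; the acme.sh directory
# layout (<domain>_ecc for the default ECC key, <domain> otherwise) is real.
set -eu

ACMEPATH="${ACMEPATH:-/volume1/docker/acme.sh}"
DOMAIN="${DOMAIN:-immwind.com}"
RENEW_DAYS="${RENEW_DAYS:-30}"                   # renew when fewer days than this remain
TOKEN_FILE="${TOKEN_FILE:-$ACMEPATH/cf_token}"   # assumed location, chmod 600

# Print the path of the current full chain for DOMAIN, or fail if none was issued yet.
find_cert() {
  for d in "$1/$2_ecc" "$1/$2"; do
    [ -f "$d/fullchain.cer" ] && { echo "$d/fullchain.cer"; return 0; }
  done
  return 1
}

# Print the token; refuse a file readable by anyone but its owner.
load_token() {
  mode=$(stat -c %a "$1")
  case "$mode" in
    600|400) cat "$1" ;;
    *) echo "token file $1 has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Succeed when the certificate expires within $2 days (openssl -checkend fails then).
renew_needed() {
  ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 ))
}

main() {
  cert=$(find_cert "$ACMEPATH" "$DOMAIN") || { echo "no certificate for $DOMAIN, run --issue first" >&2; return 1; }
  if ! renew_needed "$cert" "$RENEW_DAYS"; then
    echo "$DOMAIN: more than $RENEW_DAYS days left, nothing to do"; return 0
  fi
  CFTOKEN=$(load_token "$TOKEN_FILE")
  # Our own expiry check already gated this run, so --force stops acme.sh from skipping.
  docker run --rm -v "$ACMEPATH":/acme.sh -e CF_Token="$CFTOKEN" --net=host \
    neilpang/acme.sh --renew --force --dns dns_cf --server letsencrypt -d "$DOMAIN" -d "*.$DOMAIN"
  docker run --rm -v "$ACMEPATH":/acme.sh -e SYNO_Username="${USERNAME:?}" -e SYNO_Password="${PASSWORD:?}" \
    -e SYNO_Scheme=https -e SYNO_Port="${PORT:-5001}" -e SYNO_Certificate="A different certificate" \
    --net=host neilpang/acme.sh --deploy --insecure --deploy-hook synology_dsm -d "$DOMAIN" -d "*.$DOMAIN"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Save it under the acme.sh folder, make it executable, and point the Task Scheduler command at it with --run; the DSM credentials then stay in the task's environment rather than in the script itself.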

Finally#

After configuring it, I suddenly remembered that the certificate for [[ESXi]] has also long since expired. Maybe I can tinker with that as well.

Information#

Environment#

  • DSM 7.2
  • Docker 20.10.23
