Updated Synology NAS Guide (markdown)

Synology-NAS-Guide.md

@@ -13,13 +13,13 @@ With the [Synology DSM deployhook](https://github.com/acmesh-official/acme.sh/wi
 ## Installation of acme.sh
 
 ```sh
-$ sudo su
+sudo su
-$ cd ~
+cd ~
-$ wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
+wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
-$ tar xvf master.tar.gz
+tar xvf master.tar.gz
-$ cd acme.sh-master/
+cd acme.sh-master/
-$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "email@gmailcom"
+./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "email@gmailcom"
-$ source ~/.profile
+source ~/.profile
 ```
 
 ## Configuring DNS
@@ -44,58 +44,62 @@ In case you use another DNS service, check the `dnsapi` directory and [DNS API g
 Now it's time to create the certificate for your domain:
 
 ```sh
-$ cd /usr/local/share/acme.sh
+# These commands assume you are still working in the same terminal and have ran necessary commands described above.
-$ export CERT_DOMAIN="your-domain.tld"
+
-$ export CERT_DNS="dns_cf"
+cd /usr/local/share/acme.sh
-$ ./acme.sh --issue --server letsencrypt --home . -d "$CERT_DOMAIN" --dns "$CERT_DNS"
+export CERT_DOMAIN="your-domain.tld"
+export CERT_DNS="dns_cf"
+./acme.sh --issue --server letsencrypt --home . -d "$CERT_DOMAIN" --dns "$CERT_DNS"
 ```
 
 ## Deploy the default certificate
-We will use the [Synology DSM deployhook](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm) to deploy our certificate.  This will override the default certificate, in the next section you can see how to create new certificates to be used for other services.
+We will use the [Synology DSM deployhook](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm) to deploy our certificate. This will override the default certificate, you can learn how to create new certificates to be used for other services later in this section.
+**The commands in the code block in this section assume you are still working in the same terminal and executed necessary commands described above.**
 
+### Deploy with temp or existing admin user
+
+#### (Recommend) Deploy with auto created temp admin user
+
+If you installed `acme.sh` in DSM, we recommend you to try automatic temp user auth method to deploy (DSM should already have required built-in tools, we will let you know if not):
+```sh
+export SYNO_USE_TEMP_ADMIN=1
+./acme.sh --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
+```
+Notice: the temp admin user should be automatically deleted after execution, if the script unexpectedly stopped while running (e.g., abort by pressing "Ctrl+C"), it may remain if it has already been created, in this case, you can safely delete it via Control panel.
+
+#### (Default) Deploy with existing admin user
+If you prefer to deploy with existing admin user or if the above way is not available (e.g., installed in docker), you need to provide your own credentials:
 ```sh
-$ cd /usr/local/share/acme.sh
 # Single quotes prevents some escaping issues if your password or username contains certain special characters
-$ export SYNO_Username='Admin_Username'
+export SYNO_Username='Admin_Username'
-$ export SYNO_Password='Admin_Password!123'
+export SYNO_Password='Admin_Password!123'
-# You must specify SYNO_Certificate, for the default certificate, we use an empty string
+./acme.sh --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
-# Please be aware that the empty string only works if you haven't added/changed the description for
-# the default certificate. If you have, you'll need to specify the description here.
-$ export SYNO_Certificate=""
-$ ./acme.sh --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
 ```
 
-Note that if the user entered for `SYNO_Username` has enabled two-factor authentication (2FA), the login will fail and the error states that user/password is wrong, even if both are correct.
+Note that if the user entered for `SYNO_Username` has enabled two-factor authentication (2FA), the script will ask you to manually input the TOTP code just like you were logging in on the Web UI, and obtain to store necessary info to omit the TOTP in the future.
-To fix this, simply follow the steps described at the [Synology DSM deployhook](https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm) wiki page - in short: log into your DSM via its website, making sure you've ticked `Remember this device` when asked for your OTP, get the `did` cookie's value and set the environment variable:
+> BTW, as you may know if you used to use this script to deploy, the necessary info here now is so-called parameter "Device ID", if you are a pro user and want to obtain it manually, you still can, method in short: log into your DSM via its website, making sure you've ticked `Remember this device` when asked for your OTP, get the `did` cookie's value and set the environment variable `SYNO_DEVICE_ID`:
 ```sh
-export SYNO_DID='YOUR VALUE'
+export SYNO_DEVICE_ID='YOUR VALUE'
+./acme.sh --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
 ```
 
-When we want to use https to deploy the new certificate and connect to "localhost", we need to add the --insecure option to the deploy command to prevent curl errors. refer to [https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params]. If you enabled HTTP/2 you still receive a curl 16 error probably due to missing http2 dependencies on the NAS but the script succeeds.
+### Use HTTPS to deploy
+When we want to use HTTPS to deploy the new certificate and connect to "localhost", we need to add the --insecure option to the deploy command to prevent curl errors. Refer to [https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params]. If you enabled HTTP/2 you still receive a curl 16 error probably due to missing http2 dependencies on the NAS but the script succeeds.
 
 ```sh
-$ cd /usr/local/share/acme.sh
-# Single quotes prevents some escaping issues if your password or username contains certain special characters
-$ export SYNO_Username='Admin_Username'
-$ export SYNO_Password='Admin_Password!123'
 # export SYNO_Hostname="localhost" # Specify if not using on localhost
-$ export SYNO_Scheme="https"
+export SYNO_Scheme="https"
-$ export SYNO_Port="5001"
+export SYNO_Port="5001"
-# You must specify SYNO_Certificate, for the default certificate, we use an empty string
-# Please be aware that the empty string only works if you haven't added/changed the description for
-# the default certificate. If you have, you'll need to specify the description here.
-$ export SYNO_Certificate=""
 $ ./acme.sh --deploy --insecure --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
 ```
 
 ### Deploying additional certificates
 
-By specifying a different `SYNO_Certificate` and (optionally) `SYNO_Create`, we can deploy multiple certificates to the DSM.  These commands assume you are still working in the same terminal and have exported all other necessary variables described above.
+By specifying a different `SYNO_Certificate` (and set `SYNO_Create=1` for creating), we can deploy multiple certificates to the DSM.
 
 ```sh
-$ ./acme.sh --issue --home . -d "subdomain.$CERT_DOMAIN" --dns "$CERT_DNS"
 # SYNO_Certificate is the description shown under Security -> Certificates in the DSM Control Panel
-$ export SYNO_Certificate="A different certificate"
+$ export SYNO_Certificate="A different certificate description"
 $ export SYNO_Create=1 # Says to create the certificate if it doesn't exist
 $ ./acme.sh --deploy --home . -d "subdomain.$CERT_DOMAIN" --deploy-hook synology_dsm
 ```