Add the option to use DSM cert library for the cert installation

master
florid2 2017-06-28 15:17:35 +10:00
parent 860b5beead
commit 889f931732
1 changed files with 31 additions and 2 deletions

@ -43,10 +43,39 @@ Now to create your certificate:
$ ./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath /usr/syno/etc/certificate/system/default/cert.pem --keypath /usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload" --dnssleep 10 $ ./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath /usr/syno/etc/certificate/system/default/cert.pem --keypath /usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload" --dnssleep 10
simple right? Please note, in this way it will replace/overwrite your Synology NAS system default certificate directly.
Alternatively, you can change the certificates install path to your DSM cert library folder which will only replace the certificate you nominated, no impact to system default one.
Since acme.sh installs a cron, it will take care of the renewal for you. For example:
`$./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath /usr/syno/etc/certificate/_archive/**vPATH**/cert.pem --keypath /usr/syno/etc/certificate/_archive/**vPATH**/privkey.pem --fullchainpath /usr/syno/etc/certificate/_archive/**vPATH**/fullchain.pem --capath /usr/syno/etc/certificate/_archive/**vPATH**/chain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload"`
You need to manually replace the 'vPATH' field with the directory name under your /usr/syno/etc/certificate/_archive/ . The directory name is a six characters unique name.
Now you can check the DSM control panel - Security - Certificates to see the nominated certificate has been replaced by letsencrypt one. You can now configure to use this one as default and assign to specific services, like vpn, sftp, etc.
To auto renew the certificates in the future, you need to configure the cronjob. However, acme.sh seems not properly add tasks to Synology crontab. You have to do this manually.
Configure crontab for root
`$ vi /etc/crontab `
Add the following line to the crontab. Remember to use tab for spacing.
For example, 10:00 am of the 2nd day every month run the cronjob to check if due to renew the certificates (You can modify the cronjob schedule according to your needs)
`0 10 2 * * root /root/.acme.sh/acme.sh --cron`
The last step is to setup a schedule task to copy renewed certificates in cert library to system default directory and restart the Nginx service.
In DSM control panel, open the 'Task Scheduler' and create a new scheduled task for a user-defined script.
General Setting: Task - Update default Cert. User - root
Schedule: Setup the time according to your acme.sh crontab schedule. For example, 11:00 am of the 2nd day every month.
Task setting: User-defined-script
`rsync -avzh /usr/syno/etc/certificate/_archive/**vPATH**/ /usr/syno/etc/certificate/system/default/`
`/usr/syno/etc/rc.sysv/nginx.sh reload `
Now you should all good.
HTH HTH
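Review bot: the new text contradicts itself about what the "DSM cert library" path achieves. The paragraph beginning "Alternatively, you can change the certificates install path to your DSM cert library folder" says this "will only replace the certificate you nominated, no impact to system default one", but the last step then adds a scheduled task that does `rsync -avzh /usr/syno/etc/certificate/_archive/**vPATH**/ /usr/syno/etc/certificate/system/default/`, which overwrites the system default certificate after all. Either drop the rsync step and keep the "no impact" claim, or reword the claim to say that the default is updated on the schedule rather than directly by acme.sh. Two smaller points in the same hunk: "Since acme.sh installs a cron, it will take care of the renewal for you. For example:" is placed directly before the alternative `--issue` command, so the "example" reads as a cron example, and it is contradicted three lines later by "acme.sh seems not properly add tasks to Synology crontab. You have to do this manually"; move or delete the first sentence. And the `**vPATH**` markers sit inside backtick code spans, where the asterisks render literally and will be copied into the command; write the placeholder as plain `vPATH` (as the following sentence already refers to it) so the instruction "manually replace the 'vPATH' field" matches what the reader sees. Finally, the monthly `0 10 2 * *` entry only checks renewal once a month, whereas the cron that acme.sh normally installs checks daily; a daily entry would be the safer default to document.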