Updated Synology NAS Guide (markdown)

master
Fernando Miguel 2017-04-28 14:35:03 +01:00
parent 0140ffb2dd
commit df7660b476
1 changed files with 21 additions and 9 deletions

@ -1,40 +1,52 @@
Since Synology introduced [Let's Encrypt](https://letsencrypt.org/), many of us benefit from free SSL. Since Synology introduced [Let's Encrypt](https://letsencrypt.org/), many of us benefit from free SSL.
On the other hand, many of us don't want to expose port 80/443 to the Internet. The alternative is to use the DNS-01 protocol. Sadly the Synology implementation of Let's Encrypt currently (1-Jan-2017) only supports the HTTP-01 method which requires exposing port 80 to the Internet. On the other hand, many of us don't want to expose port 80/443 to the Internet. The alternative is to use the DNS-01 protocol. Sadly the Synology implementation of Let's Encrypt currently (1-Jan-2017) only supports the HTTP-01 method which requires exposing port 80 to the Internet.
But we can access the NAS via SSH and configure it to renew certs instead of using the web dashboard. But we can access the NAS via SSH and configure it to renew certs instead of using the web dashboard.
Here's the HowTo (xpopst https://forum.synology.com/enu/viewtopic.php?f=7&t=123007). Here's the HowTo (xpopst https://forum.synology.com/enu/viewtopic.php?f=7&t=123007).
I've used https://github.com/Neilpang/acme.sh which is a 3rd party client for Let's Encrypt, based on Shell scripting. No extra dependencies are required. I've used https://github.com/Neilpang/acme.sh which is a 3rd party client for Let's Encrypt, based on Shell scripting. No extra dependencies are required.
I've also used it with the DNS-01 protocol, which means, I don't have any ports open on the router to do the validation, instead it uses the [Cloudflare API](https://api.cloudflare.com/), where I host my domain. I've also used it with the DNS-01 protocol, which means, I don't have any ports open on the router to do the validation, instead it uses the [Cloudflare API](https://api.cloudflare.com/), where I host my domain.
Install: Install:
```
$ export FORCE=1 $ export FORCE=1
$ wget -O - https://get.acme.sh | sh $ wget -O - https://get.acme.sh | sh
```
so install is done :) so install is done :)
It will ask you to logout and login back again, to set shell settings.
next step is to do the configuration: next step is to do the configuration:
```
$ cd ~/.acme.sh/ $ cd ~/.acme.sh/
$ vi account.conf ```
set your email, cloudflare account and API (https://www.cloudflare.com/a/account/my-account) set your email, cloudflare account and API (https://www.cloudflare.com/a/account/my-account)
ctrl+c
:wq (and you are out of VI(M))
```
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="xxxx@sss.com"
```
Now to create your certificate: Now to create your certificate:
$ ./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath /usr/syno/etc/certificate/system/default/cert.pem --keypath /usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem $ ./acme.sh --issue -d YOURDOMAIN.TLD --dns dns_cf --certpath /usr/syno/etc/certificate/system/default/cert.pem --keypath /usr/syno/etc/certificate/system/default/privkey.pem --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem --reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload" --dns_sleep 10
You'll need to restart the webserver with:
$ /usr/syno/etc/rc.sysv/nginx.sh reload
simple right? simple right?
Since acme.sh installs a cron, it will take care of the renewal for you. Since acme.sh installs a cron, it will take care of the renewal for you.
HTH HTH
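Review bot: with `$ vi account.conf` removed from the configuration block, the `export CF_Key=...` / `export CF_Email=...` lines no longer say which file they belong in; keep `$ vi account.conf` after `$ cd ~/.acme.sh/` inside the first fence so the reader knows the credentials are written to `~/.acme.sh/account.conf`. Because that file holds the Cloudflare API key in plain text, one sentence noting that the two values shown are placeholders and that the file should be readable only by the user running acme.sh would be useful. In the new `--issue` command, `--dns_sleep 10` gives the TXT record ten seconds to become visible before validation is attempted; a short note that a failed validation is the sign this is too short, and that raising the value is the fix, would save readers a debugging round. The added `--reloadcmd "/usr/syno/etc/rc.sysv/nginx.sh reload"` is the reason the separate "restart the webserver" step was dropped, and since acme.sh stores it for the cron renewal mentioned below, it is worth saying so explicitly.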