Automatic SSL renewal with Let’s Encrypt on DSM 5.x / Synology DS1010+ via dns-01 verification

The one downside of Let’s Encrypt has always been that an internal server had to open up ports for the verification step. Using Cloudflare and acme.sh gives my old Synology DS1010+ new life with a proper SSL certificate (acme.sh supports a number of DNS providers other than Cloudflare as well).

As long as you have a CloudFlare account (or an account with any other DNS provider supported by the acme.sh DNS API), the installation and automation are really simple.

First we will install acme.sh – for this you need SSH / Telnet access to your Synology:

cd /tmp
curl -L -o /tmp/master.tgz https://github.com/Neilpang/acme.sh/archive/master.tar.gz
tar xvf master.tgz
cd acme.sh-master/
./acme.sh --install --nocron

The above downloads the acme.sh installer and then installs it with the “nocron” option (since my Synology does not run a scheduler that acme.sh supports). The installer completes quickly:

After you have closed and re-opened the terminal, configure acme.sh to update itself automatically:

acme.sh --upgrade --auto-upgrade

As the last configuration step, adjust ACCOUNT_EMAIL in ~/.acme.sh/account.conf and add your CloudFlare Global API key and account email. The Global API key gives full access to your CloudFlare account, so make sure ~/.acme.sh/account.conf stays readable only by root:

ACCOUNT_EMAIL='[email protected]'

export CF_Key="MyCloudFlare-Global-API-Key"
export CF_Email="MyCloudFlare-Account-Email-Address"

Next we run the Let’s Encrypt certificate installation (adjust the domain name accordingly):

MuffinStation> acme.sh --issue --post-hook "/usr/syno/sbin/synoservicectl --restart httpd-sys" -d muffinstation.naschenweng.info --dnssleep 30 --dns dns_cf --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --fullchainpath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt

[Fri Jan  6 10:58:37 CAT 2017] Registering account
[Fri Jan  6 10:58:41 CAT 2017] Registered
[Fri Jan  6 10:58:43 CAT 2017] Update success.
[Fri Jan  6 10:58:43 CAT 2017] Creating domain key
[Fri Jan  6 10:58:44 CAT 2017] Single domain='muffinstation.naschenweng.info'
[Fri Jan  6 10:58:44 CAT 2017] Getting domain auth token for each domain
[Fri Jan  6 10:58:44 CAT 2017] Getting webroot for domain='muffinstation.naschenweng.info'
[Fri Jan  6 10:58:44 CAT 2017] _w='dns_cf'
[Fri Jan  6 10:58:44 CAT 2017] Getting new-authz for domain='muffinstation.naschenweng.info'
[Fri Jan  6 10:58:46 CAT 2017] The new-authz request is ok.
[Fri Jan  6 10:58:46 CAT 2017] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Fri Jan  6 10:58:51 CAT 2017] Adding record
[Fri Jan  6 10:58:53 CAT 2017] Added, OK
[Fri Jan  6 10:58:53 CAT 2017] Sleep 120 seconds for the txt records to take effect
[Fri Jan  6 11:00:54 CAT 2017] Verifying:muffinstation.naschenweng.info
[Fri Jan  6 11:01:00 CAT 2017] Success
[Fri Jan  6 11:01:07 CAT 2017] Verify finished, start to sign.
[Fri Jan  6 11:01:09 CAT 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgISA3j+N+B+isSFGszBg+iR4NW+MA0GCSqGSIb3DQEBCwUA
...
...

jixZJvwJjKwXm4QyiE4mpYJI9As=
-----END CERTIFICATE-----
[Fri Jan  6 11:01:09 CAT 2017] Your cert is in  /root/.acme.sh/muffinstation.naschenweng.info/muffinstation.naschenweng.info.cer
[Fri Jan  6 11:01:09 CAT 2017] Your cert key is in  /root/.acme.sh/muffinstation.naschenweng.info/muffinstation.naschenweng.info.key
[Fri Jan  6 11:01:09 CAT 2017] The intermediate CA cert is in  /root/.acme.sh/muffinstation.naschenweng.info/ca.cer
[Fri Jan  6 11:01:09 CAT 2017] And the full chain certs is there:  /root/.acme.sh/muffinstation.naschenweng.info/fullchain.cer
[Fri Jan  6 11:01:09 CAT 2017] Run post hook:'kill -USR1 cat /run/httpd/httpd-sys.pid'
[Fri Jan  6 11:01:09 CAT 2017] Installing cert to:/usr/syno/etc/ssl/ssl.crt/server.crt
[Fri Jan  6 11:01:09 CAT 2017] Installing key to:/usr/syno/etc/ssl/ssl.key/server.key
[Fri Jan  6 11:01:09 CAT 2017] Installing full chain to:/usr/syno/etc/ssl/ssl.intercrt/server-ca.crt

Lastly, you need to add a Crontab entry via vi /etc/crontab:

3       2       *       *       2       root    /root/.acme.sh/acme.sh --cron

Older Synology models had issues with the crontab format – so make sure that you use tabs between the fields. Run the cron job to verify that everything is fine:
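Once the cron job has run, a small check script confirms the result without clicking through the DSM UI. The script below is an added example and is not part of the original post or of acme.sh: it reuses the certificate, key and crontab paths from the commands above, assumes the openssl command line tool is present on the NAS, and the function names (check_dsm_cert and friends) are my own. It verifies that the installed certificate and key belong together, that the certificate still has at least 30 days of validity left (which a working renewal cron job keeps true), and that the /etc/crontab entry really is tab-separated.

```shell
#!/bin/sh
# Added post-install check for the DSM 5.x / acme.sh setup described above.
# Not part of the original post or of acme.sh. Assumes the openssl CLI exists.

# Default paths taken from the acme.sh --issue command in the post.
DSM_CERT="/usr/syno/etc/ssl/ssl.crt/server.crt"
DSM_KEY="/usr/syno/etc/ssl/ssl.key/server.key"
DSM_CRONTAB="/etc/crontab"

# 0 if the public key embedded in the certificate equals the public key
# derived from the private key (i.e. acme.sh installed a matching pair).
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate does not expire within the next $2 days.
# -checkend avoids parsing notAfter dates with a (BusyBox) date command.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 if a crontab line has at least seven TAB-separated fields and none of the
# first six (schedule + user) is empty or contains a space. A line written with
# spaces collapses to a single field and is rejected.
crontab_line_uses_tabs() {
    printf '%s\n' "$1" | awk -F "$(printf '\t')" '
        BEGIN { bad = 0 }
        NF < 7 { bad = 1 }
        NF >= 7 { for (i = 1; i <= 6; i++) if ($i == "" || $i ~ / /) bad = 1 }
        END { exit bad }'
}

# 0 if some line in the crontab file runs "acme.sh --cron" and is tab-separated.
crontab_has_acme_entry() {
    [ -r "$1" ] || return 1
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"acme.sh --cron"*) crontab_line_uses_tabs "$line" && found=0 ;;
        esac
    done < "$1"
    return $found
}

# Prints one OK/FAIL line per check; returns 0 only if all checks pass.
check_dsm_cert() {
    cert=${1:-$DSM_CERT}; key=${2:-$DSM_KEY}; crontab=${3:-$DSM_CRONTAB}
    rc=0
    if cert_key_match "$cert" "$key"; then
        echo "OK   certificate and private key match"
    else
        echo "FAIL certificate/key mismatch or unreadable files"; rc=1
    fi
    if cert_valid_for_days "$cert" 30; then
        echo "OK   certificate valid for more than 30 days"
    else
        echo "FAIL certificate expires within 30 days (renewal not working?)"; rc=1
    fi
    if crontab_has_acme_entry "$crontab"; then
        echo "OK   tab-separated 'acme.sh --cron' entry present in $crontab"
    else
        echo "FAIL no tab-separated 'acme.sh --cron' entry in $crontab"; rc=1
    fi
    return $rc
}

# Run the report only when paths are given on the command line, e.g.
#   sh check_dsm_cert.sh /usr/syno/etc/ssl/ssl.crt/server.crt \
#      /usr/syno/etc/ssl/ssl.key/server.key /etc/crontab
if [ "$#" -gt 0 ]; then
    check_dsm_cert "$@"
fi
```

Running it with no arguments only defines the functions, so the file can also be sourced from the shell and the individual checks called by hand.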