Automatic SSL renewal with Let’s Encrypt on DSM 5.x / Synology DS1010+ via dns-01 verification

The one downside of Let’s Encrypt has always been that, for verification, any internal server had to open ports to the Internet. Using Cloudflare and acme.sh gives my old Synology DS1010+ new life with a proper SSL certificate (acme.sh supports a number of DNS providers other than Cloudflare as well).

As long as you have a Cloudflare account (or an account with any other DNS provider supported by the acme.sh DNS API), the installation and automation are really simple.

First we install acme.sh; for this you need SSH / Telnet access to your Synology:

The above downloads the acme.sh installer and then installs it with the --nocron option (since my Synology does not run a scheduler that acme.sh supports). The installer completes quickly:

After closing and re-opening the terminal, configure acme.sh to update itself automatically:

As the last configuration step, adjust ACCOUNT_EMAIL in ~/.acme.sh/account.conf and add your Cloudflare Global API key and e-mail address:

Next we issue and install the Let’s Encrypt certificate (adjust the domain name accordingly):

Lastly, add a crontab entry via vi /etc/crontab:

Older Synology models had issues with the crontab format, so make sure you use tabs between the fields. Run the cron job once to verify that everything works:
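The pieces of the procedure above, as an added shell example that is not part of the original post: it composes the dns_cf issue command with the certificate paths from the comments, writes a tab-separated /etc/crontab line and checks one for the tab problem, and verifies the deployed certificate's remaining validity. The 02:30 schedule, the root user and the ~/.acme.sh location are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the acme.sh + dns_cf
# setup on DSM 5.x. Assumed: acme.sh lives in ~/.acme.sh, the cron job runs as
# root at 02:30 daily, and the certificate paths are the ones from the comments.

ACME_HOME="${HOME:-/root}/.acme.sh"
SSL_DIR="/usr/syno/etc/ssl"

# Compose the one-time issue command for a domain (Cloudflare DNS API, dns-01).
# The post-hook sends SIGUSR1 to the DSM web server so it picks up the new cert.
acme_issue_cmd() {
    printf '%s %s %s %s %s\n' \
        "$ACME_HOME/acme.sh --issue --dns dns_cf -d $1" \
        "--post-hook 'kill -USR1 \$(cat /run/httpd/httpd-sys.pid)'" \
        "--certpath $SSL_DIR/ssl.crt/server.crt" \
        "--keypath $SSL_DIR/ssl.key/server.key" \
        "--fullchainpath $SSL_DIR/ssl.intercrt"
}

# Emit the /etc/crontab line. Older DSM releases require TABs between the
# fields: min hour day month weekday user command.
crontab_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 30 2 '*' '*' '*' root \
        "$ACME_HOME/acme.sh --cron --home $ACME_HOME > /dev/null"
}

# Succeed only if the first six fields are TAB-separated and free of spaces,
# i.e. the entry does not have the formatting problem the post warns about.
check_crontab_tabs() {
    printf '%s\n' "$1" | awk -F'\t' '
        NF < 7 { exit 1 }
        { for (i = 1; i <= 6; i++) if ($i ~ / /) exit 1; exit 0 }'
}

# Succeed if the deployed certificate stays valid for at least $2 days
# (default 30); a silently failing renewal is easy to miss without this.
cert_valid_for_days() {
    openssl x509 -noout -in "${1:-$SSL_DIR/ssl.crt/server.crt}" \
        -checkend $(( ${2:-30} * 86400 ))
}

printf '%s\n' 'Issue command:'
acme_issue_cmd example.com
printf '%s\n' 'Crontab line (tabs shown as \t):'
crontab_line | sed -n l
```

Run cert_valid_for_days from the same cron job (or a second one) and mail or log its exit status to catch a renewal that stopped working.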

  • alea

    Hi Gerd, thanks a lot for your nice solution! It can save me a lot of headaches!!

    I tried the procedure, but, when I entered the command:

    ./acme.sh --issue --post-hook "kill -USR1 `cat /run/httpd/httpd-sys.pid`" -d etc…

    the system answered:

    syntax error: unexpected end of file

    I see that the command ends with:

    … --fullchainpath /usr/syno/etc/ssl/ssl.inter

    maybe there is some typo?

    Thanks again!

    • Hi there,

      I noticed that WordPress somehow messed up the command in the code-preview – I think it is fixed now, but try as:

      acme.sh --issue --post-hook "kill -USR1 `cat /run/httpd/httpd-sys.pid`" -d muffinstation.naschenweng.info --dns dns_cf --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --fullchainpath /usr/syno/etc/ssl/ssl.inter

      • Bob ten Berge

        Actually, the last part of the path is cut short.
        It should say “/usr/syno/etc/ssl/ssl.intercrt”.

        PS: Other than that, excellent howto!

  • David T

    You don’t happen to have any experience with this in DSM 6, do you?

    • ahdi

      You don’t need experience with DSM 6 – it supports Let’s Encrypt natively.