Pages

Thursday, February 16, 2017

Let's Encrypt certificates on Synology DSM 5

Chrome and Firefox refuses to trust StartSSL certificates and gives zero fucks about that. Synology added Let's Encrypt support for their DSM 6, but for older models, like my DS410, only DSM 5 with critical security updates is available. Are there any other free CA services? I don't know and don't really want to re-issue and re-upload certificate every once in a while, so with Let's Encrypt we go, even if it's not officially supported.

Preparations


I already imported private key, server certificate and intermediate CA from StartSSL (Control Panel -> Security -> Certificate). I guess you need to import something once, so DSM will properly configure his Apache. Do not "Create Certificate", Import something valid. Also, you need domain name, and your DSM must have Web Services enabled, and listen on port 80, and so on.

Install ACME client


Since DSM have very limited shell, I chose acme.sh client. Install to /volume1/.acme.sh, do not create cronjob:

$ ssh root@ds410.local
BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ds410> cd /volume1/
ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
--2017-02-16 14:34:05--  https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
Resolving raw.githubusercontent.com... 151.101.12.133
Connecting to raw.githubusercontent.com|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132328 (129K) [text/plain]
Saving to: 'acme.sh'

100%[==========================================================>] 132,328     --.-K/s   in 0.1s    

2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328]

ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode.
[Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning.
[Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh
[Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile'
[Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh
[Thr Feb 16 14:36:10 MSK 2017] OK
ds410> . /volume1/.acme.sh/acme.sh.env
ds410>


Issue certificate


This is a bit tricky. DSM uses Apache web server with some crazy configuration. And they don't have apachectl.

ds410> acme.sh --issue \
                -d your.domain.name \
                --webroot /var/lib/letsencrypt \
                --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \
                --keypath /usr/syno/etc/ssl/ssl.key/server.key \
                --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt \
                --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'

Webroot points to /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains line "Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge". Otherwise, it would be "/volume1/web" or wherever your vHost points too, refer to Web Services documentation.

Automatic renew


Go to Control Panel -> Task Scheduler and create task with User-defined script:

/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh

That's all, folks!

3 comments:

  1. Hey, you are my hero. After having spend several hours trying to figure out how to get certbot and letsencrypt to work together with DSM5, I forund your blog. Then it took only two minutes.!

    ReplyDelete
  2. Genial, funciona erstupendo.

    Muchísimas gracias. Eternamente agradecido

    ReplyDelete
  3. thats is increddible simple! thank you very much. thats awesome!

    ReplyDelete