I already imported private key, server certificate and intermediate CA from StartSSL (Control Panel -> Security -> Certificate). I guess you need to import something once, so DSM will properly configure his Apache. Do not "Create Certificate", Import something valid. Also, you need domain name, and your DSM must have Web Services enabled, and listen on port 80, and so on.
Install ACME client
Since DSM have very limited shell, I chose acme.sh client. Install to /volume1/.acme.sh, do not create cronjob:
$ ssh firstname.lastname@example.org BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. ds410> cd /volume1/ ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh --2017-02-16 14:34:05-- https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh Resolving raw.githubusercontent.com... 184.108.40.206 Connecting to raw.githubusercontent.com|220.127.116.11|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 132328 (129K) [text/plain] Saving to: 'acme.sh' 100%[==========================================================>] 132,328 --.-K/s in 0.1s 2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328] ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh [Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'. [Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode. [Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning. [Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh [Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh [Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile' [Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh [Thr Feb 16 14:36:10 MSK 2017] OK ds410> . /volume1/.acme.sh/acme.sh.env ds410>
This is a bit tricky. DSM uses Apache web server with some crazy configuration. And they don't have apachectl.
ds410> acme.sh --issue \ -d your.domain.name \ --webroot /var/lib/letsencrypt \ --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \ --keypath /usr/syno/etc/ssl/ssl.key/server.key \ --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt \ --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'
Webroot points to /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains line "Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge". Otherwise, it would be "/volume1/web" or wherever your vHost points too, refer to Web Services documentation.
Go to Control Panel -> Task Scheduler and create task with User-defined script:
/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh
That's all, folks!