I already imported private key, server certificate and intermediate CA from StartSSL (Control Panel -> Security -> Certificate). I guess you need to import something once, so DSM will properly configure his Apache. Do not "Create Certificate", Import something valid. Also, you need domain name, and your DSM must have Web Services enabled, and listen on port 80, and so on.
Install ACME client
Since DSM have very limited shell, I chose acme.sh client. Install to /volume1/.acme.sh, do not create cronjob:
$ ssh firstname.lastname@example.org BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. ds410> cd /volume1/ ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh --2017-02-16 14:34:05-- https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh Resolving raw.githubusercontent.com... 220.127.116.11 Connecting to raw.githubusercontent.com|18.104.22.168|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 132328 (129K) [text/plain] Saving to: 'acme.sh' 100%[==========================================================>] 132,328 --.-K/s in 0.1s 2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328] ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh [Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'. [Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode. [Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning. [Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh [Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh [Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile' [Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh [Thr Feb 16 14:36:10 MSK 2017] OK ds410> . /volume1/.acme.sh/acme.sh.env ds410>
This is a bit tricky. DSM uses Apache web server with some crazy configuration. And they don't have apachectl.
ds410> acme.sh --issue \ -d your.domain.name \ --webroot /var/lib/letsencrypt \ --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \ --keypath /usr/syno/etc/ssl/ssl.key/server.key \ --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt \ --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'
Webroot points to /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains line "Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge". Otherwise, it would be "/volume1/web" or wherever your vHost points too, refer to Web Services documentation.
Go to Control Panel -> Task Scheduler and create task with User-defined script:
/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh
That's all, folks!
Hey, you are my hero. After having spend several hours trying to figure out how to get certbot and letsencrypt to work together with DSM5, I forund your blog. Then it took only two minutes.!ReplyDelete
Genial, funciona erstupendo.ReplyDelete
Muchísimas gracias. Eternamente agradecido
thats is increddible simple! thank you very much. thats awesome!ReplyDelete
Thanks. Do I need to leave port 80 open to refresh the certificate with the scheduled task?ReplyDelete
Hm... Since renew uses same mechanism - I guess so.Delete
Thank you very much, this made my day! :)ReplyDelete
I created different 5 scheduled tasks because the scheduler does not allow "repeat every xx days\months" so I made 5 events that repeat every year on 1 gen, 15 mar, 27 may, 8 aug, 20 oct (every 73 days).
Also let me tell you in advance that let's encrypt certificates will cause problems with app like "Cloud Station Drive" as the application by design will drop the connection everytime it detects the certificate has been changed and you'll have to press "edit connection" and re enter the user's password (yes, even if the certificate is valid).
I opened a ticket with the synology's helpdesk, unfortunately they told me that right now this are not going to change.
Happy it worked for you
I had less chance, I got a permission error :
[Sun Jul 1 23:39:39 CEST 2018] Getting new-authz for domain='zzz.hd.free.fr'
[Sun Jul 1 23:39:40 CEST 2018] The new-authz request is ok.
[Sun Jul 1 23:39:41 CEST 2018] Verifying:zzz.hd.free.fr
mkdir: can't create directory '/var/lib/letsencrypt/': Permission denied
/volume2/homes/.acme.sh/acme.sh: line 3: can't create /var/lib/letsencrypt/.well-known/acme-challenge/jaipnlE0s-oE-MtU1jI5KMgm9r5d4bHfVHiilK2B7bc: nonexistent directory
[Sun Jul 1 23:39:41 CEST 2018] zzz.hd.free.fr:Can not write token to file : /var/lib/letsencrypt/.well-known/acme-challenge/jaipnlE0s-oE-MtU1jI5KMgm9r5d4bHfVHiilK2B7bc
I'm logged in as admin, but It seems that root permission is required (not allowed to create the directory even manually).
Any advice please ?
Help please !ReplyDelete
Hi, I followed your guide and it worked for securing my webserver. However, for some reason ftp and ssh still use the old, expired keys. Any idea what is going wrong?ReplyDelete