
Thursday, February 16, 2017

Let's Encrypt certificates on Synology DSM 5

Chrome and Firefox refuse to trust StartSSL certificates and give zero fucks about that. Synology added Let's Encrypt support for DSM 6, but for older models, like my DS410, only DSM 5 with critical security updates is available. Are there any other free CA services? I don't know, and I don't really want to re-issue and re-upload the certificate every once in a while, so with Let's Encrypt we go, even if it's not officially supported.

Preparations


I had already imported the private key, server certificate and intermediate CA from StartSSL (Control Panel -> Security -> Certificate). I guess you need to import something once so DSM will properly configure its Apache. Do not "Create Certificate"; import something valid. Also, you need a domain name, and your DSM must have Web Services enabled, listen on port 80, and so on.

Install ACME client


Since DSM has a very limited shell, I chose the acme.sh client. Install it to /volume1/.acme.sh and do not create a cronjob:

$ ssh root@ds410.local
BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ds410> cd /volume1/
ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
--2017-02-16 14:34:05--  https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
Resolving raw.githubusercontent.com... 151.101.12.133
Connecting to raw.githubusercontent.com|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132328 (129K) [text/plain]
Saving to: 'acme.sh'

100%[==========================================================>] 132,328     --.-K/s   in 0.1s    

2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328]

ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode.
[Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning.
[Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh
[Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile'
[Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh
[Thr Feb 16 14:36:10 MSK 2017] OK
ds410> . /volume1/.acme.sh/acme.sh.env
ds410>


Issue certificate


This is a bit tricky. DSM uses the Apache web server with some crazy configuration, and there is no apachectl.

ds410> acme.sh --issue \
                -d your.domain.name \
                --webroot /var/lib/letsencrypt \
                --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \
                --keypath /usr/syno/etc/ssl/ssl.key/server.key \
                --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt \
                --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'

The webroot points to /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains the line "Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge". Otherwise it would be /volume1/web or wherever your vHost points to; refer to the Web Services documentation.
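A preflight check for the two things that go wrong with this step (the --webroot value must match the Alias line, and the challenge directory must be creatable and writable by the user running acme.sh), as an added example of my own and not from the post or from acme.sh. The sample httpd.conf line is constructed; on the DSM, run it as root against the real /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example, not from the post or from acme.sh: derive the webroot that acme.sh
# must write into from DSM's Apache "Alias /.well-known/acme-challenge ..." line and
# check the http-01 challenge directory can be created and written before --issue.

# Print the webroot implied by the acme-challenge Alias in an httpd.conf.
# Returns 1 when no such Alias line exists.
acme_webroot_from_conf() {
    conf="$1"
    target=$(sed -n 's#^[[:space:]]*Alias[[:space:]]\{1,\}/\.well-known/acme-challenge[[:space:]]\{1,\}\([^[:space:]]*\).*#\1#p' "$conf" | head -n 1)
    target=${target#\"}; target=${target%\"}   # tolerate a quoted target
    [ -n "$target" ] || return 1
    # acme.sh --webroot wants the directory *above* .well-known/acme-challenge.
    case "$target" in
        */.well-known/acme-challenge) printf '%s\n' "${target%/.well-known/acme-challenge}" ;;
        *) printf '%s\n' "$target" ;;
    esac
}

# Create the challenge directory and write a probe token the way acme.sh does.
# Returns 1 on the "Permission denied" failure seen when not running as root.
acme_challenge_writable() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || { echo "cannot create $dir (run as root?)" >&2; return 1; }
    probe="$dir/.acme-probe.$$"
    printf 'probe\n' > "$probe" 2>/dev/null || { echo "cannot write into $dir" >&2; return 1; }
    rm -f "$probe"
}

preflight() {
    webroot=$(acme_webroot_from_conf "$1") || { echo "no acme-challenge Alias in $1" >&2; return 1; }
    echo "use: acme.sh --issue --webroot $webroot ..."
    acme_challenge_writable "$webroot"
}

# Constructed sample of the relevant DSM 5 httpd.conf line (an assumption, not a real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# ... other directives ...
Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
EOF

# On the DSM, run as root: sh acme-preflight.sh /etc/httpd/conf/httpd.conf
if [ "$#" -ge 1 ]; then
    preflight "$1"
else
    echo "sample conf implies webroot: $(acme_webroot_from_conf "$SAMPLE_CONF")"
fi
```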

Automatic renew


Go to Control Panel -> Task Scheduler and create a task with a User-defined script:

/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh

That's all, folks!

9 comments:

  1. Hey, you are my hero. After having spent several hours trying to figure out how to get certbot and letsencrypt to work together with DSM5, I found your blog. Then it took only two minutes!

  2. That's incredibly simple! Thank you very much. That's awesome!

  3. Thanks. Do I need to leave port 80 open to refresh the certificate with the scheduled task?

    Replies
    1. Hm... Since renewal uses the same mechanism, I guess so.

  4. Thank you very much, this made my day! :)
    I created 5 different scheduled tasks because the scheduler does not allow "repeat every xx days/months", so I made 5 events that repeat every year on 1 Jan, 15 Mar, 27 May, 8 Aug, 20 Oct (every 73 days).

    Also let me tell you in advance that Let's Encrypt certificates will cause problems with apps like "Cloud Station Drive", as the application by design will drop the connection every time it detects the certificate has been changed, and you'll have to press "edit connection" and re-enter the user's password (yes, even if the certificate is valid).
    I opened a ticket with Synology's helpdesk; unfortunately they told me that right now this is not going to change.

  5. Hi Guys
    Happy it worked for you

    I had less luck; I got a permission error:

    ...
    [Sun Jul 1 23:39:39 CEST 2018] Getting new-authz for domain='zzz.hd.free.fr'
    [Sun Jul 1 23:39:40 CEST 2018] The new-authz request is ok.
    [Sun Jul 1 23:39:41 CEST 2018] Verifying:zzz.hd.free.fr
    mkdir: can't create directory '/var/lib/letsencrypt/': Permission denied
    /volume2/homes/.acme.sh/acme.sh: line 3: can't create /var/lib/letsencrypt/.well-known/acme-challenge/jaipnlE0s-oE-MtU1jI5KMgm9r5d4bHfVHiilK2B7bc: nonexistent directory
    [Sun Jul 1 23:39:41 CEST 2018] zzz.hd.free.fr:Can not write token to file : /var/lib/letsencrypt/.well-known/acme-challenge/jaipnlE0s-oE-MtU1jI5KMgm9r5d4bHfVHiilK2B7bc

    I'm logged in as admin, but it seems that root permission is required (not allowed to create the directory even manually).

    Any advice please?

  6. Hi, I followed your guide and it worked for securing my web server. However, for some reason FTP and SSH still use the old, expired keys. Any idea what is going wrong?
