Installing a Free LetsEncrypt SSL certificate on DSM 5.x

To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

Let’s Encrypt is a nonprofit.  Their mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Our services are free and easy to use so that every website can deploy HTTPS.

By securing your domain, you’ll also have the immediate benefit of your browser not warning you about potentially going to an untrusted website.



Credit to for the bulk of the information.  I’ve added some supplementary material and added some additional detail.

LetsEncrypt also allows you to generate a SSL certificate for * domains, which many certificate authorities do not allow (such as StartSSL).

Enable Web Station

Control Panel -> Web Services.  Tick “Enable Web Station” and “Enable HTTPS connection for web services”


Port Forward 80 & 443 (TCP)

On your router, ensure you forward ports 80 & 443/TCP to your Synology.  This is required to allow the certificate authority to challenge the validity of your domain.

Install the ACME Client

Since DSM has a very limited shell, you’ll need to download and install the client.

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • Full ACME protocol implementation.
  • Support ACME v1 and ACME v2
  • Support ACME v2 wildcard certs
  • Simple, powerful and very easy to use. You only need 3 minutes to learn it.
  • Bash, dash and sh compatible.
  • Simplest shell script for Let’s Encrypt free certificate client.
  • Purely written in Shell with no dependencies on python or the official Let’s Encrypt client.
  • Just one script to issue, renew and install your certificates automatically.
  • DOES NOT require root/sudoer access.
  • Docker friendly
  • IPv6 support

It’s probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let’s Encrypt.

Install to /volume1/, and do not create cronjob:

$ ssh root@ds410.local
BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ds410> cd /volume1/
ds410> wget
--2017-02-16 14:34:05--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132328 (129K) [text/plain]
Saving to: ''

100%[==========================================================>] 132,328     --.-K/s   in 0.1s    

2017-02-16 14:34:05 (916 KB/s) - '' saved [132328/132328]

ds410> sh ./ --install --nocron --home /volume1/
[Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode.
[Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning.
[Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/
[Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/
[Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile'
[Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using
[Thr Feb 16 14:36:10 MSK 2017] OK
ds410> . /volume1/


Issue certificate

ds410> --issue -d --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'

Webroot points to /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains line “Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge“. Otherwise, it would be “/volume1/web” or wherever your vHost points too, refer to Web Services documentation.

You can check that it’s successfully installed by going into Control Panel -> Security -> Certificate.


Automatic renew

Certificates are valid for 90 days.  To automate the renewal, go to Control Panel -> Task Scheduler and create task with User-defined script:

/volume1/ --cron --home /volume1/

That’s all, folks!


Where are the certficates stored?

/usr/syno/etc/ssl/ssl.crt/server.crt (server certificate)
/usr/syno/etc/ssl/ssl.crt/ca.crt (certificate authority)
/usr/syno/etc/ssl/ssl.key/server.key (server certificate private key)
/usr/syno/etc/ssl/ssl.key/ca.key (CA private key)

This is useful if you have packages and other applications running off your NAS so you can create a symbolic link to these when your certificate gets renewed.

ln -s /usr/syno/etc/ssl/ssl.crt/server.crt /<your app>/cert.pem

12 thoughts on “Installing a Free LetsEncrypt SSL certificate on DSM 5.x

  1. I did get Let’s Encrypt on my NAS, but I’m wondering how I can use it as well for access to some of my Worldpress pages ( in fact Woocommerce checkout ) Any suggestion.


    1. You can use the ssl certificate on any application that supports it including WordPress. You would need to refer to the WordPress instructions as it is app specific


  2. Awesome guidelines!

    The SSL certificate can be applied to DSM successfully after executing the script. However, it doesn’t apply to Web Station / Photo Station, unless manually uncheck and re-check the ‘Enable HTTPS connection for web services’ after each certificate renewal, may I know if this can be automated as well?

    Thanks in advance!


    1. Sorry I’m not sure. I assumed that the native apps used the same cert location as the main system. Perhaps someone in the community can answer this one. Good luck!


    1. well basically I got this error first:
      [Thr Sep 2 19:56:24 CEST 2021] error:Invalid response from []:
      [Thr Sep 2 19:56:24 CEST 2021] Please check log file for more details: /volume1/
      WARNING: can’t open config file: /usr/syno/ssl/openssl.cnf

      Then I tried:
      cd /usr/syno
      mkdir ssl
      cd ssl
      and issue again with –server letsencrypt

      now i get:
      Markus> –issue -d –server letsencrypt –webroot /var/lib/letsencrypt –certpath /usr/syno/etc/ssl/ssl.crt/server.crt –keypat
      h /usr/syno/etc/ssl/ssl.key/server.key –capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt –reloadcmd ‘/usr/syno/sbin/synoservicecfg –reload httpd
      [Thr Sep 2 20:02:09 CEST 2021] Using CA:
      [Thr Sep 2 20:02:09 CEST 2021] Single domain=’’
      [Thr Sep 2 20:02:09 CEST 2021] Getting domain auth token for each domain
      [Thr Sep 2 20:02:13 CEST 2021] Getting webroot for domain=’’
      [Thr Sep 2 20:02:13 CEST 2021] Verifying:
      [Thr Sep 2 20:02:14 CEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
      [Thr Sep 2 20:02:17 CEST 2021] error:Invalid response from []:
      [Thr Sep 2 20:02:17 CEST 2021] Please check log file for more details: /volume1/


      1. Note also that my file httpd.conf does not contain the mentioned alias:

        Markus> cat /etc/httpd/conf/httpd.conf | grep alias
        LoadModule alias_module modules/


  3. Dear Aaron,
    Thanks very much for this great tutorial.
    I’m not familliar with shell.
    I try to follow the steps, which works fine until issuing the certificat as I receive an error 400.

    my nas is an old one DS210J, running with the DSM 5.2 as I can’t upgrade it.

    Do you know if there is any solution to solve this error 400 ?
    Thanks in advance.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s