Installing a Free LetsEncrypt SSL certificate on DSM 5.x

To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

Let’s Encrypt is a nonprofit. Its mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Its services are free and easy to use so that every website can deploy HTTPS.

By serving your site over HTTPS with a trusted certificate, you also get the immediate benefit that browsers stop warning visitors that they may be going to an untrusted website.

[Screenshot: insecure]

Credit to http://blog.raorn.name/2017/02/lets-encrypt-certificates-on-synology.html for the bulk of the information.  I’ve added some supplementary material and added some additional detail.

Let’s Encrypt also allows you to generate an SSL certificate for *.ddns.net domains, which many certificate authorities (such as StartSSL) do not allow.

Enable Web Station

Control Panel -> Web Services. Tick “Enable Web Station” and “Enable HTTPS connection for web services”.

[Screenshot: webstation]

Port Forward 80 & 443 (TCP)

On your router, ensure you forward ports 80 & 443/TCP to your Synology. This is required so the certificate authority can reach your NAS to challenge the validity of your domain: the HTTP-01 challenge used below is answered over port 80, and port 443 serves the resulting HTTPS site.

Install the ACME Client

Since DSM ships with a very limited shell (BusyBox ash), you’ll need to download and install the acme.sh client, which is written in plain shell. From its README:

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • Full ACME protocol implementation.
  • Supports ACME v1 and ACME v2
  • Supports ACME v2 wildcard certs
  • Simple, powerful and very easy to use. You only need 3 minutes to learn it.
  • Bash, dash and sh compatible.
  • Simplest shell script for Let’s Encrypt free certificate client.
  • Purely written in Shell with no dependencies on python or the official Let’s Encrypt client.
  • Just one script to issue, renew and install your certificates automatically.
  • DOES NOT require root/sudoer access.
  • Docker friendly
  • IPv6 support

It’s probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let’s Encrypt.

Install it to /volume1/.acme.sh and do not let it create a cron job (DSM’s Task Scheduler will handle renewal instead, see below):

$ ssh root@ds410.local
BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ds410> cd /volume1/
ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
--2017-02-16 14:34:05--  https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
Resolving raw.githubusercontent.com... 151.101.12.133
Connecting to raw.githubusercontent.com|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132328 (129K) [text/plain]
Saving to: 'acme.sh'

100%[==========================================================>] 132,328     --.-K/s   in 0.1s    

2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328]

ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode.
[Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning.
[Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh
[Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile'
[Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh
[Thr Feb 16 14:36:10 MSK 2017] OK
ds410> . /volume1/.acme.sh/acme.sh.env
ds410>


Issue certificate

ds410> acme.sh --issue -d your.domain.name --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'

The webroot points to /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains the line “Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge”, so that is where the challenge files must be served from. Otherwise it would be /volume1/web, or wherever your vHost points to; refer to the Web Services documentation.

You can check that it’s successfully installed by going into Control Panel -> Security -> Certificate.

[Screenshot: letsencryptcert]
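The Control Panel only tells you that a certificate is present. The script below, added here as an example and not part of the original post, checks from the shell that the certificate acme.sh wrote actually belongs to the private key beside it, that it is not about to expire, and that it chains to the intermediate acme.sh installed. It assumes the DSM 5 paths used in the --issue command above and that openssl is on the PATH (DSM ships one); the --check flag and the 30-day threshold are choices of this example.

```shell
#!/bin/sh
# Added example: sanity-check the certificate acme.sh installed on DSM 5.
# Paths are the ones passed to acme.sh --issue above; adjust if yours differ.

CERT=/usr/syno/etc/ssl/ssl.crt/server.crt
KEY=/usr/syno/etc/ssl/ssl.key/server.key
CHAIN=/usr/syno/etc/ssl/ssl.intercrt/server-ca.crt

# Return 0 if the public key inside the certificate ($1) is the public half
# of the private key ($2). Comparing SubjectPublicKeyInfo blobs rather than
# RSA moduli makes this work for EC keys as well.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate ($1) is still valid at least $2 days from now.
# -checkend avoids parsing dates in shell.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 if the certificate ($1) verifies through the intermediate ($2).
# The intermediate is given as -untrusted because it is not a trust anchor;
# the root comes from the system CA store.
cert_chain_ok() {
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# Print subject, issuer and expiry so you can see who really issued it.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

main() {
    cert="${1:-$CERT}"; key="${2:-$KEY}"; chain="${3:-$CHAIN}"
    status=0
    cert_summary "$cert"
    if cert_matches_key "$cert" "$key"; then
        echo "OK: certificate matches private key"
    else
        echo "FAIL: certificate and private key do not match"; status=1
    fi
    if cert_valid_for_days "$cert" 30; then
        echo "OK: more than 30 days of validity left"
    else
        echo "WARN: expires within 30 days (or already expired)"; status=1
    fi
    if cert_chain_ok "$cert" "$chain"; then
        echo "OK: chain verifies against the installed intermediate"
    else
        echo "FAIL: chain does not verify"; status=1
    fi
    return $status
}

# Only run the checks when invoked as: sh check-cert.sh --check [cert key chain]
# so the functions can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    shift
    main "$@"
    exit $?
fi
```

A mismatch between server.crt and server.key is the usual reason httpd refuses to start after a manual copy, so this is worth running once after the first --issue and again after any change to the --certpath/--keypath arguments.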

Automatic renew

Certificates are valid for 90 days. To automate renewal, go to Control Panel -> Task Scheduler and create a task that runs this user-defined script (acme.sh --cron only renews certificates that are due, so the task can safely run daily):

/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh

That’s all, folks!


Where are the certificates stored?

/usr/syno/etc/ssl/ssl.crt/server.crt (server certificate)
/usr/syno/etc/ssl/ssl.crt/ca.crt (certificate authority)
/usr/syno/etc/ssl/ssl.key/server.key (server certificate private key)
/usr/syno/etc/ssl/ssl.key/ca.key (CA private key)

This is useful if you have packages and other applications running on your NAS: point them at these files with symbolic links, and they will pick up the new certificate automatically each time it is renewed.

ln -s /usr/syno/etc/ssl/ssl.crt/server.crt /<your app>/cert.pem
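The single ln -s above is the idea; the script below, added here as an example and not part of the original post, turns it into a renewal hook suitable for the Task Scheduler entry above. It runs acme.sh --cron, refreshes cert/key/chain symlinks in each application directory passed to it, and makes sure the private key stays readable by root only before reloading httpd-sys. The DSM paths are the ones from this post; the application directories (for instance /volume1/@appstore/myapp/ssl) and the --run flag are hypothetical.

```shell
#!/bin/sh
# Added example: post-renewal hook for DSM 5 that publishes the renewed
# certificate to other packages via symlinks and keeps the private key
# owner-only. DSM paths are from the post; app directories are hypothetical.

SSL_DIR=/usr/syno/etc/ssl
CERT="$SSL_DIR/ssl.crt/server.crt"
KEY="$SSL_DIR/ssl.key/server.key"
CHAIN="$SSL_DIR/ssl.intercrt/server-ca.crt"
ACME_HOME=/volume1/.acme.sh

# Create or refresh cert.pem/key.pem/chain.pem symlinks in $1 pointing at
# the live DSM files. Symlinks rather than copies mean the app sees every
# renewal without further action; ln -sf makes re-runs idempotent.
link_certs_into() {
    app_dir=$1
    mkdir -p "$app_dir" || return 1
    ln -sf "$CERT"  "$app_dir/cert.pem"  || return 1
    ln -sf "$KEY"   "$app_dir/key.pem"   || return 1
    ln -sf "$CHAIN" "$app_dir/chain.pem" || return 1
}

# Return 0 if $1 grants no permissions to group or others
# (-rw------- or -r--------). Reads ls -l so it works on BusyBox.
is_owner_only() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Force the private key to mode 600 and confirm it. Apps that need the key
# should run as root or be handed a separately protected copy, not a
# world-readable one.
lock_down_key() {
    chmod 600 "$1" || return 1
    is_owner_only "$1"
}

# Renew if due, then republish to every app directory given as an argument
# and reload the system web server so DSM itself uses the new files.
renew_and_publish() {
    "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME" || return 1
    lock_down_key "$KEY" || return 1
    for app_dir in "$@"; do
        link_certs_into "$app_dir" || return 1
    done
    /usr/syno/sbin/synoservicecfg --reload httpd-sys
}

# Task Scheduler command (hypothetical app path):
#   sh renew-hook.sh --run /volume1/@appstore/myapp/ssl
if [ "${1:-}" = "--run" ]; then
    shift
    renew_and_publish "$@"
    exit $?
fi
```

Applications that cache the certificate in memory still need their own reload after renewal; add that to renew_and_publish next to the httpd-sys reload for each package you link.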

6 thoughts on “Installing a Free LetsEncrypt SSL certificate on DSM 5.x”

  1. I did get Let’s Encrypt on my NAS, but I’m wondering how I can use it as well for access to some of my WordPress pages (in fact WooCommerce checkout). Any suggestion?
    Thanks


    1. You can use the SSL certificate on any application that supports it, including WordPress. You would need to refer to the WordPress instructions as it is app specific.


  2. Awesome guidelines!

    The SSL certificate can be applied to DSM successfully after executing the script. However, it doesn’t apply to Web Station / Photo Station unless I manually uncheck and re-check ‘Enable HTTPS connection for web services’ after each certificate renewal. May I know if this can be automated as well?

    Thanks in advance!


    1. Sorry I’m not sure. I assumed that the native apps used the same cert location as the main system. Perhaps someone in the community can answer this one. Good luck!

