To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.
Let’s Encrypt is a nonprofit. Its mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Its services are free and easy to use so that every website can deploy HTTPS.
By securing your domain with a certificate from a publicly trusted CA, you also get the immediate benefit that browsers stop warning about an untrusted site, as they do for the self-signed certificate DSM ships with.
Credit to http://blog.raorn.name/2017/02/lets-encrypt-certificates-on-synology.html for the bulk of the information. I’ve added some supplementary material and additional detail.
Let’s Encrypt will also issue an SSL certificate for *.ddns.net (dynamic DNS) hostnames, which many certificate authorities (such as StartSSL) do not allow.
Enable Web Station
Control Panel -> Web Services. Tick “Enable Web Station” and “Enable HTTPS connection for web services”
Port Forward 80 & 443 (TCP)
On your router, forward TCP ports 80 and 443 to your Synology. Port 80 is what the certificate authority connects to for the HTTP-01 challenge used below (it fetches http://your.domain.name/.well-known/acme-challenge/<token> from the public Internet), and 443 is for the HTTPS service itself. The DNS record for your domain must resolve to your router’s external IP, otherwise the CA cannot reach the challenge and the issue step fails.
Install the ACME Client
DSM ships a very limited BusyBox shell and no Python by default, so the official client will not run there. Instead, download and install acme.sh, a pure-shell ACME client. Its README describes it as:
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
- Support ACME v1 and ACME v2
- Support ACME v2 wildcard certs
- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
- Bash, dash and sh compatible.
- Simplest shell script for Let’s Encrypt free certificate client.
- Purely written in Shell with no dependencies on python or the official Let’s Encrypt client.
- Just one script to issue, renew and install your certificates automatically.
- DOES NOT require root/sudoer access.
- Docker friendly
- IPv6 support
It’s probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let’s Encrypt.
Install to /volume1/.acme.sh (on the data volume, not the system partition) and do not create a cron job; renewal is scheduled through DSM’s Task Scheduler below. The script is fetched straight from the project’s master branch over HTTPS; if you prefer something reproducible, download a tagged release instead. The repository has since moved to https://github.com/acmesh-official/acme.sh, so adjust the URL if the old one stops working.
$ ssh root@ds410.local
BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
ds410> cd /volume1/
ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
--2017-02-16 14:34:05--  https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
Resolving raw.githubusercontent.com... 151.101.12.133
Connecting to raw.githubusercontent.com|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132328 (129K) [text/plain]
Saving to: 'acme.sh'
100%[==========================================================>] 132,328 --.-K/s in 0.1s
2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328]
ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode.
[Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning.
[Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh
[Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile'
[Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh
[Thr Feb 16 14:36:10 MSK 2017] OK
ds410> . /volume1/.acme.sh/acme.sh.env
ds410>
Issue certificate
ds410> acme.sh --issue -d your.domain.name \
    --webroot /var/lib/letsencrypt \
    --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \
    --keypath /usr/syno/etc/ssl/ssl.key/server.key \
    --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt \
    --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'
Webroot points to /var/lib/letsencrypt because, on this DSM version, /etc/httpd/conf/httpd.conf contains the line “Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge”, so challenge files placed there are served for every vHost. Check that the alias actually exists on your NAS before issuing (grep acme-challenge /etc/httpd/conf/httpd.conf); if it does not, use the document root of the vHost that serves your domain instead, e.g. /volume1/web, as described in the Web Services documentation. Either way the file must be reachable over plain HTTP on port 80: if the CA receives anything other than the token (a 404, or the HTML of a redirect to an HTTPS login page), it reports “Invalid response” and the order fails.
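Because a mismatch between what the CA fetches and what acme.sh wrote is the usual way this step fails, here is a small pre-flight check, added here as an example and not taken from the post or from acme.sh: it writes a probe token under the webroot and fetches it back over plain HTTP the way the CA would, then compares the two. The function names, the curl/wget fetch and the constructed token are assumptions of the example; run it on the NAS with the same domain and webroot you pass to acme.sh.

```shell
#!/bin/sh
# Added example (not from the original post, not acme.sh code): pre-flight
# check for the webroot (HTTP-01) challenge path. A random token file is
# written under WEBROOT/.well-known/acme-challenge/, fetched back from
# http://DOMAIN/.well-known/acme-challenge/TOKEN exactly as the CA would,
# and compared byte for byte.
# Assumptions: WEBROOT is the directory the web server's
# /.well-known/acme-challenge alias points at (/var/lib/letsencrypt in the
# post) and curl or wget is installed for the fetch.

CHALLENGE_SUBDIR=".well-known/acme-challenge"

# write_challenge_token WEBROOT: create a random probe file; print the token.
write_challenge_token() {
    webroot="$1"
    dir="$webroot/$CHALLENGE_SUBDIR"
    mkdir -p "$dir" || return 1
    # 16 random bytes as 32 hex characters; plenty for a throwaway probe
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ -n "$token" ] || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# remove_challenge_token WEBROOT TOKEN: clean up the probe file.
remove_challenge_token() {
    rm -f "$1/$CHALLENGE_SUBDIR/$2"
}

# http_get URL: print the response body with whatever client exists.
# curl does not follow redirects unless told to, so a redirect to HTTPS or
# to a login page shows up as a mismatch, which is exactly what we want to
# catch. (wget does follow redirects; a wrong body still fails the compare.)
http_get() {
    if command -v curl >/dev/null 2>&1; then
        curl -fsS --max-time 10 "$1"
    elif command -v wget >/dev/null 2>&1; then
        wget -qO- -T 10 "$1"
    else
        echo "need curl or wget" >&2
        return 2
    fi
}

# verify_challenge_response EXPECTED ACTUAL: 0 on exact match, 1 otherwise.
# A mismatch here is what the CA reports as "Invalid response".
verify_challenge_response() {
    expected="$1"
    actual="$2"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# http01_preflight DOMAIN WEBROOT: full round trip; 0 if the token comes
# back verbatim over port 80, 1 otherwise.
http01_preflight() {
    domain="$1"
    webroot="$2"
    token=$(write_challenge_token "$webroot") || return 1
    body=$(http_get "http://$domain/$CHALLENGE_SUBDIR/$token") || body=""
    remove_challenge_token "$webroot" "$token"
    if verify_challenge_response "$token" "$body"; then
        echo "OK: $domain serves the challenge file from $webroot"
    else
        echo "FAIL: got '$body' for token $token; check the alias, port 80 forwarding and HTTP->HTTPS redirects" >&2
        return 1
    fi
}

# Usage on the NAS:
#   http01_preflight your.domain.name /var/lib/letsencrypt
```

Run the check from a machine outside your LAN if you can, or at least make sure the domain resolves to the router’s external address from the NAS itself; a hairpin-NAT setup that works from inside can still hide a broken port forward.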
You can check that it’s successfully installed by going into Control Panel -> Security -> Certificate.
Automatic renew
Certificates are valid for 90 days. To automate the renewal, go to Control Panel -> Task Scheduler and create a daily task, run as root, with this user-defined script (--cron only renews certificates that are due, 60 days after issue by default, and then runs the --reloadcmd you gave at issue time):
/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh
That’s all, folks!
Where are the certificates stored?
/usr/syno/etc/ssl/ssl.crt/server.crt (server certificate)
/usr/syno/etc/ssl/ssl.intercrt/server-ca.crt (Let’s Encrypt intermediate chain, as written by --capath above)
/usr/syno/etc/ssl/ssl.crt/ca.crt (DSM’s own self-signed certificate authority, not Let’s Encrypt’s)
/usr/syno/etc/ssl/ssl.key/server.key (server certificate private key)
/usr/syno/etc/ssl/ssl.key/ca.key (DSM’s self-signed CA private key)
This is useful if packages or other applications on the NAS need the same certificate: point them at these paths, or symlink to them, so they pick up the renewed files automatically. Keep both private keys readable by root only, and remember that most services read the certificate only at start-up, so add a reload or restart of each of them to the --reloadcmd.
ln -s /usr/syno/etc/ssl/ssl.crt/server.crt /<your app>/cert.pem
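As an added example (not part of the original post and not acme.sh code), here is a deploy hook that can replace the symlink: given to acme.sh as the --reloadcmd, it copies the renewed certificate, chain and key into each application directory with root-only permissions on the key, atomically, and then reloads DSM’s web server. The destination file names (cert.pem, chain.pem, key.pem), the hook’s file name and the example application directory are assumptions; the source paths are the ones the post writes to.

```shell
#!/bin/sh
# Added example (not from the original post, not acme.sh code): deploy hook
# for acme.sh's --reloadcmd. Copies the freshly renewed certificate, chain
# and private key into every application directory given on the command
# line, with the key readable only by its owner, then reloads DSM's web
# server. A copy instead of a symlink lets each application own its file and
# lets the key's permissions be tightened independently of /usr/syno/etc/ssl.
# Assumptions: the cert.pem/chain.pem/key.pem names and the APP directories
# are illustrative; the source paths are the ones used in the post.

SRC_CERT=/usr/syno/etc/ssl/ssl.crt/server.crt
SRC_CHAIN=/usr/syno/etc/ssl/ssl.intercrt/server-ca.crt
SRC_KEY=/usr/syno/etc/ssl/ssl.key/server.key
RELOAD_CMD="/usr/syno/sbin/synoservicecfg --reload httpd-sys"

# install_one SRC DST MODE: copy to a temp file next to DST, fix the mode,
# then rename over DST, so a service reading the file never sees a
# half-written certificate. umask 077 keeps the temp file private even
# for the instant before chmod runs.
install_one() {
    src="$1"; dst="$2"; mode="$3"
    [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
    tmpf="$dst.tmp.$$"
    (umask 077 && cp "$src" "$tmpf") || return 1
    chmod "$mode" "$tmpf" && mv -f "$tmpf" "$dst"
}

# deploy_to_dir DIR [CERT CHAIN KEY]: install the three files into DIR.
# Returns 0 only if all three landed and the key is not group/world readable.
deploy_to_dir() {
    dir="$1"
    cert="${2:-$SRC_CERT}"; chain="${3:-$SRC_CHAIN}"; key="${4:-$SRC_KEY}"
    mkdir -p "$dir" || return 1
    install_one "$cert"  "$dir/cert.pem"  644 || return 1
    install_one "$chain" "$dir/chain.pem" 644 || return 1
    install_one "$key"   "$dir/key.pem"   600 || return 1
    # belt and braces: refuse to report success if the key mode is not 0600
    [ -n "$(find "$dir/key.pem" -perm 600)" ]
}

# deploy_all DIR...: deploy to every directory, then reload the web server.
# Any failed directory is reported and makes the hook exit non-zero, which
# acme.sh records in its log.
deploy_all() {
    rc=0
    for d in "$@"; do
        deploy_to_dir "$d" || { echo "deploy to $d failed" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] && $RELOAD_CMD
    return "$rc"
}

# Act only when run as a script, not when sourced. Example (hypothetical
# package directory):
#   acme.sh --issue ... --reloadcmd \
#     '/volume1/.acme.sh/deploy-hook.sh /volume1/@appstore/myapp/ssl'
case "$0" in
    */deploy-hook.sh) deploy_all "$@" ;;
esac
```

If a package needs the files under different names or combined into one PEM, add an install_one call for that shape rather than symlinking into the package directory: package updates tend to replace their own directories, and a dangling symlink there fails silently at the next renewal.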
Thank you so much for this! You saved my day!
You’re welcome!
I did get Let’s Encrypt on my NAS, but I’m wondering how I can use it as well for access to some of my WordPress pages (in fact the WooCommerce checkout). Any suggestion?
Thanks
You can use the SSL certificate on any application that supports it, including WordPress. You would need to refer to the WordPress instructions as it is app specific.
Awesome guidelines!
The SSL certificate can be applied to DSM successfully after executing the script. However, it doesn’t apply to Web Station / Photo Station unless ‘Enable HTTPS connection for web services’ is manually unchecked and re-checked after each certificate renewal. May I know if this can be automated as well?
Thanks in advance!
Sorry I’m not sure. I assumed that the native apps used the same cert location as the main system. Perhaps someone in the community can answer this one. Good luck!
In 2021 I have issues with that procedure, see: https://github.com/acmesh-official/acme.sh/issues/3684
Well, basically I got this error first:
[Thr Sep 2 19:56:24 CEST 2021] sv.simact.de:Verify error:Invalid response from http://sv.simact.de/.well-known/acme-challenge/y4vA7PqesRArN-XonQd2dD-dAQONi23zPQbEol1gyBM [79.231.121.83]:
[Thr Sep 2 19:56:24 CEST 2021] Please check log file for more details: /volume1/.acme.sh/acme.sh.log
WARNING: can’t open config file: /usr/syno/ssl/openssl.cnf
Then I tried:
cd /usr/syno
mkdir ssl
cd ssl
wget http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf
and issue again with --server letsencrypt
now i get:
Markus> acme.sh --issue -d sv.simact.de --server letsencrypt \
    --webroot /var/lib/letsencrypt \
    --certpath /usr/syno/etc/ssl/ssl.crt/server.crt \
    --keypath /usr/syno/etc/ssl/ssl.key/server.key \
    --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt \
    --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'
[Thr Sep 2 20:02:09 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thr Sep 2 20:02:09 CEST 2021] Single domain=’sv.simact.de’
[Thr Sep 2 20:02:09 CEST 2021] Getting domain auth token for each domain
[Thr Sep 2 20:02:13 CEST 2021] Getting webroot for domain=’sv.simact.de’
[Thr Sep 2 20:02:13 CEST 2021] Verifying: sv.simact.de
[Thr Sep 2 20:02:14 CEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Thr Sep 2 20:02:17 CEST 2021] sv.simact.de:Verify error:Invalid response from http://sv.simact.de/.well-known/acme-challenge/fSG63PIpjoU39XqR1uP1ji1aoPuKzam75hL9qtyP8vQ [79.231.121.83]:
[Thr Sep 2 20:02:17 CEST 2021] Please check log file for more details: /volume1/.acme.sh/acme.sh.log
Note also that my file httpd.conf does not contain the mentioned alias:
Markus> cat /etc/httpd/conf/httpd.conf | grep alias
LoadModule alias_module modules/mod_alias.so
Dear Aaron,
Thanks very much for this great tutorial.
I’m not familiar with shell.
I tried to follow the steps, which works fine until issuing the certificate, where I receive an error 400.
My NAS is an old DS210J running DSM 5.2, as I can’t upgrade it.
Do you know if there is any solution to solve this error 400?
Thanks in advance.
Mat
You need to make sure that your DNS record points to your NAS that can accept the request.
i.e. mat.domain.com needs to point to the external IP of your router.
Other than that, the only other thing I can suggest is googling “ACME error 400”. They all suggest it’s a DNS issue.
https://github.com/win-acme/win-acme/issues/560
Thanks, will check that !
Thanks for this tutorial for an old NAS under DSM 5.2.
Now the certificate cannot be renewed since Oct 2021, maybe due to the tls-sni-01 EOL with Let’s Encrypt, and no support for http-01 and dns-01 under DSM 5.2.
Found a solution: add --insecure for the first certificate or renew
/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh --insecure
Adding --insecure is necessary only one time: the option is automatically added to the acme.conf