Installing a Free LetsEncrypt SSL certificate on DSM 5.x

To enable HTTPS on your website, you need to get a certificate from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host.

Let’s Encrypt is a nonprofit. Its mission is to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS. Its services are free and easy to use so that every website can deploy HTTPS.

By securing your domain, you’ll also have the immediate benefit that your browser no longer warns you that the site may be untrusted.

 


Credit to http://blog.raorn.name/2017/02/lets-encrypt-certificates-on-synology.html for the bulk of the information.  I’ve added some supplementary material and added some additional detail.

LetsEncrypt also allows you to generate an SSL certificate for *.ddns.net domains, which many certificate authorities (such as StartSSL) do not allow.

Enable Web Station

Control Panel -> Web Services.  Tick “Enable Web Station” and “Enable HTTPS connection for web services”


Port Forward 80 & 443 (TCP)

On your router, forward ports 80 and 443/TCP to your Synology. This is required so the certificate authority can reach your NAS over HTTP to verify that you control the domain.

Install the ACME Client

Since DSM has a very limited shell, you’ll need to download and install the acme.sh client.

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • Full ACME protocol implementation.
  • Support ACME v1 and ACME v2
  • Support ACME v2 wildcard certs
  • Simple, powerful and very easy to use. You only need 3 minutes to learn it.
  • Bash, dash and sh compatible.
  • Simplest shell script for Let’s Encrypt free certificate client.
  • Purely written in Shell with no dependencies on python or the official Let’s Encrypt client.
  • Just one script to issue, renew and install your certificates automatically.
  • DOES NOT require root/sudoer access.
  • Docker friendly
  • IPv6 support

It’s probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let’s Encrypt.

Install to /volume1/.acme.sh, and do not create cronjob:

$ ssh root@ds410.local
BusyBox v1.16.1 (2016-04-26 17:11:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ds410> cd /volume1/
ds410> wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
--2017-02-16 14:34:05--  https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
Resolving raw.githubusercontent.com... 151.101.12.133
Connecting to raw.githubusercontent.com|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132328 (129K) [text/plain]
Saving to: 'acme.sh'

100%[==========================================================>] 132,328     --.-K/s   in 0.1s    

2017-02-16 14:34:05 (916 KB/s) - 'acme.sh' saved [132328/132328]

ds410> sh ./acme.sh --install --nocron --home /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thr Feb 16 14:36:09 MSK 2017] We use nc for standalone server if you use standalone mode.
[Thr Feb 16 14:36:09 MSK 2017] If you don't use standalone mode, just ignore this warning.
[Thr Feb 16 14:36:09 MSK 2017] Installing to /volume1/.acme.sh
[Thr Feb 16 14:36:09 MSK 2017] Installed to /volume1/.acme.sh/acme.sh
[Thr Feb 16 14:36:10 MSK 2017] Installing alias to '/root/.profile'
[Thr Feb 16 14:36:10 MSK 2017] OK, Close and reopen your terminal to start using acme.sh
[Thr Feb 16 14:36:10 MSK 2017] OK
ds410> . /volume1/.acme.sh/acme.sh.env
ds410>

 

Issue certificate

ds410> acme.sh --issue -d your.domain.name --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'

The webroot is /var/lib/letsencrypt because /etc/httpd/conf/httpd.conf contains the line “Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge”. If your httpd.conf has no such alias, use the directory your vHost points to instead (“/volume1/web” or wherever your vHost is configured); refer to the Web Services documentation.

You can check that it’s successfully installed by going into Control Panel -> Security -> Certificate.


Automatic renew

Certificates are valid for 90 days. To automate the renewal, go to Control Panel -> Task Scheduler and create a task with a User-defined script:

/volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh
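An added pre-flight and post-renewal check script (example code written for this page, not from the original post or from acme.sh): it derives the --webroot value from the httpd.conf Alias line quoted above, writes a test token into the challenge directory to confirm httpd could serve it, and after the --cron run checks that the deployed server.crt still has a chosen number of days of validity left. It assumes openssl is available for the expiry check; the sample httpd.conf it writes is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh: pre-flight checks
# for the http-01 webroot used by the --issue command above, plus a
# post-renewal expiry check. The sample httpd.conf written below is constructed.
# Derive the value for --webroot from the Alias line for /.well-known/acme-challenge
# in httpd.conf. Returns 1 when no such alias exists; the webroot is then the
# vHost document root instead (e.g. /volume1/web).
acme_webroot_from_conf() {
    target=$(sed -n 's#^[[:space:]]*Alias[[:space:]]\{1,\}/\.well-known/acme-challenge[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*#\1#p' "$1" | head -n 1)
    [ -n "$target" ] || return 1
    printf '%s\n' "${target%/.well-known/acme-challenge}"
}

# Write a token where the CA will fetch it and confirm it is readable by
# "other" (httpd does not run as root). The token is removed afterwards.
challenge_dir_selftest() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="$dir/selftest-$$"
    printf 'selftest\n' > "$token" || return 1
    chmod 644 "$token"
    rc=1
    [ "$(ls -l "$token" | cut -c8)" = r ] && rc=0
    rm -f "$token"
    return $rc
}

# 0 if CERT is still valid DAYS days from now, 1 if it will have expired by then
# (a renewal that silently stopped, as in the comments), 2 without openssl.
cert_valid_for_days() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}
# Constructed sample of the two relevant httpd.conf lines quoted in the post.
write_sample_httpd_conf() {
    cat > "$1" <<'EOF'
LoadModule alias_module modules/mod_alias.so
Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
EOF
}
preflight_demo() {
    tmp=$(mktemp -d)
    write_sample_httpd_conf "$tmp/httpd.conf"
    webroot=$(acme_webroot_from_conf "$tmp/httpd.conf") || webroot=/volume1/web
    echo "pass --webroot $webroot to acme.sh --issue"
    challenge_dir_selftest "$tmp$webroot" && echo "challenge directory usable"
    rm -rf "$tmp"
}
case "${1:-}" in --demo) preflight_demo ;; esac
```

Run it with --demo for the constructed sample, or call the functions against the real /etc/httpd/conf/httpd.conf and /usr/syno/etc/ssl/ssl.crt/server.crt from the Task Scheduler script.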

That’s all, folks!

 

Where are the certificates stored?

/usr/syno/etc/ssl/ssl.crt/server.crt (server certificate)
/usr/syno/etc/ssl/ssl.crt/ca.crt (certificate authority)
/usr/syno/etc/ssl/ssl.key/server.key (server certificate private key)
/usr/syno/etc/ssl/ssl.key/ca.key (CA private key)

This is useful if you have packages and other applications running on your NAS: point them at these files with a symbolic link, and they pick up the renewed certificate automatically.

ln -s /usr/syno/etc/ssl/ssl.crt/server.crt /<your app>/cert.pem

13 thoughts on “Installing a Free LetsEncrypt SSL certificate on DSM 5.x”

  1. I did get Let’s Encrypt on my NAS, but I’m wondering how I can use it as well for access to some of my WordPress pages (in fact the WooCommerce checkout). Any suggestions?
    Thanks

    1. You can use the SSL certificate on any application that supports it, including WordPress. You would need to refer to the WordPress instructions as it is app-specific.

  2. Awesome guidelines!

    The SSL certificate can be applied to DSM successfully after executing the script. However, it doesn’t apply to Web Station / Photo Station unless I manually uncheck and re-check ‘Enable HTTPS connection for web services’ after each certificate renewal. May I know if this can be automated as well?

    Thanks in advance!

    1. Sorry, I’m not sure. I assumed that the native apps used the same cert location as the main system. Perhaps someone in the community can answer this one. Good luck!

    1. Well, basically I got this error first:
      [Thr Sep 2 19:56:24 CEST 2021] sv.simact.de:Verify error:Invalid response from http://sv.simact.de/.well-known/acme-challenge/y4vA7PqesRArN-XonQd2dD-dAQONi23zPQbEol1gyBM [79.231.121.83]:
      [Thr Sep 2 19:56:24 CEST 2021] Please check log file for more details: /volume1/.acme.sh/acme.sh.log
      WARNING: can't open config file: /usr/syno/ssl/openssl.cnf

      Then I tried:
      cd /usr/syno
      mkdir ssl
      cd ssl
      wget http://123adm.free.fr/home/pages/documents/syno-cert_fichiers/openssl.cnf
      and issued again with --server letsencrypt

      Now I get:
      Markus> acme.sh --issue -d sv.simact.de --server letsencrypt --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd '/usr/syno/sbin/synoservicecfg --reload httpd-sys'
      [Thr Sep 2 20:02:09 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
      [Thr Sep 2 20:02:09 CEST 2021] Single domain='sv.simact.de'
      [Thr Sep 2 20:02:09 CEST 2021] Getting domain auth token for each domain
      [Thr Sep 2 20:02:13 CEST 2021] Getting webroot for domain='sv.simact.de'
      [Thr Sep 2 20:02:13 CEST 2021] Verifying: sv.simact.de
      [Thr Sep 2 20:02:14 CEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
      [Thr Sep 2 20:02:17 CEST 2021] sv.simact.de:Verify error:Invalid response from http://sv.simact.de/.well-known/acme-challenge/fSG63PIpjoU39XqR1uP1ji1aoPuKzam75hL9qtyP8vQ [79.231.121.83]:
      [Thr Sep 2 20:02:17 CEST 2021] Please check log file for more details: /volume1/.acme.sh/acme.sh.log

      1. Note also that my file httpd.conf does not contain the mentioned alias:

        Markus> cat /etc/httpd/conf/httpd.conf | grep alias
        LoadModule alias_module modules/mod_alias.so

  3. Dear Aaron,
    Thanks very much for this great tutorial.
    I’m not familiar with shell.
    I tried to follow the steps, which worked fine until issuing the certificate, as I receive an error 400.

    My NAS is an old DS210J running DSM 5.2, as I can’t upgrade it.

    Do you know if there is any solution to solve this error 400?
    Thanks in advance.
    Mat

  4. Thanks for this tutorial for an old NAS under DSM 5.2.
    Now the certificate cannot be renewed since October 2021, maybe due to the tls-sni-01 EOL with Let’s Encrypt, and no support of http-01 and dns-01 under DSM 5.2.
    Found a solution: add --insecure for the first certificate or renewal:
    /volume1/.acme.sh/acme.sh --cron --home /volume1/.acme.sh --insecure
    Adding --insecure is necessary only one time: the option is automatically added to the acme.conf.
