Synology Lets Encrypt

Synology DSM 7 with Lets Encrypt and DNS Challenge

BrianSnelgrove - August 15, 2021
Posted Under: Administration
This post outlines the steps I needed to get Let's Encrypt to work on a Synology device that has been upgraded to DSM 7 and is not accessible from the public internet.

 

Unless otherwise noted, all directions are for Debian based systems. Most steps will work for other distributions but some commands may need modifications.

Synology Fan (but not fan boy).

I have been a fan of Synology Network Attached Storage (NAS) devices for several years. I personally have one, I have installed one at a family members house, and deployed two of them for backup solutions in an enterprise environment. They have all proven to be reliable and very stable. For personal use they can be a bit expensive but in the enterprise environment they are down right cheap compared to the alternatives.

I have three complaints about the Synology devices: Surveillance Station  licenses are kinda expensive (but worth it for the features), the DSM 7 upgrade does not support DS Cloud (Android app I was using to back up my phone), and I hate the certificate errors you get when you access the DSM web interface. Unfortunately there is not much I can do about the first complaint. The second complaint was easily resolved with the use of either DS File or Synology Photos. The third complaint can also be addressed in multiple ways, that is why we are here right now!

SSL Certificates?

Secure Socket Layer (SSL) Certificates are what your browser uses to contact a website securely to protect usernames, passwords, credit cards, data, etc. There is a “self signed” certificate installed on the Synology devices by default. They DO provide security but your web browser complains about them and you have to click various buttons/links to continue to the website. Ask nearly any enterprise administrator about this annoyance and they will be used to self signed SSL certificates – they are all over the place in administrative tools. However for an end user it does not inspire confidence when they have to click through error messages to access a system that has important and potentially sensitive data on it. 

There IS a built in way to get a valid SSL certificate on a Synology device but it has one MAJOR drawback: your Synology device has to be accessible on ports 80 and 443 to the public internet OR you have to use the Synology DDNS service. For some users that may not be a big deal but I don’t imagine the majority of users will want their Synology device accessible to the public internet or have to use a strange URL (DeviceName.synology.me for example) to access their data. In my case ports 80 and 443 are blocked by my home Internet Service Provider so the first option is not available to me and I don’t like the second idea.

The solution I went with? Lets Encrypt will provide free SSL certificates and acmesh (https://github.com/acmesh-official/acme.sh) has provided a script that can be used without port 80 and 443 being open to the public internet. 

There has to be a catch.

Well, there kinda is. You will need a domain with a registrar that provides an Application Programming Interface (API) to update some information. There are LOTS of choices available but the process provided by acemsh supports: Cloudflare, DNSPod.cn, CloudXNS.com, GoDaddy.com, and several others. I personally use GoDaddy and already have a post (https://www.dr-b.io/post/DDNS-Using-GoDaddy) that involves the GoDaddy API. The other providers should work fine and most of this post should work with the others but I have only tested with GoDaddy. YMMV.

Where to start?

There are guides all over the internet (https://www.driscocity.com/synology-dsm-6-2-lets-encrypt-dns-challenge-route53/ and https://lippertmarkus.com/2020/03/14/synology-le-dns-auto-renew/ for example) that explain most of what I am about to go over but in my case it took a bit more work than they outline. While they are certainly worth a read I will try to bring attention to the steps I had to modify to get this working on my Synology DSM 7 system.

First, make sure you have a domain name registered with your registrar of choice (GoDaddy in my case) and get the API key and API secret that will be needed. For GoDaddy you can log into https://developer.godaddy.com and generate new API keys for this project. Make sure you create a production key and copy the secret before you close the window, you will not be able to retrieve the secret once you close the window. Once you have that you are ready to start!

Create a user in Synology DSM.

Log into your Synology device, click Control Panel, click User & Group, and click Create. I used certadmin as the username and give the user a good description. Make sure the user is a member of the administrators group (this is required for SSH access that we will be using in a moment) and the http group (this is required for the process to authenticate to DSM in the SSH session). The certadmin user only needs Read/Write access to the homes folder and you can deny access to all applications. NOTE: some other guides do not specify adding the user to the administrators and http groups, this is required! Once the user has been created go back to the Control Panel home and click Terminal & SNMP. Check Enable SSH service and click apply.

Now for the fun stuff!

You probably came here to figure out how to do something not read my ramblings, well here you go! Use a SSH client (https://www.putty.org is a good option for Windows but Linux users have a ssh client by default). If you are using putty enter the IP address or host name of your Synology device, make sure SSH is checked, and click open. You will be prompted with a security alert, it is OK to click Yes. You will then be prompted for the username (certadmin in my case). If you are using a Mac or Linux computer open a terminal window and use the built in SSH client by entering:

ssh certadmin@YOURHOSTorIPADDRESS

After continuing past the security warning you will be prompted for the password. Enter the password you created for the Synology user above (you may not see any input as you type) and press enter to log into the Synology device. Don't let a SSH session scare you; the command line is your friend!

The next few commands (copy/paste them one at a time if you want) will download the script, extract the zip file, move the files to a different folder, give the new user ownership of the files, and put you in the correct directory. Each of these commands should be on a single line. Most of these commands are borrowed from https://www.driscocity.com/synology-dsm-6-2-lets-encrypt-dns-challenge-route53/.

wget -O /tmp/acme.sh.zip https://github.com/acmesh-official/acme.sh/archive/master.zip

sudo 7z x -o/usr/local/share /tmp/acme.sh.zip

sudo mv /usr/local/share/acme.sh-master/ /usr/local/share/acme.sh

sudo chown -R certadmin /usr/local/share/acme.sh/

cd /usr/local/share/acme.sh

Now that we have the necessary files we will need to create a few variables for the script to work. Be sure to replace the following with your information!

export GD_Key="YOUR GODADDY KEY"
export GD_Secret="YOUR GODADDY SECRET"
export SYNO_Username="certadmin"
export SYNO_Password="YOUR CERTADMIN PASSWORD"
export SYNO_Certificate="Let's Encrypt"
export SYNO_Create=1

If you are not using GoDaddy as your domain registrar you can visit https://github.com/acmesh-official/acme.sh/wiki/dnsapi for the export commands needed for other registrars.

Use the following command to get the first certificate. Be sure to update your domain name!

./acme.sh --server letsencrypt --issue -d "*.YOURDOMAIN.NAME" --dns dns_gd --home $PWD

Other guides don’t include the --server argument that specifies letsencrypt. If you are using a different registrar you will need to reference the github page above to determine what to use for the --dns argument.

It will take about 1 minute for the process to complete. Don't worry, there is text on the screen that lets you know what is happening. This process just created and downloaded the certificate to your Synology device, it didn’t tell the Synology to start using it. That is done with this command:

./acme.sh -d "*.YOURDOMAIN.NAME" --deploy --deploy-hook synology_dsm --home $PWD

You should see some text indicating the script was able to log into your Synology device, getting the certificates, applying the certificates, and restarting the web server. If you log into your Synology device using https now you should see a valid certificate! Some guides indicate that you will have to go to the Control Panel, Security, Certificate to see the new certificate and apply it, in my case it was applied automagically. 

Now that you have a valid and working SSL certificate make sure your browsers use it! Log into the Synology device and go into the Control Panel and Login Portal. Check Automatically redirect HTTP connections to HTTPS for DSM desktop and click Save. Once you are sure things are working the way you want go back to the Control Panel and Terminal & SNMP to disable SSH access. Remember, disabling unneeded services is good security protocol!

Now what?

Well, you have the certificate installed and working but if you check the certificate you will see it is only valid for 90 days. It is easy enough to automatically renew the certificate by logging into the Synology going to the Control Panel and Task Scheduler. Click Create and select Scheduled Task and User-defined Script. Give the task a descriptive name and make sure certadmin is the selected user. Schedule the task to occur every day and enter the user-defined script in the Task Settings tab. In my case I used the following.

/usr/local/share/acme.sh/acme.sh --renew -d "*.YOURDOMAIN.NAME" --home /usr/local/share/acme.sh --server letsencrypt

There you have it!

Just a few relatively easy steps and you have a working valid SSL certificate on your Synology that will automagically renew itself before it expires. Now, get onto your next project!


Discussion - all postings are moderated