๐Ÿ› ๏ธ Synology NAS: How to Get a Wildcard Let’s Encrypt Certificate for Any Domain

Obtaining a wildcard Let’s Encrypt certificate on your Synology NAS can be a bit tricky due to the limitations of DSM 7 (DiskStation Manager). By default, DSM 7 supports standard domain certificates via HTTP-01 challenges, but wildcard certificates require DNS-01 challenges, which involve creating specific DNS TXT records. Unfortunately, DSM 7 does not have built-in support for automated DNS-01 challenges, so you’ll need to take some extra steps. But don’t worry, I’ve got you covered! 😉

Limitations and Workarounds

  • Native DSM 7 Support: Only standard domain certificates via HTTP-01 challenges are natively supported, which requires exposing your NAS to the internet.
  • Wildcard Certificates: For wildcard certificates, DSM 7 does not support automated DNS-01 challenges, making it necessary to manually configure DNS records or use third-party tools.

🔑 The Solution: Use the GitHub repository “Create and maintain a Let’s Encrypt certificate on a Synology NAS” by Jess Thrysoee, and leverage Cloudflare as your DNS provider. Cloudflare is one of the many supported DNS providers that can automate the DNS-01 challenges required for wildcard certificates.

๐Ÿ“ Step 1: Configure the Environment

First, you need to update the environment variables in the /usr/local/etc/synology-letsencrypt/env file with your domain(s), email, and DNS API key.

DOMAINS=(--domains "example.com" --domains "*.example.com")
EMAIL="user@example.com"

# Specify the DNS provider (the full list of providers and their variables is at https://go-acme.github.io/lego/dns/); this config uses Cloudflare
DNS_PROVIDER="cloudflare"
export CLOUDFLARE_EMAIL=xxxxxxxx@gmail.com
export CLOUDFLARE_API_KEY=xxxxxxxxxxx

🔒 Important: Make sure the CLOUDFLARE_API_KEY is your “Global API Key” from Cloudflare. That key grants full access to your whole Cloudflare account, so keep the env file readable by root only (chmod 600); if you prefer a least-privilege credential, the lego Cloudflare provider also accepts a scoped API token via CLOUDFLARE_DNS_API_TOKEN instead of the email/key pair.

🚀 Step 2: Run the Script

Next, follow the instructions in the GitHub repository to run the script:

/usr/local/bin/synology-letsencrypt.sh

🔄 Automate Renewal with Task Scheduler

Let’s Encrypt certificates need to be renewed every 90 days. To avoid any service interruptions, it’s best to renew them about 30 days before they expire. You can automate this renewal process using the Task Scheduler on your Synology NAS.

Go to Synology DSM -> Control Panel -> Task Scheduler.

Click Create -> Scheduled Task -> User-defined script.

Under General, set the User to root.

Under Task Settings, set the User-defined script to:

/bin/bash /usr/local/bin/synology-letsencrypt.sh
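The wrapper below is an added example (it is not part of Jess Thrysoee's synology-letsencrypt project or of the instructions above) that ties Step 1 and the scheduled task together: before anything runs, it checks that the env file holding the DNS API key is complete and readable by root only, then it looks at how many days the current certificate has left and calls the renewal script only when 30 days or fewer remain. CERT_FILE is a placeholder path, the --run flag is my own convention, and the use of openssl and a date command that understands -d on DSM 7 is an assumption.

```shell
#!/bin/bash
# Added example, not part of the synology-letsencrypt project: a wrapper for the
# DSM Task Scheduler job. It refuses to run when the env file (which holds the
# DNS API key) is readable by other users or is missing required settings, and
# it calls the renewal script only when the certificate is close to expiry.

ENV_FILE="${ENV_FILE:-/usr/local/etc/synology-letsencrypt/env}"
RENEW_SCRIPT="${RENEW_SCRIPT:-/usr/local/bin/synology-letsencrypt.sh}"
CERT_FILE="${CERT_FILE:-/path/to/current/cert.pem}"   # assumed placeholder path
RENEW_DAYS="${RENEW_DAYS:-30}"                        # renew this many days before expiry

# check_env_file FILE: succeed only if FILE exists, has no group/other permission
# bits set, and defines DOMAINS, EMAIL and DNS_PROVIDER. Problems go to stdout.
check_env_file() {
  local f="$1" bad=0 mode var
  [ -f "$f" ] || { echo "missing env file: $f"; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;   # 600, 400, 700: owner only
    *) echo "$f is mode $mode; it holds the DNS API key, use chmod 600"; bad=1 ;;
  esac
  for var in DOMAINS EMAIL DNS_PROVIDER; do
    grep -qE "^(export )?${var}=" "$f" || { echo "$f does not set $var"; bad=1; }
  done
  return "$bad"
}

# days_until EXPIRY_EPOCH [NOW_EPOCH]: whole days from now until expiry
# (zero or negative once the certificate has expired).
days_until() {
  local expiry="$1" now="${2:-$(date +%s)}"
  echo $(( (expiry - now) / 86400 ))
}

# needs_renewal EXPIRY_EPOCH [NOW_EPOCH]: true when RENEW_DAYS or fewer remain.
needs_renewal() {
  [ "$(days_until "$1" "${2:-}")" -le "$RENEW_DAYS" ]
}

# cert_expiry_epoch CERT_PEM: notAfter of the certificate as a Unix timestamp.
# Assumes openssl and a date that understands -d are available on the NAS.
cert_expiry_epoch() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate) || return 1
  date -d "${end#notAfter=}" +%s
}

# run_job: entry point for the scheduled task (run as root).
run_job() {
  check_env_file "$ENV_FILE" || return 1
  if [ -r "$CERT_FILE" ]; then
    local expiry
    expiry=$(cert_expiry_epoch "$CERT_FILE") || return 1
    if ! needs_renewal "$expiry"; then
      echo "certificate still valid for $(days_until "$expiry") days, skipping"
      return 0
    fi
  fi
  echo "renewing certificate"
  /bin/bash "$RENEW_SCRIPT"
}

# Invoke as: renew-wrapper.sh --run   (the functions can also be sourced alone).
case "${1:-}" in --run) run_job ;; esac
```

Save it as, for example, /usr/local/bin/renew-wrapper.sh (name assumed), make it root-only, and point the Task Scheduler script at `/bin/bash /usr/local/bin/renew-wrapper.sh --run`. Scheduling it daily is safe: nothing happens until the certificate is inside the renewal window, and a world-readable env file stops the job before the API key is ever used.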

🎉 And That’s It!

Enjoy your new wildcard Let’s Encrypt certificate on your Synology NAS! This setup will ensure your certificates are always up to date, with minimal hassle on your part.

If you run into any issues, don’t hesitate to consult the GitHub repository or ask for help from the community. Happy NAS managing! 🌟
