CLI script to programmatically replace SSL certs on Synology NAS
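#!/bin/sh
#
# *** For DSM v7.x ***
#
# CAUTION: DSM removes files from ~root on various system updates/upgrades. That's why this is copied across from pfSense each time.
# This version augmented with:
#  - switches to use alt port instead of 22
#  - configuration for several popular packages that use SSL (including correct permission updates)
#  - instructions on finding all other installed packages using SSL
#  - latest nginx restart
#  - copying all four *.pem files from pfSense, and includes renaming from the acme version
#  - fixed bugs in use of sudo (don't put perm in sudoers, it will be removed; sudo runs as root not $USER)
#
# To catalog all cert sets on your NAS: sudo find /usr -name 'chain.pem' -printf '%Tc %M %u:%g %s %p\n'
# (This shows dates, sizes, owner:group plus full name)
#
# How to use this script:
# 1. Get your 3 PEM files ready to copy over from your local machine/update server (privkey.pem, chain.pem, fullchain.pem, cert.pem)
#    and put into a directory (this will be $CERT_DIRECTORY). (.key->privkey, .ca->chain, .fullchain->, .crt->cert
# 2. Ensure you have a user setup on synology that has ssh access (and ssh access is setup).
#    This user will need to be able to login w/o using a password, sudo as root (i.e. add this line to sudoers.d/sudu-USER, <USER> is the user you create):
#    <USER> ALL=(ALL) NOPASSWD: /var/services/homes/<USER>/replace_synology_ssl_certs.sh
#    (CAUTION: do NOT add directly to sudoers! All user-supplied edits are removed when DSM updates.)
# 3. Call this script from pfSense root user as follows (replace "foo" with your domain from /conf/acme):
#    cd ~ \
#    && mkdir -pv tmpcerts \
#    && cp -f /conf/acme/foo.key tmpcerts/privkey.pem \
#    && cp -f /conf/acme/foo.ca tmpcerts/chain.pem \
#    && cp -f /conf/acme/foo.fullchain tmpcerts/fullchain.pem \
#    && cp -f /conf/acme/foo.crt tmpcerts/cert.pem \
#    && sudo scp -P nnnnn ${CERT_DIRECTORY}/{privkey,chain,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/ \
#    && sudo scp -P nnnnn replace_synology_ssl_certs.sh $USER@$SYNOLOGY_SERVER:~/ \
#    && ssh -p nnnnn $USER@$SYNOLOGY_SERVER 'sudo ~$USER/replace_synology_ssl_certs.sh' \
#    && ssh -p nnnnn $USER@$SYNOLOGY_SERVER 'rm /tmp/{privkey,chain,fullchain,cert}.pem'
#
# Script start.
#
# Written for POSIX sh (no brace expansion, no arrays, no `local`) so it behaves the
# same whether /bin/sh is bash, dash or busybox on the NAS.

set -u

# The four files that make up one certificate set. They are expected under
# STAGING_DIR (the caller scp's them there, see usage above) and are written with
# these same names into every target directory below.
CERT_FILES="privkey chain fullchain cert"
# NOTE(review): /tmp is shared and world-writable; the caller removes the staged
# files afterwards (usage step 3). Staging under the ssh user's home would avoid
# leaving key material in a shared directory at all.
STAGING_DIR=/tmp
# Canonical location; every other location is refreshed from here once the
# staged set has been installed there successfully.
SYSTEM_DEFAULT=/usr/syno/etc/certificate/system/default

# Packages
# Script only uses the folders you actually have
SCSITARGET_DIR=/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server/
SYNODRIVE_DIR=/usr/local/etc/certificate/SynologyDrive/SynologyDrive/
WEBDAV_DIR=/usr/local/etc/certificate/WebDAVServer/webdav/
ACTIVEBACK_DIR=/usr/local/etc/certificate/ActiveBackup/ActiveBackup/
SMBFTPD_DIR=/usr/syno/etc/certificate/smbftpd/ftpd/
# Standard folders
REVERSE_PROXY=/usr/syno/etc/certificate/ReverseProxy
FQDN_DIR=/usr/syno/etc/certificate/system/FQDN
ARCHIVE_DIR=/usr/syno/etc/certificate/_archive
# The _archive/DEFAULT file names the subdirectory DSM currently treats as the
# default (uploaded) certificate set; it may be absent on a fresh system.
DEFAULT_DIR=
DEFAULT_DIR_NAME=
if [ -r "${ARCHIVE_DIR}/DEFAULT" ]; then
  DEFAULT_DIR_NAME=$(cat "${ARCHIVE_DIR}/DEFAULT")
fi
if [ -n "$DEFAULT_DIR_NAME" ]; then
  DEFAULT_DIR="${ARCHIVE_DIR}/${DEFAULT_DIR_NAME}"
fi

# Labels of optional targets that could not be fully updated (reported at the end).
FAILED_TARGETS=
# Packages whose certificate directory was found and therefore need a restart.
RESTART_PKGS=

#######################################
# Print a diagnostic to stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Print a diagnostic to stderr and abort the script.
# Arguments: message words
# Returns:   never (exit 1)
#######################################
die() {
  warn "$*"
  exit 1
}

#######################################
# Copy one certificate set from a source dir into a destination dir and fix
# ownership and private-key mode.
# Arguments: $1 source dir, $2 destination dir, $3 owner:group for the files
# Returns:   0 if every file was copied and chowned, 1 on the first failure
#######################################
install_cert_set() {
  ics_src=$1
  ics_dst=$2
  ics_owner=$3
  for ics_f in $CERT_FILES; do
    cp -f "${ics_src}/${ics_f}.pem" "${ics_dst}/${ics_f}.pem" || return 1
    chown "$ics_owner" "${ics_dst}/${ics_f}.pem" || return 1
  done
  # A freshly created file inherits the staged copy's mode; the private key must
  # never be group- or world-readable regardless of how it arrived.
  chmod go-rwx "${ics_dst}/privkey.pem" || return 1
  return 0
}

#######################################
# Refresh an optional target directory from SYSTEM_DEFAULT when it exists.
# Globals:   SYSTEM_DEFAULT (read), FAILED_TARGETS, RESTART_PKGS (appended)
# Arguments: $1 label for messages, $2 directory, $3 owner:group,
#            $4 (optional) synopkg package name to restart when the dir exists
# Returns:   0 if the directory existed and was updated, 1 otherwise
#######################################
update_optional() {
  uo_label=$1
  uo_dir=$2
  uo_owner=$3
  uo_pkg=${4:-}
  if [ ! -d "$uo_dir" ]; then
    echo "Did not find ${uo_label} dir: ${uo_dir}"
    return 1
  fi
  echo "Found ${uo_label} dir, copying certs to: ${uo_dir}"
  if [ -n "$uo_pkg" ]; then
    RESTART_PKGS="${RESTART_PKGS} ${uo_pkg}"
  fi
  if ! install_cert_set "$SYSTEM_DEFAULT" "$uo_dir" "$uo_owner"; then
    warn "WARNING: could not fully update ${uo_label} certs in ${uo_dir}"
    FAILED_TARGETS="${FAILED_TARGETS} ${uo_label}"
    return 1
  fi
  return 0
}

# Pre-flight: refuse to touch anything unless the whole set is staged, so a
# partial copy can never leave an installed key that does not match its cert.
for f in $CERT_FILES; do
  [ -s "${STAGING_DIR}/${f}.pem" ] || die "Halting: ${STAGING_DIR}/${f}.pem is missing or empty"
done
# When openssl is available, also confirm that privkey.pem belongs to cert.pem by
# comparing the public keys. Only a definite mismatch aborts; an unparseable
# file is reported but not treated as fatal.
if command -v openssl >/dev/null 2>&1; then
  key_pub=$(openssl pkey -in "${STAGING_DIR}/privkey.pem" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "${STAGING_DIR}/cert.pem" -noout -pubkey 2>/dev/null)
  if [ -z "$key_pub" ] || [ -z "$cert_pub" ]; then
    warn "WARNING: could not parse staged key/cert with openssl; skipping key/cert match check"
  elif [ "$key_pub" != "$cert_pub" ]; then
    die "Halting: ${STAGING_DIR}/privkey.pem does not match ${STAGING_DIR}/cert.pem"
  fi
fi

# Canonical copy first; everything else is fed from it, so a failure here is fatal.
if ! install_cert_set "$STAGING_DIR" "$SYSTEM_DEFAULT" root:root; then
  die "Halting because of error copying/chowning files into ${SYSTEM_DEFAULT}"
fi
echo "Certs copied from /tmp & chowned."

if [ -d "${FQDN_DIR}/" ]; then
  echo "Found FQDN directory, copying certificates to 'certificate/system/FQDN' as well..."
  if ! install_cert_set "$SYSTEM_DEFAULT" "$FQDN_DIR" root:root; then
    warn "WARNING: could not fully update certs in ${FQDN_DIR}"
    FAILED_TARGETS="${FAILED_TARGETS} FQDN"
  fi
fi

if [ -n "$DEFAULT_DIR" ] && [ -d "$DEFAULT_DIR" ]; then
  echo "Found upload dir (used for Application Portal): $DEFAULT_DIR_NAME, copying certs to: $DEFAULT_DIR"
  if ! install_cert_set "$SYSTEM_DEFAULT" "$DEFAULT_DIR" root:root; then
    warn "WARNING: could not fully update certs in ${DEFAULT_DIR}"
    FAILED_TARGETS="${FAILED_TARGETS} ApplicationPortal"
  fi
else
  echo "Did not find upload dir (Application Portal): $DEFAULT_DIR_NAME"
fi

if [ -d "$REVERSE_PROXY" ]; then
  echo "Found reverse proxy certs, replacing those:"
  # Glob instead of parsing `ls`: safe with odd names, and the trailing slash
  # restricts the match to subdirectories (plain files in here are skipped).
  for proxy in "$REVERSE_PROXY"/*/; do
    [ -d "$proxy" ] || continue   # no match leaves the literal pattern behind
    proxy=${proxy%/}
    echo "Replacing $proxy"
    if ! install_cert_set "$SYSTEM_DEFAULT" "$proxy" root:root; then
      warn "WARNING: could not fully update certs in ${proxy}"
      FAILED_TARGETS="${FAILED_TARGETS} ${proxy##*/}"
    fi
  done
else
  echo "No reverse proxy directory found"
fi

# Replace certs for packages (if found). The return value is informational only:
# a missing or failed package never stops the remaining targets.
update_optional ScsiTarget    "$SCSITARGET_DIR" root:root                   ScsiTarget    || true
update_optional SynologyDrive "$SYNODRIVE_DIR"  SynologyDrive:SynologyDrive SynologyDrive || true
update_optional WebDAV        "$WEBDAV_DIR"     root:root                   WebDAVServer  || true
update_optional ActiveBackup  "$ACTIVEBACK_DIR" ActiveBackup:ActiveBackup   ActiveBackup  || true
update_optional smbftpd       "$SMBFTPD_DIR"    root:root                                 || true

# Reboot Synology services
# comment out the ones not used...
printf '%s' "Rebooting services that use certs..."
/usr/syno/bin/synow3tool --gen-all && systemctl reload nginx
# /usr/syno/bin/synosystemctl restart nmbd
/usr/syno/bin/synosystemctl restart avahi
# /usr/syno/bin/synosystemctl reload ldap-server
# reboot packages — only those whose certificate directory was found above
for pkg in $RESTART_PKGS; do
  /usr/syno/bin/synopkg restart "$pkg"
done
echo " done"

if [ -n "$FAILED_TARGETS" ]; then
  warn "WARNING: the following optional targets were not fully updated:${FAILED_TARGETS}"
fi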