CLI script to programmatically replace SSL certs on Synology NAS
#!/bin/sh
#
# *** For DSM v7.x ***
#
# CAUTION: DSM removes files from ~root on various system updates/upgrades. That's why this is copied across from pfSense each time.
# This version augmented with:
# - switches to use alt port instead of 22
# - configuration for several popular packages that use SSL (including correct permission updates)
# - instructions on finding all other installed packages using SSL
# - latest nginx restart
# - copying all four *.pem files from pfSense, and includes renaming from the acme version
# - fixed bugs in use of sudo (don't put perm in sudoers, it will be removed; sudo runs as root not $USER)
#
# To catalog all cert sets on your NAS: sudo find /usr -name 'chain.pem' -printf '%Tc %M %u:%g %s %p\n'
# (This shows dates, sizes, owner:group plus full name)
#
# How to use this script:
# 1. Get your 4 PEM files ready to copy over from your local machine/update server (privkey.pem, chain.pem, fullchain.pem, cert.pem)
# and put them into a directory (below: tmpcerts). The pfSense acme names map as: .key -> privkey.pem, .ca -> chain.pem, .fullchain -> fullchain.pem, .crt -> cert.pem.
# 2. Ensure you have a user set up on Synology that has SSH access (and SSH is enabled).
# This user must be able to log in without a password (SSH key) and to run this one script as root without a password, i.e. add this line to /etc/sudoers.d/<USER> (<USER> is the user you create):
# <USER> ALL=(ALL) NOPASSWD: /var/services/homes/<USER>/replace_synology_ssl_certs.sh
# (CAUTION: do NOT add directly to sudoers! All user-supplied edits are removed when DSM updates.)
# (CAUTION: the rule only names a path, and step 3 has <USER> upload that very file, so <USER> can put anything there and run it as root. Treat the SSH key held on pfSense as a root credential for the NAS: keep it off other hosts and pin it in authorized_keys with from="<pfSense address>".)
# 3. Call this script from the pfSense root shell as follows (replace "foo" with your domain from /conf/acme, "nnnnn" with the NAS SSH port, and set NAS_USER and SYNOLOGY_SERVER first -- $USER in the pfSense root shell is "root", not the NAS user):
# cd ~ \
# && mkdir -pv tmpcerts \
# && cp -f /conf/acme/foo.key tmpcerts/privkey.pem \
# && cp -f /conf/acme/foo.ca tmpcerts/chain.pem \
# && cp -f /conf/acme/foo.fullchain tmpcerts/fullchain.pem \
# && cp -f /conf/acme/foo.crt tmpcerts/cert.pem \
# && scp -P nnnnn tmpcerts/privkey.pem tmpcerts/chain.pem tmpcerts/fullchain.pem tmpcerts/cert.pem "$NAS_USER@$SYNOLOGY_SERVER:/tmp/" \
# && scp -P nnnnn replace_synology_ssl_certs.sh "$NAS_USER@$SYNOLOGY_SERVER:~/" \
# && ssh -p nnnnn "$NAS_USER@$SYNOLOGY_SERVER" "sudo /var/services/homes/$NAS_USER/replace_synology_ssl_certs.sh" \
# ;  ssh -p nnnnn "$NAS_USER@$SYNOLOGY_SERVER" 'rm -f /tmp/privkey.pem /tmp/chain.pem /tmp/fullchain.pem /tmp/cert.pem'
# Notes: the sudo command must be spelled exactly as in the sudoers rule (a ~ or relative path will not match, and '~$USER' inside single quotes is not tilde-expanded by the remote shell). The last line is joined with ";" on purpose so the private key is removed from /tmp even when the script fails part-way. /tmp is shared with every local user on the NAS; a 0700 directory in the NAS user's home is the safer staging place (the /tmp source path in the script must then be changed to match).
# Script start.
# Packages
# Script only uses the folders you actually have
SCSITARGET_DIR=/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server/
SYNODRIVE_DIR=/usr/local/etc/certificate/SynologyDrive/SynologyDrive/
WEBDAV_DIR=/usr/local/etc/certificate/WebDAVServer/webdav/
ACTIVEBACK_DIR=/usr/local/etc/certificate/ActiveBackup/ActiveBackup/
SMBFTPD_DIR=/usr/syno/etc/certificate/smbftpd/ftpd/
# Standard folders
REVERSE_PROXY=/usr/syno/etc/certificate/ReverseProxy
FQDN_DIR=/usr/syno/etc/certificate/system/FQDN
DEFAULT_DIR=
DEFAULT_DIR_NAME=$(cat /usr/syno/etc/certificate/_archive/DEFAULT)
if [ "$DEFAULT_DIR_NAME" != "" ]; then
DEFAULT_DIR="/usr/syno/etc/certificate/_archive/${DEFAULT_DIR_NAME}"
fi
# mv /tmp/{privkey,chain,fullchain,cert}.pem /usr/syno/etc/certificate/system/default/
cp -f /tmp/{privkey,chain,fullchain,cert}.pem /usr/syno/etc/certificate/system/default/
if [ "$?" != 0 ]; then
echo "Halting because of error copying files"
exit 1
fi
chown root:root /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem
if [ "$?" != 0 ]; then
echo "Halting because of error chowning files"
exit 1
fi
echo "Certs copied from /tmp & chowned."
if [ -d "${FQDN_DIR}/" ]; then
echo "Found FQDN directory, copying certificates to 'certificate/system/FQDN' as well..."
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "${FQDN_DIR}/"
chown root:root "${FQDN_DIR}/"{privkey,chain,fullchain,cert}.pem
fi
if [ -d "$DEFAULT_DIR" ]; then
echo "Found upload dir (used for Application Portal): $DEFAULT_DIR_NAME, copying certs to: $DEFAULT_DIR"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$DEFAULT_DIR/"
chown root:root "$DEFAULT_DIR/"{privkey,chain,fullchain,cert}.pem
else
echo "Did not find upload dir (Application Portal): $DEFAULT_DIR_NAME"
fi
if [ -d "$REVERSE_PROXY" ]; then
echo "Found reverse proxy certs, replacing those:"
for proxy in $(ls "$REVERSE_PROXY"); do
echo "Replacing $REVERSE_PROXY/$proxy"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$REVERSE_PROXY/$proxy"
chown root:root "$REVERSE_PROXY/$proxy/"{privkey,chain,fullchain,cert}.pem
done
else
echo "No reverse proxy directory found"
fi
# Replace certs for packages (if found)
if [ -d "$SCSITARGET_DIR" ]; then
echo "Found ScsiTarget dir, copying certs to: $SCSITARGET_DIR"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$SCSITARGET_DIR/"
chown root:root "$SCSITARGET_DIR/"{privkey,chain,fullchain,cert}.pem
else
echo "Did not find ScsiTarget dir: $SCSITARGET_DIR"
fi
if [ -d "$SYNODRIVE_DIR" ]; then
echo "Found SynologyDrive dir, copying certs to: $SYNODRIVE_DIR"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$SYNODRIVE_DIR/"
chown SynologyDrive:SynologyDrive "$SYNODRIVE_DIR/"{privkey,chain,fullchain,cert}.pem
else
echo "Did not find SynologyDrive dir: $SYNODRIVE_DIR"
fi
if [ -d "$WEBDAV_DIR" ]; then
echo "Found WebDAV dir, copying certs to: $WEBDAV_DIR"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$WEBDAV_DIR/"
chown root:root "$WEBDAV_DIR/"{privkey,chain,fullchain,cert}.pem
else
echo "Did not find WebDAV dir: $WEBDAV_DIR"
fi
if [ -d "$ACTIVEBACK_DIR" ]; then
echo "Found ActiveBackup dir, copying certs to: $ACTIVEBACK_DIR"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$ACTIVEBACK_DIR/"
chown ActiveBackup:ActiveBackup "$ACTIVEBACK_DIR/"{privkey,chain,fullchain,cert}.pem
else
echo "Did not find ActiveBackup dir: $ACTIVEBACK_DIR"
fi
if [ -d "$SMBFTPD_DIR" ]; then
echo "Found smbftpd dir, copying certs to: $SMBFTPD_DIR"
cp -f /usr/syno/etc/certificate/system/default/{privkey,chain,fullchain,cert}.pem "$SMBFTPD_DIR/"
chown root:root "$SMBFTPD_DIR/"{privkey,chain,fullchain,cert}.pem
else
echo "Did not find smbftpd dir: $SMBFTPD_DIR"
fi
# Reboot Synology services
# comment out the ones not used...
echo -n "Rebooting services that use certs..."
/usr/syno/bin/synow3tool --gen-all && systemctl reload nginx
# /usr/syno/bin/synosystemctl restart nmbd
/usr/syno/bin/synosystemctl restart avahi
# /usr/syno/bin/synosystemctl reload ldap-server
# reboot packages
/usr/syno/bin/synopkg restart ScsiTarget
/usr/syno/bin/synopkg restart SynologyDrive
/usr/syno/bin/synopkg restart WebDAVServer
/usr/syno/bin/synopkg restart ActiveBackup
echo " done"