  • Save bruvv/1da6f61b7d2e3104795fa66a2a52f0d0 to your computer and use it in GitHub Desktop.

We are going to use the acme.sh script to accomplish this. For validation of the domain name we will use the DNS option (the DNS-01 challenge), which is the only challenge type Let's Encrypt accepts for wildcard certificates. First log in to your Synology with ssh as the admin user and then run sudo -i to get root access; that drops you into /root, and the rest of the guide assumes everything is run from that path. Now fetch the script and make it executable. Keep in mind that this downloads an unpinned copy of the master branch straight from GitHub and you are about to run it as root, so read it (or download a tagged release) before you execute it.

wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
chmod a+x acme.sh

Next we issue the certificate:

./acme.sh --issue -d *.website.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

You will get output like the following:

Registering account
Registered
ACCOUNT_THUMBPRINT='abjJHFIUTDGIBDYDDJBDJKkhHk'
Creating domain key
The domain key is here: /root/.acme.sh/*.website.com/*.website.com.key
Single domain='*.website.com'
Getting domain auth token for each domain
Getting webroot for domain='*.website.com'
You need to add the txt record manually.
Add the following TXT record:
Domain: '_acme-challenge.website.com'
TXT value: 'ThIsISNoTtHeReAlKeY'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.website.com
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.

As you can see, you have to create a DNS TXT record at your domain name provider with the name and value shown in the output (needless to say, use your own values). After you have created it, run the acme.sh script again with --renew. Note: it can take some time for DNS records to propagate; that depends on your provider, for my provider it is less than a minute. Check with dig or nslookup that the TXT record is visible from the internet before you re-run, because Let's Encrypt queries public DNS, not your NAS. This also means there is no unattended renewal in manual DNS mode: every new order gets a fresh challenge token, so before the certificate expires (Let's Encrypt certificates are valid for 90 days) you run the renew command below again, it prints a new TXT value, you add that record, and then you run the renew command once more.

./acme.sh --renew -d *.website.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

When all goes well you get output like the following:

Your cert is in /root/.acme.sh/*.website.com/*.website.com.cer
Your cert key is in /root/.acme.sh/*.website.com/*.website.com.key
The intermediate CA cert is in /root/.acme.sh/*.website.com/ca.cer
And the full chain certs is there: /root/.acme.sh/*.website.com/fullchain.cer

Now copy the files to a share on your NAS that only administrators can read: website.com.key is the private key, and anyone who can read it can impersonate every host under the wildcard. In my case I made a share called Certs with a subfolder vdr.one in it:

cp "/root/.acme.sh/*.website.com/*.website.com.cer" "/volume1/Certs/website.com/website.com.cer"
cp "/root/.acme.sh/*.website.com/*.website.com.key" "/volume1/Certs/website.com/website.com.key"
cp "/root/.acme.sh/*.website.com/ca.cer" "/volume1/Certs/website.com/ca.cer"
cp "/root/.acme.sh/*.website.com/fullchain.cer" "/volume1/Certs/website.com/fullchain.cer"
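The three steps above (wait for the TXT record, finish validation with --renew, copy the files to the share) as one script. This is an added example and not part of the gist or of acme.sh itself; it assumes acme.sh lives in /root/acme.sh as in the guide, that dig is available on the NAS (it is not installed on every DSM version; nslookup -type=TXT works the same way), and that the share path is /volume1/Certs. The function names (acme_challenge_name, wait_for_txt, finish_validation, install_certs) are my own. It checks the record against a public resolver rather than the NAS's own DNS, refuses to copy when a file is missing, and gives the private key owner-only permissions from the moment it is written:

```sh
#!/bin/sh
# Added helper for the manual-DNS wildcard flow in the guide (not part of the gist).
# Assumptions: acme.sh is /root/acme.sh, dig is installed, DEST is a share on the NAS.
set -eu

ACME="${ACME:-/root/acme.sh}"
DEST="${DEST:-/volume1/Certs}"

# DNS-01 challenge name: _acme-challenge. prefixed to the domain with a leading
# "*." stripped; a wildcard and its base name are validated with the same record.
acme_challenge_name() {
    base="${1#"*."}"
    printf '_acme-challenge.%s\n' "$base"
}

# 0 if the expected TXT value is visible in public DNS. A public resolver is
# queried on purpose: Let's Encrypt does not use the NAS's own resolver cache.
txt_record_visible() {
    name=$(acme_challenge_name "$1")
    dig +short TXT "$name" @1.1.1.1 | tr -d '"' | grep -qxF "$2"
}

# Poll until the record shows up, at most $3 seconds (default 300).
wait_for_txt() {
    domain=$1; value=$2; limit=${3:-300}; waited=0
    until txt_record_visible "$domain" "$value"; do
        [ "$waited" -lt "$limit" ] || { echo "TXT record not visible after ${limit}s" >&2; return 1; }
        sleep 10; waited=$((waited + 10))
    done
}

# Only run --renew once the record the operator added can actually be seen.
finish_validation() {
    wait_for_txt "$1" "$2"
    "$ACME" --renew -d "$1" --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
}

# Copy the issued files to the share. The directory and the private key get
# owner-only permissions; the certificates are public and may stay readable.
install_certs() {
    domain=$1                       # e.g. '*.website.com'
    base="${domain#"*."}"           # website.com
    src="$HOME/.acme.sh/$domain"    # where acme.sh put the files (quoted: no globbing)
    dst="$DEST/$base"
    for f in "$domain.cer" "$domain.key" ca.cer fullchain.cer; do
        [ -f "$src/$f" ] || { echo "missing $src/$f, not copying anything" >&2; return 1; }
    done
    mkdir -p "$dst" && chmod 700 "$dst"
    cp "$src/$domain.cer"   "$dst/$base.cer"
    cp "$src/ca.cer"        "$dst/ca.cer"
    cp "$src/fullchain.cer" "$dst/fullchain.cer"
    # umask in a subshell so the key is never world-readable, not even briefly
    (umask 077 && cp "$src/$domain.key" "$dst/$base.key")
    chmod 600 "$dst/$base.key"
}

# Usage, after --issue printed the TXT value and you added it at your provider:
#   . ./this-script.sh
#   finish_validation '*.website.com' 'ThIsISNoTtHeReAlKeY' && install_certs '*.website.com'
```

Run it from the same root shell as the guide. Because the pending challenge is stored under /root/.acme.sh, finish_validation must be run by the same user that ran --issue, and the copy step deliberately does not chmod the share itself: restrict who can reach the share in Control Panel instead.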

After running the cp commands you will see the files in that folder. Keep in mind that acme.sh keeps its own copy of the key and your account under /root/.acme.sh, so that directory needs protecting as well. You can close the SSH session now and, for security reasons, you can also disable SSH again in Control Panel. All you need to do now is import the certificate on the Synology, if you want, or just start using it where you need it!

To import it on your Synology

If you use your Synology as a reverse proxy and SSL offloader like me, this is pretty darn handy!

  1. Go to Control Panel, then Security, then Certificate. Choose Add.
  2. Then choose Import certificate.
  3. Supply the files requested: the private key (website.com.key), the certificate (website.com.cer) and the intermediate certificate (ca.cer).
  4. Now you're done and you have a Let's Encrypt wildcard certificate.