You must be signed in to star a gist -
You must be signed in to fork a gist
Save catchdave/69854624a21ac75194706ec20ca61327 to your computer and use it in GitHub Desktop.
# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh |
I don't get the point : is the script working on DSM7 or not ? If not, is any update planned ?
@jiquem : When I upgrade to DSM7, I will rewrite this script to work on DSM7. The purpose of this script was just for my personal use case--shared in case it helps others.
As of this point in time, I don't have current plans to upgrade my DSM to v7.x--doing so will likely mean I will need to set aside a lot of time to rewrite several things like this, so that's a personal barrier for me :)
Update: Added support for application portal and reverse proxy certs
Hello, I made a script to automate pushing SSL certificates and setting-up htaccess that works on DSM7
DSM7 only need replace /usr/syno/sbin/synoservice --restart
to systemctl restart
In DSM7 to avoid docker and VMM to restart when restarting nginx use:
synow3tool --gen-all && systemctl reload nginx
Updated to work with DSM7
@carmatana thank you.
it works like a charm. With the following prompt.
root@acmedns:~# ssh root@nas2022 "/usr/syno/bin/synow3tool --gen-all && systemctl reload nginx "
Sync W3 certificate info successfully
Generate nginx tmp config successfully
I purposely switched to an old cert and switch it back. works as expected.
@catchdave, I've uploaded an improved version:
- instructions revised so this can work beyond a DSM update (which removes user edits to sudoers and more :( )
- includes alt port switches, all four *.pem files (original was missing chain.pem), copy rather than move to make setup diagnosis easier, and support for a number of popular Synology packages that make use of SSL certs
THANK YOU for doing this! A huge help.
Hello, I made a script to automate pushing SSL certificates and setting-up htaccess that works on DSM7 https://github.com/looran/synoadm enjoy
@looran that script is missing quite a bit on the SSL side. Among other things, synology services use more than just fullchain.pem and privkey.pem ;)
Right, I added mention that it has only been tested with the main web interface handled by nginx, since it's the only thing I tested.
Ran into some trouble today with /usr/syno/bin/synosystemctl
having seemingly vanished?
I eventually found a workaround in replacing
/usr/syno/bin/synosystemctl restart nginx
/usr/syno/sbin/synoservicectl --restart nginx
and likewise for the others. I don't really know what I'm doing though but it seems happy again?
@ekchew : synosystemctl
is for DSM7.x. I think /usr/syno/sbin/synoservicectl
is for DSM 6.x IIRC.
What version of Synology OS are you running?
I think there is a bug where line 22 always returns true. Should the line be if [ "$DEFAULT_DIR_NAME" != "" ]; then
Yes, synosystemctl is DMS7. Here's a link to my DSM7 version. NOTE that some packages do not use either synoservicectl OR synosystemctl... but synopkg instead! https://gist.github.com/MrPeteH/80b487a2f400e5c0d538b18ae2f5dd76
Refactored script to be cleaner and added some packages to restart as per @MrPeteH.
Refactored script to be cleaner and added some packages to restart as per @MrPeteH.*
WONDERFUL refactor job!
Unfortunately, I found some challenges...
First, what appears to be a bug:
- While it DOES work to copy the three files to the system/default and system/FQDN folders (privkey,fullchain,cert}.pem
- DSM does some work in those two folders automagically, to create/update four additional files: chain.pem, info (no extn), root.pem, and short-chain.pem
- But DSM doesn't do that in any of the other folders.
- SO, this script needs to copy all seven files from the source folder, not just three! (I do not know what process causes the extra updates, nor how quickly. seems very fast...)
- (Just do
find / -name cert.pem
to discover all of yours... )
Next, suggestions that relate to the up-front instructions:
- Many like to configure an alt ssh port. To specify the port in scp, use
-P nnnn
, in ssh-p nnnn
- DSM wipes out all customizations to
on update. So it's better to recommend adding a line tosudoers.d/sudo-USER
- Sadly, brace expansion doesn't work in /bin/sh which can easily be the default shell for embedded scripts (like in ACME actions!) -- best workaround is either spell it all out, or embed the script in a script file with #!/bin/csh or whatever... (I just now discovered this was killing some of my automation :( )
@MrPeteH : Thanks!
- Regarding the other files beyond the 3 certs not being copied - have you noticed any issues with them not moving? As I use this script every 90 days (via letsencrypt), I have no problems in SSL certs working in all applications that use SSL certs on my Nas. Perhaps these files don't matter? On my NAS, I have not noticed any issues.
- Sudo and ports. Yes true to both - I have only noticed a wipe on a major upgrade (from 6.x to 7.x), minor updates are fine. I can look into testing what works. FWIW, my main focus on this gist on moving certs, I have so far intentionally been vague about managing SSH access (I figure anyone doing this stuff has ssh/sudo figured out already)
- Brace expansion. I understand /bin/sh doesn't support it. However, this script is explicit about using bash and is designed to run on synology (which has bash) via a direct ssh call. If you're using parts of this script in somewhere else - that's fine, but not it's not my intention to support uses outside of being executed directly (which will always use
). How are you calling this script?
- Brace expansion. I understand /bin/sh doesn't support it. However, this script is explicit about using bash and is designed to run on synology (which has bash) via a direct ssh call. If you're using parts of this script in somewhere else - that's fine, but not it's not my intention to support uses outside of being executed directly (which will always use
). How are you calling this script?
I'm talking about the recommended calling usage in the comments at the top... which of course is assumed to be in some OTHER machine, using scp and ssh to get the data to the Synology NAS. :)
The other files: I did see an issue once, but not since. All I know is, DSM creates those other files, and copies them all when installing a package. No idea why they don't get updated when the main system certs update. Perhaps we could call that a DSM bug LOL
I'm talking about the recommended calling usage in the comments at the top... which of course is assumed to be in some OTHER machine, using scp and ssh to get the data to the Synology NAS. :)
Makes sense! Appreciate the explanation :) @MrPeteH
Thanks for the script! To make it a bit more dynamic, you can discover the target directories and the services/packages to restart:
# Output *all* parameters handed to the method (required to dump arrays)
error_exit() { echo "[ERROR] $*"; exit 1; }
warn() { echo "[WARN ] $*"; }
info() { echo "[INFO ] $*"; }
debug() { [[ "${DEBUG}" ]] && echo "[DEBUG ] $*"; }
# ...
service_cert_dirs="$(find /usr/syno/etc/certificate -name "cert.pem" -exec dirname {} \;)"
package_cert_dirs="$(find /usr/local/etc/certificate -name "cert.pem" -exec dirname {} \;)"
for service in $service_cert_dirs; do
service_name="$(echo "$service" | grep -Po '/usr/syno/etc/certificate/\K[^/]+')"
if [[ "$service_name" != "system" && "$service_name" != "_archive" && "$service_name" != "ReverseProxy" ]]; then
for package in $package_cert_dirs; do
package_name="$(echo "$package" | grep -Po '/usr/local/etc/certificate/\K[^/]+')"
debug "Services to restart: ${services_to_restart[*]}"
debug "Packages to restart: ${packages_to_restart[*]}"
First of all let me thank you for sharing this. I have win-acme (Let's Encrypt) renewing the certificates on a Windows machine, and need a way of replacing the certificates in Synology automatically.
I'm on DSM 7.1-42661 Update 4
I tried, to the best of my abilities, to adapt this script for my NAS (adding packages to restart, and target dirs).
I copied my adaptation to a new Task, running as root, and in the Task Log I can see that the script executes all steps successfully.
(Except Surveillance Station)
[EDIT] reloading nginx instead of restarting, the output is this:
Failed to restart package [SurveillanceStation], err=[272]
Sync W3 certificate info successfully
Generated nginx tmp config is not valid
Job for nginx.service failed. See "systemctl status nginx.service" and "journalctl -xe" for details.
But after completion, I'm always getting all the apps greyed out with an exclamation sign, even if I restart DSM altogether.
After restarting I can no longer access DSM via https, only via http.
And to rectify all that, I have to go into Control Panel -> Security, and re-add (import and replace) the default certificate.
After doing that, I have to restart once more, and one app still needs to be repaired - Surveillance Station.
Note: in the case of Surveillance Station, it has an App Portal configured (Control Panel -> Login Portal).
But I added another loop to replace certificates in AppPortal as well - for proxy in /usr/syno/etc/certificate/AppPortal/*/; do
I'm really at a loss here...
Can you share your experience?
@footswitch Have you tried running nginx -t
to see what's wrong with the nginx config? Do the certificate and key file have the right user/access rights?
@fhemberger, the files are copied and chowned, and if that wasn't the case, the script would output the warning Error copying or chowning(...)
Querying nginx -t before the script:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
After replacing the cert files and reloading nginx:
nginx: [emerg] SSL_CTX_use_PrivateKey("/usr/syno/etc/www/certificate/system_default/3e35dc1f-4740-487a-b658-90708050766e.pem") failed (SSL: error:0B080074:lib(11):func(128):reason(116))
nginx: configuration file /etc/nginx/nginx.conf test failed
I'm using the exact same files when importing/replacing the certificate via DSM portal.
My Log looks like this:
[INFO ] ok privkey.pem exists.
[INFO ] ok cert.pem exists.
[INFO ] ok fullchain.pem exists.
[INFO ] Certs chowned at source dir.
[INFO ] Copying certificates to '/usr/syno/etc/certificate/system/default'
[INFO ] Copying certificates to '/usr/syno/etc/certificate/smbftpd/ftpd'
[INFO ] Copying certificates to '/usr/local/etc/certificate/HyperBackupVault/HyperBackupVault'
[INFO ] Copying certificates to '/usr/local/etc/certificate/LogCenter/pkg-LogCenter'
[INFO ] Copying certificates to '/usr/local/etc/certificate/PrestoServer/PrestoServer'
[INFO ] Copying certificates to '/usr/local/etc/certificate/ReplicationService/snapshot_receiver'
[INFO ] Copying certificates to '/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server'
[INFO ] Copying certificates to '/usr/local/etc/certificate/SynologyDrive/SynologyDrive'
[INFO ] Copying certificates to '/usr/local/etc/certificate/VPNCenter/OpenVPN'
[INFO ] Copying certificates to '/usr/syno/etc/certificate/_archive/PrfwoX'
[INFO ] Copying certificates to '/usr/syno/etc/certificate/AppPortal/SurveillanceStation_AltPort/'
[INFO ] Rebooting all the things...
Fail to restart [nmbd]. # this was in the original script so I just left it there anyway.
[avahi] restarted.
Fail to restart [ldap-server]. # this was in the original script so I just left it there anyway.
[ftpd] restarted.
restart package [HyperBackup] successfully
restart package [HyperBackupVault] successfully
restart package [LogCenter] successfully
restart package [PrestoServer] successfully
restart package [ReplicationService] successfully
restart package [ScsiTarget] successfully
restart package [SynologyDrive] successfully
restart package [VPNCenter] successfully
Failed to restart package [SurveillanceStation], err=[272]
Sync W3 certificate info successfully
Generated nginx tmp config is not valid
Job for nginx.service failed. See "systemctl status nginx.service" and "journalctl -xe" for details.
[INFO ] Completed
systemctl status nginx.service
ExecReload=/usr/syno/bin/synow3tool --nginx=reload (code=exited, status=1/FAILURE)
Start Nginx Server in Abnormal Mode ......
nginx.service: control process exited, code=exited status=1
Reload failed for Nginx.
I'm talking about the recommended calling usage in the comments at the top... which of course is assumed to be in some OTHER machine, using scp and ssh to get the data to the Synology NAS. :)
Makes sense! Appreciate the explanation :) @MrPeteH
FWIW, I just did a deeper dive on why platforms like pfSense don't have bash-type shells at all. It's because the security "attack surface" is too large for such capable shells. So they don't have it and discourage installing it! I can understand that... and in this case, the cost is simply to pre-expand those file lists. :)
So I updated to the latest DSM 7.1.1-42962 Update 4, and I'm still facing the same issues.
After running the script, basically everything stops working, and I have to manually import the certificate files in Control Panel --> Security, to restore functionality.
I even changed the script back, to copy the files first to the default directory - thought it could make a difference.
I really don't get what I'm doing wrong, compared to your positive experiences.
Running Task as root
DEBUG= # Set to any non-empty value to turn on debug mode
error_exit() { echo "[ERROR] $1"; exit 1; }
warn() { echo "[WARN ] $1"; }
info() { echo "[INFO ] $1"; }
debug() { [[ "${DEBUG}" ]] && echo "[DEBUG ] $1"; }
# 1. Initialization
# =================
[[ "$EUID" -ne 0 ]] && error_exit "Please run as root" # Script only works as root
certs_src_dir="/volume1/exch-cert" # where the new certificate files are located
services_to_restart=("nmbd" "avahi" "ldap-server" "ftpd")
# "ActiveBackup" # ActiveBackup uses a self signed certificate.
# "/usr/local/etc/certificate/ActiveBackup/ActiveBackup" # ActiveBackup uses a Long Term self signed certificate.
# Check files exist at source dir
if [ -e "${certs_src_dir}/privkey.pem" ]
info "ok privkey.pem exists in source dir."
error_exit "privkey.pem not found in source dir. Exiting with no changes."
if [ -e "${certs_src_dir}/cert.pem" ]
info "ok cert.pem exists in source dir."
error_exit "cert.pem not found in source dir. Exiting with no changes."
if [ -e "${certs_src_dir}/fullchain.pem" ]
info "ok fullchain.pem exists in source dir."
error_exit "fullchain.pem not found in source dir. Exiting with no changes."
# Find the default certificate directory
if [[ -n "$default_dir_name" ]]; then
debug "Default cert directory found: '/usr/syno/etc/certificate/_archive/${default_dir_name}'"
warn "No default directory found. Probably unusual? Check: 'cat /usr/syno/etc/certificate/_archive/DEFAULT'"
# Add Reverse Proxy App directories
for proxy in /usr/syno/etc/certificate/ReverseProxy/*/; do
debug "Found ReverseProxy dir: ${proxy}"
# Add AppPortal directories
for proxy in /usr/syno/etc/certificate/AppPortal/*/; do
debug "Found AppPortal dir: ${proxy}"
[[ "${DEBUG}" ]] && set -x
# 2. root own certificates in source dir
# =============================================================
cp "${certs_src_dir}/"{privkey,fullchain,cert}.pem "${certs_default_dir}/" || error_exit "Halting because of error moving files"
chown root:root "${certs_default_dir}/"{privkey,fullchain,cert}.pem || error_exit "Halting because of error chowning files"
info "Certs copied and chowned at system default dir."
# 3. Copy certificates to target directories if they exist
# ========================================================
for target_dir in "${target_cert_dirs[@]}"; do
if [[ ! -d "$target_dir" ]]; then
debug "Target cert directory '$target_dir' not found, skipping..."
info "Copying and chowning certificates to '$target_dir'"
if ! cp "${certs_default_dir}/"{privkey,fullchain,cert}.pem "$target_dir/" && \
chown root:root "$target_dir/"{privkey,fullchain,cert}.pem; then
warn "Error copying or chowning certs to ${target_dir}"
# Remove cert files from source folder
rm "${certs_src_dir}/privkey.pem"
rm "${certs_src_dir}/fullchain.pem"
rm "${certs_src_dir}/last-cert.pem"
# Rename cert.pem to last-cert.pem
mv "${certs_src_dir}/cert.pem" "${certs_src_dir}/last-cert.pem"
# 4. Restart services & packages
# ==============================
info "Rebooting all the things..."
for service in "${services_to_restart[@]}"; do
/usr/syno/bin/synosystemctl restart "$service"
for package in "${packages_to_restart[@]}"; do # Restart packages that are installed & turned on
/usr/syno/bin/synopkg is_onoff "$package" 1>/dev/null && /usr/syno/bin/synopkg restart "$package"
# Restart nginx !!! WARNING !!! this may behave unexpectedly (for instance restarts running VMs / Docker images)
# /usr/syno/bin/synosystemctl restart nginx
# In DSM7 to avoid docker and VMM to restart when restarting nginx use:
# synow3tool --gen-all && systemctl reload nginx
# source: https://www.reddit.com/r/synology/comments/olve56/comment/h5hsogq/
# Faster ngnix restart (if certs don't appear to be refreshing, change to synosystemctl
if ! /usr/syno/bin/synow3tool --gen-all && sudo systemctl reload nginx; then
warn "nginx failed to reload"
info "Completed"
Been playing with this quite a bit, and note I'm using DSM 7.2 beta right now. Was working "ok" but refreshing the certs remained a problem for me, unless I did the full restart which restarted docker and everything - less than optimal.
Here's my modified section 4 which seems to work and I can consistently reproduce (test is to manually update cert with an old one thru UI, then once I've validated the date of the cert, fully close browser, run the script in command line, wait 20 seconds for all restarts to 'take', and then re-open DSM in the browser and re-check the certificate date. So far working well.
# 4. Restart services & packages
# ==============================
info "Rebooting all the things..."
for service in "${services_to_restart[@]}"; do
/usr/syno/bin/synosystemctl restart "$service"
for package in "${packages_to_restart[@]}"; do # Restart packages that are installed & turned on
/usr/syno/bin/synopkg is_onoff "$package" 1>/dev/null && /usr/syno/bin/synopkg restart "$package"
# Faster ngnix restart (if certs don't appear to be refreshing, change to synosystemctl
if ! /usr/syno/bin/synow3tool --gen-all ; then
warn "synow3tool --gen-all failed"
if ! /usr/syno/bin/synow3tool --nginx=reload ; then
warn "/usr/syno/bin/synow3tool --nginx=reload failed"
if ! /usr/syno/bin/synow3tool --restart-dsm-service; then
warn "/usr/syno/bin/synow3tool --restart-dsm-service failed"
info "Completed"
If anyone is still watching this thread / script... I did some research on what exactly happens when you run synow3tool --gen-all
Basically this command will take the certs from the /usr/syno/etc/certificate/_archive
folder and sync all of the other appropriate folders with that certificate. It:
- Reads the cert files in
- Re-creates all of the folders in
with completely new folders with the certs, and removes the old ones. - Creates a new version of the
folder (naming it something likeFQDN.temp
) - Updates the certs in
with the ones fromarchive
- Deletes
- Renames
- Creates
- Copy all of the certs from
- Renames
...So... basically it looks like the much simpler option is to drop your new certs in the /usr/syno/etc/certificate/_archive/{randomchars}
folder and then run synow3tool --gen-all
as root
. There's no need to do the ReverseProxy folders or the FQDN folders for example.
Because I have no services installed like HyperBackupVault
etc., I can't tell if those are taken care of by the synow3tool
as well or not, I'll do more research there.
In my case, the only additional folders I have that don't seem to be taken care of by the synow3tool
sync are:
(Key Manager)/usr/syno/etc/certificate/smbftpd/ftpd
@telnetdoogie this is still not working for me. But at least now I got more descriptive errors...
[WARN ] synow3tool --gen-all failed
nginx: [emerg] SSL_CTX_use_PrivateKey("/usr/syno/etc/www/certificate/system_default/b4d6e608-ec11-4368-8219-db76840ed58f.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
/usr/syno/bin/synow3tool: unrecognized option '--restart-dsm-service'
/usr/syno/sbin/synosystemctl restart nginx
For my case, With DSM7, restart Nginx also restart the VM under the VMware manager, Docker, which is quite unexpected. It's kinda a downgrade of the DSM.
/usr/syno/sbin/synosystemctl resload nginx
is more appropriate, using reload instead of restartIn addition, I also need to default certificate in 'Control Panel / Security/ Certificate "