Skip to content

Instantly share code, notes, and snippets.

@catchdave
Last active October 31, 2024 19:50
Show Gist options
  • Save catchdave/69854624a21ac75194706ec20ca61327 to your computer and use it in GitHub Desktop.
Save catchdave/69854624a21ac75194706ec20ca61327 to your computer and use it in GitHub Desktop.
CLI script to programmatically replace SSL certs on Synology NAS
#!/bin/bash
#
# *** For DSM v7.x ***
#
# How to use this script:
# 1. Get your 3 PEM files ready to copy over from your local machine/update server (privkey.pem, fullchain.pem, cert.pem)
# and put into a directory (this will be $CERT_DIRECTORY).
# Personally, I use this script (https://gist.github.com/catchdave/3f6f412bbf0f0cec32469fb0c9747295) to automate steps 1 & 4.
# 2. Ensure you have a user setup on synology that has ssh access (and ssh access is setup).
# This user will need to be able to sudo as root (i.e. add this line to sudoers, <USER> is the user you create):
# <USER> ALL=(ALL) NOPASSWD: /var/services/homes/<USER>/replace_certs.sh
# 3. Copy this script to Synology: sudo scp replace_synology_ssl_certs.sh $USER@$SYNOLOGY_SERVER:~/
# 4. Call this script as follows:
# sudo bash -c scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/ \
# && ssh $USER@$SYNOLOGY_SERVER 'sudo ./replace_synology_ssl_certs.sh'
# Script start.
DEBUG= # Set to any non-empty value to turn on debug mode
error_exit() { echo "[ERROR] $1"; exit 1; }
warn() { echo "[WARN ] $1"; }
info() { echo "[INFO ] $1"; }
debug() { [[ "${DEBUG}" ]] && echo "[DEBUG ] $1"; }
# 1. Initialization
# =================
[[ "$EUID" -ne 0 ]] && error_exit "Please run as root" # Script only works as root
certs_src_dir="/usr/syno/etc/certificate/system/default"
services_to_restart=("nmbd" "avahi" "ldap-server")
packages_to_restart=("ScsiTarget" "SynologyDrive" "WebDAVServer" "ActiveBackup")
target_cert_dirs=(
"/usr/syno/etc/certificate/system/FQDN"
"/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server/"
"/usr/local/etc/certificate/SynologyDrive/SynologyDrive/"
"/usr/local/etc/certificate/WebDAVServer/webdav/"
"/usr/local/etc/certificate/ActiveBackup/ActiveBackup/"
"/usr/syno/etc/certificate/smbftpd/ftpd/")
# Add the default directory
default_dir_name=$(</usr/syno/etc/certificate/_archive/DEFAULT)
if [[ -n "$default_dir_name" ]]; then
target_cert_dirs+=("/usr/syno/etc/certificate/_archive/${default_dir_name}")
debug "Default cert directory found: '/usr/syno/etc/certificate/_archive/${default_dir_name}'"
else
warn "No default directory found. Probably unusual? Check: 'cat /usr/syno/etc/certificate/_archive/DEFAULT'"
fi
# Add reverse proxy app directories
for proxy in /usr/syno/etc/certificate/ReverseProxy/*/; do
debug "Found proxy dir: ${proxy}"
target_cert_dirs+=("${proxy}")
done
[[ "${DEBUG}" ]] && set -x
# 2. Move and chown certificates from /tmp to default directory
# =============================================================
mv /tmp/{privkey,fullchain,cert}.pem "${certs_src_dir}/" || error_exit "Halting because of error moving files"
chown root:root "${certs_src_dir}/"{privkey,fullchain,cert}.pem || error_exit "Halting because of error chowning files"
info "Certs moved from /tmp & chowned."
# 3. Copy certificates to target directories if they exist
# ========================================================
for target_dir in "${target_cert_dirs[@]}"; do
if [[ ! -d "$target_dir" ]]; then
debug "Target cert directory '$target_dir' not found, skipping..."
continue
fi
info "Copying certificates to '$target_dir'"
if ! (cp "${certs_src_dir}/"{privkey,fullchain,cert}.pem "$target_dir/" && \
chown root:root "$target_dir/"{privkey,fullchain,cert}.pem); then
warn "Error copying or chowning certs to ${target_dir}"
fi
done
# 4. Restart services & packages
# ==============================
info "Rebooting all the things..."
for service in "${services_to_restart[@]}"; do
/usr/syno/bin/synosystemctl restart "$service"
done
for package in "${packages_to_restart[@]}"; do # Restart packages that are installed & turned on
/usr/syno/bin/synopkg is_onoff "$package" 1>/dev/null && /usr/syno/bin/synopkg restart "$package"
done
# Restart nginx
if ! /usr/syno/bin/synow3tool --gen-all && sudo /usr/syno/bin/synosystemctl restart nginx; then
warn "nginx failed to restart"
fi
info "Completed"
@footswitch
Copy link

@carmatana thank you for your input.
In my case we have the certs in Windows because we need them there to begin with.
In this discussion we all have the same starting point: our certificates aren't managed by DSM.
The only thing I didn't test, is if it's enough to copy just to a single default folder, and run:
synow3tool --gen-all && systemctl reload nginx
Or if we do need to copy to every folder and restart every service.

@telnetdoogie
Copy link

@footswitch dropping the certs, named appropriately, in the …/_archive/{randomletters referred to in DEFAULT} and then running the three commands:

/usr/syno/bin/synow3tool --gen-all
/usr/syno/bin/synow3tool --nginx=reload
/usr/syno/bin/synow3tool --restart-dsm-service

should take care of most needs. But as the script above shows, there are some additional folders where certificates are also stored that the above three commands won’t sync to. My latest thoughts are that it might be a good idea to just replace these folders with symlinks to the default folder so it’s easier to keep everything synced, versus copying the certs into more locations. But I haven’t tried that, nor am I sure that those other locations are actually needed or referenced anywhere.

@telnetdoogie
Copy link

I’ve been keeping my own tweaked version of this awesome script Here which, similar to @carmatana - I generate certs with certbot in docker on the synology on a schedule. I don’t use the scp portion to copy, and I just schedule this script to run every week so I added logic to check to see whether the latest certs differ from those already installed for DSM and only do the updates and sync if they are different.

@MrPeteH
Copy link

MrPeteH commented Apr 21, 2023

@telnetdoogie essentially, your "external" source of certs is the docker.

It's still external; the difference is you have kinda direct access to the Synology filesystem.
Some people have SMB access to the filesystem.
Some have scp access to the filesystem.
It's all good. :-D

@MrPeteH
Copy link

MrPeteH commented Apr 21, 2023

The big picture for this:

  • We all generate the certs somewhere, potentially for use in a number of places on our network.
  • We need to get the certs regularly and automagically installed and running in a Synology

So we

  1. copy updated certs into the Syno
  2. run this script which puts them in all the necessary places
  3. AND it restarts necessary packages/services

@edvalley
Copy link

Sorry, but I think acmesh perfectly fits this use case. That said, of course, this is not the same case where your Synology device has Internet access and you can use Let's Encrypt directly from DSM web interface.

@MrPeteH
Copy link

MrPeteH commented Apr 27, 2023

Sorry, but I think acmesh perfectly fits this use case. That said, of course, this is not the same case where your Synology device has Internet access and you can use Let's Encrypt directly from DSM web interface.

Many of us use exactly that somewhere else. The whole purpose of this script is properly injecting the resulting certs into DSM :)

@edvalley
Copy link

Sorry, but I think acmesh perfectly fits this use case. That said, of course, this is not the same case where your Synology device has Internet access and you can use Let's Encrypt directly from DSM web interface.

Many of us use exactly that somewhere else. The whole purpose of this script is properly injecting the resulting certs into DSM :)

What I meant was that acmesh has a deploy hook for Synology DSM. Read some info here.

@ridv
Copy link

ridv commented May 9, 2023

Highly suggest checking out https://github.com/reddec/syno-cli/tree/master

It uses the same API as acmesh but it's in an easy to consume cli for folks to leverage.

@MrPeteH
Copy link

MrPeteH commented May 15, 2023

@edvalley and @ridv

What I meant was that acmesh has a deploy hook for Synology DSM. Read some info here.

According to those documents, this deploy hook does install the cert into DSM, but does NOT install it into the various packages and services ("Certificate should now show up in "Control Panel" -> "Security" -> "Certificates" and can be assigned to Services..."). This script does it all rather nicely.

I love the exploring being done by everyone! It's true:

  • Those who can use acme.sh deploy hooks can take care of the transfer to DSM more easily that way
  • If synow3tool --gen-all takes care of deploying into all packages and services, then the rest of the work can be avoided

I'll do some exploring on both for my use case, when I get a few more round 'tuits. ;)
(My use case: certs generated in pfSense on another host+VM.)

@telnetdoogie
Copy link

telnetdoogie commented May 15, 2023

  • If synow3tool --gen-all takes care of deploying into all packages and services, then the rest of the work can be avoided

it doesn’t do ALL of them, but does seem to take care of the majority. I added a check script that shows all the locations that still have differing certs and eventually incorporated that into my modified version.

I had a hard time understanding if the ones it “leaves out” are even really used / needed but my use cases aren’t that complex (I don’t use ftp etc)

@telnetdoogie
Copy link

telnetdoogie commented May 15, 2023

BTW @catchdave thank you SO much for this script! It’s made ssl renewals and applications incredibly simple and reliable. I’m all about “no human interaction” automation and this and the derivatives have been key to that for me!

@scarab714
Copy link

scarab714 commented May 30, 2023

Thanks you very much for this scripts which is a great help!!
I managed to make it work on my NAS from an NGINX linux server that is used as reverse proxy for all my services. The wildcard let's encrypt certificate for my domain is generated from that server too which explain why this script is perfect for me.

I have a question (hope not too stupid); how did you managed to avoid having to write the password of the user created on synology each time the commands are sent?

When using this command from my nginx server, the password for the synology user is requested twice (for the 2 actions it does)

sudo bash -c scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/ \
     && ssh $USER@$SYNOLOGY_SERVER 'sudo ./replace_synology_ssl_certs.sh'

I would like to find a way to do it passwordless so that I can put it into a crontab on the nginx server.
How did you guys managed to fully automate it (if some of you did)?

I also noticed on the command that the single quote is missing before scp and after /tmp/ like this. Before finding this, the command was not working for me.

sudo bash -c 'scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/' \
     && ssh $USER@$SYNOLOGY_SERVER 'sudo ./replace_synology_ssl_certs.sh'

@scarab714
Copy link

scarab714 commented May 30, 2023

It was too beautiful to be real... When I execute the script, it reset (hard reboot) all my VMs running on VMM which is a big problem for me :(
I see that footswitch is mentioning using "reload" for nginx but this is already implemented on the script provided by catchdave.
I any case, I tried commenting this on the script but it still resetting all VMs.
I found out that this is the restart of the package ScsiTarget that do it...
Do you think this is important restart that package once the certificate is changed?

If you have any idea , I would be very grateful since this issue is blocking me to use this amazing script.

@telnetdoogie
Copy link

telnetdoogie commented Jun 2, 2023

Do you think this is important restart that package once the certificate is changed?

I'm not convinced that those apps need to be restarted; As a check, I'd recommend you try the scripts with service_to_restart and packages_to_restart empty, as well as emptying target_cert_dirs and then run this script once everything is done. It will identify the folders you need to add back to target_cert_dirs that weren't handled by the synology OS and then you'll be able to populate the target folders and the packages / services to restart based only on those that it finds. Then you can test those apps you depend on to ensure they're working properly.

regarding your SSH login, you should be able to use import your public SSH key from the host you're copying FROM into the ~/.ssh/authorized_keys file on your synology (whichever user you're logging in as) and use key authentication which won't require a password prompt.

For example, if you're copying the files from linuxhost as user bob:
login to linuxhost as bob and copy the contents of the file ~/.ssh/id_rsa.pub
If you're logging INTO the admin user of the synology:
login to synology as admin and edit the file ~/.ssh/authorized_keys
paste the contents from bob's public key into the bottom of the authorized_keys file (should be a single line, don't add any additional line breaks etc)

then when you attempt to ssh into the synology from linuxhost it should use the key instead of a password prompt. Do it manually the first time for a prompt to add the machine to known_hosts and then once it's done, you won't have to use a password any more.

@catchdave
Copy link
Author

catchdave commented Jun 3, 2023

I added the script I use to renew my ssl and copy the cert everywhere here: https://gist.github.com/catchdave/3f6f412bbf0f0cec32469fb0c9747295

Could be a useful starting place for folks to create their own (won't be usable out of the box, since you will have different combinations services & servers). This specific one is controlled by a cronjob on the server that plex runs on.

@scarab714
Copy link

Do you think this is important restart that package once the certificate is changed?

I'm not convinced that those apps need to be restarted; As a check, I'd recommend you try the scripts with service_to_restart and packages_to_restart empty, as well as emptying target_cert_dirs and then run this script once everything is done. It will identify the folders you need to add back to target_cert_dirs that weren't handled by the synology OS and then you'll be able to populate the target folders and the packages / services to restart based only on those that it finds. Then you can test those apps you depend on to ensure they're working properly.

regarding your SSH login, you should be able to use import your public SSH key from the host you're copying FROM into the ~/.ssh/authorized_keys file on your synology (whichever user you're logging in as) and use key authentication which won't require a password prompt.

For example, if you're copying the files from linuxhost as user bob: login to linuxhost as bob and copy the contents of the file ~/.ssh/id_rsa.pub If you're logging INTO the admin user of the synology: login to synology as admin and edit the file ~/.ssh/authorized_keys paste the contents from bob's public key into the bottom of the authorized_keys file (should be a single line, don't add any additional line breaks etc)

then when you attempt to ssh into the synology from linuxhost it should use the key instead of a password prompt. Do it manually the first time for a prompt to add the machine to known_hosts and then once it's done, you won't have to use a password any more.

Thank you very much for the quality of your answer telnetdoogie!

I managed to make passwordless work very well and I finally did my own script to replace the certificate on the synology because my need was not to replace the default certificate for everything, but just to replace the one I use only for synology drive because the port 6690 used by drive cannot be proxied by nginx since it is not a https protocol. So for this port, I do a port forwarding while all the rest is going through my nginx server which has the certbot certificate automatically renewed. This explain why I needed a script to send the certificate to the NAS each time it is renewed on the nginx.
So my need was just to use this certificate for drive and let the default one for all the rest.
I do the same with my firewall which is also used for the SSL vpn. I used a script that use the API of the firewall to send and update the certificate to it each time it is renewed on the nginx.

Thank you for the great job that has been made here. It helped me a lot!

Here is my script if it can help anyone.

So first I have manually uploaded a certificate in to the synology so that it creates the cert folder name which is using random characters. I also configure "Synology Drive Server" to use this certificate so that the link is made on the system.
Then, I just update the script to use that folder name and the script just update the cert and restart the "Synology Drive" service.

I made another script on the nginx that do the action of copying and executing that script into the synology NAS.

@matthenning
Copy link

matthenning commented Jun 12, 2023

In my case too it was enough to run the synow3tool and do an nginx restart, thanks for the hints.
My script to find the correct folder and an opportunity to check nginx config before restarting the server:

cp ~/certs/* /usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT)

/usr/syno/bin/synow3tool --gen-all
nginx -t

read -p "nginx config ok?"

systemctl restart nginx

@DJGauthier
Copy link

Hi Catchdave,

I'm looking for a solution for my DS1010+ with DSM 5.2-5967 Update 9.
I found many article on the net but nothing help me until yet.

Maybe you have already an idee.

Best Regards
DJG.

@catchdave
Copy link
Author

catchdave commented Jun 19, 2023

Hi Catchdave,

I'm looking for a solution for my DS1010+ with DSM 5.2-5967 Update 9. I found many article on the net but nothing help me until yet.

@DJGauthier : I have never had a system with 5.x OS so I simply don't know what it looks like. Fundamentally, you simply need to find where the SSL certs are stored and then find out the right way to restart associated services to use the new certs when you upload them. Perhaps the locations are similar to the 6.x version of this (look at the gist's history). You can probably easily find certs using a find command once you SSH in.

@DJGauthier
Copy link

DJGauthier commented Jun 19, 2023 via email

@catchdave
Copy link
Author

I don't know where you are getting that error from, or what the context is. So I can't really work off just that error (is it on the browser, on the synology box, elsewhere). You could also consider upgrading your OS. version 5.x is a 8 years old.

@DJGauthier
Copy link

DJGauthier commented Jun 21, 2023 via email

@DJGauthier
Copy link

DJGauthier commented Jun 21, 2023 via email

@telnetdoogie
Copy link

@DJGauthier It appears you're running into a port forwarding issue. Have you been able to renew certs successfully using the Synology UI? The address you're using - [mysyno].synology.me will point to your public WAN IP, so you're unlikely to be able to test that locally unless you're doing some hairpin NAT rules on your router. I'd start with validating that LetsEncrypt certificates can be generated via the UI on the Synology NAS before you try to use scripts to do the same.

Alternatively you could switch to certbot using DNS-01 challenge instead of HTTP-01 to avoid the need to have ports open and forwarded. More info here:

https://letsencrypt.org/docs/challenge-types/

@DJGauthier
Copy link

DJGauthier commented Jun 21, 2023 via email

@bogdanrotariu
Copy link

Hi,

Is it necessary to reboot all the services? As the script restarts all the services, docker and virtual machines that are running on the synology are affected.

I guess, some of Step 4. "Rebooting all the things..." can be disabled by default ?

@catchdave
Copy link
Author

I am not sure—this was the easiest method to make sure everything works. Feel free to experiment :)

You definitely need to restart any web servers serving the cert (so nginx at least).

@telnetdoogie
Copy link

telnetdoogie commented Jul 24, 2023

Is it necessary to reboot all the services?

It's not, unless you have a service specifically that seems to need it.

For me, simply running:
/usr/syno/bin/synow3tool --gen-all
/usr/syno/bin/synow3tool --nginx=reload
and /usr/syno/bin/synow3tool --restart-dsm-service

...refreshes certs for DSM and Reverse Proxy setups with no need to bounce apps (like docker, which takes a long time and is disruptive if runnning network services in containers)

@timelordx
Copy link

I use Caddy Web Server as my reverse proxy running inside Container Manager (Docker) on my Synology DSM. Caddy is also great as a certificate manager.

Inspired by you and your code (all of you here), I wrote my own script synology-cert-deploy.sh which takes only the private key and full certificate chain files as input, since those are the only two TLS files coming from Caddy, and deploys them to Synology DSM. As long as it has the new private key and full chain, it can extract all the remaining files from these two files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment