Last active
June 26, 2024 06:01
-
-
Save catchdave/69854624a21ac75194706ec20ca61327 to your computer and use it in GitHub Desktop.
CLI script to programmatically replace SSL certs on Synology NAS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# *** For DSM v7.x *** | |
# | |
# How to use this script: | |
# 1. Get your 3 PEM files ready to copy over from your local machine/update server (privkey.pem, fullchain.pem, cert.pem) | |
# and put into a directory (this will be $CERT_DIRECTORY). | |
# Personally, I use this script (https://gist.github.com/catchdave/3f6f412bbf0f0cec32469fb0c9747295) to automate steps 1 & 4. | |
# 2. Ensure you have a user setup on synology that has ssh access (and ssh access is setup). | |
# This user will need to be able to sudo as root (i.e. add this line to sudoers, <USER> is the user you create): | |
# <USER> ALL=(ALL) NOPASSWD: /var/services/homes/<USER>/replace_certs.sh | |
# 3. Copy this script to Synology: sudo scp replace_synology_ssl_certs.sh $USER@$SYNOLOGY_SERVER:~/ | |
# 4. Call this script as follows: | |
# sudo bash -c scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/ \ | |
# && ssh $USER@$SYNOLOGY_SERVER 'sudo ./replace_synology_ssl_certs.sh' | |
# Script start. | |
DEBUG= # Set to any non-empty value to turn on debug mode | |
error_exit() { echo "[ERROR] $1"; exit 1; } | |
warn() { echo "[WARN ] $1"; } | |
info() { echo "[INFO ] $1"; } | |
debug() { [[ "${DEBUG}" ]] && echo "[DEBUG ] $1"; } | |
# 1. Initialization | |
# ================= | |
[[ "$EUID" -ne 0 ]] && error_exit "Please run as root" # Script only works as root | |
certs_src_dir="/usr/syno/etc/certificate/system/default" | |
services_to_restart=("nmbd" "avahi" "ldap-server") | |
packages_to_restart=("ScsiTarget" "SynologyDrive" "WebDAVServer" "ActiveBackup") | |
target_cert_dirs=( | |
"/usr/syno/etc/certificate/system/FQDN" | |
"/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server/" | |
"/usr/local/etc/certificate/SynologyDrive/SynologyDrive/" | |
"/usr/local/etc/certificate/WebDAVServer/webdav/" | |
"/usr/local/etc/certificate/ActiveBackup/ActiveBackup/" | |
"/usr/syno/etc/certificate/smbftpd/ftpd/") | |
# Add the default directory | |
default_dir_name=$(</usr/syno/etc/certificate/_archive/DEFAULT) | |
if [[ -n "$default_dir_name" ]]; then | |
target_cert_dirs+=("/usr/syno/etc/certificate/_archive/${default_dir_name}") | |
debug "Default cert directory found: '/usr/syno/etc/certificate/_archive/${default_dir_name}'" | |
else | |
warn "No default directory found. Probably unusual? Check: 'cat /usr/syno/etc/certificate/_archive/DEFAULT'" | |
fi | |
# Add reverse proxy app directories | |
for proxy in /usr/syno/etc/certificate/ReverseProxy/*/; do | |
debug "Found proxy dir: ${proxy}" | |
target_cert_dirs+=("${proxy}") | |
done | |
[[ "${DEBUG}" ]] && set -x | |
# 2. Move and chown certificates from /tmp to default directory | |
# ============================================================= | |
mv /tmp/{privkey,fullchain,cert}.pem "${certs_src_dir}/" || error_exit "Halting because of error moving files" | |
chown root:root "${certs_src_dir}/"{privkey,fullchain,cert}.pem || error_exit "Halting because of error chowning files" | |
info "Certs moved from /tmp & chowned." | |
# 3. Copy certificates to target directories if they exist | |
# ======================================================== | |
for target_dir in "${target_cert_dirs[@]}"; do | |
if [[ ! -d "$target_dir" ]]; then | |
debug "Target cert directory '$target_dir' not found, skipping..." | |
continue | |
fi | |
info "Copying certificates to '$target_dir'" | |
if ! (cp "${certs_src_dir}/"{privkey,fullchain,cert}.pem "$target_dir/" && \ | |
chown root:root "$target_dir/"{privkey,fullchain,cert}.pem); then | |
warn "Error copying or chowning certs to ${target_dir}" | |
fi | |
done | |
# 4. Restart services & packages | |
# ============================== | |
info "Rebooting all the things..." | |
for service in "${services_to_restart[@]}"; do | |
/usr/syno/bin/synosystemctl restart "$service" | |
done | |
for package in "${packages_to_restart[@]}"; do # Restart packages that are installed & turned on | |
/usr/syno/bin/synopkg is_onoff "$package" 1>/dev/null && /usr/syno/bin/synopkg restart "$package" | |
done | |
# Faster ngnix restart (if certs don't appear to be refreshing, change to synosystemctl | |
if ! (/usr/syno/bin/synow3tool --gen-all && sudo systemctl reload nginx); then | |
warn "nginx failed to restart" | |
fi | |
info "Completed" |
...I only remember this because I ran into the same issue.
#!/bin/bash
# modified version of https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327
# from https://github.com/catchdave
#
# - Important:
# Before this script can run reliably, you must first manually import your LE certificates into DSM.
# Private Key ---------------> privkey.pem
# Certificate ---------------> cert.pem
# Intermediate Certificate --> fullchain.pem
#
# It's possible to initially import certs WITHOUT adding an Intermediate Cert, and while this works in most cases,
# it will cause OpenVPN on Synology to fail, as it requires the intermediate certs present in fullchain.pem
# You can also add fullchain.pem as the "Certificate" file, which works, but it's important to upload the correct files
# as above, so that the synology certificate sync tool will write the correct contents into the "info" files and associate
# the correct files with the "cert", "chain", and "key".
#
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@footswitch VPN requires the intermediate certificate to be updated, you may have the wrong file names selected, see my comment a few back regarding starting out with manual setup before automation https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327?permalink_comment_id=4787628#gistcomment-4787628
Synology WILL accept using the
fullchain.pem
file as the "Certificate" file, however this causes VPN to fail. You need to usefullchain.pem
only for the Intermediate Certificate, andcert.pem
for "Certificate"