-
-
Save catchdave/69854624a21ac75194706ec20ca61327 to your computer and use it in GitHub Desktop.
#!/bin/bash | |
# | |
# *** For DSM v7.x *** | |
# | |
# How to use this script: | |
# 1. Get your 3 PEM files ready to copy over from your local machine/update server (privkey.pem, fullchain.pem, cert.pem) | |
# and put into a directory (this will be $CERT_DIRECTORY). | |
# Personally, I use this script (https://gist.github.com/catchdave/3f6f412bbf0f0cec32469fb0c9747295) to automate steps 1 & 4. | |
# 2. Ensure you have a user setup on synology that has ssh access (and ssh access is setup). | |
# This user will need to be able to sudo as root (i.e. add this line to sudoers, <USER> is the user you create): | |
# <USER> ALL=(ALL) NOPASSWD: /var/services/homes/<USER>/replace_certs.sh | |
# 3. Copy this script to Synology: sudo scp replace_synology_ssl_certs.sh $USER@$SYNOLOGY_SERVER:~/ | |
# 4. Call this script as follows: | |
# sudo bash -c scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/ \ | |
# && ssh $USER@$SYNOLOGY_SERVER 'sudo ./replace_synology_ssl_certs.sh' | |
# Script start. | |
DEBUG= # Set to any non-empty value to turn on debug mode | |
error_exit() { echo "[ERROR] $1"; exit 1; } | |
warn() { echo "[WARN ] $1"; } | |
info() { echo "[INFO ] $1"; } | |
debug() { [[ "${DEBUG}" ]] && echo "[DEBUG ] $1"; } | |
# 1. Initialization | |
# ================= | |
[[ "$EUID" -ne 0 ]] && error_exit "Please run as root" # Script only works as root | |
certs_src_dir="/usr/syno/etc/certificate/system/default" | |
services_to_restart=("nmbd" "avahi" "ldap-server") | |
packages_to_restart=("ScsiTarget" "SynologyDrive" "WebDAVServer" "ActiveBackup") | |
target_cert_dirs=( | |
"/usr/syno/etc/certificate/system/FQDN" | |
"/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server/" | |
"/usr/local/etc/certificate/SynologyDrive/SynologyDrive/" | |
"/usr/local/etc/certificate/WebDAVServer/webdav/" | |
"/usr/local/etc/certificate/ActiveBackup/ActiveBackup/" | |
"/usr/syno/etc/certificate/smbftpd/ftpd/") | |
# Add the default directory | |
default_dir_name=$(</usr/syno/etc/certificate/_archive/DEFAULT) | |
if [[ -n "$default_dir_name" ]]; then | |
target_cert_dirs+=("/usr/syno/etc/certificate/_archive/${default_dir_name}") | |
debug "Default cert directory found: '/usr/syno/etc/certificate/_archive/${default_dir_name}'" | |
else | |
warn "No default directory found. Probably unusual? Check: 'cat /usr/syno/etc/certificate/_archive/DEFAULT'" | |
fi | |
# Add reverse proxy app directories | |
for proxy in /usr/syno/etc/certificate/ReverseProxy/*/; do | |
debug "Found proxy dir: ${proxy}" | |
target_cert_dirs+=("${proxy}") | |
done | |
[[ "${DEBUG}" ]] && set -x | |
# 2. Move and chown certificates from /tmp to default directory | |
# ============================================================= | |
mv /tmp/{privkey,fullchain,cert}.pem "${certs_src_dir}/" || error_exit "Halting because of error moving files" | |
chown root:root "${certs_src_dir}/"{privkey,fullchain,cert}.pem || error_exit "Halting because of error chowning files" | |
info "Certs moved from /tmp & chowned." | |
# 3. Copy certificates to target directories if they exist | |
# ======================================================== | |
for target_dir in "${target_cert_dirs[@]}"; do | |
if [[ ! -d "$target_dir" ]]; then | |
debug "Target cert directory '$target_dir' not found, skipping..." | |
continue | |
fi | |
info "Copying certificates to '$target_dir'" | |
if ! (cp "${certs_src_dir}/"{privkey,fullchain,cert}.pem "$target_dir/" && \ | |
chown root:root "$target_dir/"{privkey,fullchain,cert}.pem); then | |
warn "Error copying or chowning certs to ${target_dir}" | |
fi | |
done | |
# 4. Restart services & packages | |
# ============================== | |
info "Rebooting all the things..." | |
for service in "${services_to_restart[@]}"; do | |
/usr/syno/bin/synosystemctl restart "$service" | |
done | |
for package in "${packages_to_restart[@]}"; do # Restart packages that are installed & turned on | |
/usr/syno/bin/synopkg is_onoff "$package" 1>/dev/null && /usr/syno/bin/synopkg restart "$package" | |
done | |
# Faster ngnix restart (if certs don't appear to be refreshing, change to synosystemctl | |
if ! (/usr/syno/bin/synow3tool --gen-all && sudo systemctl reload nginx); then | |
warn "nginx failed to restart" | |
fi | |
info "Completed" |
@telnetdoogie I'm coming from a win-acme automation, and a while back (a year ago) I was trying to automate with the wrong intermediate file (chain-only from win-acme) and getting all sorts of errors: https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327?permalink_comment_id=4530953#gistcomment-4530953
-- Then I realised what the right file was: https://gist.github.com/catchdave/69854624a21ac75194706ec20ca61327?permalink_comment_id=4541242#gistcomment-4541242
However, NOW if I try to upload the (full)chain file into the Synology UI, it gives me an error; I can only replace the certificate without error if I choose the chain-only file. So this has suddenly changed and I don't know why or how.
I'm not even talking about the automation itself, I just lost OpenVPN connectivity a couple of months ago and I had to sort this out manually via the UI, and this is what I found.
I'm at a loss here.
I just realized my OpenVPN was broken after cert updates too. OpenVPN copies certs on install to a totally different location, and makes some modifications. Rather than try to fix it I just uninstall and reinstall and the OpenVPN does its thing from the ssl certs and works again.
Switch to wireguard and wg-easy and save yourself the hassle :)
Hi everyone, somewhat related, but has anyone figured out how to do the same for Synology Routers (SRM 1.3)?