Forked from catchdave/replace_synology_ssl_certs.sh
CLI script to programmatically replace SSL certs on Synology NAS
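#!/bin/sh
#
# *** For DSM v6.x ***
#
# Replace the Synology system SSL certificate (and the copies DSM keeps for the
# FQDN, the Application Portal default archive entry, each reverse proxy entry
# and the WebDAV Server package) with the PEM files found in $CERTDIR, then
# restart the services that hold the certificate.
#
# How to use this script:
# 1. Get your 3 PEM files ready to copy over from your local machine/update server (privkey.pem, fullchain.pem, cert.pem)
#    and put into a directory (this will be $CERT_DIRECTORY).
# 2. Ensure you have a user setup on synology that has ssh access (and ssh access is setup).
#    This user will need to be able to sudo as root (i.e. add this line to sudoers, <USER> is the user you create):
#    <USER> ALL=(ALL) NOPASSWD: /var/services/homes/<USER>/replace_certs.sh
#    NOTE: the sudoers path must be the exact path the script is invoked by in step 3
#    (the text above names it replace_certs.sh, step 3 uses replace_synology_ssl_certs.sh),
#    and the script file should be owned by root and not writable by <USER>: a NOPASSWD
#    rule on a user-writable file lets that user run anything as root.
# 3. Call this script as follows:
#    sudo scp ${CERT_DIRECTORY}/{privkey,fullchain,cert}.pem $USER@$SYNOLOGY_SERVER:/tmp/ \
#    && sudo scp replace_synology_ssl_certs.sh $USER@$SYNOLOGY_SERVER:~/ \
#    && ssh $USER@$SYNOLOGY_SERVER 'sudo ./replace_synology_ssl_certs.sh'
#
# Exit status: 1 if the new files cannot be installed into the system default
# directory (nothing else is touched); 1 if any later, non-fatal step failed
# (a warning is printed for each); 0 otherwise.
#
# Script start.
### R.A.W. xtra
# Directory the three PEM files are read from. Must match wherever step 3
# above actually puts them (the stock instructions scp them to /tmp/).
CERTDIR=/volume1/<pathToLetsEncryptCertsOrBackupFolder>
WEBDAVSDIR=/usr/local/etc/certificate/WebDAVServer/webdav/
###
REVERSE_PROXY=/usr/syno/etc/certificate/ReverseProxy
FQDN_DIR=/usr/syno/etc/certificate/system/FQDN
SYSTEM_DEFAULT=/usr/syno/etc/certificate/system/default
ARCHIVE_DIR=/usr/syno/etc/certificate/_archive
WEBDAV_CTL=/var/packages/WebDAVServer/scripts/start-stop-status
# The three file names DSM expects. Listed explicitly (and iterated with
# deliberate word-splitting) instead of {a,b,c} brace expansion, which plain
# /bin/sh does not guarantee.
CERT_FILES="privkey.pem fullchain.pem cert.pem"

# Overall exit status; set to 1 by any non-fatal failure below.
rc=0

DEFAULT_DIR=
# _archive/DEFAULT holds the name of the archive sub-directory in use.
DEFAULT_DIR_NAME=$(cat "${ARCHIVE_DIR}/DEFAULT")
# The original test compared the literal string "DEFAULT_DIR_NAME" (missing $),
# so it was always true; compare the variable's value.
if [ "$DEFAULT_DIR_NAME" != "" ]; then
  DEFAULT_DIR="${ARCHIVE_DIR}/${DEFAULT_DIR_NAME}"
fi

#######################################
# Copy privkey.pem, fullchain.pem and cert.pem from one directory into another
# and make each copy root-owned.
# Arguments: $1 - source directory, $2 - destination directory
# Returns:   0 on success, 1 if a copy failed, 2 if a chown failed
#######################################
install_certs() {
  src=$1
  dest=$2
  for f in $CERT_FILES; do
    cp -f "${src}/${f}" "${dest}/" || return 1
    chown root:root "${dest}/${f}" || return 2
  done
  # NOTE(review): nothing here tightens the mode of privkey.pem; the copy keeps
  # whatever mode the destination file already had (or the umask for a new one).
  # Confirm what the consuming services require before adding a chmod.
  return 0
}

#######################################
# Run a synoservice action, recording (not aborting on) failure.
# Arguments: synoservice arguments, e.g. --restart nginx
# Globals:   rc (written)
#######################################
svc() {
  /usr/syno/sbin/synoservice "$@" || {
    echo "Warning: synoservice $* failed" >&2
    rc=1
  }
}

##### INSTALL new files into the system default directory
# (no backup of the current files is taken by this script)
if [ ! -d "$CERTDIR" ]; then
  echo "Halting because certificate source directory was not found: $CERTDIR" >&2
  exit 1
fi
install_certs "$CERTDIR" "$SYSTEM_DEFAULT"
case $? in
  0) ;;
  1)
    echo "Halting because of error copying files" >&2
    exit 1
    ;;
  *)
    echo "Halting because of error chowning files" >&2
    exit 1
    ;;
esac
echo "Certs copied from $CERTDIR & chowned."

# If you're using a custom domain name, replace the FQDN certs too
if [ -d "${FQDN_DIR}/" ]; then
  echo "Found FQDN directory, copying certificates to 'certificate/system/FQDN' as well..."
  install_certs "$SYSTEM_DEFAULT" "$FQDN_DIR" || {
    echo "Warning: failed to update certs in $FQDN_DIR" >&2
    rc=1
  }
fi

# Replace certs for default Application Portal (if found)
if [ -d "$DEFAULT_DIR" ]; then
  echo "Found upload dir (used for Application Portal): $DEFAULT_DIR_NAME, copying certs to: $DEFAULT_DIR"
  install_certs "$SYSTEM_DEFAULT" "$DEFAULT_DIR" || {
    echo "Warning: failed to update certs in $DEFAULT_DIR" >&2
    rc=1
  }
else
  echo "Did not find upload dir (Application Portal): $DEFAULT_DIR_NAME"
fi

# Replace certs for all reverse proxy servers (if exists)
if [ -d "$REVERSE_PROXY" ]; then
  echo "Found reverse proxy certs, replacing those:"
  # Glob instead of parsing `ls`; the -d test also skips the literal pattern
  # left behind when the directory is empty.
  for proxy in "$REVERSE_PROXY"/*; do
    [ -d "$proxy" ] || continue
    echo "Replacing $proxy"
    install_certs "$SYSTEM_DEFAULT" "$proxy" || {
      echo "Warning: failed to update certs in $proxy" >&2
      rc=1
    }
  done
else
  echo "No reverse proxy directory found"
fi

# Replace certs for WebDAVs (if found)
if [ -d "$WEBDAVSDIR" ]; then
  echo "Found WebDAVs dir, copying certs to: $WEBDAVSDIR"
  install_certs "$SYSTEM_DEFAULT" "$WEBDAVSDIR" || {
    echo "Warning: failed to update certs in $WEBDAVSDIR" >&2
    rc=1
  }
else
  echo "Did not find WebDAVs dir: $WEBDAVSDIR"
fi

# Restart synology services so they pick up the new certificate
printf '%s' "Rebooting all the things..."
svc --restart nginx
svc --restart nmbd
svc --restart avahi
svc --reload ldap-server
svc --restart ftpd-ssl
#### WEBDAV restart old
## /usr/syno/sbin/synoservice --restart pkgctl-WebDAVServer
if [ -x "$WEBDAV_CTL" ]; then
  "$WEBDAV_CTL" stop && "$WEBDAV_CTL" start || {
    echo "Warning: WebDAVServer restart failed" >&2
    rc=1
  }
else
  echo "WebDAVServer control script not found ($WEBDAV_CTL); skipping its restart" >&2
fi
echo " done"
exit "$rc"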