@killerbees19
Last active December 2, 2021 23:01
Let's Encrypt (via getssl) for Synology DSM 6.2

Compatibility

☑ DSM 6.2.4-25556 (Update 2)

Installation

ssh <USER>@diskstation   # any user in the administrators group

sudo mkdir -p ~/.ssl/queue

sudo chown root:users ~/.ssl
sudo chmod 0750 ~/.ssl

sudo chown $USER:users ~/.ssl/queue
sudo chmod 0700 ~/.ssl/queue

sudo vi ~/.ssl/update.sh
sudo chmod 0700 ~/.ssl/update.sh
sudo chattr +i ~/.ssl/update.sh

# OPTIONAL: sudo without password
echo "$USER ALL=(ALL) NOPASSWD: /var/services/homes/$USER/.ssl/update.sh" | sudo tee /etc/sudoers.d/getssl

# OPTIONAL: setup ssh keyfile
# ...

getssl configuration

#SANS="*.$DOMAIN"
DOMAIN_CERT_LOCATION="ssh:$DOMAIN:./.ssl/queue/cert.pem"
DOMAIN_KEY_LOCATION="ssh:$DOMAIN:./.ssl/queue/privkey.pem"
DOMAIN_CHAIN_LOCATION="ssh:$DOMAIN:./.ssl/queue/chain.pem"
DOMAIN_PEM_LOCATION="ssh:$DOMAIN:./.ssl/queue/fullchain.pem"
RELOAD_CMD="ssh $DOMAIN -- bash -c \'/bin/sudo -S \~/.ssl/update.sh\'"
#PREVENT_NON_INTERACTIVE_RENEWAL=true
SERVER_TYPE=5001
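
update.sh

#!/bin/bash

#########################################################################
# Source: https://gist.github.com/df9a555f9812ac4c0966637923200ea7      #
# Inspired by: https://gist.github.com/69854624a21ac75194706ec20ca61327 #
#########################################################################

set -eu -o pipefail
shopt -s extglob   # required for the !(_archive) pattern below

# Stage the files in a private, root-only directory rather than under fixed
# names in world-writable /tmp, and remove the staged private key on exit.
stage="$(mktemp -d)"
trap 'rm -rf -- "$stage"' EXIT

# Take the uploaded files from the user's queue and hand them to root, read-only.
for file in "/var/services/homes/$SUDO_USER/.ssl/queue/"{cert,chain,fullchain,privkey}.pem
do
    if [ ! -f "$file" ]
    then
        echo "File not found: $file" 1>&2
        exit 1
    fi

    cp -afv "$file" "$stage/"
    chown -v root:root "$stage/$(basename "$file")"
    chmod -v 0400 "$stage/$(basename "$file")"
done

# Overwrite every installed certificate set, skipping the _archive tree.
for file in /usr/syno/etc/certificate/!(_archive)/*/cert.pem
do
    if [ -f "$file" ]
    then
        cp -afv "$stage"/{cert,chain,fullchain,privkey}.pem "$(dirname "$file")/"
    fi
done

# Restart the services that present the certificate.
/usr/syno/sbin/synoservice --restart nginx
/usr/syno/sbin/synoservice --restart-by-type file_protocol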
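
update.sh runs as root, installs whatever is in the user-writable queue, and then restarts nginx. The following is an added example, not part of the gist: `verify_queue` (a hypothetical helper name) checks the queue before anything is copied. It assumes the `openssl` command-line tool is available on the DiskStation.

```shell
#!/bin/bash
# Added example (not from the gist). verify_queue is a hypothetical helper.
# Return codes: 0 ok, 1 bad file type, 2 unparsable PEM, 3 key mismatch,
#               4 expired certificate, 5 fullchain does not start with cert.

verify_queue() {
    local dir="$1" name f cert_pub key_pub

    for name in cert chain fullchain privkey
    do
        f="$dir/$name.pem"
        # The queue is writable by the unprivileged user: accept regular,
        # non-empty files only, never symlinks.
        if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -s "$f" ]
        then
            echo "Rejected: $f" 1>&2
            return 1
        fi
    done

    # The certificate must carry the public key that belongs to privkey.pem.
    cert_pub="$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)" || return 2
    key_pub="$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)" || return 2
    if [ "$cert_pub" != "$key_pub" ]
    then
        echo "cert.pem does not match privkey.pem" 1>&2
        return 3
    fi

    # Refuse a certificate that has already expired.
    if ! openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null
    then
        echo "cert.pem is expired" 1>&2
        return 4
    fi

    # fullchain.pem must begin with the same leaf certificate as cert.pem.
    if [ "$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)" != \
         "$(openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint -sha256)" ]
    then
        echo "fullchain.pem does not start with cert.pem" 1>&2
        return 5
    fi
}
```

In update.sh it would be called as `verify_queue "/var/services/homes/$SUDO_USER/.ssl/queue"` before the first copy loop, so that a mismatched or expired upload aborts the run before nginx is restarted.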