Last active May 26, 2023 06:08
Letsencrypt on Synology DSM 7

The goal is to configure a Synology NAS to use a Let's Encrypt certificate without exposing the NAS to the internet.
To achieve this we use certbot with the DNS-01 challenge, answered through Cloudflare's DNS API, so no inbound port has to be opened for validation.

  1. Run the install script (listed at the end of this gist) to install pip, certbot and the Cloudflare DNS plugin. You may need to run this again after a DSM upgrade.

  2. Set up the Cloudflare secret. The directory and file are accessible by root only, so the API token is not readable by other DSM users:

```
# mkdir /volume1/system/.secrets
# touch /volume1/system/.secrets/cloudflare.ini
# chmod 700 /volume1/system/.secrets
# chmod 600 /volume1/system/.secrets/cloudflare.ini
```

Add the Cloudflare API key in this file:
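The contents of the file are not shown on this page. As an added example (not part of the gist), the shell functions below write the credentials file in the format the certbot-dns-cloudflare plugin reads (`dns_cloudflare_api_token = ...`) and verify its permissions before it is used; the directory, file path and the `CLOUDFLARE_API_TOKEN` variable in the usage comment are assumptions, and the token value in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not the gist's code: create the certbot-dns-cloudflare
# credentials file with owner-only permissions and check it before use.

# Write the credentials file. The key name `dns_cloudflare_api_token` is the
# one the certbot-dns-cloudflare plugin reads for a scoped API token.
# Arguments: secrets directory, ini file path, token value.
write_cloudflare_ini() {
    dir=$1
    file=$2
    token=$3
    mkdir -p "$dir"
    chmod 700 "$dir"
    # umask 077 so the file is never world-readable, not even between
    # creation and the chmod below.
    ( umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file" )
    chmod 600 "$file"
}

# Return 0 if the file exists and has mode exactly 600, 1 otherwise.
# `find -perm 600` matches the exact mode on both GNU and BSD find.
secret_perms_ok() {
    file=$1
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -perm 600 -print)" ]
}

# Confirm the single expected key is present without printing the token.
secret_has_token() {
    grep -q '^dns_cloudflare_api_token = ..*$' "$1"
}

# Usage on the NAS (assumed paths; CLOUDFLARE_API_TOKEN is an assumed
# environment variable holding the real token):
#   write_cloudflare_ini /volume1/system/.secrets \
#       /volume1/system/.secrets/cloudflare.ini "$CLOUDFLARE_API_TOKEN"
#   secret_perms_ok /volume1/system/.secrets/cloudflare.ini || exit 1
```

Running `secret_perms_ok` from the renewal hook is a cheap guard: if someone later relaxes the permissions, the script stops before certbot logs a warning about a readable credentials file.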

  3. Generate the certificate. `DOMAIN` is a placeholder for your domain name, which is elided on this page:

```
# certbot certonly --dns-cloudflare \
   --dns-cloudflare-credentials /volume1/system/.secrets/cloudflare.ini \
   -d DOMAIN --preferred-challenges dns-01
```
  4. Save the deployment script (listed below) and run it.
     It's a good idea to back up /usr/syno/etc/certificate first.

  5. Set up a scheduled task within DSM to run the renew command (listed at the end of this gist); you could also use cron.

Deployment script (step 4). The `fi`, `else` and `done` lines and the variable definitions were lost when the page was extracted; `CERT` is the name of the certificate directory under /etc/letsencrypt/live (your domain, elided here), and the `DEFAULT_DIR` and `REVERSE_PROXY` definitions are reconstructed from how the script uses them:

```bash
#!/bin/bash
# DOMAIN is a placeholder: the certificate name (your domain) is elided on the page.
CERT=DOMAIN
DEFAULT_DIR_NAME=$(cat /usr/syno/etc/certificate/_archive/DEFAULT)
# Reconstructed definitions (the page lost them): the default certificate lives
# under _archive/<id>, reverse proxy certificates under ReverseProxy/<id>.
DEFAULT_DIR="/usr/syno/etc/certificate/_archive/$DEFAULT_DIR_NAME"
REVERSE_PROXY="/usr/syno/etc/certificate/ReverseProxy"

if [ "$DEFAULT_DIR_NAME" != "" ]; then
    # Copy certs from letsencrypt to install directory
    cp "/etc/letsencrypt/live/$CERT/"{privkey,fullchain,cert}.pem /usr/syno/etc/certificate/system/default/
    # Ensure correct permissions
    chown root:root /usr/syno/etc/certificate/system/default/{privkey,fullchain,cert}.pem

    # Replace certs for default Application Portal (if found)
    if [ -d "$DEFAULT_DIR" ]; then
        cp /usr/syno/etc/certificate/system/default/{privkey,fullchain,cert}.pem "$DEFAULT_DIR/"
        chown root:root "$DEFAULT_DIR/"{privkey,fullchain,cert}.pem
    else
        echo "Did not find Application Portal dir: $DEFAULT_DIR_NAME"
    fi

    # Replace certs for all reverse proxy servers (if exists)
    if [ -d "$REVERSE_PROXY" ]; then
        # Glob instead of parsing `ls` output; trailing slash matches directories only
        for proxy in "$REVERSE_PROXY"/*/; do
            cp /usr/syno/etc/certificate/system/default/{privkey,fullchain,cert}.pem "$proxy"
            chown root:root "$proxy"{privkey,fullchain,cert}.pem
        done
    else
        echo "No reverse proxy directory found"
    fi

    echo "Certs moved."

    # Restart synology services
    echo -n "Restarting..."
    /usr/syno/bin/synosystemctl restart nginx
    /usr/syno/bin/synosystemctl restart avahi
    echo " done"
fi
```
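The script above copies the three PEM files blindly. As an added example (not the gist author's script), the functions below implement a stricter version of that copy step: they refuse to touch a target directory unless privkey.pem, fullchain.pem and cert.pem all exist and the private key matches the certificate, back up the target first, and install the files with owner-only permissions. Source and target paths are parameters; the DSM paths in the usage comment are taken from the gist, and the key check is skipped with a note when `openssl` is not installed.

```shell
#!/bin/sh
# Added example, not part of the gist: a checked replacement for the
# "cp ... {privkey,fullchain,cert}.pem" step of the deployment script.

# Verify that the source directory holds the three non-empty files the NAS expects.
cert_set_complete() {
    src=$1
    for f in privkey fullchain cert; do
        [ -s "$src/$f.pem" ] || { echo "missing or empty: $src/$f.pem" >&2; return 1; }
    done
}

# Check that privkey.pem and cert.pem belong together by comparing the public
# key each one yields. Returns 0 on match, 1 on mismatch; returns 0 with a note
# if openssl is not available, so the caller still proceeds.
key_matches_cert() {
    src=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
    k=$(openssl pkey -in "$src/privkey.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$src/cert.pem" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Copy the target directory to <target>.bak.<timestamp>, preserving modes and
# ownership, and print the backup path.
backup_dir() {
    target=$1
    bak="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -pR "$target" "$bak" && echo "$bak"
}

# Install privkey/fullchain/cert into target with mode 600. Refuses when the
# source set is incomplete, the key does not match the certificate, or the
# target directory does not exist. Returns non-zero on any failure.
deploy_cert() {
    src=$1
    target=$2
    cert_set_complete "$src" || return 1
    key_matches_cert "$src" || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
    [ -d "$target" ] || { echo "no such target directory: $target" >&2; return 1; }
    backup_dir "$target" >/dev/null || return 1
    for f in privkey fullchain cert; do
        cp "$src/$f.pem" "$target/$f.pem" || return 1
        chmod 600 "$target/$f.pem"
    done
}

# Usage on the NAS, with the gist's paths (DOMAIN is a placeholder):
#   deploy_cert /etc/letsencrypt/live/DOMAIN /usr/syno/etc/certificate/system/default || exit 1
```

Because `deploy_cert` returns non-zero before any copy when a check fails, the calling script can skip the service restarts on failure instead of restarting nginx with a half-replaced certificate set.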
Install script (step 1). pip is invoked through `python3 -m pip` throughout so that certbot and the plugin land in the same interpreter that ensurepip just set up:

```
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
# certbot itself is pulled in as a dependency of the plugin
python3 -m pip install certbot-dns-cloudflare
```
Scheduled task command (step 5). The post-hook is the deployment script; its filename is elided on this page, only the directory survives:

```
/bin/certbot renew --post-hook "/volume1/system/script/letsencrypt/"
```