Synology certificate - how?


#1

I have a Synology DS410j with DSM 5.2-5967 Update 2 (Latest for this unit).
I do not have any website on it, it is mostly used with PhotoStation to show images public.
It has worked for years until now with https and 5001, but now it seems that I have to renew/install a new certificate.

(Message: "Your connection is not private".) With the Android app DS photo it still works fine, but not on Windows PCs with several browsers.

I have exported server.csr and server.key, but I can’t figure out how to send the file to Let’s Encrypt, which I have been recommended.
In newer DSMs the option for Let’s Encrypt is implemented, but it seems that I can’t upgrade to DSM 6 on my 6-7 years old Synology.
So what can I do to get my Synology back in business?


#2

Hello,

You should be able to use the “getssl” LetsEncrypt client (https://github.com/srvrco/getssl) with your Synology.

You will need to first enable the SSH service in the Synology Control Panel, and you will need a Linux host (or virtual machine) on which to run the tool.

Log in to your Synology appliance via SSH and find the filesystem paths where the keys and certificates should be loaded. Update your getssl config with those values and then run it.

You may also be able to use the “Get HTTPS for free” tool (https://gethttpsforfree.com/). I haven’t personally used this tool, but it looks fairly straightforward.

I also have a Synology. But mine is already running DSM 6.x so I can’t say exactly what steps you need to take.

Hope this helps


#3

@urandom’s explanation looks solid, I will add that if you use Let’s Encrypt you will need to repeat any manual steps needed at least every 90 days because Let’s Encrypt certificates last only ninety days. If everything is automated (as in DSM 6.x) then it’s unimportant, but you may find it annoying if you’re doing it manually.


#4

Thanks for your answers!
I will try this. But if the certificates last only 90 days, I must check with Synology whether it is possible to upgrade DSM further to automate these processes.
Or maybe Let’s Encrypt or other companies have other/longer intervals?


#5

LetsEncrypt has good reasons for limiting certificates to 90 days:

You may be able to run the getssl client directly on your Synology appliance. I’m not sure about that tool’s dependencies (version of bash, etc.) vs. what Synology DSM 5.2 provides. It’s worth trying and, if it works, you can just schedule a daily cron job on your appliance to take care of renewals.


#6

Commercial providers offer certificates lasting up to about 39 months; there are often cheap deals on ones lasting a year, and you might be able to find one offered at no cost for non-commercial use or similar. Definitely shop around if that’s the direction you choose to go in. Obviously this isn’t really the site for advice about other Certificate Authorities.


#7

@urandom I am trying to follow your directions, but I am definitely weak in Linux, so I would appreciate some further advice from you or anyone else. Am I supposed to be running the getssl client on the Synology?

If I SSH into my box and run curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl I get the following created, but when I then try to run ./getssl -c yourdomain.com it says "no such file or directory". Am I doing something wrong?


#8

I believe seeing the whole error message (and whatever text might be produced when you attempt to run it) would help. For example, if it is saying something like “-bash: ./getssl: /usr/bin/env: bad interpreter: No such file or directory”, that would mean that env on synology is missing or not in its expected place.


#9

@leader thanks very much for the response… here’s the actual message:

DiskStation> ./getssl -c 4me.com
env: bash: No such file or directory

DiskStation> /usr/syno/etc/ssl/ssl.crt/getssl -c 4me.com
env: bash: No such file or directory


#10

What OS are you running this on, and does it have bash? … Synology I guess (should have read the title :wink:). Let me see if that supports the bash environment.


#11

This is a Synology DS212j running DSM 5.2-5592.

EDIT: I just found this, so maybe it doesn’t:
https://forum.synology.com/enu/viewtopic.php?t=102323


#12

Can you try the following commands …

/usr/bin/env bash

which will probably give you the same error as above (env: bash: No such file or directory)

echo $SHELL

should tell you what your current shell environment is

/bin/bash

and let me know if that gives an error or prompt.

I think you will either need to install bash, or use one of the alternate clients that runs on sh or ash (I’m guessing that’s what the Synology is running).


#13

You’re exactly correct about the error being the same,

and the shell is /bin/ash.


#14

OK, then I think you have 2 choices: either install bash, or try one of the other alternate clients. I think acme.sh may run on ash (it runs on dash and sh, which are 2 similar shells).
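The bash-versus-ash problem worked through in the last few posts, as an added example that is not part of the thread: a POSIX sh script (so it runs under DSM’s /bin/ash) that reads the shebang of a downloaded client and reports whether that interpreter exists before you try to run it. The file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: before running a downloaded ACME client,
# read its shebang line and check that the interpreter it names exists here.
# getssl starts with "#!/usr/bin/env bash"; DSM 5.2 ships /bin/ash and no
# bash, which is exactly the "env: bash: No such file or directory" error.
# POSIX sh only, so it runs under ash itself. File names are constructed.

# Print the interpreter a script's shebang asks for ("bash", "sh", ...),
# or "none" when the file has no shebang at all.
shebang_interp() {
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        '#!'*)
            rest=${first_line#"#!"}       # drop the leading "#!"
            set -- $rest                  # $1 = program, $2 = optional argument
            if [ "$(basename "$1")" = "env" ] && [ -n "$2" ]; then
                printf '%s\n' "$2"        # "#!/usr/bin/env bash" -> bash
            else
                basename "$1"             # "#!/bin/bash" -> bash
            fi
            ;;
        *)
            printf 'none\n'
            ;;
    esac
}

# Return 0 if the script can start on this box, 1 if its interpreter is missing.
check_script_runs() {
    interp=$(shebang_interp "$1")
    if [ "$interp" = "none" ]; then
        echo "$1: no shebang, would run under the calling shell ($SHELL)"
        return 0
    fi
    if command -v "$interp" >/dev/null 2>&1; then
        echo "$1: needs $interp, found at $(command -v "$interp")"
        return 0
    fi
    echo "$1: needs $interp, not installed (expect 'env: $interp: No such file or directory')"
    return 1
}

# Demo on two constructed files: one wants bash like getssl, one wants plain sh.
demo_dir=$(mktemp -d)
printf '#!/usr/bin/env bash\necho hi\n' > "$demo_dir/wants_bash"
printf '#!/bin/sh\necho hi\n' > "$demo_dir/wants_sh"
check_script_runs "$demo_dir/wants_bash" || true
check_script_runs "$demo_dir/wants_sh"
rm -rf "$demo_dir"
```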


#15

Can’t thank you enough!!! I will try one of those solutions right now.

Guess I have to look up crontab :slight_smile:

DiskStation> curl https://get.acme.sh | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 671 100 671 0 0 712 0 --:--:-- --:--:-- --:--:-- 713
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 112k 100 112k 0 0 222k 0 --:--:-- --:--:-- --:--:-- 223k
[Sun Dec 25 06:46:23 EST 2016] Installing from online archive.
[Sun Dec 25 06:46:23 EST 2016] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sun Dec 25 06:46:24 EST 2016] Extracting master.tar.gz
[Sun Dec 25 06:46:25 EST 2016] It is recommended to install crontab first. try to install 'cron, crontab, crontabs or vixie-cron'.
[Sun Dec 25 06:46:25 EST 2016] We need to set cron job to renew the certs automatically.
[Sun Dec 25 06:46:25 EST 2016] Otherwise, your certs will not be able to be renewed automatically.
[Sun Dec 25 06:46:25 EST 2016] Please add '--force' and try install again to go without crontab.
[Sun Dec 25 06:46:25 EST 2016] ./acme.sh --install --force
[Sun Dec 25 06:46:25 EST 2016] Pre-check failed, can not install.


#16

You should be able to use it without the cron (cron would be useful for the future though, as that will automatically run the code and renew certs for you).


#17

I ran curl https://get.acme.sh | sh --force and still get that same error… It won’t seem to install, and it seems I am not the only one: https://forum.synology.com/enu/viewtopic.php?f=7&t=123007. I’m not sure what to do next :frowning:

I opened a ticket: https://github.com/Neilpang/acme.sh/issues

Found this, wondering if I can try this manual method:

https://forum.synology.com/enu/viewtopic.php?t=123003


#18

You can always run GetSSL on a different computer (Linux, Mac, Windows) and it can automatically add the tokens and certificate to your Synology device via SSH.


#19

I feel like I may be close… I followed the manual method in the link above and I am at the point of modifying the config file, but I am a little confused. Maybe you could possibly help with that?

I am confused with exactly what to do on this step: set your email, cloudflare account and API (https://www.cloudflare.com/a/account/my-account)

My config file shows the following, but where do I put the Cloudflare account & API? Also, do I need to change the paths?

DiskStation> cd ~/.acme.sh/
DiskStation> vi account.conf
#ACCOUNT_CONF_PATH=xxxx

#ACCOUNT_EMAIL=info@networks.com # the account email used to register accoun
#ACCOUNT_KEY_PATH="/path/to/account.key"
#CERT_HOME="/path/to/cert/home"
#LOG_FILE="/root/.acme.sh/acme.sh.log"
#LOG_LEVEL=1

#AUTO_UPGRADE="1"

#NO_TIMESTAMP=1
#OPENSSL_BIN=openssl

#USER_AGENT="acme.sh/2.6.5 (https://github.com/Neilpang/acme.sh)"

#USER_PATH=


#20

I think you need to add 2 variables:

CF_Key=""
CF_Email=""

which are your Cloudflare API key and email.

The default paths are probably fine.