Need to automate SSL certificate renewals for Synology DSM. If we use Let's Encrypt we have to use the HTTP-01 challenge, which requires the NAS to be open on port 80, or to use DDNS and make it externally available. We cannot do that for security purposes. Please advise.
I've moved this to Help, as it's not about developing a client.
You can either:
- Drop the firewall during the authz challenge
- Use DNS-01/TLS-ALPN-01
- Obtain the certificate on another system, and upload it onto the Synology device
Yes, however, we are trying to automate, not continue with manual processes. DNS-01 only works if the device has external access to the internet.
Any of the challenge types require that your device be able to access the Internet.
Yes, the Synologies pose a challenge for that. Was hoping for workarounds or alternatives for automation. Thanks
You have to be able to make outbound HTTPS requests to talk to the Let's Encrypt server. You can't get an LE cert without that.
You need to handle HTTP (port 80) inbound for an HTTP Challenge or port 443 inbound for a TLS-ALPN Challenge.
A DNS Challenge does NOT require inbound HTTP/TLS requests to your device but for automation requires your system to update the DNS records dynamically.
See: Challenge Types - Let's Encrypt
I believe Synology domain names (like example.synology.me and similar) can use a DNS Challenge with DSM. You could visit a Synology forum for instructions on that.
acme.sh does provide a way to renew the certificate with the DNS-01 challenge, and it also has variables to set the hostname of the target machine, so you can use another machine with internet access to renew the certificate for your offline Synology.
Hint: The auto admin account creation will not work if you're not running inside the DSM, so you need to create the admin account with DSM access for acme.sh to work.
Btw, I have asked Synology for a CLI option to reload the certificate without restarting Nginx when the certificate files are replaced externally (if I do systemctl restart nginx it restarts Docker and various Synology packages, WTF, why do they bundle massive hooks into the Nginx service? It ends up causing 10+ minutes of downtime on my low end machine), they refused, so the only way to replace the certificate is to use the API way like acme.sh does.
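The setup described in the post above, written out as an added example (not the poster's own script): acme.sh runs on a helper host that has Internet access, obtains the certificate with DNS-01, and pushes it to the NAS over the DSM API with acme.sh's `synology_dsm` deploy hook. `nas.example.com`, `nas.lan`, `dns_cf` and the `SYNO_*` values are placeholders; the DNS provider's API token is assumed to be exported in the environment already, and the dedicated DSM admin account must exist beforehand, as the post notes.

```shell
#!/bin/sh
# Added example, not from the thread: DNS-01 issuance on a helper host, then
# deployment to an offline Synology NAS via the DSM web API (acme.sh synology_dsm
# deploy hook). Nothing inbound is opened on the NAS; only the helper host needs
# outbound HTTPS to the ACME API and to the DNS provider's API.
set -eu

ACME="${ACME:-acme.sh}"                 # acme.sh is assumed to be on PATH
DOMAIN="${DOMAIN:-nas.example.com}"     # placeholder: hostname on the certificate
DNS_API="${DNS_API:-dns_cf}"            # acme.sh DNS plugin, e.g. dns_cf for Cloudflare
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 so the pipeline can be reviewed.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# issue_cert: DNS-01 proves control by publishing a TXT record, so the NAS itself
# never has to answer a challenge. The provider token is read by acme.sh from the
# environment on first use and saved in its account.conf.
issue_cert() {
  run "$ACME" --issue --dns "$DNS_API" -d "$DOMAIN" --keylength ec-256
}

# deploy_cert: the synology_dsm hook logs in to DSM and replaces the certificate
# through the web API, so DSM reloads its services the supported way instead of a
# raw "systemctl restart nginx". Credentials belong to a dedicated DSM admin user
# created beforehand (acme.sh can only auto-create one when running on the NAS).
deploy_cert() {
  export SYNO_Scheme="${SYNO_Scheme:-https}"
  export SYNO_Hostname="${SYNO_Hostname:-nas.lan}"    # placeholder: LAN address of the NAS
  export SYNO_Port="${SYNO_Port:-5001}"
  export SYNO_Certificate="${SYNO_Certificate:-}"     # description of the cert slot to replace
  export SYNO_Create="${SYNO_Create:-1}"              # create the slot if it does not exist yet
  : "${SYNO_Username:?set SYNO_Username to the dedicated DSM admin account}"
  : "${SYNO_Password:?set SYNO_Password for that account}"
  run "$ACME" --deploy -d "$DOMAIN" --deploy-hook synology_dsm
}

# renew_and_deploy: the whole pipeline; acme.sh records the deploy hook, so its own
# cron job (acme.sh --install-cronjob) repeats both steps at each renewal.
renew_and_deploy() {
  issue_cert && deploy_cert
}
```

acme.sh stores the `SYNO_*` values, including the password, in the domain's conf file under its home directory, so that file needs the same file-permission care as the private key it sits next to.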