Recently I’ve successfully created a wildcard “Let’s Encrypt” certificate on my Synology NAS 6.2.x. I would like to share the working steps below and hope that someone else can find it useful. I will list the steps as detailed as possible so that you can follow it through without facing too many difficulties.
1. Enable SSH on your NAS
2. Now SSH to your NAS. You can use a tool like putty.exe.
Type your IP address in the “Host Name (or IP address)” field as shown in the picture below. Once you are ready, click Ok.
3. Enter your admin login to your NAS.
4. Now type the following commands to download the script that we will use to generate the CSR and certificate. Make sure your NAS is configured so that it can reach the internet.
wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
chmod a+x acme.sh
5. Type the command shown below to register an account with Let’s Encrypt using your email address. Certificate expiry notices will be sent to this address. https://www.howtoforge.com/getting-started-with-acmesh-lets-encrypt-client/
./acme.sh --register-account -m [email protected]
6. Type the command below to issue the certificate. Replace the values with your own domain. If you want a wildcard certificate, use *.mydomain.com; otherwise you can use any name you like, for example myserver.mydomain.com (replace mydomain.com with yours). Also note that the flag following --dns is literally “--yes-I-know-dns-manual-mode-enough-go-ahead-please”.
./acme.sh --issue -d *.mydomain.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
7. You should receive output like the one shown below (take note of the Domain and TXT value):
Registering account
Registered
ACCOUNT_THUMBPRINT='XRDFTHUJGEasevhuyWRGTYBDFW'
Creating domain key
The domain key is here: /root/.acme.sh/*.mydomain.com/*.mydomain.com.key
Single domain='*.mydomain.com'
Getting domain auth token for each domain
Getting webroot for domain='*.mydomain.com'
You need to add the txt record manually.
Add the following TXT record:
Domain: '_acme-challenge.mydomain.com'
TXT value: 'NoteDownThisKey'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.mydomain.com
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
8. Now log in to your domain hosting provider and create a TXT record:
I’m using Namecheap domain hosting. You will need to check how to create a TXT record with yours.
a. Click create TXT record on your domain hosting
b. For the “Host”, type the domain value you noted down (it should be ‘_acme-challenge’)
c. For the “Value” of the TXT record, type the TXT value you noted down
d. Wait for the TXT record to propagate to all DNS servers. This may take a few minutes to a few hours
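Before running the renew in step 9, it is worth confirming that the _acme-challenge TXT record is actually visible from a public resolver, otherwise the validation will fail and you will have to re-run it. The shell helper below is an added example (not part of the original post or of acme.sh); it assumes the dig tool is installed, and the sample dig output it checks against is constructed, using the placeholder values from step 7.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record from step 7 is visible
# before running "acme.sh --renew" (step 9). Assumes the "dig" tool is installed.

# txt_record_matches: takes the raw output of `dig +short TXT <name>` (one
# quoted string per line) and the expected value; returns 0 on an exact match.
txt_record_matches() {
    dig_output="$1"
    expected="$2"
    # dig wraps each TXT string in double quotes; strip them, then look for a
    # whole-line, fixed-string match so a stale or partial record does not pass.
    printf '%s\n' "$dig_output" | sed 's/^"//; s/"$//' | grep -qxF -e "$expected"
}

# wait_for_txt: poll a public resolver until the record appears or we give up.
# Usage: wait_for_txt _acme-challenge.mydomain.com NoteDownThisKey [tries] [resolver]
wait_for_txt() {
    name="$1"
    expected="$2"
    tries="${3:-20}"          # 20 checks x 30 s = 10 minutes by default
    resolver="${4:-1.1.1.1}"  # ask a public resolver, not the NAS's cached one
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(dig +short TXT "$name" "@$resolver" 2>/dev/null)
        if txt_record_matches "$out" "$expected"; then
            echo "TXT record for $name is live; safe to run acme.sh --renew"
            return 0
        fi
        i=$((i + 1))
        sleep 30
    done
    echo "TXT record for $name not visible after $tries checks" >&2
    return 1
}

# Constructed sample of what dig prints when an old record and the new one coexist.
SAMPLE_DIG_OUTPUT='"OldStaleValue"
"NoteDownThisKey"'

# demo_check: run the comparison against the constructed sample.
demo_check() {
    txt_record_matches "$SAMPLE_DIG_OUTPUT" "NoteDownThisKey"
}
```

In real use you would call wait_for_txt with the Domain and TXT value acme.sh printed in step 7, then proceed to step 9 only once it returns success.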
9. Once the TXT record has been created or updated, we need to renew the certificate to complete the DNS validation. Go back to your NAS’s SSH session and type the following.
Again, note that the flag following --dns is literally “--yes-I-know-dns-manual-mode-enough-go-ahead-please”.
The -d *.mydomain.com value is the one I used in step 6.
./acme.sh --renew -d *.mydomain.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
10. You should receive output similar to the lines below (you should see 4 files):
Your cert is in /root/.acme.sh/*.mydomain.com/*.mydomain.com.cer
Your cert key is in /root/.acme.sh/*.mydomain.com/*.mydomain.com.key
The intermediate CA cert is in /root/.acme.sh/*.mydomain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/*.mydomain.com/fullchain.cer
11. Now you need to copy out the 4 files. In this case I use WinSCP, since we have enabled SSH.
For File protocol, select SCP. The host name is the IP address of your NAS. Then supply your credentials.
12. Select the 4 files and copy over to your computer/desktop.
13. Log in to your NAS web console and navigate to Control Panel > Security > Certificate. Select “Add a new certificate” and click Next.
14. Type a description for the certificate, select Import Certificate and click Next.
15. Browse and select the files accordingly.
a. Private Key > Select the .key file
b. Certificate > Select the *.mydomain.com.cer
c. Intermediate Certificate > Select the ca.cer (you can also select the fullchain.cer if you are having issues)
16. Once done, the certificate should look like this:
17. Once done, click the Configure button to assign all the services to use the certificate (optional).
Click the small drop-down arrow to select the new certificate. Click Ok when you are done.
18. The final step is to test the connectivity. Open your NAS’s URL (e.g. myserver.mydomain.com).
Click the padlock icon beside the URL and you should be able to view the certificate.
Please note that the certificate is valid for 3 months only, so you will need to renew it and re-import the new certificate.
Hope you find this post useful. Thank you!