Create and maintain a Let's Encrypt certificate on a Synology NAS.

Uses lego and the ACME DNS-01 challenge for any of the supported DNS Providers.

To install or update synology-letsencrypt, run the install script. To do that, either download and run the script manually, or use the following cURL command:

curl -sSL https://raw.githubusercontent.com/JessThrysoee/synology-letsencrypt/master/install.sh | bash

The script has to be run as root. To run it as root, you can SSH into your NAS with an admin user and then issue sudo -i to become root (the password is the same as the admin user's).

Update /usr/local/etc/synology-letsencrypt/env with domain(s), email, and DNS API-key:

DOMAINS=(--domains "example.com" --domains "*.example.com")
EMAIL="[email protected]"

# Specify DNS Provider (this example is from https://go-acme.github.io/lego/dns/simply/)
DNS_PROVIDER="simply"
export SIMPLY_ACCOUNT_NAME=XXXXXXX
export SIMPLY_API_KEY=XXXXXXXXXX
export SIMPLY_PROPAGATION_TIMEOUT=1800
export SIMPLY_POLLING_INTERVAL=30

# Should you need it; additional options can be passed directly to lego
#LEGO_OPTIONS=(--key-type "rsa4096")

Note: If you are generating a wildcard certificate, you must include the base domain next to the wildcard domain. For example, if you want to create a certificate for *.example.com, you must also include example.com in the DOMAINS value.

Now you should be able to run /usr/local/bin/synology-letsencrypt.sh.

To schedule a daily task, log into the Synology DSM and add a user-defined script:

Synology DSM -> Control Panel -> Task Scheduler
   Create -> Scheduled Task -> User-defined script
      General -> User = root
      Task Settings -> User-defined script = /bin/bash /usr/local/bin/synology-letsencrypt.sh

If you need to generate more than one certificate, you can parameterize synology-letsencrypt.sh with the path of a certificate configuration:

$ /usr/local/bin/synology-letsencrypt.sh -p /usr/local/bin/synology-letsencrypt/example.com
$ /usr/local/bin/synology-letsencrypt.sh -p /usr/local/bin/synology-letsencrypt/other-example.com

This creates an entire configuration in /usr/local/etc/synology-letsencrypt/example.com/env and /usr/local/etc/synology-letsencrypt/other-example.com/env respectively, which you can tune according to your needs. That extends to modifying the hook in each one to match your needs.

You might want this if you require more than one certificate on the Synology, or if you want to generate a certificate for another host on your Synology.

By default, synology-letsencrypt.sh will overwrite any changes you make to the hook script to preserve the core functionality of this client. If you have customized your script, you can preserve its changes by adding the -c parameter to your invocation:

$ /usr/local/bin/synology-letsencrypt.sh -c

To uninstall synology-letsencrypt, run the uninstall script. To do that, either download and run the script manually, or use the following cURL command:

curl -sSL https://raw.githubusercontent.com/JessThrysoee/synology-letsencrypt/master/uninstall.sh | bash