Synology DSM 7 with Let's Encrypt and DNS Challenge Using Vultr DNS

This guide walks you through setting up a Let's Encrypt SSL certificate on a Synology NAS running DSM 7 using the DNS challenge method with Vultr DNS. It includes automating renewals correctly using the acme.sh script.

Why Use the DNS Challenge?

Synology provides a built-in way to obtain SSL certificates, but it requires:

  • Ports 80 and 443 to be open to the public internet, or
  • Using Synology’s DDNS service.

If you want to use your custom domain and avoid exposing your NAS to the internet, the DNS challenge is an excellent alternative. It works by adding a DNS TXT record to prove domain ownership.

Prerequisites

  1. A Synology NAS running DSM 7 with SSH enabled.
  2. A domain name managed by Vultr DNS.
  3. A Vultr API key to automate DNS record updates.
  4. The acme.sh script for issuing and managing certificates.

Step 1: Create a Synology User for Certificate Management

  1. Log into Synology DSM and go to Control Panel > User & Group > Create.
    • Create a new user (e.g., certadmin).
    • Add the user to the administrators and http groups.
    • Grant Read/Write access to the homes folder.
    • Deny access to all applications.
  2. Enable SSH Access:
    • Go to Control Panel > Terminal & SNMP > Terminal.
    • Check Enable SSH service and apply the changes.

Step 2: Access the NAS via SSH

  1. Open a terminal (on macOS/Linux) or PuTTY (on Windows).
  2. Connect to your NAS using SSH:

     ssh certadmin@<NAS_IP_ADDRESS>

     Replace <NAS_IP_ADDRESS> with your NAS's IP address or hostname.
  3. Enter the password for the certadmin user when prompted.

Step 3: Install acme.sh

Download and install the acme.sh script:

wget -O /tmp/acme.sh.zip https://github.com/acmesh-official/acme.sh/archive/master.zip
sudo 7z x -o/usr/local/share /tmp/acme.sh.zip
sudo mv /usr/local/share/acme.sh-master/ /usr/local/share/acme.sh
sudo chown -R certadmin /usr/local/share/acme.sh/
cd /usr/local/share/acme.sh

Step 4: Configure Environment Variables

Set the necessary variables for Vultr DNS and Synology:

export VULTR_API_KEY="YOUR_VULTR_API_KEY"
export SYNO_Username="certadmin"
export SYNO_Password="YOUR_CERTADMIN_PASSWORD"
export SYNO_Certificate="Let's Encrypt"
export SYNO_Create=1

  • Replace YOUR_VULTR_API_KEY with your Vultr API key.
  • Replace YOUR_CERTADMIN_PASSWORD with the password for the certadmin user.
  • acme.sh stores these values in its configuration files under the --home directory on first use, which is why the renewal task in Step 7 does not set them again. Keep that directory readable only by certadmin.

Step 5: Issue a Let's Encrypt Certificate

Run the following command to issue a certificate for your domain:

./acme.sh --server letsencrypt --issue --dns dns_vultr -d "example.yourdomain.com" --home $PWD

  • Replace example.yourdomain.com with your actual domain.
  • This command:
    1. Uses the Vultr DNS API to create a DNS TXT record.
    2. Validates domain ownership.
    3. Issues and saves the certificate on the NAS.

Step 6: Deploy the Certificate

Deploy the certificate to the Synology DSM:

./acme.sh -d "example.yourdomain.com" --deploy --deploy-hook synology_dsm --home $PWD

  • This command:
    1. Logs into the Synology DSM interface.
    2. Uploads the certificate.
    3. Applies it to the web interface and restarts necessary services.

Step 7: Automate Certificate Renewal

  1. Open Control Panel > Task Scheduler on your Synology NAS.
  2. Click Create and select Scheduled Task > User-defined Script.
  3. Configure the task:
    • General Tab:
      • Name: Renew Let's Encrypt Certificate
      • User: certadmin
    • Schedule Tab:
      • Set the task to run daily.
    • Task Settings Tab:
      • Under User-defined script, add the following:

        /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh

  4. Save and enable the task.
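The scheduled command above renews the certificate but gives no signal when a renewal quietly fails. The wrapper below is an added example, not part of the original guide: it runs the same --cron command and then checks the remaining validity of the certificate acme.sh saved. ACME_HOME matches the guide; DOMAIN, CERT_FILE, MIN_DAYS and the <domain>_ecc/ directory layout are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Added example (not part of the original guide): a wrapper for the Step 7
# Task Scheduler script. It runs the same acme.sh cron job as the guide,
# then checks the certificate acme.sh saved, so a failed renewal shows up
# in the task's exit status and log instead of as a browser warning later.
#
# Assumptions: ACME_HOME is the path from the guide; acme.sh 3.x stores an
# ECC certificate under <domain>_ecc/ (for an RSA key the directory is
# just <domain>/). Adjust DOMAIN and CERT_FILE to your setup.
ACME_HOME="/usr/local/share/acme.sh"
DOMAIN="example.yourdomain.com"
CERT_FILE="$ACME_HOME/${DOMAIN}_ecc/${DOMAIN}.cer"
# acme.sh renews 30 days before expiry, so a cert with fewer than 20 days
# left means renewal has been failing for more than a week.
MIN_DAYS=20

# cert_valid_for FILE DAYS: exit 0 if FILE is a readable certificate that
# remains valid for at least DAYS more days, 1 otherwise. openssl -checkend
# does the date maths, so this works with DSM's busybox date as well.
cert_valid_for() {
    [ -r "$1" ] || return 1
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_subject FILE: print the certificate subject for the task log.
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

renew_and_check() {
    "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME" || {
        echo "ERROR: acme.sh --cron failed" >&2
        return 1
    }
    if cert_valid_for "$CERT_FILE" "$MIN_DAYS"; then
        echo "OK: $(cert_subject "$CERT_FILE") valid for at least $MIN_DAYS days"
    else
        echo "WARNING: $CERT_FILE missing or expiring within $MIN_DAYS days" >&2
        return 1
    fi
}

# Only run when invoked with --run, so the functions can also be sourced.
[ "$1" = "--run" ] && renew_and_check
```

Save it as a file (for example /usr/local/share/acme.sh/renew-check.sh), make it executable, and put `/usr/local/share/acme.sh/renew-check.sh --run` in the task's User-defined script field so a non-zero exit is recorded in the task result.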

Step 8: Verify the SSL Certificate

  1. Log into the DSM web interface via HTTPS.
  2. Go to Control Panel > Security > Certificate to confirm the new certificate is active.
  3. Optional: Enable HTTP to HTTPS redirection under Control Panel > Login Portal > DSM Settings.

Notes

  • Let’s Encrypt certificates are valid for 90 days. The --cron task ensures they are renewed automatically.
  • If 2FA is enabled for the certadmin account, the deploy hook cannot log in with a password alone; follow the acme.sh instructions for TOTP setup.
  • Always disable SSH access after configuration for better security.

Summary

This guide shows how to set up a Let's Encrypt SSL certificate for a Synology NAS using Vultr DNS. The DNS challenge avoids the need to expose ports or use Synology's DDNS, giving you more control and security. By automating renewals, your NAS will always have a valid certificate without manual intervention.

Enjoy your secure Synology NAS!