分類: 网络技术

openmediavault(6.0) acme get Let’s encrypt SSL certificate for dynu ddns

1 Introduction

Acme.sh is a free project that can get free ssl certificate from Let’s encrypt. When we use openmediavault(6.0) as our nas, we often need to apply a certificate to enable ssl web interface and ensure we can get more data security.

2 Preparation

First, remove all things related to acme, including files and subdirectories in the root path.

3. Install dependencies

#apt-get install socat

4 Install and issue a certificate

#curl https://get.acme.sh | sh
#cd ./.acme.sh

append to the file account.conf the following content:

Dynu_ClientId='xxxxxxxxxxxxxxxxxxxxxxx'
Dynu_Secret='xxxxxxxxxxxxxxxxxxxxxxxxxxx'

test staging:
#~/.acme.sh/acme.sh  --staging --issue --dns dns_dynu -d example.org \
 --accountemail "ex@ex.com" 

after success:

#~/.acme.sh/acme.sh  --force --issue --dns dns_dynu -d example.org \
 --accountemail "ex@ex.com" 

The certificates generated by default are placed in ~/.acme.sh/, you can use the --install-cert command to copy the certificate to the specified location.
Only by copying the certificate in this way can it be automatically updated later, and the manually copied certificate cannot be automatically updated.

#mkdir /ssl
#export DOMAIN=example.org

#~/.acme.sh/acme.sh --install-cert -d "${DOMAIN}" \
    --cert-file      /ssl/"${DOMAIN}".crt  \
    --key-file       /ssl/"${DOMAIN}".key  \
    --fullchain-file /ssl/"${DOMAIN}"-fullchain.pem
Automatic updates can be turned on (optional)
#~/.acme.sh/acme.sh --upgrade --auto-upgrade
When acme.sh is installed, a cron task is automatically configured, which will check the certificate status every day. Of course, you can take a look at crontab.
#crontab -e

5 Import Certificate in openmediavault

Navigate to System->certificates->SSL, + to Import SSL certificates,
above: example.org.key
Below: example.org-fullchain.pem

6 Enable SSL in the web interface

Browse to System->Workbench, select the SSL certificate former generated,

enable the switch, then you can use port mapping from local to wan and access openmediavault

by the domain name using HTTPS protocol.

Using Let’s Encrypt Certification for Synology Nas Systems With dynu as DDNS Provider and auto-renew it (updated 5-26-23)

When we use the Synology Nas system it is convenient to access it from the webpage interface.

The common solution is using a ddns provider to get a domain name and access it.

But taking for security consideration, we often do not prefer the HTTP web interface,so we need to get an SSL certification from Let’s encrypt and use the HTTPS technique.

This tutorial shows you how to get Let’s encrypt certification by using dynu ddns provider and auto renew it.

​We use the following steps: 

1. SSH client login the Synology nas.

2. Issue the certificate through DNS-01 challenge.

3. Deploy the certificate.

4. Check if the certificate is active.

5. Create the automatically renew certificate task.

1. SSH client login  the Synology nas.

Be sure that you enable the ssh service in dsm control panel.

then login to dsm with ssh client.

$ sudo -i
$ wget https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
$ sh ./acme.sh --install --nocron --home /volume1/pool/admin/acme

$ #Install the client’s API for dynu:
$ mkdir /volume1/pool/admin/acme/dnsapi && \
cd /volume1/pool/admin/acme/dnsapi && \
wget https://raw.githubusercontent.com/acmesh-official/acme.sh/master/dnsapi/dns_dynu.sh && \
cd /root

2. Issue the certificate by DNS-01 challenge

vi /volume1/pool/admin/acme/account.conf
add this fragment to the bottom of the file and save :

Dynu_ClientId='***************************'
Dynu_Secret='*******************************'

$/volume1/pool/admin/acme/acme.sh  --issue --dns dns_dynu -d example.com  \
 --accountemail "*@example.com" \
 --home /volume1/pool/admin/acme

3. Deploy the certificate.

First, we must install the deploy hook:

$ mkdir /volume1/pool/admin/acme/deploy && \
cd /volume1/pool/admin/acme/deploy && \
wget https://raw.githubusercontent.com/acmesh-official/acme.sh/master/deploy/synology_dsm.sh && \
cd /root

The structure of the installation directory should like this:

$export SYNO_Username="**"
$export SYNO_Password="******"
$export SYNO_Certificate="mycert01" 
$export SYNO_Create=1 
$/volume1/pool/admin/acme/acme.sh --deploy -d example.com --home /volume1/pool/admin/acme --deploy-hook synology_dsm

4. Check if the certificate is active.

go to the dsm control panel->security->certificate to see if the certificate works, if it is, 

set it to default.

5. Create the automatically renew certificate task.

Go to the dsm control panel->Task Scheduler->Create->User defined script:

export SYNO_Username="**"
export SYNO_Password="************"

/volume1/pool/admin/acme/acme.sh --renew -d "*.example.com" --home /volume1/pool/admin/acme

The task user should be root.

That is all done.