A little update on Synology DSM 6.2.3 build 25423 where Synology added wildcard support!
- Added support for Let’s Encrypt wildcard certificates.
This does work, but only for Synology domains. If you run a custom domain, you still need to take the route described below.
I love the Let’s Encrypt functionality on the Synology, but the built-in solution will not let you create a wildcard certificate. From a security standpoint, certificates with SANs are a good way to go, but if you are like me and run a home lab… the pain of doing it the SAN way with domain DNS validation while having a /29 IPv4 public subnet is a bitch…
I always need to change a few of my public DNS IPs to point to the Synology or the auto-renewal will fail. Also, there is a stupid 255 character limit in the SAN text box on the Synology, so having a few SANs is fine but there is a limit… Hence here comes the wildcard, and for a lab it makes life easy. Below is my guide to do this manually every 3 months. I am still working out how to automate this renewal.
How to create a wildcard on a Synology
We are going to use the acme.sh script to accomplish this. For authentication of the domain name we will use the DNS option. First log in to your Synology with ssh as the admin user and then run sudo -i to get root access. When you log in to the Synology with ssh you will end up in the /root path; for the rest of the guide I assume we run everything from that path. Now we need to get the script and change its permissions so it is executable.
chmod a+x acme.sh
Note: replace *.vdr.one with your own domain. To add the top-level domain itself or multiple domains, add another "-d yourdomain" for each of them. The wildcard is quoted so the shell does not try to expand the asterisk.
./acme.sh --issue -d '*.vdr.one' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
You will get an output like below:
Creating domain key
The domain key is here: /root/.acme.sh/*.vdr.one/*.vdr.one.key
Getting domain auth token for each domain
Getting webroot for domain='*.vdr.one'
You need to add the txt record manually.
Add the following TXT record:
TXT value: 'ThIsISNoTtHeReAlKeY'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.vdr.one
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
As you can see, you will have to create a DNS TXT record with your domain name provider according to the output above. Needless to say, you need to use your own values. After you have created it, we will have to run the acme.sh script again with --renew.
Note: it can take some time for DNS records to get updated; it depends on your provider, for mine it is less than a minute. For renewal after 3 months you can just run the renew command.
./acme.sh --renew -d '*.vdr.one' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
When all goes well you get an output like below:
Your cert is in /root/.acme.sh/*.vdr.one/*.vdr.one.cer
Your cert key is in /root/.acme.sh/*.vdr.one/*.vdr.one.key
The intermediate CA cert is in /root/.acme.sh/*.vdr.one/ca.cer
And the full chain certs is there: /root/.acme.sh/*.vdr.one/fullchain.cer
Now copy the files to an accessible share on your NAS. In my case I made a share called Certs with a subfolder vdr.one in it:
cp "/root/.acme.sh/*.vdr.one/*.vdr.one.cer" "/volume1/Certs/vdr.one/vdr.one.cer"
cp "/root/.acme.sh/*.vdr.one/*.vdr.one.key" "/volume1/Certs/vdr.one/vdr.one.key"
cp "/root/.acme.sh/*.vdr.one/ca.cer" "/volume1/Certs/vdr.one/ca.cer"
cp "/root/.acme.sh/*.vdr.one/fullchain.cer" "/volume1/Certs/vdr.one/fullchain.cer"
You will see the files in that folder after running the cp commands.
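Before closing the session it is worth checking what you just copied. The script below is an added example and not part of the original guide: it confirms that the certificate covers the hostnames you will serve (a lone *.vdr.one entry matches nas.vdr.one but not vdr.one or a.b.vdr.one, which is what the "-d yourdomain" note above is about), that the key belongs to the certificate, that it is valid long enough, and that the key on the share is not readable by others. It assumes the openssl command line tool (1.1.1 or newer) and GNU or BusyBox stat; vdr.one and the file layout are the guide's, and the self-signed sample pair is constructed only so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks for the files
# acme.sh produced. Assumes the openssl CLI (1.1.1+) and GNU/BusyBox stat.

# cert_covers CERT HOST: succeeds when HOST is matched by the certificate's SANs.
# A lone *.vdr.one entry matches nas.vdr.one but not vdr.one or a.b.vdr.one.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# key_matches CERT KEY: succeeds when the private key's public half equals the
# public key inside the certificate (catches a stale key copied next to a new cert).
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# valid_for_days CERT DAYS: succeeds when the certificate is still valid DAYS from now.
# Let's Encrypt certificates last 90 days, so a fresh one passes 80 but not 100.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEY: the key now lives on a NAS share; only its owner should read it.
key_is_private() {
  [ "$(stat -c %a "$1" 2>/dev/null)" = "600" ]
}

# make_sample_cert DIR: constructed self-signed *.vdr.one + vdr.one pair so the
# checks can be tried offline; in real use acme.sh supplies these files.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$1/vdr.one.key" -out "$1/vdr.one.cer" -days 90 \
    -subj "/CN=*.vdr.one" -addext "subjectAltName=DNS:*.vdr.one,DNS:vdr.one" 2>/dev/null
  chmod 600 "$1/vdr.one.key"
}

# check_all DIR: run every check against DIR/vdr.one.cer and DIR/vdr.one.key
# (the share layout from the guide) and print one line per result.
check_all() {
  cert="$1/vdr.one.cer"; key="$1/vdr.one.key"; rc=0
  for h in nas.vdr.one vdr.one; do
    cert_covers "$cert" "$h" && echo "OK   covers $h" || { echo "FAIL covers $h"; rc=1; }
  done
  key_matches "$cert" "$key" && echo "OK   key matches cert" || { echo "FAIL key/cert mismatch"; rc=1; }
  valid_for_days "$cert" 30 && echo "OK   valid 30+ days" || { echo "FAIL expires within 30 days"; rc=1; }
  key_is_private "$key" && echo "OK   key is mode 600" || { echo "FAIL key readable by others"; rc=1; }
  return $rc
}
```

Run it as `check_all /volume1/Certs/vdr.one` on the share you copied to; every line should start with OK before you import the files into DSM.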
You can close the SSH session now and for security reasons, you can also disable SSH.
All you need to do now is to import your certificate on the Synology if you want or just start using it where you need it!
To import it on your Synology
If you use your Synology as a reverse proxy and SSL offloader like me, this is pretty darn handy!
Go to the Control Panel, then Security and Certificate. Choose Add.
And put in the files requested.
Now you’re done and you have a Let’s Encrypt wildcard certificate.