Install SSL Certificates for Tailscale network on Synology

At the Domain Registrar

Register your domain at a registrar and make sure you are able to change the domain's name servers. We will change these to the Cloudflare name servers.

Cloudflare

Create an account at Cloudflare and add a new website, entering our domain name. Cloudflare gives us two name servers. Enter these in the control panel at your domain registrar. After submitting, it can take up to 48 hours for the change to propagate; for me it took about 1 hour. After that, Cloudflare sends an email confirming that your domain is active in their control panel.

Once that is set up we need to write down our Account ID and create a new API key. This API key does not need many permissions: choose the “Edit zone DNS” template and select your domain name under Zone Resources. Write down your API key. That is it!

On the Synology NAS

Log into your NAS using SSH and become root. If SSH is not enabled, turn it on temporarily; it can be disabled again afterwards.

ssh you@yournas.local
sudo -i

Run the ACME installer script. This installs the client software that requests our certificates and talks to our DNS provider. Synology does not support cron jobs, so the script will throw an error when it tries to install its cron entry. We ignore this error (--force) and instead install the scheduled task manually using Synology Task Scheduler.

curl https://get.acme.sh | sh -s email=you@example.com --force

With ACME installed, the next step is to provide our Cloudflare Token and Account ID. Using this information and the domain name we created there, we can issue the certificate using a DNS-01 challenge.

export CF_Token="xxxxxxxx"

export CF_Account_ID="xxxxxxxx"

/root/.acme.sh/acme.sh --issue --dns dns_cf -d sub.yourdomain.com

This can take some time. But after it is completed we have the certificate on our NAS!

The next step is to install it into Synology’s certificate system. We will use a trick for this. First we create a dummy certificate and key and import them into DSM manually. You can run the following commands on your local machine.

openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt rsa_keygen_bits:2048

openssl req -new -x509 -key privkey.pem -out cert.pem -days 30 -subj "/CN=sub.yourdomain.com/O=temporary/C=NL"

After the private key and certificate have been created, import them into your NAS using the Control Panel. Once uploaded, we find out which ID DSM has assigned to this certificate.

cat /usr/syno/etc/certificate/_archive/INFO

Now we will replace the dummy certificate with the real certificate. The following command does just that. Notice how my ID was Nsdym0. After installing the certificate, nginx is reloaded.

/root/.acme.sh/acme.sh --install-cert -d sub.yourdomain.com \
--cert-file      /usr/syno/etc/certificate/_archive/Nsdym0/cert.pem \
--key-file       /usr/syno/etc/certificate/_archive/Nsdym0/privkey.pem \
--fullchain-file /usr/syno/etc/certificate/_archive/Nsdym0/fullchain.pem \
--reloadcmd     "synosystemctl reload nginx"
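The two steps above (reading the ID out of INFO and pointing --install-cert at that archive slot) are easy to get wrong by hand, and picking the wrong slot overwrites a certificate DSM is still using. The following helper, added here as an example and not part of the original post or of acme.sh, resolves the archive ID from the description you gave the dummy certificate in DSM, refuses to continue if that description is ambiguous, builds the install-cert argv without shell quoting, and checks that the private key in the slot is not group- or world-readable. It assumes the INFO file is a JSON object keyed by certificate ID with a "desc" field per entry (the sample below is constructed, not a real INFO file), and that the paths are the ones used in this article.

```python
import json
import os
import re
import shlex
import sys
from pathlib import Path

# Constructed sample shaped like /usr/syno/etc/certificate/_archive/INFO
# (assumed layout: one object per certificate ID with a "desc" and "services").
SAMPLE_INFO = json.dumps({
    "Nsdym0": {
        "desc": "tailscale dummy",
        "services": [{"display_name": "DSM Desktop Service",
                      "service": "default", "subscriber": "system"}],
    },
    "aBc123": {
        "desc": "synology.com default",
        "services": [],
    },
})

ARCHIVE_DIR = "/usr/syno/etc/certificate/_archive"   # path from the article
ACME_SH = "/root/.acme.sh/acme.sh"                     # path from the article
CERT_ID_RE = re.compile(r"^[A-Za-z0-9]+$")            # DSM IDs seen so far are alphanumeric


def find_cert_id(info_json: str, desc: str) -> str:
    """Return the archive ID whose DSM description equals `desc`.

    Raises LookupError unless exactly one certificate carries that description,
    so a typo or a duplicate description never selects the wrong slot.
    """
    info = json.loads(info_json)
    matches = [cid for cid, entry in info.items() if entry.get("desc") == desc]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one certificate described {desc!r}, found {matches}")
    cert_id = matches[0]
    if not CERT_ID_RE.match(cert_id):
        # Refuse IDs with path separators or dots; the ID becomes a directory name.
        raise ValueError(f"unexpected certificate id {cert_id!r}")
    return cert_id


def install_cert_argv(domain: str, cert_id: str, archive_dir: str = ARCHIVE_DIR) -> list[str]:
    """Build the acme.sh --install-cert call as an argv list (no shell quoting issues)."""
    slot = Path(archive_dir) / cert_id
    return [
        ACME_SH, "--install-cert", "-d", domain,
        "--cert-file", str(slot / "cert.pem"),
        "--key-file", str(slot / "privkey.pem"),
        "--fullchain-file", str(slot / "fullchain.pem"),
        "--reloadcmd", "synosystemctl reload nginx",
    ]


def key_mode_is_private(mode: int) -> bool:
    """True when no group or other permission bits are set (e.g. 0600, 0400)."""
    return (mode & 0o077) == 0


def key_file_is_private(path: str) -> bool:
    """Stat a private key on disk and apply key_mode_is_private to its mode bits."""
    return key_mode_is_private(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    # Usage on the NAS as root: python3 this.py sub.yourdomain.com "tailscale dummy"
    domain, desc = sys.argv[1], sys.argv[2]
    info_text = Path(ARCHIVE_DIR, "INFO").read_text()
    cert_id = find_cert_id(info_text, desc)
    argv = install_cert_argv(domain, cert_id)
    print(shlex.join(argv))
    key_path = argv[argv.index("--key-file") + 1]
    if os.path.exists(key_path) and not key_file_is_private(key_path):
        print(f"warning: {key_path} is readable by group/other", file=sys.stderr)
```

The script only prints the resolved command so you can compare it with the one above before running it. Note that after a successful issue, acme.sh keeps CF_Token and CF_Account_ID in /root/.acme.sh/account.conf for renewals, so /root/.acme.sh should stay readable by root only.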

Now you can use the certificate right from the Control Panel. The only thing left to do is make sure it is renewed automatically by adding a command to Synology Task Scheduler.

  1. Create a new Scheduled Task
  2. Select User-defined Script
  3. Give the task a name (acme.sh renew)
  4. Choose root as the user
  5. Repeat the task daily
  6. Enter the following line in the user-defined script section: /root/.acme.sh/acme.sh --cron --home /root/.acme.sh --log /var/log/acme.sh.log