Wildcard certificates on SynologyDSM with DuckDNS and Let's Encrypt

I finally took the time to set up wildcard certificates and wanted to share the setup process with the awesome HA community :heart:

Background

I’m using the reverse proxy on Synology and my wife was having problems accessing the Blue Iris web page and other services that were behind the reverse proxy, mainly because the browser complained about the cert not being trusted and you have to manually override that. Too much of a struggle.

The solution is to issue wildcard certs, but unfortunately Synology only supports that for its own DDNS from the web GUI. So instead we will issue the certs with acme.sh and then deploy them to Synology. acme.sh should also let us avoid exposing port 80 for cert renewal, but I haven’t tested this. Please share your findings in the comments.

For this guide I’m basically using the official guide on:

Installation of acme.sh

$ sudo su
$ cd ~
$ wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
$ tar xvf master.tar.gz
$ cd acme.sh-master/
# --home keeps the script, the account and all certificate state under /usr/local/share/acme.sh
# --nocron skips the installer's crontab entry; renewal is scheduled from DSM Task Scheduler below
$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "[email protected]"
# the installer adds an acme.sh alias to the shell profile; load it in this shell
$ source ~/.profile

Creating the certificate

Get your token by logging into DuckDNS.

$ cd /usr/local/share/acme.sh
$ export DuckDNS_Token="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

The dns_duckdns hook uses this token with the DuckDNS update API to publish the _acme-challenge TXT record for the DNS-01 challenge. That is the only challenge Let's Encrypt accepts for wildcard names, and it needs no inbound connection to the NAS. The wildcard name must be listed with its own -d, quoted so the shell does not expand the asterisk:

$ acme.sh --issue --dns dns_duckdns -d mydomain.duckdns.org -d '*.mydomain.duckdns.org'

The acme.sh DNS API notes say that --insecure may be needed with DuckDNS because of the certificate on its API endpoint (StartSSL at the time they were written). That flag turns off TLS verification of the call to DuckDNS, so try without it first and add it only if the hook fails with a certificate error. Two more things to know: DuckDNS stores a single TXT value per domain (its update API only has txt= and clear=), while Let's Encrypt validates the bare name and the wildcard with different tokens at the same _acme-challenge name, so if validation of the bare name fails for that reason, issue the wildcard name on its own and put the services on subdomains, which the wildcard covers. And since acme.sh 3.0 the default CA is ZeroSSL, which requires registered EAB credentials; for Let's Encrypt either switch the default CA once or add --server letsencrypt to the issue command.

I had a little bit of a problem with this step and got the error:
No EAB credentials found for ZeroSSL.
After changing the default CA server to Let's Encrypt it worked fine:
/usr/local/share/acme.sh/acme.sh --set-default-ca --server letsencrypt --home /usr/local/share/acme.sh

Deploy the default certificate

We will use the synology_dsm deploy hook that ships with acme.sh. With SYNO_Certificate set to an empty string it replaces DSM's default certificate (the self-signed one the browser was complaining about); to deploy into a separate certificate entry instead, set SYNO_Certificate to that entry's description. The hook logs in to DSM with the admin account you give it, so use an account without a second factor unless you also configure the hook's 2FA options, and be aware that acme.sh saves the SYNO_* values into the domain's .conf under the acme.sh home so that renewals can redeploy without prompting; keep that directory readable by root only. The mixed-case variable names below are those of older releases of the hook; current releases use upper-case names (SYNO_USERNAME, SYNO_PASSWORD, SYNO_CERTIFICATE), so check the header comments of deploy/synology_dsm.sh in your copy.

$ cd /usr/local/share/acme.sh
# Single quotes prevent escaping issues if your password or username contains certain special characters
$ export SYNO_Username='Admin_Username'
$ export SYNO_Password='Admin_Password!123'
# You must specify SYNO_Certificate, for the default certificate, we use an empty string
# Please be aware that the empty string only works if you haven't added/changed the description for
# the default certificate. If you have, you'll need to specify the description here.
$ export SYNO_Certificate=""
$ ./acme.sh --deploy --home . -d mydomain.duckdns.org --deploy-hook synology_dsm

Check the certificate in Synology DSM

Now we should be able to see our new wildcard cert in Synology DSM under Control Panel > Security > Certificate, and a browser opening one of the proxied services should show no warning. If DSM still shows the old certificate, check that SYNO_Certificate matched the description of the certificate you meant to replace.

Configuring Certificate Renewal

To auto-renew the certificates in the future, you need to configure a task in the Task Scheduler. It is not advised to set this up as a custom cron job (as some guides do), because the DSM Security Advisor will then raise a critical warning about unknown cron job(s).

In DSM control panel, open the ‘Task Scheduler’ and create a new scheduled task for a user-defined script.

  • General Setting: Task - Update default Cert. User - root
  • Schedule: Setup a weekly renewal. For example, 11:00 am every saturday.
  • Task setting: User-defined-script:
# renew certificates (full path: the acme.sh alias from ~/.profile is not available to a scheduled task)
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/

acme.sh --cron only renews certificates that are at least 60 days old by default, and because the deploy hook and its SYNO_* settings were saved with the domain, a renewal re-runs the deployment to DSM automatically. After creating the task, run it once from the Task Scheduler and check its output (or acme.sh --list, which shows the next renewal date) before relying on it.
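As a check for both the "Check the certificate in Synology DSM" step above and the renewal task, here is an added example script (not from the original post, acme.sh or Synology) that fetches the certificate a host serves and verifies that it covers the wildcard and the bare name, chains to a trusted CA, and has more than 30 days left. It assumes the openssl CLI (1.1.1 or newer, for -ext and -addext); mydomain.duckdns.org, the host names and port 443 are placeholder assumptions. The --demo mode runs the same checks on a constructed self-signed sample so it works offline.

```shell
#!/bin/sh
# Added example, not code from the original post, acme.sh or Synology.
# Checks that the certificate a host serves is the expected wildcard cert,
# chains to a trusted CA and is not close to expiry. Needs only the openssl
# CLI (1.1.1 or newer). Host names, ports and file names are assumptions.

# Print the leaf certificate a TLS server presents, as PEM.
# Usage: fetch_served_cert blueiris.mydomain.duckdns.org 443 > served.pem
fetch_served_cert() {
    host=$1
    port=${2:-443}
    # -servername sends SNI so a reverse proxy picks the right virtual host
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    # openssl prints "DNS:*.mydomain.duckdns.org, DNS:mydomain.duckdns.org"
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if certificate file $1 lists every name given as $2... in its SAN.
cert_covers() {
    certfile=$1
    shift
    names=$(cert_dns_names "$certfile")
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# Succeed only if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Succeed only if the certificate in $1 chains to a CA in the system trust
# store. DSM's factory self-signed certificate fails this; a Let's Encrypt
# certificate passes.
cert_trusted() {
    openssl verify "$1" >/dev/null 2>&1
}

# Run all three checks for base domain $2 on certificate file $1 and report.
# Returns 0 only if everything passed.
check_wildcard_cert() {
    certfile=$1
    base=$2
    status=0
    if cert_covers "$certfile" "*.$base" "$base"; then
        echo "SAN ok: *.$base and $base"
    else
        echo "SAN does not cover *.$base and $base (was the wildcard -d passed to acme.sh?)"
        status=1
    fi
    if cert_valid_for_days "$certfile" 30; then
        echo "expiry ok: more than 30 days left"
    else
        echo "expires within 30 days: the renewal task is not renewing or not redeploying"
        status=1
    fi
    if cert_trusted "$certfile"; then
        echo "chain ok: trusted by the system CA store"
    else
        echo "chain not trusted (still the self-signed DSM certificate?)"
        status=1
    fi
    return $status
}

# Constructed sample for an offline dry run: a self-signed wildcard cert valid
# for 90 days. SAN and expiry checks pass on it, the chain check fails.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$1.key" -out "$1" \
        -subj '/CN=*.mydomain.duckdns.org' \
        -addext 'subjectAltName=DNS:*.mydomain.duckdns.org,DNS:mydomain.duckdns.org' \
        >/dev/null 2>&1
}

# Usage: sh verify-wildcard.sh <host> <base domain> [port]   (live check)
#        sh verify-wildcard.sh --demo                         (offline sample)
case "${1:-}" in
    --demo)
        dir=$(mktemp -d)
        make_sample_cert "$dir/sample.pem"
        check_wildcard_cert "$dir/sample.pem" mydomain.duckdns.org
        rm -rf "$dir"
        ;;
    "") ;;  # no arguments: only define the functions (e.g. when sourced)
    *)
        dir=$(mktemp -d)
        fetch_served_cert "$1" "${3:-443}" > "$dir/served.pem"
        check_wildcard_cert "$dir/served.pem" "$2"
        rm -rf "$dir"
        ;;
esac
```

Run it against DSM itself (port 5001) and against each service behind the reverse proxy after the first deployment, and again after the scheduled task has had a chance to renew: a renewal that ran but did not redeploy shows up as an unchanged expiry date, and a bare name that failed DNS validation shows up as a missing SAN entry.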

That's it!
You should now be able to enjoy wildcard certs with DuckDNS! :tada: :star: :champagne: