-
-
Save catchdave/69854624a21ac75194706ec20ca61327 to your computer and use it in GitHub Desktop.
# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh |
i'm happy to provide more info.
It's just what i'm see after running your script.
Adhere to the infos (copy pem's to /tmp/ run the script. At that momernt only the orginal synology.com cert is there and afterwards the pem's get imported and the synolgy cert is gone.
You can test it by yourself with this solution: https://github.com/vdsm/virtual-dsm
I don't see that on my two synology machines, and this is the first I am hearing of this issue. If you can provide specific details on your actual machine(s) that can help understand what is happening, I'm happy to modify the script. Details about DSM version, other scripts that are running, state of your machine and directory listing before and after would be helpful.
which directories do you want, it's a fresh install ds1819+ with latest DSM only script is yours?
The directory before and after executing the script that contains the missing/changed certs you say get removed (ls -la
).
As much info you can provide - which specific files in which directory go missing, how does this look in the directory on the CLI, how does it look in the UI, etc.
Where is your default cert that goes missing located?
@mamema . This might be helpful to find all certs on your box: https://gist.github.com/catchdave/ff9c7d7a396a3201cfb14f912d3e5cda
�[1;97m�[1;100m| Filename | Valid From | Valid To | Domain | Issuer |�[0m
| �[0;95m/usr/syno/etc/certificate/smbftpd/ftpd �[0m |
| fullchain.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| cert.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| syno-ca-cert.pem | �[1;32mOct 30 10:20:16 2024 GMT �[0m | �[1;32mOct 31 10:20:16 2025 GMT �[0m | Synology Inc. CA | Synology Inc. |
| �[0;95m/usr/syno/etc/certificate/system/default �[0m |
| fullchain.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| cert.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| syno-ca-cert.pem | �[1;32mOct 30 10:20:16 2024 GMT �[0m | �[1;32mOct 31 10:20:16 2025 GMT �[0m | Synology Inc. CA | Synology Inc. |
| �[0;95m/usr/syno/etc/certificate/_archive/cSoecp �[0m |
| fullchain.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| cert.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| syno-ca-cert.pem | �[1;32mOct 30 10:20:16 2024 GMT �[0m | �[1;32mOct 31 10:20:16 2025 GMT �[0m | Synology Inc. CA | Synology Inc. |
| �[0;95m/usr/syno/etc/certificate/_archive �[0m |
| cert.pem | �[0;31mJan 4 08:27:06 2024 GMT �[0m | �[0;31mApr 3 08:27:05 2024 GMT �[0m | *.example.com | Let's Encrypt |
�[0;31m�[1m[WARN] No Valid Certs in: �[0m�[0;31m/usr/syno/etc/certificate/_archive/�[0m
| �[0;95m/usr/syno/etc/certificate/kmip/kmip �[0m |
| fullchain.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| cert.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| syno-ca-cert.pem | �[1;32mOct 30 10:20:16 2024 GMT �[0m | �[1;32mOct 31 10:20:16 2025 GMT �[0m | Synology Inc. CA | Synology Inc. |
| �[0;95m/usr/syno/etc/www/certificate/system_default �[0m |
| 152f89f2-20d5-4d1d-867c-d2b582b2313d.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| �[0;95m/usr/local/etc/certificate/LogCenter/pkg-LogCenter �[0m |
| fullchain.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| cert.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| syno-ca-cert.pem | �[1;32mOct 30 10:20:16 2024 GMT �[0m | �[1;32mOct 31 10:20:16 2025 GMT �[0m | Synology Inc. CA | Synology Inc. |
| �[0;95m/usr/local/etc/certificate/ScsiTarget/pkg-scsi-plugin-server �[0m |
| fullchain.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| cert.pem | �[1;32mOct 30 10:20:17 2024 GMT �[0m | �[1;32mOct 31 10:20:17 2025 GMT �[0m | synology | Synology Inc. |
| syno-ca-cert.pem | �[1;32mOct 30 10:20:16 2024 GMT �[0m | �[1;32mOct 31 10:20:16 2025 GMT �[0m | Synology Inc. CA | Synology Inc. |
�[1m=== Summary ===�[0m
�[1;97m�[1;100mTotal Directories �[0m | �[1m8 �[0m
�[1;97m�[1;100mTotal Certificates �[0m | �[1m20 �[0m
�[1;97m�[1;100mTotal Dirs w/ no valid cert �[0m | �[1m1 �[0m
�[1;97m�[1;100mTotal Valid Certs �[0m | �[1m19 �[0m
�[1;97m�[1;100mTotal InValid Certs �[0m | �[1m1 �[0m
all in all only Synology certs. And the remains of my trying import my own certs. They are lying around, but i've had already to reset the certs, as i said, the cert from synology wasn't shown in the security/cert gui area and the package manager wasn't working.
Perhaps this was a missundestanding, the certs are physically there on disk, but after runing your script, the synology one, wasn't shown in the security gui area of DSM
If the certs are physically there, I'm not sure besides maybe how services were restarted would affect the GUI.
I assume you tried restarting the machine?
of course. can i enable somew kind of debugging with your script?
@mamema - yes set a manual DEBUG flag in the script (change DEBUG=
line to DEBUG=1
). This will both print out manual debug statements and turn on set -x which will echo each command before execution.
As the comment threads for this once upon a time simple script ( 😄 ), I have moved this to a public repo instead. That way conversations about potential bugs can take place as issues.
See here: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh
I added a second domain to my Synology today and realized that with multiple certificates for different uses/destinations this got a bit more complex. I rewrote from scratch and it handles multiple certificates and their specific locations pretty well (work for a single cert as well)
https://github.com/telnetdoogie/synology-scripts/blob/main/check_certs.md
@mamema —which line of my script removes existing certs? It is simply a move, chown and restart.
If you’re having issues, please provide more details.