# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh
@mamema - yes, set a manual DEBUG flag in the script (change the `DEBUG=` line to `DEBUG=1`). This will both print out manual debug statements and turn on `set -x`, which will echo each command before execution.
As the comment threads for this once-upon-a-time simple script have grown ( 😄 ), I have moved this to a public repo instead. That way, conversations about potential bugs can take place as issues.
See here: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh
I added a second domain to my Synology today and realized that with multiple certificates for different uses/destinations this got a bit more complex. I rewrote it from scratch and it handles multiple certificates and their specific locations pretty well (works for a single cert as well).
https://github.com/telnetdoogie/synology-scripts/blob/main/check_certs.md
Well, that's interesting. It looks like in my case restarting webstation didn't update certificates, but maybe I was just in too much of a hurry and didn't leave enough time for the sync to happen. I will try to investigate it more, but I'm not sure if I will find time to play around with it in the next few weeks. But I will try to find some time in the evenings. I will definitely let you know the results.
So finally I found some time for testing. I found out that webstation doesn't use new certificates if I don't restart the NAS. I will try to find some way to do it without a restart.
@tfilo Hi Tomáš, did you ever figure this out? I'm quite new to the whole SSH thing but managed to get the certificates nicely copied to my NAS etc., but... it doesn't use them. I don't like restarting nginx as it also force-closes my virtual machines. But I cannot figure out how to reload some services that will actually replace the old certificate with the new one and start using it. Neither can ChatGPT :-D
```sh
/usr/syno/bin/synow3tool --nginx=reload
```
will reload nginx configs and certificates.
```sh
/usr/syno/bin/synopkg restart "package_name"
```
restarts packages.
```sh
/usr/syno/bin/synow3tool --gen-all
```
will regen certs if needed in 'other' packages.
For almost every case I've found, DSM does not need to be restarted.
Thanks for that quick reply! In that case, I'm doing something wrong I think... Linux is really not my thing (and I must admit, I love ChatGPT, it's been really helpful so far!) so I'm a bit lost here...
For the moment I created the following script:
```sh
#!/bin/bash
# Define paths to certificate and key files on the Debian VM
CERT_PATH="/etc/letsencrypt/live/mydomain.com/fullchain.pem"
KEY_PATH="/etc/letsencrypt/live/mydomain.com/privkey.pem"
SSH_KEY="/home/myusername/.ssh/certbot_key"

# Define the target directory on the NAS (mounted SMB share)
NAS_SHARE="/mnt/debian/certificates/mydomain.com"

# Define the target directory in Synology's system certificates
NAS_USER="certification_bot"
NAS_IP="192.168.1.1"
NAS_CERT_DIR="/usr/syno/etc/certificate/system/default"

# Ensure the target directory exists (on the SMB share)
mkdir -p "$NAS_SHARE"

# Copy certificates to NAS share
cp "$CERT_PATH" "$NAS_SHARE/fullchain.pem"
cp "$KEY_PATH" "$NAS_SHARE/privkey.pem"

# Now, move the certificates from the SMB share to the Synology system director>
ssh -i "$SSH_KEY" "$NAS_USER@$NAS_IP" << 'EOF'
sudo cp "/volume1/vm-share/certificates/mydomain.com/ful>
sudo cp "/volume1/vm-share/certificates/mydomain.com/pri>
sudo synow3tool --restart-dsm-service
EOF
```
Domain names, directories and usernames are fictional.
I have tried with `--restart-dsm-service` as well as `--nginx=reload`, and some other ways, but I'm not getting the result I expect.
When I run the following on my NAS:
```sh
ls -l /usr/syno/etc/certificate/system/default/
```
I get the folder with the 2 files that I just copied over, but also two other files with a different timestamp. If I import the files through DSM, all 4 files have the same timestamp, but that is not the case here.
```
ls -l /usr/syno/etc/certificate/system/default/
total 16
-r-------- 1 root root 2851 Feb 19 01:48 cert.pem
-r-------- 1 root root 2851 Feb 19 01:54 fullchain.pem
-rw------- 1 root root  240 Feb 19 01:48 info
-r-------- 1 root root  241 Feb 19 01:54 privkey.pem
```
In this case, at 1:48 I replaced my certificate through DSM, which worked.
At 1:54 I ran my script, which copied the fullchain.pem and privkey.pem files correctly, but then nothing. Reloading nginx didn't do the trick. Or is it just not necessary???
I have the feeling there is an intermediate step missing, one that reads the certificates and installs them or so, before restarting/reloading the server. Or maybe I am looking at this completely wrong... thanks again for looking at it :-)
I've struggled with similar stuff. It's possible you originally uploaded the wrong files? (and I think Synology changed this slightly too)
- For "Private Key" in DSM, upload privkey.pem
- For "Certificate" upload cert.pem
- Do not upload the intermediate certificate

See if that helps.
It also works (differently) with:
- For "Private Key" in DSM, upload privkey.pem
- For "Certificate" upload fullchain.pem
- For "Intermediate Certificate" upload chain.pem

However, I've run into issues with this second setup, so I avoid it; perhaps this is the route you took originally... Synology does strange things. I only move privkey and cert.pem in my setup, ignoring fullchain. But it changes based on what you originally uploaded into DSM.
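As an added example (not from the gist and not from anyone in this thread): a check for the "copied but not in use" symptom above. It confirms that privkey.pem actually belongs to cert.pem and that the certificate a DSM service presents on the wire is the one now on disk. The NAS host, the DSM HTTPS port 5001 and the system certificate directory are assumptions; adjust them for your setup.

```shell
#!/bin/bash
# Added example, not code from the gist or this thread. Verifies that the
# certificate files copied into a DSM certificate directory are consistent and
# are really the ones a service serves. Host/port/paths are assumptions.
set -u

# SHA-256 fingerprint of the first certificate in a PEM file, e.g. AA:BB:...
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents.
served_cert_fingerprint() {  # host port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the key's public half equals the certificate's public key.
key_matches_cert() {  # key_file cert_file
    local k c
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the served certificate is the one on disk, 1 when stale.
cert_in_use() {  # cert_file host port
    local disk served
    disk=$(cert_file_fingerprint "$1")
    served=$(served_cert_fingerprint "$2" "$3")
    [ -n "$disk" ] && [ "$disk" = "$served" ]
}

# Check the DSM system certificate directory from the thread against the DSM
# HTTPS port (5001 is the default; directory and port are assumptions).
check_dsm_cert() {  # host [port] [cert_dir]
    local host=$1 port=${2:-5001} dir=${3:-/usr/syno/etc/certificate/system/default}
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" \
        || { echo "privkey.pem does not match cert.pem in $dir"; return 2; }
    if cert_in_use "$dir/cert.pem" "$host" "$port"; then
        echo "OK: $host:$port serves the certificate in $dir"
    else
        echo "STALE: $host:$port serves a different certificate; reload the service"
        return 1
    fi
}

# Example invocation (placeholder host); only runs when NAS_HOST is set.
if [ -n "${NAS_HOST:-}" ]; then check_dsm_cert "$NAS_HOST" "${NAS_PORT:-5001}"; fi
```

Run it as `NAS_HOST=nas.example.invalid ./check_dsm_cert.sh` on the NAS after copying the files; a STALE result with a matching key pair means the files are fine and only the reload step is missing.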
I'm having a hard time renewing OpenVPN certificates from the CLI.
I copy the new {cert|fullchain|privkey}.pem to `/usr/local/etc/certificate/VPNCenter/OpenVPN`.
From the CLI, using the openssl command, I confirmed that these are valid.
Restart VPNCenter:
```sh
/usr/syno/bin/synopkg restart VPNCenter
```
and restart OpenVPN:
```sh
/var/packages/VPNCenter/target/scripts/openvpn.sh restart
```
The text file `/usr/local/etc/certificate/VPNCenter/OpenVPN/info` seems to confirm that the location of the certs is indeed the one I just copied over:
```json
{
  "certs": [
    {
      "cert": "/usr/local/etc/certificate/VPNCenter/OpenVPN/cert.pem",
      "chain": "/usr/local/etc/certificate/VPNCenter/OpenVPN/fullchain.pem",
      "key": "/usr/local/etc/certificate/VPNCenter/OpenVPN/privkey.pem"
    }
  ],
  "service": "OpenVPN",
  "subscriber": "VPNCenter"
}
```
Yet my OpenVPN client states that the server certificate is expired.
It seems that the Synology OpenVPN server is still using the old (expired) certificate.
What am I missing?
Thank you.
```sh
sudo /var/packages/VPNCenter/target/hook/CertReload.sh copy_cert_only
```
@telnetdoogie
Thank you so much; it's working now!
Of course. Can I enable some kind of debugging with your script?