# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh
I've struggled with similar stuff. It's possible you originally uploaded the wrong files? (and I think synology changed this slightly too)
For "Private Key" in DSM, upload privkey.pem
For "Certificate" upload cert.pem
Do not upload the intermediate certificate
See if that helps.
It also works (differently) with:
For "Private Key" in DSM, upload privkey.pem
For "Certificate" upload fullchain.pem
For "Intermediate Certificate" upload chain.pem
However I've run into issues with this second setup so I avoid it; perhaps this is the route you took originally... Synology does strange things. I only move privkey and cert.pem in my setup, ignoring fullchain. But it changes based on what you originally uploaded into DSM.
I'm having a hard time renewing openvpn certificates from cli.
I copy new {cert|fullchain|privkey}.pem to usr/local/etc/certificate/VPNCenter/OpenVPN
From the CLI, using the openssl command, I confirmed that these are valid
restart VPNCenter:
/usr/syno/bin/synopkg restart VPNCenter
and restart openvpn:
/var/packages/VPNCenter/target/scripts/openvpn.sh restart
The textfile /usr/local/etc/certificate/VPNCenter/OpenVPN/info seems to confirm that the location of the certs is indeed the one I just copied over:
{"certs":[{"cert":"/usr/local/etc/certificate/VPNCenter/OpenVPN/cert.pem","chain":"/usr/local/etc/certificate/VPNCenter/OpenVPN/fullchain.pem","key":"/usr/local/etc/certificate/VPNCenter/OpenVPN/privkey.pem"}],"service":"OpenVPN","subscriber":"VPNCenter"}
Yet my openvpn client states that the server certificate is expired.
It seems that synology openvpn-server is still using the old (expired) certificate.
What am I missing?
Thank you.
sudo /var/packages/VPNCenter/target/hook/CertReload.sh copy_cert_only
@telnetdoogie
Thank you so much; it's working now!
Thanks for that quick reply! In that case, I'm doing something wrong I think... Linux is really not my thing (and I must admit, I love ChatGPT, it's been really helpful so far!) so I'm a bit lost here...
For the moment I created the following script:
Domain names, directories and usernames are fictional.
I have tried with --restart-dsm-service as well as --nginx=reload, and some other ways, but I'm not getting the result I expect.
When I run the following on my NAS:
ls -l /usr/syno/etc/certificate/system/default/
I get the folder with the 2 files that I just copied over, but also two other files with a different timestamp. If I import the files through DSM, all 4 files have the same timestamp but that is not the case here.
ls -l /usr/syno/etc/certificate/system/default/
In this case, at 1:48 I replaced my certificate through DSM, which worked.
At 1:54 I ran my script which copied the fullchain.pem and privkey.pem files correctly, but then nothing. Reloading nginx didn't do the trick. Or is it just not necessary???
I have the feeling there is an intermediate step missing, one that reads the certificates and installs them or so, before restarting/reloading the server. Or maybe I am looking at this completely wrong... thanks again for looking at it :-)
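Both threads above run into the same symptom: the new PEM files are on disk, but the running service still presents the old certificate until the reload hook actually runs. The check below is an added example (not part of the gist or the comments) that compares the SHA-256 fingerprint of the on-disk cert with the one a live TLS listener presents, so you can tell "copied but not loaded" from "loaded". Host name, port 5001 (DSM's default HTTPS port) and the cert paths are assumptions taken from the thread; it works for DSM/nginx, not for OpenVPN, whose listener does not speak plain TLS to openssl s_client.

```shell
#!/bin/sh
# Added example: verify that a Synology service serves the certificate on disk.
# Uses the openssl binary already present on DSM. Paths/host are assumptions.

# SHA-256 fingerprint of a PEM certificate file (e.g. the cert.pem you copied in).
disk_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate presented by a live listener ($1 = host:port).
served_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare two fingerprints ignoring case and colons; returns 0 on match, 1 otherwise.
# Empty input never matches, so a failed openssl call cannot look like success.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'abcdef' 'ABCDEF')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Report whether the listener has picked up the on-disk cert ($1 = cert file, $2 = host:port).
check_service() {
    want=$(disk_fingerprint "$1")
    got=$(served_fingerprint "$2")
    if fingerprint_matches "$want" "$got"; then
        echo "OK    $2 serves $1"
    else
        echo "STALE $2 serves [$got], disk has [$want]: run the reload hook and re-check"
        return 1
    fi
}

# Example invocation (assumed host and the DSM default cert path from the thread):
# check_service /usr/syno/etc/certificate/system/default/cert.pem nas.example.com:5001
```

Run it once before and once after the reload step; if the second run still reports STALE, the files were copied but nothing reloaded them.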