# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh
I'm having a hard time renewing openvpn certificates from cli.
I copy the new {cert|fullchain|privkey}.pem to /usr/local/etc/certificate/VPNCenter/OpenVPN.
From the CLI, using the openssl command, I confirmed that these are valid.
Restart VPNCenter:
/usr/syno/bin/synopkg restart VPNCenter
and restart openvpn:
/var/packages/VPNCenter/target/scripts/openvpn.sh restart
The textfile /usr/local/etc/certificate/VPNCenter/OpenVPN/info seems to confirm that the location of the certs is indeed the one I just copied over:
{"certs":[{"cert":"/usr/local/etc/certificate/VPNCenter/OpenVPN/cert.pem","chain":"/usr/local/etc/certificate/VPNCenter/OpenVPN/fullchain.pem","key":"/usr/local/etc/certificate/VPNCenter/OpenVPN/privkey.pem"}],"service":"OpenVPN","subscriber":"VPNCenter"}
Yet my openvpn client states that the server certificate is expired.
It seems that the Synology openvpn-server is still using the old (expired) certificate.
What am I missing?
Thank you.
sudo /var/packages/VPNCenter/target/hook/CertReload.sh copy_cert_only
@telnetdoogie
Thank you so much; it's working now!
It is such a pain to restart Nginx on my NAS, because it also restarted so many packages, including Container Manager. I have massive containers, so it will take 10+ minutes to perform all the things. I hope there is a way to only let Nginx reload the certs, just like when you manually update a certificate and the procedure says "Restarting web server".
It is such a pain to restart Nginx on my NAS, because it also restarted so many packages, including Container Manager. I have massive containers, so it will take 10+ minutes to perform all the things. I hope there is a way to only let Nginx reload the certs, just like when you manually update a certificate and the procedure says "Restarting web server".
/usr/syno/bin/synow3tool --nginx=reload
will reload NGINX and take care of most things, and it's very fast.
However, depending on packages you have installed, it won't always regenerate new certs where they're needed. YMMV.
/usr/syno/bin/synow3tool --nginx=reload
will reload NGINX and take care of most things, and it's very fast.
It does nothing for me, unfortunately. I went to Lego ACME + a custom script just for better ACME support, like ARI or profiles.
Now I have to go back to using acme.sh again, because its deploy hook uses Syno's API to replace the certificates, which makes the system reload the certificate without any problems or downtime.
I've struggled with similar stuff. It's possible you originally uploaded the wrong files? (and I think synology changed this slightly too)
For "Private Key" in DSM, upload
privkey.pem
For "Certificate" upload
cert.pem
Do not upload the intermediate certificate
See if that helps.
It also works (differently) with:
For "Private Key" in DSM, upload
privkey.pem
For "Certificate" upload
fullchain.pem
For "Intermediate Certificate" upload
chain.pem
However I've run into issues with this second setup so I avoid it; perhaps this is the route you took originally... Synology does strange things. I only move privkey and cert.pem in my setup, ignoring fullchain. But it changes based on what you originally uploaded into DSM.
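
Added example, not part of the gist or of any comment above: a pre-deployment check that a cert.pem / privkey.pem / fullchain.pem set (file names as used in the thread) is unexpired, that the key matches the certificate, and that fullchain.pem begins with the leaf certificate. It assumes the `openssl` CLI is available; the function names, the validity threshold and the demo host name are hypothetical.

```bash
#!/bin/sh
# Added example (not from the gist): pre-deployment check of a certificate set.
# File names follow the thread; function names and the threshold are assumptions.

# check_cert_set DIR [MIN_VALID_SECONDS]
# Prints one line per problem; returns 0 only if the set is consistent.
check_cert_set() {
    ccs_dir=$1
    ccs_min=${2:-0}
    ccs_rc=0

    # 1. cert.pem must still be valid MIN_VALID_SECONDS from now.
    if ! openssl x509 -in "$ccs_dir/cert.pem" -noout -checkend "$ccs_min" >/dev/null 2>&1; then
        echo "cert.pem expires within ${ccs_min}s or is unreadable"
        ccs_rc=1
    fi

    # 2. privkey.pem must hold the private half of the key in cert.pem.
    ccs_cert_pub=$(openssl x509 -in "$ccs_dir/cert.pem" -noout -pubkey 2>/dev/null)
    ccs_key_pub=$(openssl pkey -in "$ccs_dir/privkey.pem" -pubout 2>/dev/null)
    if [ -z "$ccs_cert_pub" ] || [ "$ccs_cert_pub" != "$ccs_key_pub" ]; then
        echo "privkey.pem does not match cert.pem"
        ccs_rc=1
    fi

    # 3. The first certificate in fullchain.pem must be the leaf in cert.pem
    #    (openssl x509 reads only the first PEM block of a file).
    ccs_leaf=$(openssl x509 -in "$ccs_dir/cert.pem" -noout -fingerprint -sha256 2>/dev/null)
    ccs_first=$(openssl x509 -in "$ccs_dir/fullchain.pem" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$ccs_leaf" ] || [ "$ccs_leaf" != "$ccs_first" ]; then
        echo "fullchain.pem does not start with cert.pem"
        ccs_rc=1
    fi
    return "$ccs_rc"
}

# Constructed sample input: a throwaway self-signed set valid for one day.
make_demo_set() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=nas.example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1 &&
    cp "$1/cert.pem" "$1/fullchain.pem"
}
```

Running `check_cert_set` against the directory you are about to copy from catches a mismatched or stale file set before any service is restarted; it does not tell you which certificate a running service is actually presenting.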