The goal is to configure a Synology NAS to use a Let's Encrypt certificate without exposing the NAS to the internet.
To achieve this we use certbot with the DNS-01 challenge against Cloudflare: the challenge is satisfied by a TXT record, so no inbound port 80/443 is needed on the NAS.
- Run install.sh to install pip and certbot. You may need to run this again after DSM upgrades, which can remove packages installed outside the Synology package system.
- Set up the Cloudflare secret. The directory is 700 and the file is 600 so that only root can read the API credentials; certbot warns if the credentials file is readable by others.
    mkdir /volume1/system/letsencrypt
    touch /volume1/system/letsencrypt/cloudflare.ini
    chown -R root:root /volume1/system/letsencrypt
    chmod 700 /volume1/system/letsencrypt
    chmod 600 /volume1/system/letsencrypt/cloudflare.ini
  Add the Cloudflare API credentials to this file in the format described at https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials. Prefer a scoped API token limited to Zone:DNS:Edit on the zone of your NAS hostname over the account-wide global API key.
- Generate the certificate.
    certbot certonly --dns-cloudflare \
      --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
      -d nas.mydomain.com --preferred-challenges dns-01
- Save import_certs.sh and run it. It is a good idea to back up /usr/syno/etc/certificate first, so the DSM-managed certificates can be restored if the import goes wrong.
- Set up tasks in DSM Task Scheduler to run renew.sh daily and install.sh on boot; you can also use cron if you prefer.
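As an added example (not one of the repository's scripts), a POSIX shell preflight for the procedure above: it refuses to call certbot unless the credentials directory and file carry the permissions set in the setup step and the ini contains one of the two credential forms certbot-dns-cloudflare accepts (a scoped api_token, or the legacy email plus global api_key). The function names and the optional --dry-run pass-through are this example's own; root ownership is left to the chown above and is not checked here.

```shell
#!/bin/sh
# Preflight checks for the Cloudflare credentials file before calling certbot.
# Added example, not part of the original repository's scripts. The paths below
# match the README; the function names are assumptions of this example.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 if the directory is 700 and the credentials file is 600.
check_perms() {
  dir=$1; ini=$2
  [ -d "$dir" ] || { echo "missing dir $dir" >&2; return 1; }
  [ -f "$ini" ] || { echo "missing file $ini" >&2; return 1; }
  [ "$(mode_of "$dir")" = 700 ] || { echo "$dir must be mode 700" >&2; return 1; }
  [ "$(mode_of "$ini")" = 600 ] || { echo "$ini must be mode 600" >&2; return 1; }
  return 0
}

# Returns 0 if the ini contains either a scoped API token or the legacy
# email + global API key pair (the two forms certbot-dns-cloudflare accepts).
check_ini_keys() {
  ini=$1
  if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
    return 0
  fi
  if grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$ini" &&
     grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$ini"; then
    return 0
  fi
  echo "$ini has no dns_cloudflare_api_token (or email + api_key)" >&2
  return 1
}

# Run both checks, then issue the certificate. Extra arguments are passed to
# certbot, e.g. --dry-run to use the staging environment without consuming
# production rate limits.
issue_cert() {
  domain=$1; shift
  dir=/volume1/system/letsencrypt
  ini=$dir/cloudflare.ini
  check_perms "$dir" "$ini" && check_ini_keys "$ini" || return 1
  certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials "$ini" \
    --preferred-challenges dns-01 \
    -d "$domain" "$@"
}

# Usage: sh preflight.sh nas.mydomain.com [--dry-run]
if [ "$#" -gt 0 ]; then
  issue_cert "$@"
fi
```

Run it once with --dry-run after editing cloudflare.ini; a failed permission or credential check exits before any ACME request is made, so a misconfigured file never burns a Let's Encrypt rate-limit slot.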