Skip to content

Instantly share code, notes, and snippets.

@telf3

telf3/README.md

Last active July 24, 2025 14:59
Show Gist options
  • Save telf3/5d6484a713a4661683aa8f0c0a6b4d4d to your computer and use it in GitHub Desktop.
Save telf3/5d6484a713a4661683aa8f0c0a6b4d4d to your computer and use it in GitHub Desktop.
Download ZIP
certbot-dns-cloudflare on DSM 7
Raw
README.md

The goal is to configure Synology NAS to use letsencrypt certificate without exposing it to the internet.
To achieve this we use certbot with DNS-01 challenge to Cloudflare.

  1. Run install.sh to install pip and certbot. You may need to run this again after DSM upgrades.

  2. Setup cloudflare secret.

mkdir /volume1/system/letsencrypt
touch /volume1/system/letsencrypt/cloudflare.ini
chown root:root /volume1/system/letsencrypt
chmod 700 /volume1/system/letsencrypt
chmod 600 /volume1/system/letsencrypt/cloudflare.ini

Add the Cloudflare API key in this file: https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

  1. Generate certificate.
certbot certonly --dns-cloudflare \
   --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
   -d nas.mydomain.com --preferred-challenges dns-01

  1. Save import_certs.sh and run it.
    It's a good idea to backup /usr/syno/etc/certificate first.

  2. Setup tasks in DSM Task Scheduler to run renew.sh daily and install.sh on boot, you can also use cron if you prefer.

Raw
import_certs.sh
#!/bin/sh
CERT=nas.mydomain.com
REVERSE_PROXY=/usr/syno/etc/certificate/ReverseProxy
DEFAULT_DIR=
DEFAULT_DIR_NAME=$(cat /usr/syno/etc/certificate/_archive/DEFAULT)
if [ "DEFAULT_DIR_NAME" != "" ]; then
DEFAULT_DIR="/usr/syno/etc/certificate/_archive/${DEFAULT_DIR_NAME}"
fi
# Copy certs from letsencrypt to install directory
cp /etc/letsencrypt/live/$CERT/{privkey,fullchain,cert}.pem /usr/syno/etc/certificate/system/default/
# Ensure correct permissions
chown root:root /usr/syno/etc/certificate/system/default/{privkey,fullchain,cert}.pem
# Replace certs for default Application Portal (if found)
if [ -d "$DEFAULT_DIR" ]; then
cp /usr/syno/etc/certificate/system/default/{privkey,fullchain,cert}.pem "$DEFAULT_DIR/"
chown root:root "$DEFAULT_DIR/"{privkey,fullchain,cert}.pem
else
echo "Did not find Application Portal dir: $DEFAULT_DIR_NAME"
fi
# Replace certs for all reverse proxy servers (if exists)
if [ -d "$REVERSE_PROXY" ]; then
for proxy in $(ls "$REVERSE_PROXY"); do
cp /usr/syno/etc/certificate/system/default/{privkey,fullchain,cert}.pem "$REVERSE_PROXY/$proxy"
chown root:root "$REVERSE_PROXY/$proxy/"{privkey,fullchain,cert}.pem
done
else
echo "No reverse proxy directory found"
fi
echo "Certs moved."
# Restart synology services
echo -n "Restarting..."
/usr/syno/bin/synosystemctl restart nginx
/usr/syno/bin/synosystemctl restart avahi
echo " done"
Raw
install.sh
#!/bin/bash
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
pip install certbot-dns-cloudflare
Raw
renew.sh
#!/bin/sh
/bin/certbot renew --post-hook "/volume1/system/letsencrypt/import_certs.sh"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment