Skip to content

Instantly share code, notes, and snippets.

@telf3

telf3/README.md

Last active February 23, 2025 00:55
Show Gist options
  • Save telf3/ae1bae681d10ce37ec5645d362fcf9ef to your computer and use it in GitHub Desktop.
Save telf3/ae1bae681d10ce37ec5645d362fcf9ef to your computer and use it in GitHub Desktop.
Download ZIP
certbot-dns-cloudflare on asustor NAS
Raw
README.md

This will configure an Asustor NAS to use letsencrypt certificate without exposing it to the internet.
To achieve this we use certbot with DNS-01 challenge to Cloudflare.

  1. Setup cloudflare secret.
mkdir /volume1/system/letsencrypt
touch /volume1/system/letsencrypt/cloudflare.ini
chown root:root /volume1/system/letsencrypt
chmod 700 /volume1/system/letsencrypt
chmod 600 /volume1/system/letsencrypt/cloudflare.ini

Add the Cloudflare API key in this file: https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

  1. Place install.sh and adm.deploy.sh in /volume1/system/letsencrypt

  2. Run install.sh to setup pip and certbot-dns-cloudflare.

  3. Link script to letsencrypt deploy hook.

ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy/
  1. Generate certificate.
certbot certonly --config-dir=/volume0/usr/builtin/etc/letsencrypt \
  --dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
  --preferred-challenges dns-01 \
  -d nas.mydomain.com
  1. Add renew to crontab /var/spool/cron/crontabs/root
@reboot /volume1/system/letsencrypt/install.sh && /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew
0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew
Raw
adm-deploy.sh
#!/usr/bin/env bash
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renwal:
# /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
SOURCE=/volume0/usr/builtin/etc/letsencrypt/live/nas.domain.com # letsencrypt certificate
TARGET=/volume0/usr/etc/lighttpd # ADM lighttpd web server ssl cert target directory
cat $SOURCE/privkey.pem $SOURCE/cert.pem > $SOURCE/lighttpd.pem
cp -Lfv $SOURCE/lighttpd.pem $TARGET/lighttpd.pem
/etc/init.d/S41lighttpd restart
Raw
install.sh
#!/bin/sh
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
pip3 install certbot-dns-cloudflare
ln -s /volume1/.@plugins/AppCentral/python3/bin/certbot /usr/bin/certbot
Raw
reverseproxy-deploy.sh
#!/usr/bin/env bash
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renwal:
# /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
SOURCE=/volume0/usr/builtin/etc/letsencrypt/live/nas.domain.com # letsencrypt certificate
TARGET=/volume0/usr/builtin/etc/certificate
cat $SOURCE/privkey.pem $SOURCE/cert.pem > $SOURCE/ssl.pem
cp -Lfv $SOURCE/cert.pem $TARGET/ssl.crt
cp -Lfv $SOURCE/privkey.pem $TARGET/ssl.key
cp -Lfv $SOURCE/ssl.pem $TARGET/ssl.pem
pkill nginx
sleep 1
/volume0/usr/builtin/sbin/nginx -c /volume0/usr/builtin/etc/nginx_reverse_proxy/nginx.conf
@JigSawFr
Copy link

Working as expected thanks ! :)

To note; the path /volume1/system is not existing on my asustor.
Dropped files to /volume0/usr/builtin/etc/letsencrypt for the moment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment