certbot-dns-cloudflare on asustor NAS

README.md

This will configure an Asustor NAS to use a Let's Encrypt certificate without exposing it to the internet.
To achieve this, we use Certbot with the DNS-01 challenge via Cloudflare.

I'm placing my configuration in /volume1/system. Feel free to change this to whatever location you prefer.

1. Set up Cloudflare credentials.

mkdir /volume1/system/letsencrypt
touch /volume1/system/letsencrypt/cloudflare.ini
chown root:root /volume1/system/letsencrypt
chmod 700 /volume1/system/letsencrypt
chmod 600 /volume1/system/letsencrypt/cloudflare.ini

Add your Cloudflare API key to cloudflare.ini as described here:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

2. Place install.sh and adm-deploy.sh in /volume1/system/letsencrypt

3. Run install.sh to setup pip and certbot-dns-cloudflare.

4. Link adm-deploy.sh to letsencrypt deploy hook.

ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy/

4. Generate the certificate.
   Make sure to change nas.mydomain.com in adm-deploy.sh and in the below command to your FQDN

certbot certonly --config-dir=/volume0/usr/builtin/etc/letsencrypt \
  --dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
  --preferred-challenges dns-01 \
  -d nas.mydomain.com

5. Add renew to crontab, run crontab -e as root.

@reboot /volume1/system/letsencrypt/install.sh && /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew
0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew

adm-deploy.sh

#!/usr/bin/env bash 
 
# Asustor NAS Let's Encrypt certificate renewal deploy shell script. 
# Place in this directory to run on successful renwal: 
# /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy 
# Certbot docs: https://certbot.eff.org/docs/using.html 
 
SOURCE=/volume0/usr/builtin/etc/letsencrypt/live/nas.domain.com # letsencrypt certificate 
TARGET=/volume0/usr/etc/lighttpd # ADM lighttpd web server ssl cert target directory 
 
cat $SOURCE/privkey.pem $SOURCE/cert.pem > $SOURCE/lighttpd.pem 
cp -Lfv $SOURCE/lighttpd.pem $TARGET/lighttpd.pem 
 
/etc/init.d/S41lighttpd restart

install.sh

#!/bin/sh
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
pip3 install certbot-dns-cloudflare
ln -s /volume1/.@plugins/AppCentral/python3/bin/certbot /usr/bin/certbot

reverseproxy-deploy.sh

#!/usr/bin/env bash

# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renwal:
# /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html

SOURCE=/volume0/usr/builtin/etc/letsencrypt/live/nas.domain.com # letsencrypt certificate
TARGET=/volume0/usr/builtin/etc/certificate

cat $SOURCE/privkey.pem $SOURCE/cert.pem > $SOURCE/ssl.pem
cp -Lfv $SOURCE/cert.pem  $TARGET/ssl.crt
cp -Lfv $SOURCE/privkey.pem $TARGET/ssl.key
cp -Lfv $SOURCE/ssl.pem $TARGET/ssl.pem

pkill nginx
sleep 1
/volume0/usr/builtin/sbin/nginx -c /volume0/usr/builtin/etc/nginx_reverse_proxy/nginx.conf

Working as expected thanks ! :)

To note; the path /volume1/system is not existing on my asustor.
Dropped files to /volume0/usr/builtin/etc/letsencrypt for the moment.

For ADM 5.0, replace /volume0/usr/builtin/etc/letsencrypt/ with /volume0/usr/builtin/etc/certificate/letsencrypt/.

Also, you'll need to create the renewal hooks folder, I just used this commmand:

mkdir -p /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/ && ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/