@troyfontaine
Forked from telf3/README.md
Last active February 4, 2025 00:55
certbot-dns-cloudflare on Asustor NAS running ADM 5

This configures an Asustor NAS running ADM 5 to use a Let's Encrypt-issued certificate without exposing the NAS to the internet: certbot completes the ACME DNS-01 challenge through the Cloudflare API (the certbot-dns-cloudflare plugin) instead of requiring port forwarding for an HTTP-01 challenge. It requires the Python 3 package from App Central (install.sh symlinks its certbot binary into /usr/bin) and SSH access to the NAS. Keep in mind that the Cloudflare credential stored on the NAS can rewrite DNS for your zone, so scope it as narrowly as possible (step 3) and keep it readable by root only.

  1. Elevate the terminal to root
sudo su
  2. Set up the required directories. Everything under /volume0/usr/builtin/etc/certificate/letsencrypt is certbot's config directory (account key, private keys, renewal configs and hooks), so keep it root-only.
mkdir -p /volume1/system/letsencrypt
chown root:root /volume1/system/letsencrypt
chmod 700 /volume1/system/letsencrypt
mkdir -p /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy
chown -R root:root /volume0/usr/builtin/etc/certificate/letsencrypt
chmod -R 700 /volume0/usr/builtin/etc/certificate/letsencrypt
  3. Set up the Cloudflare credentials
touch /volume1/system/letsencrypt/cloudflare.ini
chmod 600 /volume1/system/letsencrypt/cloudflare.ini

Add the Cloudflare credential following the plugin documentation: https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials. Prefer a scoped API token (dns_cloudflare_api_token) restricted to Zone:DNS:Edit on the zone the NAS lives in over the legacy Global API key (dns_cloudflare_email / dns_cloudflare_api_key): the Global API key grants full control of the whole Cloudflare account, and this file lives permanently on the NAS. Keep the file mode 600; certbot warns when the credentials file is group- or world-readable.

  4. Copy the other two files in this gist (install.sh and adm-deploy.sh) to /volume1/system/letsencrypt (vi is available on the NAS) and make them executable (chmod 700): the cron job in step 8 runs install.sh directly, and certbot only runs deploy hooks that are executable.

  5. Run install.sh to set up pip, certbot and the certbot-dns-cloudflare plugin.

cd /volume1/system/letsencrypt
sh install.sh
  6. Link adm-deploy.sh into certbot's deploy-hook directory so that after every successful renewal the new certificate replaces the existing one and the ADM lighttpd web server is restarted. This directory must live inside the same --config-dir that the certbot commands below use, otherwise certbot renew never finds the hook.
ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/
  7. Generate the host certificate. Replace nas.mydomain.com with the real hostname of your NAS, and use the same name for MY_NAS_HOSTNAME in the deploy scripts. The --config-dir must be the one created in step 2 and used in steps 6 and 8; pointing certonly at a different directory would leave the renewal configuration where certbot renew never looks.
certbot certonly --config-dir=/volume0/usr/builtin/etc/certificate/letsencrypt \
  --dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
  --preferred-challenges dns-01 \
  -d nas.mydomain.com

After the first issuance, run adm-deploy.sh once by hand so lighttpd starts serving the new certificate right away; from the first renewal on, the deploy hook does this for you.

  8. Add the renewal tasks to root's crontab (/var/spool/cron/crontabs/root, or run crontab -e). The @reboot entry re-runs install.sh (which re-creates the /usr/bin/certbot symlink) before attempting a renewal; certbot renew only replaces certificates that are close to expiry, so running it daily is safe. Both entries must use the same --config-dir as step 7.
@reboot /volume1/system/letsencrypt/install.sh && /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/certificate/letsencrypt renew
0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/certificate/letsencrypt renew
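Before relying on the cron jobs it is worth confirming that the pieces fit together: the credentials file is root-only and carries a scoped token rather than the Global API key, the hook that certbot renew will look for is actually executable, and the combined PEM the deploy hook writes really contains both key and certificate with tight permissions. The preflight script below is an added example, not part of the original gist; it assumes the paths used on this page and GNU or busybox coreutils (stat -c, grep -E) as found on ADM. Copy it next to the other scripts and run it with `sh preflight.sh --run`.

```sh
#!/bin/sh
# Preflight checks for the certbot-dns-cloudflare layout described above.
# Added example, not part of the original gist. Assumes the paths used on this
# page and GNU/busybox coreutils (stat -c, grep -E), as found on ADM.

CREDS=/volume1/system/letsencrypt/cloudflare.ini
CONFIG_DIR=/volume0/usr/builtin/etc/certificate/letsencrypt
LIGHTTPD_PEM=/volume0/usr/etc/lighttpd/lighttpd.pem

# Octal permission bits of a file, e.g. 600.
file_mode() {
    stat -c '%a' "$1"
}

# Cloudflare credentials file.
#   0: mode 600 and uses a scoped API token (dns_cloudflare_api_token)
#   1: missing, or readable by group/other (any local user could then rewrite your DNS)
#   2: mode is fine but it carries the legacy Global API key (full account control)
#   3: mode is fine but no Cloudflare credential is present at all
check_creds() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(file_mode "$f")" = "600" ] || return 1
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        return 2
    fi
    return 3
}

# Deploy hook: certbot renew only runs scripts in <config-dir>/renewal-hooks/deploy
# that are executable, so a symlink to a non-executable adm-deploy.sh silently does nothing.
#   0: at least one executable hook present   1: directory missing or no executable hook
check_hook() {
    d=$1/renewal-hooks/deploy
    [ -d "$d" ] || return 1
    for h in "$d"/*; do
        if [ -x "$h" ]; then
            return 0
        fi
    done
    return 1
}

# Combined PEM written by adm-deploy.sh: lighttpd's ssl.pemfile needs the private
# key and the certificate in one file, and that file therefore holds key material.
#   0: key + certificate present, mode 600
#   1: missing, or key or certificate block absent
#   2: content fine but readable by group/other
check_combined_pem() {
    f=$1
    [ -f "$f" ] || return 1
    grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || return 1
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" || return 1
    [ "$(file_mode "$f")" = "600" ] || return 2
    return 0
}

# Run every check against the real paths and report; returns 1 if anything needs attention.
preflight() {
    rc=0
    r=0; check_creds "$CREDS" || r=$?
    case $r in
        0) echo "ok    $CREDS: mode 600, scoped API token" ;;
        2) echo "warn  $CREDS: Global API key in use; a Zone:DNS:Edit token is preferred"; rc=1 ;;
        *) echo "FAIL  $CREDS: missing, not mode 600, or no credential (code $r)"; rc=1 ;;
    esac
    if check_hook "$CONFIG_DIR"; then
        echo "ok    executable deploy hook found under $CONFIG_DIR/renewal-hooks/deploy"
    else
        echo "FAIL  no executable hook in $CONFIG_DIR/renewal-hooks/deploy (chmod 700 adm-deploy.sh?)"; rc=1
    fi
    r=0; check_combined_pem "$LIGHTTPD_PEM" || r=$?
    case $r in
        0) echo "ok    $LIGHTTPD_PEM: key + certificate, mode 600" ;;
        2) echo "warn  $LIGHTTPD_PEM: key material readable by group/other"; rc=1 ;;
        *) echo "FAIL  $LIGHTTPD_PEM: missing or not a key+certificate bundle (run adm-deploy.sh once by hand)"; rc=1 ;;
    esac
    return $rc
}

# Only run when invoked explicitly:  sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

The checks are deliberately split into small functions with distinct return codes so the same script can be run non-interactively (for example from the same crontab, mailing you only on a non-zero exit) and so each failure mode maps to one concrete fix from the steps above.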
adm-deploy.sh
#!/usr/bin/env bash
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Linked into certbot's deploy-hook directory so it runs after each successful renewal:
# /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
set -euo pipefail
umask 077   # the combined key+cert file created below must be readable by root only

MY_NAS_HOSTNAME="nas.domain.com"   # must match the -d name given to certbot certonly

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks;
# fall back to the hostname above when the script is run by hand.
SOURCE="${RENEWED_LINEAGE:-/volume0/usr/builtin/etc/certificate/letsencrypt/live/${MY_NAS_HOSTNAME}}"
TARGET=/volume0/usr/etc/lighttpd   # ADM lighttpd web server ssl cert target directory

# lighttpd's ssl.pemfile expects the private key and the certificate in one file.
# fullchain.pem is used instead of cert.pem so the intermediate CA certificate is served too.
cat "$SOURCE/privkey.pem" "$SOURCE/fullchain.pem" > "$SOURCE/lighttpd.pem"
cp -Lfv "$SOURCE/lighttpd.pem" "$TARGET/lighttpd.pem"
/etc/init.d/S41lighttpd restart
install.sh
#!/bin/sh
# Installs pip, certbot and the Cloudflare DNS plugin into the App Central Python 3
# and puts certbot on the PATH. Safe to re-run (the @reboot cron job does).
set -e
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
python3 -m pip install certbot-dns-cloudflare   # pulls in certbot as a dependency
# -f so re-runs do not fail on the existing link, -n so an existing link is replaced rather than descended into
ln -sfn /volume1/.@plugins/AppCentral/python3/bin/certbot /usr/bin/certbot
Optional deploy script for the ADM Nginx reverse proxy (link it into the same renewal-hooks/deploy directory if you use it)
#!/usr/bin/env bash
# Optional script for renewing the certificate for Nginx
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renewal:
# /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
set -euo pipefail
umask 077   # ssl.key and ssl.pem contain the private key; create them readable by root only

MY_NAS_HOSTNAME="nas.domain.com"   # must match the -d name given to certbot certonly
# certbot exports RENEWED_LINEAGE to deploy hooks; fall back to the hostname when run by hand.
SOURCE="${RENEWED_LINEAGE:-/volume0/usr/builtin/etc/certificate/letsencrypt/live/${MY_NAS_HOSTNAME}}"
TARGET=/volume0/usr/builtin/etc/certificate

# nginx's ssl_certificate needs the leaf plus the intermediates, which is certbot's fullchain.pem.
cat "$SOURCE/privkey.pem" "$SOURCE/fullchain.pem" > "$SOURCE/ssl.pem"
cp -Lfv "$SOURCE/fullchain.pem" "$TARGET/ssl.crt"
cp -Lfv "$SOURCE/privkey.pem" "$TARGET/ssl.key"
cp -Lfv "$SOURCE/ssl.pem" "$TARGET/ssl.pem"
# Restart the reverse proxy. pkill exits non-zero when nginx is not running; do not let that abort the script.
pkill nginx || true
sleep 1
/volume0/usr/builtin/sbin/nginx -c /volume0/usr/builtin/etc/nginx_reverse_proxy/nginx.conf