NAS#

Getting SSL Certificate (Method 1)#

[Check out this website](https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide)

# Download acme.sh
sudo -i
wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
tar xvf master.tar.gz
cd acme.sh-master/

# Install acme.sh
./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "email@gmail.com"

# To get a new cert
./acme.sh --issue -d "*.domain.com" -d "*.subdomain1.domain.com" -d "*.subdomain2.domain.com" --dns "dns_namecheap" \
      --cert-file <folder>/cert.pem \
      --key-file <folder>/privkey.pem \
      --fullchain-file <folder>/fullchain.pem \
      --reloadcmd "/usr/syno/sbin/synoservicectl --reload nginx" \
      --dnssleep 20
# To renew a cert
# change --issue to --renew

Debug#

Renew certificate#

  • When you add a custom SSL certificate obtained with acme.sh, Synology stores it in a randomly named folder under /usr/syno/etc/certificate/_archive.
    • To replace the SSL certificate without creating a new folder, go to control panel > security > certificate > add > renew.
    • To verify that the change was successful, check that cert.pem in that folder now has the same contents as the source cert.pem.
    • If _archive is empty on reset, Synology populates it with DEFAULT, [random folder] and INFO. The random folder contains a Synology-signed certificate.
root@localhost:~# ls /usr/syno/etc/certificate/_archive
DEFAULT  fD2x6g  INFO

root@localhost:~# cat /usr/syno/etc/certificate/_archive/INFO
{
   "fD2x6g" : {
      "desc" : "synteojy",
      "services" : []
   }
}

root@localhost:~# cat /usr/syno/etc/certificate/_archive/DEFAULT
fD2x6g

root@localhost:~# ls /usr/syno/etc/certificate/_archive/fD2x6g
cert.pem  chain.pem  fullchain.pem  privkey.pem
  • /usr/syno/etc/certificate also contains a system folder, which holds the SSL certificate the NAS uses by default (System Default), for example when accessing Nextcloud, Piwigo etc. at https://[domain name]/[subdirectory].
    • Normally you can update the SSL certificate used by System Default and by any services via control panel > security > certificate > configure.
    • If for some reason System Default does not appear under configure, ssh into the NAS and replace the certificate files in /usr/syno/etc/certificate/system/default with the new ones.
root@localhost:~# ls /usr/syno/etc/certificate
_archive  ReverseProxy  system

Getting SSL Certificate (Method 2)#

Link

Solving Reverse Proxy 'Operation Failed'#

Normally, when adding a reverse proxy, the following files and folders are updated.

Summary

  • Files
    • /usr/syno/etc/certificate/_archive/INFO
    • /usr/syno/etc/security-profile/tls-profile/datastore.json
    • /usr/syno/etc/www/ReverseProxy.json
  • Folders
    • /usr/syno/etc/certificate/ReverseProxy
    • /usr/syno/etc/security-profile/tls-profile/services

Below are the contents of the files and folders.

root@localhost:~# cat /usr/syno/etc/certificate/_archive/INFO
{
   "fD2x6g" : {
      "desc" : "synteojy",
      "services" : [
         {
            "display_name" : "dsm.syn.teojy.com",
            "isPkg" : false,
            "owner" : "root",
            "service" : "0b22bf8d-ea13-4746-84c8-68cafb624557",
            "subscriber" : "ReverseProxy"
         }
      ]
   }
}
root@localhost:~# ls /usr/syno/etc/certificate/ReverseProxy
0b22bf8d-ea13-4746-84c8-68cafb624557
root@localhost:~# jq '.' /usr/syno/etc/security-profile/tls-profile/datastore.json
{
  "default-level": 1,
  "services": {
    "ReverseProxy_0b22bf8d-ea13-4746-84c8-68cafb624557": {
      "current-level": 0,
      "display-name": "dsm.syn.teojy.com"
    },
    "dsm": {
      "current-level": 0,
      "display-name": "DSM Desktop Service",
      "display-name-i18n": "common:web_desktop"
    },
    "smbftpd": {
      "current-level": 0,
      "display-name": "FTPS",
      "display-name-i18n": "tree:leaf_ftpes"
    }
  }
}
root@localhost:~# ls /usr/syno/etc/security-profile/tls-profile/services
dsm.conf  ReverseProxy_0b22bf8d-ea13-4746-84c8-68cafb624557.conf  smbftpd.conf
root@localhost:~# jq '.' /usr/syno/etc/www/ReverseProxy.json
{
  "0b22bf8d-ea13-4746-84c8-68cafb624557": {
    "backend": {
      "fqdn": "192.168.1.146",
      "port": 5000,
      "protocol": 0
    },
    "customize_headers": [],
    "description": "DSM",
    "frontend": {
      "acl": null,
      "fqdn": "dsm.syn.teojy.com",
      "https": {
        "hsts": false,
        "http2": false
      },
      "port": 443,
      "protocol": 1
    },
    "proxy_connect_timeout": 60,
    "proxy_http_version": 1,
    "proxy_intercept_errors": false,
    "proxy_read_timeout": 60,
    "proxy_send_timeout": 60
  },
  "version": 2
}

If you encounter the 'operation failed' error when adding a reverse proxy, chances are that these files and folders are out of sync with each other. The best way to solve the issue is to delete /usr/syno/etc/certificate (copy it somewhere safe first, since it holds the private keys) and reset the NAS so that it generates a fresh folder. Then replace the newly generated Synology certificate following the instructions in the previous section, and make sure to change the certificate in system/default as well.

For /usr/syno/etc/security-profile/tls-profile, instead of deleting the whole folder, remove the ReverseProxy*.conf files and the ReverseProxy* entry in /usr/syno/etc/security-profile/tls-profile/datastore.json. You need the dsm.conf and smbftpd.conf files, and their corresponding entries in the JSON, for the reverse proxy to work.

Lastly, remove /usr/syno/etc/www/ReverseProxy.json and reset the NAS to build a new one.
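As an added example (not from this page's author or from Synology), the following Python checker cross-references the places listed above: the _archive folders against INFO and DEFAULT (renew section), and each reverse-proxy id against INFO, certificate/ReverseProxy, datastore.json, tls-profile/services and www/ReverseProxy.json (this section). The sample data is constructed from the listings shown on this page; check_nas() reads the live files under /usr/syno/etc and assumes it runs as root over ssh.

```python
import json, os
# Constructed sample state mirroring the files shown on this page (ids copied from the page).
RP_ID = "0b22bf8d-ea13-4746-84c8-68cafb624557"
INFO = {"fD2x6g": {"desc": "synteojy", "services": [{"service": RP_ID, "subscriber": "ReverseProxy"}]}}
DEFAULT = "fD2x6g"
REQUIRED_PEMS = {"cert.pem", "chain.pem", "fullchain.pem", "privkey.pem"}
ARCHIVE_DIRS = {"fD2x6g": set(REQUIRED_PEMS)}   # _archive/<id> -> files inside it
RP_DIRS = {RP_ID}                               # certificate/ReverseProxy/
DATASTORE = {"default-level": 1, "services": {"dsm": {"current-level": 0},
             f"ReverseProxy_{RP_ID}": {"current-level": 0, "display-name": "dsm.syn.teojy.com"}}}
SERVICE_CONFS = {"dsm.conf", "smbftpd.conf", f"ReverseProxy_{RP_ID}.conf"}
RP_JSON = {RP_ID: {"description": "DSM"}, "version": 2}

def check_sync(info, default, archive_dirs, rp_dirs, datastore, service_confs, rp_json):
    """Return a list of inconsistencies between certificate and reverse-proxy state; [] means in sync."""
    problems = []
    if default not in archive_dirs:
        problems.append(f"DEFAULT points at missing folder _archive/{default}")
    for cid, files in archive_dirs.items():
        if cid not in info:
            problems.append(f"_archive/{cid} has no entry in INFO")
        if REQUIRED_PEMS - files:
            problems.append(f"_archive/{cid} lacks {sorted(REQUIRED_PEMS - files)}")
    for cid in info:
        if cid not in archive_dirs:
            problems.append(f"INFO lists {cid} but _archive/{cid} does not exist")
    # Every reverse-proxy id must appear in all five places listed on the page.
    views = {
        "INFO services": {s["service"] for c in info.values() for s in c["services"]
                          if s.get("subscriber") == "ReverseProxy"},
        "certificate/ReverseProxy": set(rp_dirs),
        "datastore.json": {k[len("ReverseProxy_"):] for k in datastore["services"] if k.startswith("ReverseProxy_")},
        "tls-profile/services": {f[len("ReverseProxy_"):-len(".conf")] for f in service_confs
                                 if f.startswith("ReverseProxy_") and f.endswith(".conf")},
        "www/ReverseProxy.json": set(rp_json) - {"version"},
    }
    for rid in sorted(set().union(*views.values())):
        absent = [name for name, ids in views.items() if rid not in ids]
        if absent:
            problems.append(f"reverse proxy {rid} missing from: {', '.join(absent)}")
    return problems

def check_nas(root="/usr/syno/etc"):
    """Read the live files (run as root over ssh) and apply the same checks; paths as listed on the page."""
    P, rd = os.path.join, lambda p: json.load(open(p))
    arch, tls = P(root, "certificate/_archive"), P(root, "security-profile/tls-profile")
    dirs = {d: set(os.listdir(P(arch, d))) for d in os.listdir(arch) if os.path.isdir(P(arch, d))}
    return check_sync(rd(P(arch, "INFO")), open(P(arch, "DEFAULT")).read().strip(), dirs,
                      set(os.listdir(P(root, "certificate/ReverseProxy"))), rd(P(tls, "datastore.json")),
                      set(os.listdir(P(tls, "services"))), rd(P(root, "www/ReverseProxy.json")))
```

An empty list from check_nas() means the state is consistent; each reported line names the file or folder that needs to be removed or recreated before retrying the reverse proxy.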