Great script! Unfortunately it didn't work for me without some changes.
Ok so, I found out if you use the jacobalberty unifi docker, it will automatically import cert files from unifi/cert.
It has that feature built in, and as well it will recognize the Let's Encrypt variation and adjust for that. That makes it way handier because all that has to be done is export the Let's Encrypt cert files from Synology over to the docker and let it process them. Which you probably know, but I wanted to summarize.
So normally one would have a share somewhere that was set as a volume to the docker of /unifi.
No need to adjust the volumes on the docker, just check that the /unifi folder has a /cert subfolder, though the script should make one if it doesn't have it.
Some additional info is under the "Certificate Support" section of his docker info page.
Then I found I had to tweak the script given above by one-eyed-king. I first started with the tweaks he mentioned, then ended up taking it further. Here's my working script below.
1) Note that this script assumes you've run the acme.sh stuff to get a Let's Encrypt cert already and it's showing properly in the Synology certificates list. I've not tested it with the Synology Let's Encrypt GUI process because I wanted a wildcard, so I manually used the acme.sh process.
2) Make sure to edit the GITLAB_CERT_DIR value to match yours (CASE matters here! If you get it wrong it won't work properly)
3) Edit the HOSTNAME value to match yours. I put in comments to call attention to those variables.
4) Also verify your GITLAB_NAME is correct to match the name of that docker instance for jacobalberty unifi, though if everything was set up as default it probably does.
5) Throw the script somewhere accessible on the NAS and then make a synology task in task scheduler (in synology control panel) to run it. The task info under the run command user defined script will look something like:
bash /volume1/synostuff/scripts/import-syno-cert-script.sh
Of course match that to your Synology folder location and script name.
I've set mine to run daily (it won't do anything until it picks up a new cert when Let's Encrypt renews), and I added some bits to make sure it generates more outputs if I need to go look at the script outputs. I don't think you can run this task without root (which Synology sets by default as the user for tasks), because I think only root can get access into that cert archive folder, though I'm not an expert.
Oh and if using Windows DON'T USE NOTEPAD to edit the script. It will screw up the line feeds and the Synology will have issues running it. I used Notepad++ and that app worked fine once I verified it was set to EOL conversion of Unix LF.
One of the driving factors behind me doing this was that the unifi docker, with its insistence upon HTTPS-only traffic (it can't even be configured to use HTTP) and its self-signed default cert, was breaking the Chrome "lock" on my properly secured Synology HTTPS access. Apparently when Chrome sees two certs on the same site name with one not valid, it freaks out and turns all the locks to "not secure" for that site. And now that I've maybe worked out how to programmatically export the Let's Encrypt cert files in a scheduled task, maybe I can get my other stuff like Plex going on HTTPS access with proper certs.
Bash:
#!/bin/sh
# . "$(dirname $0)"/common
# . "$ETC_PATH"/config
########################################################################################################################
# VARIABLES
########################################################################################################################
FORCE_RENEW=0
# Synology keeps each issued/imported certificate in its own subfolder under this archive directory
SYNO_CERT_DIR="/usr/syno/etc/certificate/_archive"
GITLAB_CERT_DIR="/volume1/dockerstuff/Unifi/cert"
# edit the line above to match your volume share to the unifi docker, CASE MATTERS, and keep /cert at the end.
# the GITLAB_ prefix is kept from the original script; here these variables all refer to the unifi container.
GITLAB_CERT="cert.pem"
GITLAB_CHAIN="chain.pem"
GITLAB_KEY="privkey.pem"
GITLAB_NAME="jacobalberty-unifi1"
HOSTNAME="example.com"
# edit the line above to match the domain name that Let's Encrypt is using, such as example.com, don't use wildcards
SYNO_WEBAPI="/usr/syno/bin/synowebapi"
########################################################################################################################
# PARAMETER HANDLING
########################################################################################################################
for i in "$@"; do
    case "$i" in
        --force-renew)
            FORCE_RENEW=1
            ;;
        *)
            # unknown option, ignored
            ;;
    esac
done

# make sure the container's cert folder exists
if ! [ -d "$GITLAB_CERT_DIR" ]; then
    mkdir -p "$GITLAB_CERT_DIR"
fi

for current_domain_cert in "${SYNO_CERT_DIR}"/*; do
    if [ -d "${current_domain_cert}" ] && [ -f "${current_domain_cert}/cert.pem" ]; then
        # pick the archive entry whose certificate lists HOSTNAME as a subject alternative name
        # (note: this is a substring match, so DNS:example.com also matches DNS:example.com.other)
        if openssl x509 -in "${current_domain_cert}/cert.pem" -noout -text | grep -q "DNS:${HOSTNAME}"; then
            # time of last file change, seconds since Epoch
            last_change_cert_key=$(stat -c %Y "${current_domain_cert}/privkey.pem")
            echo "synology key last changed: ${last_change_cert_key}" >&2
            if [ -f "${GITLAB_CERT_DIR}/${GITLAB_KEY}" ]; then
                last_change_gitlab_cert_key=$(stat -c %Y "${GITLAB_CERT_DIR}/${GITLAB_KEY}")
                echo "container key last changed: ${last_change_gitlab_cert_key}" >&2
            else
                last_change_gitlab_cert_key=0
            fi
            # cp (without -p) stamps the copied key with the current time, so after one update
            # the container's key is newer than the archive's and later runs do nothing until the next renewal
            if [ "${last_change_gitlab_cert_key}" -le "${last_change_cert_key}" ] || [ "$FORCE_RENEW" = 1 ]; then
                echo "gitlab ssl certificate is outdated... updating from domain certificate" >&2
                cp "${current_domain_cert}/privkey.pem" "${GITLAB_CERT_DIR}/${GITLAB_KEY}"
                cp "${current_domain_cert}/chain.pem" "${GITLAB_CERT_DIR}/${GITLAB_CHAIN}"
                cp "${current_domain_cert}/cert.pem" "${GITLAB_CERT_DIR}/${GITLAB_CERT}"
                # if ! [ -f "$GITLAB_CERT_DIR/dhparam.pem" ] && [ -f "/usr/syno/etc/ssl/dh2048.pem" ]; then
                #     cp "/usr/syno/etc/ssl/dh2048.pem" "$GITLAB_CERT_DIR/dhparam.pem"
                # fi
                echo "restricting permissions on the copied certificate files" >&2
                chmod 400 "${GITLAB_CERT_DIR}"/*
                echo "restarting gitlab container to activate new certificate" >&2
                "$SYNO_WEBAPI" --exec api=SYNO.Docker.Container version=1 method=stop name="$GITLAB_NAME" >&2
                "$SYNO_WEBAPI" --exec api=SYNO.Docker.Container version=1 method=start name="$GITLAB_NAME" >&2
            else
                echo "nothing to do, gitlab ssl certificate is same or newer than the domain ssl certificate" >&2
            fi
        fi
    fi
done
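Two checks worth running on the three copied files before the container is restarted, as an added example that is not part of the post or of the jacobalberty image: an exact SAN match for the hostname (the script's plain grep is a substring match) and a confirmation that privkey.pem and cert.pem actually belong together. Only openssl is assumed; the key/cert pair used below is constructed in a temp dir.

```shell
#!/bin/sh
# Added example, not from the post: checks to run on the files the script
# above copies into the unifi cert dir before bouncing the container.
# Needs only openssl; the key/cert pair below is CONSTRUCTED in a temp dir.
set -eu

# Whole-entry SAN match, so a cert for example.com.other or notexample.com
# is not mistaken for the real one (a plain grep for DNS:host would pass it).
cert_covers_host() {   # $1=cert.pem  $2=hostname
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# privkey.pem and cert.pem must carry the same public key; otherwise the
# container comes back up with a broken TLS config after the restart.
cert_matches_key() {   # $1=cert.pem  $2=privkey.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Constructed test material: a self-signed cert with a SAN list shaped like a
# Let's Encrypt wildcard order, plus an unrelated key for the mismatch case.
make_test_pair() {     # $1=dir
    cat > "$1/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = example.com
[v3]
subjectAltName = DNS:example.com, DNS:*.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
    openssl genrsa -out "$1/other.pem" 2048 >/dev/null 2>&1
}

TESTDIR=$(mktemp -d)
make_test_pair "$TESTDIR"
# Wired into the script, both checks would gate the container restart.
if cert_covers_host "$TESTDIR/cert.pem" example.com \
   && cert_matches_key "$TESTDIR/cert.pem" "$TESTDIR/privkey.pem"; then
    echo "cert/key pair OK for example.com" >&2
fi
```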