LE certificate for subdomain

[akahan]

You may have noticed that when you use Synology's native certificate update process, it restarts the web server when it's complete. This is a symptom of restarting nginx, and is necessary in order for the new certs to become active. The dead-easiest way to do this would be to reboot the server, but restarting nginx will do it more gracefully.

 

[Rusty]

Is there a service I need to restart?

This should do the trick (as root): synoservice –restart nginx

 

[Mnl-]

This should do the trick (as root): synoservice –restart nginx

I ran synoservice --restart nginx but it didn't do the trick. In the Security center, it's still the previous date displayed and the certificate in the reverse proxy folders are still the old ones as well...

 

[Rusty]

Security center

?

 

[Mnl-]

Control Center > Security > Certificates

 

[Rusty]

Hmm I’ll have to look into that and get back to you

 

[Rusty]

Control Center > Security > Certificates

If you cat the output of /usr/syno/etc/certificate/_archive/DEFAULT you get what directory? (if that LE cert is configured as default)

 

[Mnl-]

It says "Ed79Bk" but I don't know what to do about it?

 

[Rusty]

It says "Ed79Bk" but I don't know what to do about it?

That means that the default certificate on DMS is your LE cert, then this output is the name of the folder inside _archive. There are files that need to be changed. Try and place the new certs using the same name of the files and reset nginx.

 

[Mnl-]

Not sure to understand your point. Where should I put my 3 files? With which name?

 

[Rusty]

Not sure to understand your point. Where should I put my 3 files? With which name?

In the folder with the name you posted. So the name of the folder that is inside the default file

 

[Mnl-]

Thanks for your help @Rusty
Here we go and it seems to work

#!/bin/bash

{
    sudo docker run -it --rm --name certbot \
            -v "/volume1/docker/certbot:/etc/letsencrypt" \
            certbot/dns-cloudflare certonly \
            --dns-cloudflare \
            --dns-cloudflare-credentials /etc/letsencrypt/.secrets/cloudflare.ini \
            --server https://acme-v02.api.letsencrypt.org/directory \
            --force-renewal \
            -d *.mydomain.xyz;

    cp /volume1/docker/certbot/live/mydomain.xyz/fullchain.pem /volume1/docker/certbot/tmp/fullchain.pem
    cp /volume1/docker/certbot/live/mydomain.xyz/privkey.pem /volume1/docker/certbot/tmp/privkey.pem
    cp /volume1/docker/certbot/live/mydomain.xyz/cert.pem /volume1/docker/certbot/tmp/cert.pem

    sudo rm /usr/syno/etc/certificate/system/default/fullchain.pem
    sudo rm /usr/syno/etc/certificate/system/default/privkey.pem
    sudo rm /usr/syno/etc/certificate/system/default/cert.pem

    sudo cp /volume1/docker/certbot/tmp/fullchain.pem /usr/syno/etc/certificate/system/default/fullchain.pem
    sudo cp /volume1/docker/certbot/tmp/privkey.pem /usr/syno/etc/certificate/system/default/privkey.pem
    sudo cp /volume1/docker/certbot/tmp/cert.pem /usr/syno/etc/certificate/system/default/cert.pem
    sudo cp /volume1/docker/certbot/tmp/fullchain.pem /usr/syno/etc/certificate/_archive/Ed79Bk/fullchain.pem
    sudo cp /volume1/docker/certbot/tmp/privkey.pem /usr/syno/etc/certificate/_archive/Ed79Bk/privkey.pem
    sudo cp /volume1/docker/certbot/tmp/cert.pem /usr/syno/etc/certificate/_archive/Ed79Bk/cert.pem

    cd /usr/syno/etc/certificate/system/default
    ls -al

    sudo synoservice --restart nginx
}

 

[Rusty]

Thanks for your help @Rusty
Here we go and it seems to work

#!/bin/bash

{
    sudo docker run -it --rm --name certbot \
            -v "/volume1/docker/certbot:/etc/letsencrypt" \
            certbot/dns-cloudflare certonly \
            --dns-cloudflare \
            --dns-cloudflare-credentials /etc/letsencrypt/.secrets/cloudflare.ini \
            --server https://acme-v02.api.letsencrypt.org/directory \
            --force-renewal \
            -d *.mydomain.xyz;

    cp /volume1/docker/certbot/live/mydomain.xyz/fullchain.pem /volume1/docker/certbot/tmp/fullchain.pem
    cp /volume1/docker/certbot/live/mydomain.xyz/privkey.pem /volume1/docker/certbot/tmp/privkey.pem
    cp /volume1/docker/certbot/live/mydomain.xyz/cert.pem /volume1/docker/certbot/tmp/cert.pem

    sudo rm /usr/syno/etc/certificate/system/default/fullchain.pem
    sudo rm /usr/syno/etc/certificate/system/default/privkey.pem
    sudo rm /usr/syno/etc/certificate/system/default/cert.pem

    sudo cp /volume1/docker/certbot/tmp/fullchain.pem /usr/syno/etc/certificate/system/default/fullchain.pem
    sudo cp /volume1/docker/certbot/tmp/privkey.pem /usr/syno/etc/certificate/system/default/privkey.pem
    sudo cp /volume1/docker/certbot/tmp/cert.pem /usr/syno/etc/certificate/system/default/cert.pem
    sudo cp /volume1/docker/certbot/tmp/fullchain.pem /usr/syno/etc/certificate/_archive/Ed79Bk/fullchain.pem
    sudo cp /volume1/docker/certbot/tmp/privkey.pem /usr/syno/etc/certificate/_archive/Ed79Bk/privkey.pem
    sudo cp /volume1/docker/certbot/tmp/cert.pem /usr/syno/etc/certificate/_archive/Ed79Bk/cert.pem

    cd /usr/syno/etc/certificate/system/default
    ls -al

    sudo synoservice --restart nginx
}

Well done indeed