Let's Encrypt Certificate Renewal

I have just had an email wrt Let's Encrypt certificate renewal. Now I understood that this is an automatic process and it is the term 'automatic' that I find misleading/ confusing.

Perhaps I have misunderstood something, but to renew the certificate, I assumed, being automatic, that come the renewal date or thereabouts I would get a notification to say that it has been renewed, with the new expiry date, or not if there has been a problem.

Instead, I need to log into the NAS as an Administrator, locate the certificate (Control Panel/ Connectivity/ Security/ Certificate tab) and right click on the certificate and select renew. Then, once the browser displays a message about restarting the Web Server, and thanks to posts here, close down the browser. Restart the browser, log in again and look at the certificate in order to verify that a new expiry date is shown, which is displayed next to the certificate name.

Perhaps I am being pedantic or am doing something incorrect, but this seems anything but automatic, or even semi-automatic?
Rusty
If your traffic is open it should renew at some point after it reaches 30 days or less. Did it expire and you had to log in and manually do it, or what?
I think the email goes to everyone with a certificate, whether you have the capability to auto-renew or not (because how would Let's Encrypt know whether you do?) If, instead of responding to the email by manually renewing your certificate, you give it a little time (and assuming you have ports 80 and 443 open and forwarded to the NAS with the cert), it should autorenew all on its own before it expires.

Now, what I'm waiting to see is whether it'll auto-renew a wildcard-non-synology domain....
Thanks for your comments Rusty and Akaban.

>>Did it expire and you had to log in an manually do it or what?
The email indicated that I have 20 days left, so I renewed as I described.

>>you give it a little time ... it should autorenew all on its own before it expires
Perhaps I was too hasty and rather than wait until I forget and it expires, I renewed straight away.

Next time I should maybe wait and see what happens.
fredbert
There was that recent issue with LE certificates that would not auto-renew ... caused by LE. There was a short window where certificates renewed in it would have issues. Can't recall the exact issue, nor if the impact window has already closed. There were around 3 million certificates that would have future renewal issues and needed to be created afresh.
>>There was that recent issue with LE certificates that would not auto-renew ... caused by LE. There was a short window where certificates renewed in it would have issues. Can't recall the exact issue, nor if the impact window has already closed. There were around 3 million certificates that would have future renewal issues and needed to be created afresh.
I think you’re referring to my issue (maybe). It was with a particular version.
fredbert
No I think this is not what I’ve (and many others) experienced.
So this is another problem in less than six months :(
I have been wondering and trying to find more tech info on how this auto-renew works. I cannot see anything in the Synology crontab or Task Scheduler calling LE to check if the cert is valid. So, how does it work and where is the trigger? I am asking since, when this happens and auto-renewal is finished, I want to convert the LE cert to PKCS#12 and publish it to my Plex. I am currently doing this and my script runs every 12 hrs in Task Scheduler.
It would be more efficient if I could plug it into the existing LE renewal workflow script.
The idea of a post creation/renewal hook is kind of charming... I love the idea.

edit:
If no post hook exists, you can at least control it yourself... you can create a scheduled task, run once a month, with the following user-defined script as root:
Code:
# Adjust at least these four lines for your setup (assumes Plex runs in Docker).
DOMAIN="sub.domain.tld"
TARGET="/volume1/docker/plex/plex.p12"
PLEX_CONTAINER="plex"
P12_PASSWORD="some-password"

SYNO_CERT_DIR="/usr/syno/etc/certificate/_archive"
# Ask DSM to renew every Let's Encrypt certificate it manages (all or nothing).
/usr/syno/sbin/syno-letsencrypt renew-all
for current_domain_cert in "${SYNO_CERT_DIR}"/*; do
  if [ -d "${current_domain_cert}" ] && [ -f "${current_domain_cert}/cert.pem" ]; then
    # Pick the archive entry whose certificate lists DOMAIN as a SAN entry.
    if openssl x509 -in "${current_domain_cert}/cert.pem" -noout -text | grep -q "DNS:${DOMAIN}"; then
      # fullchain.pem so the intermediate certificates end up in the bundle too.
      openssl pkcs12 -export -in "${current_domain_cert}/fullchain.pem" -inkey "${current_domain_cert}/privkey.pem" -out "${TARGET}" -password "pass:${P12_PASSWORD}"
      /usr/syno/bin/synowebapi --exec api=SYNO.Docker.Container version=1 method=stop name="${PLEX_CONTAINER}"
      /usr/syno/bin/synowebapi --exec api=SYNO.Docker.Container version=1 method=start name="${PLEX_CONTAINER}"
    fi
  fi
done
You will need to modify at least the first four lines (it is assumed that Plex is running in Docker). It will search for the right set of certificates and convert the cert (fullchain.pem is used to include the intermediate certificates as well) and key to a p12 file. Then it will restart the container configured in PLEX_CONTAINER. If you don't run Plex in a container, just remove the PLEX_CONTAINER line and both synowebapi lines, OR even better replace them with the command to restart the package.

If only syno-letsencrypt would allow renew a specific certificate. It seems to be either all or nothing.

Warning: the code snippet is untested, the openssl line to convert pem to p12 might require some adjustment.
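As an added example (not the script from the post above, and not Synology's or Let's Encrypt's own code), the helper functions below do the two things this thread keeps circling: find the `_archive` entry for a domain by its SAN and report how close it is to expiry, and re-export the PKCS#12 bundle only when the leaf certificate has actually changed, so a task can run every few hours without rewriting the bundle each time. It assumes the `_archive` layout quoted above (`cert.pem`, `fullchain.pem`, `privkey.pem` per directory) and OpenSSL 1.1.1 or newer; the throwaway certificate and the name `nas.example.test` are constructed fixtures for running it offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed default mirrors the post above.
SYNO_CERT_DIR="${SYNO_CERT_DIR:-/usr/syno/etc/certificate/_archive}"

# Print the archive directory whose cert.pem lists DOMAIN as a SAN entry.
# The match is anchored (DNS:domain followed by a comma or end of line) so a
# longer name such as nas.example.test.something does not match by accident.
find_cert_dir() {
  domain="$1"; archive="$2"
  esc="$(printf '%s' "$domain" | sed 's/\./\\./g')"   # escape dots for grep -E
  for d in "$archive"/*; do
    [ -f "$d/cert.pem" ] || continue
    if openssl x509 -in "$d/cert.pem" -noout -text 2>/dev/null \
         | grep -Eq "DNS:${esc}(,|\$)"; then
      echo "$d"; return 0
    fi
  done
  return 1
}

# Exit 0 if CERT expires within DAYS days; a task can alert on a stalled renewal.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Write DIR/fullchain.pem + privkey.pem to TARGET (.p12) only if the leaf cert
# fingerprint differs from the one recorded in TARGET.fp. Returns 0 when a new
# bundle was written and 1 when nothing changed (so callers can skip restarts).
export_p12_if_changed() {
  dir="$1"; target="$2"; pass="$3"
  fp="$(cert_fingerprint "$dir/cert.pem")"
  [ -f "$target.fp" ] && [ "$(cat "$target.fp")" = "$fp" ] && return 1
  ( umask 077; openssl pkcs12 -export -in "$dir/fullchain.pem" \
      -inkey "$dir/privkey.pem" -out "$target" -passout "pass:$pass" )
  printf '%s\n' "$fp" > "$target.fp"
}

# Constructed fixture (not a real DSM archive): a self-signed 2-day certificate
# with one SAN, plus an empty directory that the lookup must skip.
make_test_archive() {
  base="$(mktemp -d)"; mkdir -p "$base/abc123" "$base/empty"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=test" \
    -addext "subjectAltName=DNS:nas.example.test" \
    -keyout "$base/abc123/privkey.pem" -out "$base/abc123/cert.pem" 2>/dev/null
  cp "$base/abc123/cert.pem" "$base/abc123/fullchain.pem"
  echo "$base"
}
```

Sourcing this from the Task Scheduler script and restarting Plex only when `export_p12_if_changed` returns 0 keeps the 12-hourly task cheap; the fixture function is there only so the helpers can be exercised without touching the real archive.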
I went with acme.sh since it has built-in support for DuckDNS and also includes a PKCS#12 exporting API.
I removed the DSM certificate and generated a new one with acme. Acme also includes an API to deploy the cert to Synology DSM, so this was a bonus. Then I used the acme API to convert the cert to PKCS#12 and used it with Plex.
Revisiting an old topic. I waited around 90 days; ports 80 and 443 are open on both router and NAS and today was the final day of the current Let's Encrypt certificate... Checked after lunch, as the certificate ended late this morning. Expired!

I had had emails telling me that the certificate would expire in 30 days, etc. but wanted to see if it would be accomplished automatically, which it was not. I have now renewed manually.

Any further thoughts as to why it would not renew automatically? I have a dynamic IP address, which changes every 14 days or so, but then the certificate is linked to xxxx.synology.me, so this should not be a problem. The NAS is not running anything out of the ordinary, e.g. Docker.

Should I just wait for DSM7 and hope that it is simply a glitch in DSM6? Perhaps DSM7 will be out in the next 90 days....
Rusty
>>Perhaps DSM7 will be out in the next 90 days....
Probably not in the next 180 days.

>>I had had emails telling me that the certificate would expire in 30 days
Can you check /var/log/messages for some more info on why the renewal process failed? As soon as the time drops below 30 days, LE will attempt to renew them.
Thanks Rusty: I will look for logs. Should be interesting; I haven't used telnet for a long while.

Thanks WST16: yes to firewall enabled, with ports 80 and 443 enabled.
>>Now, what I'm waiting to see is whether it'll auto-renew a wildcard-non-synology domain....
My experience differs from Rusty's ... with a qualification ... IF you are renewing an LE cert for Synology DDNS only, opening port 80 is not required. Otherwise, opening that port is necessary. BUT... if you are going to open port 80, just go ahead and force the renewal manually, rather than keep that port open until LE triggers renewal. Then remove the port 80 forward.