Let's Encrypt Certificate Renewal

[NSquirrel]

On the subject of Let's Encrypt certificate renewal, is there any way of notifying that the certificate as been renewed at the time of renewal?
Recently I noticed, at last, that my certificate had been auto-renewed (I am still using DSM 6.2.4). Accessing the NAS via iPad or iPhone I had a message that the certificate had changed and did I trust it. I then checked the certificate and found that it had an extra 90 days. It would help to know that the certificate has changed. (Perhaps DSM 7 does that, but going on comments her, I am in no hurry to install that yet.)

 

[Gerard]

Is there anyway to for the LE renewals over port 443?

 

[one-eyed-king]

It used to work years ago, before LE deprecated the tls-challange due to security flaws.
I am afraid you'll have to make port 80 available for a LE renewal.

N.B.: there is also the dns-challenge, that requires the injection of txt-records in the dns hosted zone.

 

[Gerard]

there is also the dns-challenge, that requires the injection of txt-records in the dns hosted zone.

If my domain provider supports these txt records, can I do dns challenge renewals?

 

[one-eyed-king]

I am not aware if the Syno Cert Manager implents dns-challenge.

Though, other LE clients like acme.sh do support it well - if there is build-in support for your dns provider than it's even nicer. Acme.sh even has a hook to upload renewed certificates back to the cert manager. On top you will be able to issue wildcard certificates.

 

[Rusty]

I am not aware if the Syno Cert Manager implents dns-challenge

Atm, still no support.

 

[Gerard]

Atm, still no support.

Rusty, I know you have a guide for wildcard certs using cloud flare.

Here’s my dilemma, I have a free website hosted by google using my domain name. Everything else that I use for RP is for subdomains. Is there a way to do that wildcard cert and cloudflare without hitting the main domain, only the subdomains?

 

[Telos]

Is there a way to do that wildcard cert and cloudflare without hitting the main domain, only the subdomains?

This is not possible, but you can get individual certs for each subdomain. But why not a full wildcard cert based on the primary domain?

 

[Rusty]

Rusty, I know you have a guide for wildcard certs using cloud flare.

Here’s my dilemma, I have a free website hosted by google using my domain name. Everything else that I use for RP is for subdomains. Is there a way to do that wildcard cert and cloudflare without hitting the main domain, only the subdomains?

CF will require a root domain registration.

 

[one-eyed-king]

I recently moved three domains to Cloudflare: for each domain the dns entries (subdomains, mx records, ...) where detected and suggested to "move" as well.

 

[Gerard]

No doubt there wouldn’t be an issue moving it to cloudflare, my issue is the website of my root domain which is hosted by google domains breaks. It’s as if the root domain needs to remain with googles name servers for the website.

 

[one-eyed-king]

You don't have to use CF necessarily. see: dnsapi · acmesh-official/acme.sh Wiki
If your dns service provider is not in the list, then dns-challenge won't be possible for you.

 

[Gerard]

You don't have to use CF necessarily. see: dnsapi · acmesh-official/acme.sh Wiki
If your dns service provider is not in the list, then dns-challenge won't be possible for you.

How do I implement something like this? Is this thru dnspod.com?

 

[one-eyed-king]

I have no idea if you use google cloud dns or not, or if your dns provider is in the list at all.
I don't want to be rude, but have you tried googling it?

 

[Gerard]

I have no idea if you use google cloud dns or not, or if your dns provider is in the list at all.
I don't want to be rude, but have you tried googling it?

I use google domains, but unsure of this is also considered google cloud.
Yes there’s not much information about acme.sh support