Let's Encrypt Certificate Renewal

I have just had an email wrt Let's Encrypt certificate renewal. Now I understood that this is an automatic process and it is the term 'automatic' that I find misleading/ confusing.

Perhaps I have misunderstood something, but to renew the certificate, I assumed, being automatic, that come the renewal date or thereabouts I would get a notification to say that it has been renewed, with the new expiry date, or not if there has been a problem.

Instead, I need to log into the NAS as an Administrator, locate the certificate (Control Panel/ Connectivity/ Security/ Certificate tab) and right click on the certificate and select renew. Then, once the browser displays a message about restarting the Web Server, and thanks to posts here, close down the browser. Restart the browser, log in again and look at the certificate in order to verify that a new expiry date is shown, which is displayed next to the certificate name.

Perhaps I am being pedantic or am doing something incorrect, but this seems anything but automatic, or even semi-automatic?
 
I think the email goes to everyone with a certificate, whether you have the capability to auto-renew or not (because how would Let's Encrypt know whether you do?) If, instead of responding to the email by manually renewing your certificate, you give it a little time (and assuming you have ports 80 and 443 open and forwarded to the NAS with the cert), it should autorenew all on its own before it expires.

Now, what I'm waiting to see is whether it'll auto-renew a wildcard-non-synology domain....
 
Thanks for your comments Rusty and Akaban.

>>Did it expire and you had to log in and manually do it or what?
The email indicated that I have 20 days left, so I renewed as I described.

>>you give it a little time ... it should autorenew all on its own before it expires
Perhaps I was too hasty and rather than wait until I forget and it expires, I renewed straight away.

Next time I should maybe wait and see what happens.
 
There was that recent issue with LE certificates that would not auto-renew ... caused by LE. There was a short window where certificates renewed in it would have issues. Can't recall the exact issue nor if the impact window has already closed. There were around 3 million certificates that would have future renewal issues and required to be created afresh.
 
>>There was that recent issue with LE certificates that would not auto-renew ... caused by LE. There was a short window where certificates renewed in it would have issues. Can't recall the exact issue nor if the impact window has already closed. There were around 3 million certificates that would have future renewal issues and required to be created afresh.
I think you’re referring to my issue (maybe). It was with a particular version.
 
I have been wondering and trying to find more tech info on how this auto-renew works. I cannot see anything in the Synology crontab or task scheduler calling LE to check if the cert is valid. So, how does it work and where is the trigger? I am asking since when this happens and auto renewal is finished I want to convert the LE cert to PKCS#12 and publish it to my Plex. I am currently doing this and my script runs every 12hrs in Task Scheduler.
It would be more efficient if I could plug it into the existing LE renewal workflow script.
 
The idea of a post creation/renewal hook is kind of charming... I love the idea.

edit:
If no post hook exists, you can at least control it yourself... you can create a scheduled task, run once a month with following user-defined script as root:
Code:
DOMAIN=sub.domain.tld
TARGET=/volume1/docker/plex/plex.p12
PLEX_CONTAINER=plex
P12_PASSWORD=some-password

SYNO_CERT_DIR="/usr/syno/etc/certificate/_archive"

# syno-letsencrypt only knows "renew everything", so renew all LE certs first
/usr/syno/sbin/syno-letsencrypt renew-all

# Walk every archived certificate and pick the one whose SAN lists DOMAIN
for current_domain_cert in "${SYNO_CERT_DIR}"/*; do
  if [ -d "${current_domain_cert}" ] && [ -f "${current_domain_cert}/cert.pem" ]; then
    if openssl x509 -in "${current_domain_cert}/cert.pem" -noout -text | grep -q "DNS:${DOMAIN}"; then
      # fullchain.pem carries the intermediates too; privkey.pem is the matching key.
      # The export password is passed via the environment so it does not show up in `ps`.
      export P12_PASSWORD
      openssl pkcs12 -export \
        -in "${current_domain_cert}/fullchain.pem" \
        -inkey "${current_domain_cert}/privkey.pem" \
        -out "${TARGET}" -passout env:P12_PASSWORD
      # Restart the Plex container so it loads the new p12
      /usr/syno/bin/synowebapi --exec api=SYNO.Docker.Container version=1 method=stop name="${PLEX_CONTAINER}"
      /usr/syno/bin/synowebapi --exec api=SYNO.Docker.Container version=1 method=start name="${PLEX_CONTAINER}"
    fi
  fi
done
You will need to modify at least the first four lines (it is assumed that Plex is running in Docker). It will search the right set of certificates and convert the cert (fullchain.pem is used to include the intermediate certificates as well) and key to a p12 file. Then it will restart the container configured in PLEX_CONTAINER. If you don't run Plex in a container, just remove the PLEX_CONTAINER line and both synowebapi lines, OR even better replace them with the command to restart the package.

If only syno-letsencrypt would allow renewing a specific certificate. It seems to be either all or nothing.

Warning: the code snippet is untested, the openssl line to convert pem to p12 might require some adjustment.
 
I went with acme.sh since it has built-in support for duckdns and also includes a pkcs12 exporting API.
I removed the DSM certificate and generated a new one with acme. Acme also includes an API to deploy the cert to Synology DSM, so this was a bonus. Then I used the acme API to convert the cert to pkcs and used it with Plex.
 
Revisiting an old topic. I waited around 90 days; ports 80 and 443 are open on both router and NAS and today was the final day of the current Let's Encrypt certificate... Checked after lunch, as the certificate ended late this morning. Expired!

I had had emails telling me that the certificate would expire in 30 days, etc. but wanted to see if it would be accomplished automatically, which it was not. I have now renewed manually.

Any further thoughts as to why it would not renew automatically? I have a dynamic IP address, which changes every 14 days or so, but then the certificate is linked to xxxx.synology.me, so this should not be a problem. The NAS is not running anything out of the ordinary, e.g. Docker.

Should I just wait for DSM7 and hope that it is simply a glitch in DSM6? Perhaps DSM7 will be out in the next 90 days....
 
>>Perhaps DSM7 will be out in the next 90 days....
Probably not in the next 180 days.

>>had had emails telling me that the certificate would expire in 30 days
Can you check /var/log/messages for some more info on why the renewal process failed? As soon as the time drops below 30 days LE will attempt to renew them.
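Since the thread turns on noticing whether renewal actually happened before the certificate runs out, here is an added expiry check (editor's example, not Synology's or Let's Encrypt's code). It reads notAfter from the archived DSM certificates with the openssl CLI and from the certificate the NAS actually serves over TLS, then reports days left against the 30-day window Rusty mentions. It assumes python3 and the openssl CLI are present on the NAS; the _archive path comes from the script posted earlier in the thread, and xxxx.synology.me is a placeholder host name.

```python
"""Report how many days a certificate has left and whether it is inside the
Let's Encrypt renewal window. Added example for this thread, not DSM code.

Assumptions: python3 and the openssl CLI exist on the NAS; RENEW_WINDOW_DAYS is
the 30-day figure quoted in the thread; host names and paths are placeholders.
"""
import glob
import socket
import ssl
import subprocess
from datetime import datetime, timezone
from typing import Optional

RENEW_WINDOW_DAYS = 30                                   # LE starts trying below 30 days
SYNO_CERT_DIR = "/usr/syno/etc/certificate/_archive"    # path used by the script above


def parse_not_after(not_after: str) -> datetime:
    """Turn the notAfter text produced by `openssl x509 -enddate` and by
    ssl.getpeercert() ('Mar  5 12:00:00 2025 GMT') into an aware UTC datetime."""
    value = not_after.strip()
    if value.startswith("notAfter="):            # openssl prefixes the field name
        value = value[len("notAfter="):]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def days_remaining(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    seconds = (parse_not_after(not_after) - now).total_seconds()
    return int(seconds // 86400)


def classify(days: int, window: int = RENEW_WINDOW_DAYS) -> str:
    """'ok' above the window, 'renewal-window' while LE should be renewing
    (worth investigating if it stays there), 'expired' once it is too late."""
    if days < 0:
        return "expired"
    if days < window:
        return "renewal-window"
    return "ok"


def not_after_from_pem(path: str) -> str:
    """Read notAfter from a PEM file via the openssl CLI (the Python standard
    library has no X.509 parser of its own)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def not_after_from_host(host: str, port: int = 443) -> str:
    """Fetch notAfter from the certificate a host actually serves. Validation
    stays on, so an already-expired or untrusted chain raises instead of
    returning a date, which is itself the alarm you want."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def report(label: str, not_after: str) -> str:
    days = days_remaining(not_after)
    return f"{label}: {days} days left ({classify(days)})"


if __name__ == "__main__":
    # Local view: every archived DSM certificate, as the thread's script walks them.
    for pem in sorted(glob.glob(f"{SYNO_CERT_DIR}/*/cert.pem")):
        print(report(pem, not_after_from_pem(pem)))
    # External view: what browsers see; placeholder host name.
    try:
        print(report("served", not_after_from_host("xxxx.synology.me")))
    except OSError as exc:                       # ssl.SSLError is an OSError subclass
        print(f"served: TLS check failed: {exc}")
```

Run it from Task Scheduler a few days apart once a certificate drops under 30 days: if it keeps reporting "renewal-window" with the same date, the automatic renewal is not firing and /var/log/messages is the next place to look.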
 
Thanks Rusty: I will look for logs. Should be interesting; I haven't used telnet for a long while.

Thanks WST16: yes to firewall enabled, with ports 80 and 443 enabled.
 
>>Now, what I'm waiting to see is whether it'll auto-renew a wildcard-non-synology domain....
My experience differs from Rusty's ... with a qualification ... IF you are renewing an LE cert for Synology DDNS only, opening port 80 is not required. Otherwise, opening that port is necessary. BUT... if you are going to open port 80, just go ahead and force the renewal manually, rather than keep that port open until LE triggers renewal. Then remove the port 80 forward.
 