Updating certificates programmatically on SRM

Is there a way to import updated certificates on a Synology RT6600ax running SRM 1.3.1 other than via the web interface?

Background:

My domain's certs are maintained and automatically renewed elsewhere. The provider of those certs (porkbun if it matters) enables an API for me to download the certs as they renew. Those let me update the certificates on devices behind my firewall.

One of those devices is a Synology NAS running DSM 7.2.1 and I am able to use synology-cert-deploy.git to successfully update the certificates on that. Other services I run also provide me ways to update their certificates.

I can find no way to do something similar on a Synology Router running SRM 1.3.1. Poking about with ssh access enabled has not offered any enlightenment.
 
I do something similar to what you're asking with Porkbun. The router isn't involved at all, aside from some port forwarding. The Synology NAS does the heavy lifting, using two docker containers and Container Manager.

To update the IP address at Porkbun: GitHub - qdm12/ddns-updater (Container to update DNS records periodically with WebUI for many DNS providers). The config.json file looks like this:
JSON:
{
  "settings": [
    {
      "provider": "porkbun",
      "domain":"mydomain.net",
      "host":"myhostname",
      "api_key": "pk1_heylookarandomlygenerartedAPIkey",
      "secret_api_key": "pk1_heylookanotherrandomlygenerartedAPIkey",
      "ip_version": "ipv4"
    }
  ]
}

To handle SSL certs, I use the reverse-proxy tool Caddy. Here's the docker-compose file; it's basically stock except for changing ports to avoid conflicting with DSM's own stuff.

YAML:
version: "3.7"

services:
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    # With host networking Caddy binds straight to the host's ports (1080/10443 are set
    # in the Caddyfile); Docker ignores the ports: mappings below in this mode.
    network_mode: host
    ports:
      - "1080:80"       # Because Synology DSM reserves 80 for itself
      - "10443:443"     # Because Synology DSM reserves 443 for itself
      - "10443:443/udp" # Because Synology DSM reserves 443 for itself
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - caddy_data:/data
      - caddy_config:/config

# Named volumes must be declared under the same names the service references
volumes:
  caddy_data:
    external: true
  caddy_config:
    external: true

For a full Caddy tutorial, see Reverse proxy with Caddy 2

Here's an excerpt from my Caddyfile, showing some useful defaults and how it takes incoming traffic from the SRM router and reverse-proxies to various apps. I run things like Paperless-ngx, Plex, etc.

Code:
### GLOBAL SETTINGS ########################################################
{
        admin :2019    #not accessible outside local network
        http_port 1080    #Synology SRM forwards all port 80 traffic here
        https_port 10443    #Synology SRM forwards all port 443 traffic here
        grace_period 10s
}


### INCLUDES ###############################################################

# Some basics to use everywhere
(webconf) {
        encode gzip
}

#Add forward headers to requests - https://jordiburgos.com/post/2020/reverse-proxy-with-caddy-2.html
(theheaders) {
        header_up X-Forwarded-Ssl on
        header_up Host {host}
        header_up X-Real-IP {remote}
        header_up X-Url-Scheme {scheme}
        header_up X-Remote-IP {remote}
}

### HOSTS ###############################################################

www.mypersonalsite.net {
        # This connects to the default Synology web service
        reverse_proxy 10.0.0.151:80 {
                import theheaders
        }
        import webconf
}

mypersonalsite.net {
        # redirect bare domain
        redir https://www.mypersonalsite.net{uri} 301
}

links.mypersonalsite.net {
        # This connects to a container for my personal bookmarking service
        reverse_proxy 10.0.0.151:9090
        import webconf
}

paperless.mypersonalsite.net {
        # This connects to a container running paperless-ngx
        reverse_proxy 10.0.0.151:8010
        import webconf
}

# and so on…

Note: Caddy is unforgiving of configuration errors, and simply won't start up if the configuration is invalid. But at least this means you only have two conditions: everything works perfectly, or nothing works at all. :)
 
Upvote 0
Let me rephrase the question: I am trying to programmatically import a certificate into my Synology router - which in my case means providing the updated private key and wildcard-enabled certificate files extracted from the service that already maintains my certificates - so the router can update all the router's services.

Thanks for the suggestions, but your solution does not address that. Your second sentence "The router isn't involved at all, .." dismisses my one and only requirement. While using DDNS, updating a domain's DNS records, running containers, and Caddy reverse proxies together can all be cobbled together to hide the fact that the router's certs stop being valid, those don't address the issue I am trying to solve. For the same reasons I am not interested in using DDNS or the other mechanisms outlined in the SRM Knowledge Center that would require me to change 1) how my certificates are updated, 2) my local network's exposure to the internet, or 3) how I update my other devices.

As the lead sentence asked, "Is there a way to import updated certificates on a Synology RT6600ax running SRM 1.3.1 other than via the web interface?" DSM provides this (or users have found ways to accomplish it); SRM does not have a way that I've found.
 
Upvote 0
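The thread leaves the SRM import mechanism itself unanswered, but the step before any import (DSM via synology-cert-deploy, or whatever SRM eventually allows) is the same: make sure the key and certificate you pulled from the renewal API are actually the pair you want on the device. The Go program below is an added example written for this page; it is not code from either poster, from synology-cert-deploy, or from Porkbun. It checks that the private key matches the certificate, that the certificate is currently valid with at least `MinRemaining` lifetime left (a 7-day policy value assumed here), that it covers the device hostname under normal wildcard rules, and it returns a SHA-256 fingerprint so an unchanged certificate is not re-imported. `CheckRenewal`, `NeedsDeploy`, `MakeTestPair` and the `*.mydomain.net` / `router.mydomain.net` names are assumptions; the cert/key pair is constructed locally as sample data, not a real issued certificate.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MinRemaining is the least validity a renewed certificate should still have before it is
// worth pushing to a device (assumed policy value, not something the thread specifies).
const MinRemaining = 7 * 24 * time.Hour

// parsePrivateKey accepts the PEM key encodings a renewal download is likely to contain.
func parsePrivateKey(keyPEM []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("key: no PEM block found")
	}
	switch block.Type {
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("key: unsupported PKCS#8 key type")
	}
	return nil, fmt.Errorf("key: unexpected PEM type %q", block.Type)
}

// CheckRenewal validates a renewed leaf certificate and private key for deployment to
// host at time now and returns the certificate's hex SHA-256 fingerprint on success.
func CheckRenewal(certPEM, keyPEM []byte, host string, now time.Time) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("cert: no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("cert: %w", err)
	}
	key, err := parsePrivateKey(keyPEM)
	if err != nil {
		return "", err
	}
	// A key that does not belong to the certificate is the classic "import succeeded,
	// TLS broke" failure; catch it before touching the device.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		return "", errors.New("private key does not match certificate public key")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.UTC().Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	if remaining := cert.NotAfter.Sub(now); remaining < MinRemaining {
		return "", fmt.Errorf("certificate expires in %s, below the %s minimum", remaining, MinRemaining)
	}
	// VerifyHostname applies the usual SAN/wildcard rules: *.mydomain.net covers
	// router.mydomain.net but not the bare mydomain.net.
	if err := cert.VerifyHostname(host); err != nil {
		return "", fmt.Errorf("certificate does not cover %s: %w", host, err)
	}
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:]), nil
}

// NeedsDeploy reports whether the certificate a device currently serves (by fingerprint)
// differs from the renewed one, so an unchanged certificate is not re-imported needlessly.
func NeedsDeploy(deployedFingerprint, renewedFingerprint string) bool {
	return deployedFingerprint != renewedFingerprint
}

// MakeTestPair builds a constructed self-signed certificate and key (sample data only)
// so the checks can be exercised offline without any CA or registrar API.
func MakeTestPair(dnsNames []string, notBefore, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	certPEM, keyPEM, err := MakeTestPair([]string{"*.mydomain.net"}, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fp, err := CheckRenewal(certPEM, keyPEM, "router.mydomain.net", now)
	fmt.Println("fingerprint:", fp, "error:", err)
}
```

In practice the two PEM inputs would be the files downloaded from the renewal API and `host` the router's name; the fingerprint of the certificate the device currently presents can be compared with `NeedsDeploy` before invoking whatever import path the device offers.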
