Using Cloudflare for DDNS and TLS Certificates on Synology DSM6+

What I need:

  1. A DDNS provider that I can use with my own domain name (itsonpremises.dev).
  2. Let's Encrypt to issue my TLS certificates and roll them before/when they expire.

Why the stock setup does not do it:

  1. My current DDNS provider (Google Domains) for my domain doesn't support API access (though GCP does).
  2. The Synology implementation of Let's Encrypt currently (1-Jan-2017) only supports the HTTP-01 challenge, which requires exposing port 80 to the Internet.

Configure Cloudflare for Synology DDNS

  1. Download the DDNS script. I recommend saving it as cloudflaredns_domainname.sh (one copy per domain) if you have multiple domains. Note that "sudo echo ... >> file" does not work, because the redirection runs as your own user rather than root; append with sudo tee instead.
$ sudo wget https://raw.githubusercontent.com/joshuaavalon/SynologyCloudflareDDNS/master/cloudflareddns.sh -O /sbin/cloudflaredns_domainname.sh
$ sudo chmod +x /sbin/cloudflaredns_domainname.sh
$ echo "[Cloudflare Domain Name]" | sudo tee -a /etc.defaults/ddns_provider.conf
$ echo " modulepath=/sbin/cloudflaredns_domainname.sh" | sudo tee -a /etc.defaults/ddns_provider.conf
$ echo " queryurl=https://www.cloudflare.com/" | sudo tee -a /etc.defaults/ddns_provider.conf
  2. Get the Zone ID for your domain from the Cloudflare dashboard.
  3. Generate a scoped API token with the following permissions:
  • Zone / Zone / Read
  • Zone / DNS / Edit
  4. Open Control Panel -> External Access -> DDNS
  5. Create a "Cloudflare Domain Name" DDNS entry in the DSM console:
  • Hostname: the A record of your domain name (mine is syno.itsonpremises.dev)
  • Username/Email: the Zone ID of your zone
  • Password/Key: the scoped API token created in the Cloudflare dashboard
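The provider registration above is the step people most often get wrong on DSM, both because of the sudo/redirect pitfall and because re-running the commands appends a duplicate section. The script below is an added example, not part of the original post or of the SynologyCloudflareDDNS project: it registers a module in ddns_provider.conf only once, refuses a module file that is not executable, and is meant to be run as root (sudo -i). The function names, the DDNS_REGISTER_APPLY guard and the ability to override the config path are my assumptions; the file paths default to the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): register a DDNS module in
# DSM's ddns_provider.conf idempotently. Run it as root (sudo -i): the
# "sudo echo ... >> file" pattern fails because the redirection runs as the
# unprivileged user, not as root. Paths default to the post's values; the
# config path and module path are arguments so the logic can be tested elsewhere.

# register_ddns_provider CONF NAME MODULE QUERYURL
# Appends a [NAME] section unless one already exists, and refuses to register
# a module file that is missing or not executable (DSM could not run it).
register_ddns_provider() {
  conf="$1"; name="$2"; module="$3"; queryurl="$4"
  if [ ! -x "$module" ]; then
    echo "module $module is missing or not executable" >&2
    return 1
  fi
  # Section headers are whole lines; -x keeps "[Cloudflare]" from matching
  # "[Cloudflare Domain Name]", and -F treats the brackets literally.
  if grep -qxF "[$name]" "$conf" 2>/dev/null; then
    echo "provider [$name] already registered in $conf"
    return 0
  fi
  printf '[%s]\n modulepath=%s\n queryurl=%s\n' "$name" "$module" "$queryurl" >> "$conf"
  echo "registered [$name] in $conf"
}

# provider_count CONF NAME: how many [NAME] sections exist (expect exactly 1).
provider_count() {
  grep -cxF "[$2]" "$1" 2>/dev/null || true
}

# Real run on the NAS (guarded so the file can be sourced for tests):
#   DDNS_REGISTER_APPLY=1 sudo sh register-ddns.sh
if [ "${DDNS_REGISTER_APPLY:-0}" = 1 ]; then
  register_ddns_provider /etc.defaults/ddns_provider.conf "Cloudflare Domain Name" \
    /sbin/cloudflaredns_domainname.sh https://www.cloudflare.com/
fi
```

The executable check matters because DSM gives no useful error when the module path in ddns_provider.conf points at a file it cannot run; catching it at registration time is cheaper than debugging a DDNS entry that never updates.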

Configure Synology for LetsEncrypt Certificates

  1. Create a new certificate administrator user to run acme.sh and own the cron job for refreshing certificates.
  • This user must be a member of the administrators group.
  • Set DENY permissions on all applications other than DSM, and restrict DSM access to your NAS IP address if possible (localhost/127.0.0.1 is unfortunately not supported).
  • Ensure the user has r/w permissions to /home(s) if you have home directories enabled.
  • You will need to disable HTTP/2 if you have it configured: Control Panel -> Network -> DSM Settings -> Disable HTTP2.
  2. Install the certificate reload script and acme.sh, then hand the acme.sh home over to the new user:
$ sudo wget -O /usr/local/bin/reload-certs.sh https://github.com/bartowl/synology-stuff/raw/master/reload-certs.sh
$ sudo chmod +x /usr/local/bin/reload-certs.sh
$ sudo -i
$ wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "myemail@example.com"
$ sudo chown -R mycertadmin /usr/local/share/acme.sh/
$ sudo chmod 755 /usr/local/share/acme.sh
  3. Authenticate acme.sh to Cloudflare. The global API key grants access to your whole Cloudflare account, so prefer the scoped token. Either the global key:
$ export CF_Key="MY_SECRET_KEY_SUCH_SECRET"
$ export CF_Email="myemail@example.com"
or the scoped API token created above:
$ export CF_Token="MY_SECRET_TOKEN_SUCH_SECRET"
$ export CF_Account_ID="xxxxxxxxxxxxx"
$ export CF_Zone_ID="xxxxxxxxxxxxx"
  4. Issue the certificate with the DNS-01 challenge via the dns_cf hook (no port 80 required):
$ cd /usr/local/share/acme.sh
$ ./acme.sh --issue -d "star.example.com" --dns dns_cf --home "$PWD"
  5. Deploy it to DSM with the synology_dsm hook, which logs in to DSM with the certificate admin's credentials:
$ export SYNO_Username="Certadmin"
$ export SYNO_Password='MyPassw0rd!'
$ export SYNO_Certificate="mydesc" # description shown in Control Panel -> Security -> Certificate
$ export SYNO_Create=1
$ export SYNO_Scheme="http"  # can be set to https; defaults to http
$ export SYNO_Hostname="localhost" # the hook reads SYNO_Hostname; set it only if DSM is not on localhost
$ export SYNO_Port="5000" # port of the DSM web UI (5000 for HTTP, 5001 for HTTPS)
$ ./acme.sh -d "star.example.com" --deploy \
--deploy-hook synology_dsm \
--reloadcmd "/usr/local/bin/reload-certs.sh" \
--dnssleep 20 \
--home "$PWD"

Set up a recurring task for renewal and replacement

  1. Control Panel -> Task Scheduler
  2. Create -> Scheduled Task -> User-defined script
  3. Fill out the necessary information:
  • General: give the task a name and choose your newly created certificate admin user
  • Schedule: e.g. weekly at 4:00 am on Saturday
  • Task Settings: optionally set up an email notification, and use one of the following scripts for renewal.
# Renew a single certificate
/usr/local/share/acme.sh/acme.sh --renew -d "star.example.com" --home /usr/local/share/acme.sh
# Renew all certificates issued via acme.sh
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh
# Renew and then deploy to DSM in one task. acme.sh exits 2 when the
# certificate is not yet due, so the && skips the deploy in that case
# (and the task then reports exit code 2).
export SYNO_Username="Certadmin"
export SYNO_Password='MyPassw0rd!'
export SYNO_Certificate="star.example.com"
export SYNO_Create=1
export SYNO_Scheme="http"
export SYNO_Hostname="localhost"
export SYNO_Port="5000"
cd /usr/local/share/acme.sh
/usr/local/share/acme.sh/acme.sh --renew -d "star.example.com" --home /usr/local/share/acme.sh &&
/usr/local/share/acme.sh/acme.sh -d "$SYNO_Certificate" --deploy \
--deploy-hook synology_dsm \
--reloadcmd "/usr/local/bin/reload-certs.sh" \
--dnssleep 20 \
--home "$PWD"
exit
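The combined renew-and-deploy script above keeps the DSM admin password in the task body, and it returns acme.sh's exit code 2 ("not due yet") to Task Scheduler, which then flags the weekly run as failed. The wrapper below is an added example, not code from the original post or from acme.sh, covering both the deploy step (the SYNO_* exports) and the scheduled renewal. It sources the SYNO_*/CF_* exports from a file that must be mode 0600, treats "not due" as success, and only runs the DSM deploy after an actual renewal. The file path /usr/local/etc/certadmin.env, the ACME_HOME/ACME_SH/CRED_FILE variables and the RENEW_MAIN guard are my assumptions; the acme.sh flags are the ones the post uses, and the exit code 2 for a skipped renewal is acme.sh's documented RENEW_SKIP value.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): a Task Scheduler
# wrapper for the renew-and-deploy step. Compared with the inline script it
# (1) loads the SYNO_*/CF_* exports from a root-only file instead of the task
# body, (2) treats "not due yet" (acme.sh exit 2) as success, and (3) deploys
# to DSM only after a real renewal. ACME_HOME, ACME_SH and CRED_FILE are
# assumed names; the credentials file path is hypothetical.

ACME_HOME="${ACME_HOME:-/usr/local/share/acme.sh}"
ACME_SH="${ACME_SH:-$ACME_HOME/acme.sh}"
CRED_FILE="${CRED_FILE:-/usr/local/etc/certadmin.env}"

# load_credentials FILE: source the exports, but only from a file that nobody
# except its owner can read (mode 0600 or 0400).
load_credentials() {
  file="$1"
  if [ ! -f "$file" ]; then
    echo "missing credentials file: $file" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600 | 400) ;;
    *) echo "refusing $file: mode $mode is not 0600/0400" >&2; return 1 ;;
  esac
  . "$file"
}

# renew_cert DOMAIN: exit 0 = renewed, 2 = not due yet, anything else = error.
renew_cert() {
  "$ACME_SH" --renew -d "$1" --home "$ACME_HOME"
}

# deploy_cert DOMAIN: push the current certificate into DSM via the synology_dsm hook.
deploy_cert() {
  "$ACME_SH" -d "$1" --deploy --deploy-hook synology_dsm \
    --reloadcmd /usr/local/bin/reload-certs.sh --home "$ACME_HOME"
}

# renew_and_deploy DOMAIN: returns 0 when renewed and deployed, or when nothing
# was due, so Task Scheduler only notifies on real failures.
renew_and_deploy() {
  domain="$1"
  renew_cert "$domain" && rc=0 || rc=$?
  case "$rc" in
    0) deploy_cert "$domain" ;;
    2) echo "$domain: not due for renewal, skipping deploy"; return 0 ;;
    *) echo "$domain: renewal failed (exit $rc)" >&2; return "$rc" ;;
  esac
}

# Real run from Task Scheduler (guarded so the file can be sourced for tests):
#   RENEW_MAIN=1 /usr/local/bin/renew-and-deploy.sh
if [ "${RENEW_MAIN:-0}" = 1 ]; then
  load_credentials "$CRED_FILE" && renew_and_deploy "star.example.com"
fi
```

Because acme.sh remembers the deploy settings from the first successful --deploy, the credentials file only strictly needs the values you want to change later; keeping it 0600 and owned by the certificate admin means a compromise of any other DSM package account does not also hand over DSM admin credentials.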
To upgrade acme.sh in place later:
$ cd /usr/local/share/acme.sh
$ ./acme.sh --force --upgrade --nocron --home /usr/local/share/acme.sh
$ . "/usr/local/share/acme.sh/acme.sh.env"

corcoran