
Synology & Cloudflare: How to configure a Wildcard SSL certificate


Hello!

Today, online security and privacy are key aspects of running websites and managing data. SSL certificates play an important role in ensuring that communications between users and servers are encrypted. What’s more, as one of the most popular NAS solutions, Synology offers flexibility and advanced configurability, making it the ideal tool for implementing such certificates.

In this article, I will show how to configure a Wildcard SSL certificate on a Synology server using Cloudflare and the ACME protocol. With this guide, you will learn how to effectively secure your domain and all its subdomains using the automation offered by the acme.sh tool.

Introduction

What is Synology?

Synology is a company specializing in the production of network hardware and software for data storage and management. Their main products are NAS (Network Attached Storage) servers, which offer a wide range of functions such as file storage, media sharing, backup, and hosting network services.

Thanks to their flexibility, Synology devices are used both in home networks, where they serve as a central data storage and media server, and in businesses, where they are used to store and share files and run a variety of business applications, such as email servers, file servers, and project management platforms.


What is Cloudflare?


Cloudflare is a global technology company offering advanced web acceleration and security services. Above all, it provides CDN, protection against DDoS attacks, advanced DNS management, SSL/TLS, web application firewall (WAF) and performance optimisation. With a distributed network of servers, Cloudflare reduces page load times, protects against threats and provides fast and secure access to content. As a result, it improves the user experience across the globe while enhancing the security and performance of websites.

Cloudflare services are easy to integrate and offer advanced analytics. They automate the processes of securing and speeding up sites, which is particularly beneficial for companies of all sizes. Cloudflare also makes it easy to deploy SSL/TLS certificates, ensuring secure communications. This makes it a popular choice for site owners and network administrators.

Preparation

In order to prepare the tutorial, we will adopt an established domain name and certain configuration names, shown below. For customized configuration, apply settings according to individual requirements.

  • Full domain name (FQDN) of Synology DSM: https://dsm.xyz.com,

What is Wildcard SSL?

Wildcard SSL is a type of SSL/TLS certificate that allows you to secure not only one domain, but also all its subdomains with a single certificate. This is an extremely convenient solution for companies and organisations that have multiple subdomains and want to ensure their protection with minimal certificate management.

Example of use

Suppose you have a lovecats.com website and you also want to secure its subdomains, such as blog.lovecats.com etc. Instead of issuing separate certificates for each of these subdomains, you can install a single Wildcard SSL certificate for *.lovecats.com, which will automatically cover all existing and future subdomains.

How does Wildcard SSL work?

Wildcard SSL uses a special ‘*’ (asterisk) character in the domain name when generating the certificate. This means that the certificate is valid for each subdomain at a given level. For example, the certificate for *.lovecats.com will protect www.lovecats.com etc.

Wildcard SSL is particularly useful for dynamic and growing websites, where new subdomains can be added regularly. With this solution, each new subdomain is automatically covered without the need for new certificates.
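To make the "one level" rule concrete, here is an added example (my own code, not part of the original article or of any tool it describes) that checks which hostnames a certificate name covers, applying the single-label wildcard rule that browsers enforce on certificate names. The hostnames and certificate names in it are made up for illustration; it also shows why a certificate issued only for *.xyz.com does not cover the bare xyz.com.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True when the certificate name `pattern` covers `hostname`.

    The rules are the ones browsers apply to certificate names (RFC 6125
    section 6.4.3, as tightened by current browsers): comparison is
    case-insensitive, '*' must be the entire leftmost label, it stands for
    exactly one label, it never covers the bare domain (apex), and wildcards
    directly under a top-level label such as '*.com' are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname or not hostname:
        return False                                  # a hostname never contains '*'
    if "*" not in pattern:
        return pattern == hostname                    # plain name: exact match only
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False                                  # 'w*.example.com' style is refused
    if len(labels) < 3:
        return False                                  # '*.com' would cover every .com domain
    host_labels = hostname.split(".")
    if not all(host_labels):
        return False                                  # empty labels ('.example.com') are invalid
    # Exactly one label replaces '*', and every remaining label must match.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def covered_names(san_names, hostnames) -> dict:
    """Map each hostname to whether any name in the certificate's SAN list covers it."""
    return {h: any(hostname_matches(p, h) for p in san_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed names for illustration, mirroring the article's examples.
    report = covered_names(["*.lovecats.com"],
                           ["www.lovecats.com", "blog.lovecats.com",
                            "lovecats.com", "a.b.lovecats.com"])
    for host, ok in report.items():
        print(f"{host:24s} {'covered' if ok else 'NOT covered'}")
```

Running it shows www.lovecats.com and blog.lovecats.com covered, while lovecats.com (the apex) and a.b.lovecats.com (two levels deep) are not; if the apex must also be served, it is added to the certificate as a second name alongside the wildcard.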

What is ACME?


ACME (Automatic Certificate Management Environment) is a protocol developed by the Internet Security Research Group (ISRG) and commonly used by Let’s Encrypt to automate SSL/TLS certificate management. It allows SSL certificates to be automatically obtained, installed and renewed, eliminating the need for manual administrator intervention. This makes the process much simpler, faster and much less open to human error.

ACME is extremely useful for server administrators who want to ensure that their websites are always protected by up-to-date SSL/TLS certificates. In addition, automating this process saves time and resources while enhancing the security and reliability of sites.

In addition, the use of ACME contributes to faster deployment of large-scale certificates, which is particularly important for high-traffic sites. What’s more, with ACME, even those with limited technical knowledge can easily manage the security of their website.

Restrictions

Since the introduction of Let’s Encrypt support on Synology devices, many users have taken advantage of the opportunity to obtain free SSL certificates. However, there are some limitations that are worth taking into account.

  • Many people avoid exposing ports 80/443 to the Internet, yet the HTTP-01 challenge requires opening these ports on the router.
  • An alternative is the DNS-01 challenge, which needs no open ports.
  • Unfortunately, the current implementation of Let’s Encrypt on Synology devices only supports the HTTP-01 method, which requires port 80 to be exposed to the Internet.
  • Additionally, if the domain of your NAS has an IPv6 AAAA record set, the implementation of Let’s Encrypt on Synology devices will fail.

Despite these limitations, there is a way around them. We can access the NAS via SSH and configure it to automatically renew certificates, bypassing the GUI panel.

In this guide, we will use the DNS-01 challenge via the Cloudflare API, where we host our domain. This allows us to manage certificates without having to open ports on the router. Moreover, this approach is safer and more flexible, especially for those who do not want to open additional ports on their network.

Step 1 – Configuration in Synology

SSH

If you do not already have SSH enabled on your Synology, follow the steps below:

  • Go to the Control Panel, then under Connectivity, select Terminal and SNMP;

  • Click Enable SSH service and set any high port, e.g. 45000.

Synology SSH

  • Save the settings and proceed to log in via SSH to your Synology.

Downloading files to a server

For the Microsoft Windows operating system I recommend PuTTY, while for Apple macOS I recommend Termius.

  • I personally use macOS, thus I will use Termius.
  • Log in as super user: start the terminal and type the command sudo su to switch to the super user account.
sudo su
  • Navigate to the home directory: Type cd ~ to navigate to the current user’s home directory.
cd ~
  • Download the acme.sh package: Use the wget command to download the acme.sh package. Type:
wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
  • Unzip the downloaded package: Use the tar command to unpack the downloaded package. Type:
tar xvf master.tar.gz
  • Go to the acme.sh-master directory: Go to the acme.sh-master directory that was created when the package was unpacked. Type:
cd acme.sh-master/
  • Install acme.sh: Perform the acme.sh installation by specifying the installation path and entering your email address. Type:
./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "[email protected]"
  • Load the user profile: To ensure that changes made during installation are taken into account, load the user profile. Type:
source ~/.profile
  • Do not close the terminal or disconnect the SSH connection to the Synology; we will come back to it in a moment.

Step 2 – Configure Cloudflare’s DNS and obtain an API token

Make sure your domain is registered and managed by Cloudflare. If you haven’t already done so, add the domain to Cloudflare and finish its setup. Next, configure DNS so that ACME can use the API token generated in Cloudflare to perform a DNS challenge when issuing a Let’s Encrypt SSL certificate.

  • Go to the menu for creating a user API Token in Cloudflare:
    • Go to the home page and select your domain name,
    • In the domain management interface (Overview tab), on the right side, search and click Get your API Token,

Cloudflare, API

    • In the list of your API Tokens, click Create Token,
    • In the API Token creation menu, click on Get Started next to Create Custom Token in the Custom Token section.

Cloudflare, Create token

    • When you go to create Custom API Token, fill the form with the following values:
      • Token name: e.g. acme-xyzcom,
      • Permissions: Set as follows: Zone | DNS | Edit,
      • Zone Resources: Set as follows: Include | Specific zone | your domain xyz.com,
      • Client IP Address Filtering: leave blank,
      • TTL: leave blank.

Cloudflare, User API Tokens Create

    • During the final stage, a summary of the API Token creation will appear. If all the information is correct, click Create Token.
    • Once the API Token is created, you will receive detailed information about it, along with the option to test it in the terminal.

Cloudflare, Created API Token

  • Save the copied API Token in a notepad, as you will need it when configuring the SSL certificate in ACME.

API export to ACME

  • Set environment variables for Cloudflare: Export your sensitive data, such as your Cloudflare token and email address, as environment variables. Type:
    • Make sure you replace API_TOKEN with your actual Cloudflare private token and [email protected] with your email address assigned to your Cloudflare account.
export CF_Token="API_TOKEN"
export CF_Email="[email protected]"

Setting these environment variables will enable acme.sh to authenticate using your Cloudflare account during the process of obtaining an SSL certificate.

Step 3 – Certificate creation

Now it is time to create a certificate for your domain. The following commands will create an SSL certificate for your domain with Let’s Encrypt, using Cloudflare’s DNS-01 verification method. Once this process is complete, you will have a valid SSL certificate for your domain.

  • Moving to the acme.sh directory: we are still working in the same terminal where we performed the previous steps. Navigate to the directory where acme.sh is installed. Type:
cd /usr/local/share/acme.sh
  • Setting up your domain and DNS variables: Define the variables for your domain (in its wildcard form; the example below uses the author’s where-is-my-money.pl, so substitute your own domain) and the DNS service you are using (in this case Cloudflare). Type:
export CERT_DOMAIN="*.where-is-my-money.pl"
export CERT_DNS="dns_cf"
  • Generate a certificate: Now run the acme.sh command to generate a certificate for your domain. Type:
./acme.sh --issue --server letsencrypt --home . -d "$CERT_DOMAIN" --dns "$CERT_DNS"

Step 4 – Implementation of the certificate

Rather than using an existing admin user, it is recommended to create a separate admin account dedicated exclusively to these operations. It is worth ensuring that the password for this account is strong and complex to increase the level of security. Avoid using the same admin account that you use for other operations, for security reasons.

Below you will find the steps to follow:

  • Create a separate administrator account: Go to the Synology control panel and create a new administrator account that is only for SSL certificate operations. Make sure the username is unique (e.g. serviceaccount-ssl-acme) and the password is complex and difficult to guess.
  • Set environment variables: Once the administrator account has been created, export its username and password as environment variables. You can do this in the terminal by typing:
export SYNO_USERNAME='user_admin_account_for_acme'
export SYNO_PASSWORD='babajaga-never-u2se-easy-pas3sword'
  • Set connection variables: Define the use of HTTPS and enter the current port number you use to log in to the Synology admin panel. To do this, type:
    • Also, if you are using the default port number, it is worth considering changing it for security reasons. Changing the default port number can help secure access to the administration panel.
export SYNO_LOCAL_HOSTNAME=1
export SYNO_SCHEME="https"
export SYNO_PORT="5001"
export SYNO_CREATE=1
  • Start the certificate deployment: Type the following command.
./acme.sh --deploy --insecure --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
  • Done! Wait a moment for the configuration to be saved. 🚀

Step 5 – Setting up automatic certificate renewal

To ensure the continued validity of the SSL certificate, it is recommended to configure automatic renewal.

On the Synology system, you can use the built-in tools to run the acme.sh script at regular intervals. To do this, you can create a scheduled task in the Task Scheduler of the DSM control panel that executes the automatic certificate renewal command.

  • Go to the Control Panel, then scroll down to find the Task Scheduler.
  • Click Create and select a User-defined script task,

Synology, Control Panel Task Scheduler

  • On the Edit task – General tab, enter the following values:
    • Task: renew certificate ssl,
    • User: root,
  • On the Edit task – Schedule tab, enter the following values:
    • Run on the following date: today's date, Repeat monthly
  • On the Edit task – Task Settings tab, enter the following values:
    • Send launch details in an email: Select and enter your e-mail address,
    • Send launch details only if the script is unexpectedly terminated: Check,
    • Run the command: Paste the following command into the text field (use the absolute path of the installed copy of acme.sh, because the scheduled task does not run from your home directory):
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh
  • After making these settings, click OK to save and activate the new scheduled task.
  • Now our script will run automatically every month.

Step 6 – Setting up certificates for individual applications in Synology DSM

Now that you have a valid SSL certificate, you can assign it to individual applications on your Synology DSM to ensure secure connections. Here’s how to do it:

  • Log in to DSM on your Synology device.
  • Go to the Control Panel, then to the Security – Certificate tab.

Synology DSM, Security panel

  • Click on Settings and go to the settings tab. All services/applications and their corresponding certificates will be displayed.
  • Click the current certificate of the target service and select the appropriate certificate from the drop-down menu.
  • Once the certificates have been configured, click OK.

Synology DSM, Security Certificates applications

  • Done! 🚀

If you have additional questions about the setup, go ahead and leave a comment under this article or contact me directly. I will be happy to answer any concerns and help solve any problems. Your questions can help improve this guide for other users.

Additional sources and information

Thank you for reaching this point. For further exploration and more information, I recommend checking out the links below. They are valuable sources that were used in the development of this guide.


Filip Chochół

Filip Chochol runs two blogs: personal “chochol.io” and together with his girlfriend “Warsaw Travelers” about travel. He specializes in IT resource management and technical support, and has been active in the field of cyber security awareness for almost two years. A proponent of open-source technologies, he previously worked in the film and television industry in the camera division (2013-2021). After hours, he develops interests in smart homes and networking.
