Personal Journey to Securing My Synology NAS with a Wildcard Certificate

A Journey Through Complexity: Triumphs and Trials in Securing My Digital Domain

0P3N7H3cl00r
5 min read · Apr 6, 2024

Securing my Synology NAS with a wildcard SSL certificate was not just a task; it was an odyssey marked by trials, learning, and eventually triumph. The decision to embark on this journey was driven by the desire to use AdGuard to override DNS settings, allowing for seamless SSL certificate-backed domain connections to my NAS without the dreaded browser alerts.

The Challenge of Navigating Complex Documentation

The first hurdle was the daunting task of deciphering lengthy API documentation. The complexity and breadth of information felt overwhelming, a maze of technical jargon and endless pages. This initial phase tested my patience and perseverance, laying the groundwork for a deeply personal venture into the world of cybersecurity.

Choosing a Wildcard Certificate: A Strategic Move, but why?

The choice of a wildcard certificate was strategic, aimed at ensuring flexibility and security across multiple services hosted on my Synology NAS. This approach not only streamlined the SSL certification process but also safeguarded my domain, enabling secure connections through AdGuard’s DNS overwriting capabilities.

A Solution Arose: The Power of acme.sh

In the midst of research and trial, I discovered acme.sh, a tool that became my Excalibur. acme.sh harnessed the power of Let's Encrypt to effortlessly generate a wildcard certificate for my myriad services on Synology. This revelation was a turning point, offering a seamless path through the previously impenetrable thicket of SSL certification.

Steps I took to make it all work

SSH into DSM and switch to root

  1. After connecting over SSH, switch to the root user:
sudo su
  2. Change to root's home folder:
cd ~

Installation of acme.sh

  1. Download acme.sh
wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz

2. Unpack master.tar.gz and enter the extracted folder

tar xvf master.tar.gz
cd acme.sh-master/

3. Install the script (--nocron skips the crontab entry, because DSM's Task Scheduler will take care of renewal later)

./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "youremail@example.com"

4. Load the environment variables and functions that the installer added to ~/.profile into the current shell session:

source ~/.profile

Configure DNS

For this tutorial, we will use Cloudflare as the example. Refer to the acme.sh DNS API guide if you use another DNS provider.

  1. Go to Cloudflare, open the API Tokens section and select Create Token

2. Select Edit zone DNS template

3. When you create the token, under Permissions select Zone > DNS > Edit, and under Zone Resources include only the specific DNS zones in which you need to perform ACME DNS challenges, so the token cannot change anything else. (See screenshot below)

4. Copy the token

5. Back in the terminal, set the two environment variables that acme.sh reads to create the DNS record:

export CF_Token="the token you copied in step 4"
export CF_Email="youremail@example.com"

Creating the certificate

  1. Switch to the acme.sh installation folder, set the two environment variables shown below, and issue the certificate.
cd /usr/local/share/acme.sh
# make sure to add the wildcard symbol here; "*.example.com" covers one label level (nas.example.com), not example.com itself
export CERT_DOMAIN="*.example.com"
export CERT_DNS="dns_cf"
./acme.sh --issue --server letsencrypt --home . -d "$CERT_DOMAIN" --dns "$CERT_DNS"

2. On success, acme.sh lists the certificate and key files it produced, as in the screenshot below

Deploy the default certificate

  1. We will deploy the certificate with a temporary admin user; enable this by typing the command below
export SYNO_USE_TEMP_ADMIN=1

2. Deploy the certificate

./acme.sh --deploy --home . -d "$CERT_DOMAIN" --deploy-hook synology_dsm
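The issue and deploy steps above, wrapped in a small preflight script. This is an added example, not code from the original post or from the acme.sh project. It assumes acme.sh lives at /usr/local/share/acme.sh, that CF_Token and CF_Email are exported as in the DNS section, and it uses acme.sh's --test flag to aim at the Let's Encrypt staging CA when STAGING=1. The domain check enforces what the "wildcard symbol" comment in the issue step means: exactly one leading "*." followed by a real hostname, because a wildcard matches one label level and nothing else.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh: a preflight
# wrapper around the "issue" and "deploy" steps. It refuses anything that is
# not a single-level wildcard, checks that the Cloudflare token is exported,
# and optionally targets the Let's Encrypt staging CA.
# Assumptions: acme.sh is installed at /usr/local/share/acme.sh (ACME_HOME),
# CF_Token and CF_Email are already exported, and the script is invoked as
# "sh issue-and-deploy.sh run '*.example.com'".
set -eu

ACME_HOME="${ACME_HOME:-/usr/local/share/acme.sh}"

# Return 0 only for a single-level wildcard such as "*.example.com".
# Let's Encrypt issues wildcards only through the DNS-01 challenge, and a
# wildcard matches exactly one label: "*.example.com" covers nas.example.com
# but neither example.com itself nor a.b.example.com.
is_wildcard_domain() {
  case "$1" in
    '*.'*.*) ;;                       # must start with "*." and have a dot after it
    *) return 1 ;;
  esac
  rest="${1#\*.}"                     # strip the leading "*."
  case "$rest" in
    *'*'*|*..*|.*|*.) return 1 ;;     # no second "*", no empty labels
  esac
  case "$rest" in
    *[!A-Za-z0-9.-]*) return 1 ;;     # only hostname characters may remain
  esac
  return 0
}

# Print "--test" when STAGING=1, so repeated experiments hit the Let's Encrypt
# staging CA (acme.sh's --test flag) instead of the production rate limits.
staging_flag() {
  if [ "${STAGING:-0}" = "1" ]; then printf '%s' '--test'; fi
}

run_issue_and_deploy() {
  domain="$1"
  if ! is_wildcard_domain "$domain"; then
    echo "refusing: '$domain' is not a single-level wildcard" >&2
    return 1
  fi
  : "${CF_Token:?export CF_Token (Cloudflare API token) first}"
  cd "$ACME_HOME"
  # Same issue command as in the post; an empty staging flag expands to nothing.
  ./acme.sh --issue --server letsencrypt --home . -d "$domain" --dns dns_cf $(staging_flag)
  # Same deploy command as in the post, with the temporary-admin switch set
  # only for this one invocation instead of exported into the shell.
  SYNO_USE_TEMP_ADMIN=1 ./acme.sh --deploy --home . -d "$domain" --deploy-hook synology_dsm
}

if [ "${1:-}" = "run" ]; then
  run_issue_and_deploy "${2:?usage: $0 run '*.example.com'}"
fi
```

Save it next to acme.sh and run `sh issue-and-deploy.sh run '*.example.com'` (quote the asterisk so the shell does not expand it against the current directory). Running once with STAGING=1 first is a cheap way to shake out DNS token or zone mistakes against the staging CA, whose rate limits are far more forgiving than production's.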

Configure certificate renewal

  1. In the Synology Control Panel, select Task Scheduler

2. Create a user-defined script

3. In General Settings, type a name for the scheduled task and select root as the user that runs it

4. Next, move to the Schedule tab and enter the recurrence rule

5. Next, move to the Task Settings tab, enter the command below and click OK to save

# renew certificates
cd /usr/local/share/acme.sh
./acme.sh --cron --home .

You can also receive a notification if you select "Send run details by email".
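For the Task Scheduler entry, here is a renewal script that goes one step beyond the command above: after acme.sh's renewal pass it checks that the certificate file on disk is still good for at least MIN_DAYS and exits non-zero otherwise, so the "Send run details by email" option reports a failed renewal instead of you discovering it from a browser warning. This is an added example, not the post's or acme.sh's own code. It assumes the acme.sh home is /usr/local/share/acme.sh, acme.sh's default layout of a directory named after the domain (with an _ecc suffix for ECC keys) holding fullchain.cer, and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh: the script
# body for the DSM Task Scheduler entry. It runs the same renewal pass as the
# post and then verifies that the certificate will still be valid for at
# least MIN_DAYS, exiting non-zero (which DSM can email you about) when a
# renewal quietly failed.
# Assumptions: acme.sh home is /usr/local/share/acme.sh, certificates live
# under <home>/<domain>/ or <home>/<domain>_ecc/ (acme.sh's default layout),
# and openssl is on the PATH. Invoke as "sh renew-check.sh run".
set -eu

ACME_HOME="${ACME_HOME:-/usr/local/share/acme.sh}"
CERT_DOMAIN="${CERT_DOMAIN:-*.example.com}"
MIN_DAYS="${MIN_DAYS:-30}"     # Let's Encrypt certs last 90 days; alert well before expiry

# openssl's -checkend takes seconds; the schedule is easier to reason about in days.
days_to_seconds() { echo $(( $1 * 86400 )); }

# Locate the full chain for a domain inside acme.sh's home. The directory name
# is the literal domain, asterisk included, with an _ecc suffix for ECC keys
# (assumed default layout; adjust if your install differs).
cert_path() {
  for d in "$ACME_HOME/${1}_ecc" "$ACME_HOME/$1"; do
    if [ -f "$d/fullchain.cer" ]; then
      echo "$d/fullchain.cer"
      return 0
    fi
  done
  return 1
}

# 0 if the certificate at $1 is still valid $2 days from now, 1 if it is not
# (or the file is unreadable), 2 if openssl is missing and nothing was checked.
cert_valid_for_days() {
  cert="$1"; days="$2"
  [ -r "$cert" ] || return 1
  command -v openssl >/dev/null 2>&1 || return 2
  openssl x509 -in "$cert" -noout -checkend "$(days_to_seconds "$days")"
}

run_renewal() {
  cd "$ACME_HOME"
  ./acme.sh --cron --home .          # renews whatever is inside acme.sh's renewal window
  chain="$(cert_path "$CERT_DOMAIN")" || {
    echo "no certificate found for $CERT_DOMAIN under $ACME_HOME" >&2
    return 1
  }
  if cert_valid_for_days "$chain" "$MIN_DAYS"; then
    echo "OK: $chain is valid for at least $MIN_DAYS more days"
  else
    echo "FAIL: $chain expires within $MIN_DAYS days, or could not be checked" >&2
    return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  run_renewal
fi
```

Save it as /usr/local/share/acme.sh/renew-check.sh and set the task command to `sh /usr/local/share/acme.sh/renew-check.sh run`. The validity check is deliberately separate from acme.sh's own exit status: `--cron` can return success when it simply decided nothing was due yet, and what you actually care about is how long the certificate on disk still has.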

Last step: don't forget to configure Synology DSM to use the wildcard certificate as the default

In Control Panel, go to Security and open the Certificate tab; you should see the newly obtained wildcard certificate. You can make it the default for all services on the NAS, or select which services should use the wildcard certificate.

Reflections on a Journey Completed

Reflecting on this journey, I am struck by a mix of frustration and triumph. The frustration stemmed from the initial confusion and the pitfalls of outdated information. Yet, these challenges were overshadowed by the exhilaration of solving complex problems, of turning a labyrinthine task into a streamlined process.

This odyssey through the world of wildcard SSL certification has been more than a technical endeavor; it has been a journey of growth, learning, and empowerment. By sharing my story, I hope to light the way for others, proving that with perseverance, insight, and the right tools, securing your digital domain is not just possible — it’s within reach.
