Deployed automated wildcard SSL certificate management for Synology NAS using acme.sh, Let's Encrypt, and Cloudflare DNS validation. Custom directory structure for organized storage, automatic renewal with DSM deployment hooks. Eliminates manual certificate management while maintaining security.
Synology DSM includes built-in Let's Encrypt support, but it has significant limitations:
For internal infrastructure with multiple subdomains that shouldn't be publicly accessible, we needed wildcard certificates using DNS validation.
acme.sh is a pure shell script ACME client supporting DNS validation via multiple providers. Combined with Cloudflare API and Synology DSM hooks, it provides fully automated certificate management.
Install into custom directories for clean management and easy backup:
    # Create custom directories
    mkdir -p /var/services/homes/sysadmin/acme.sh/acme_certs
    mkdir -p /var/services/homes/sysadmin/acme.sh/acme_config

    # Install acme.sh with custom paths
    curl https://get.acme.sh | sh -s email=YOUR_EMAIL_ADDRESS \
      --home /var/services/homes/sysadmin/acme.sh/acme_config \
      --config-home /var/services/homes/sysadmin/acme.sh/acme_config \
      --cert-home /var/services/homes/sysadmin/acme.sh/acme_certs
Test with Let's Encrypt staging environment to avoid rate limits (5 certs per domain per week) during troubleshooting:
    CF_Token="YOUR_CLOUDFLARE_API_TOKEN" \
    CF_Email="YOUR_EMAIL_ADDRESS" \
    SYNO_USE_TEMP_ADMIN=1 \
    /var/services/homes/sysadmin/acme.sh/acme_config/acme.sh \
      --home /var/services/homes/sysadmin/acme.sh/acme_config \
      --cert-home /var/services/homes/sysadmin/acme.sh/acme_certs \
      --config-home /var/services/homes/sysadmin/acme.sh/acme_config \
      --staging \
      --issue \
      -d '*.internal.example.com' \
      --dns dns_cf

DNS validation: acme.sh creates a TXT record at _acme-challenge.domain.com via the Cloudflare API. No port exposure is required.
After successful staging, issue production certificate:
    CF_Token="YOUR_CLOUDFLARE_API_TOKEN" \
    CF_Email="YOUR_EMAIL_ADDRESS" \
    SYNO_USE_TEMP_ADMIN=1 \
    /var/services/homes/sysadmin/acme.sh/acme_config/acme.sh \
      --home /var/services/homes/sysadmin/acme.sh/acme_config \
      --cert-home /var/services/homes/sysadmin/acme.sh/acme_certs \
      --config-home /var/services/homes/sysadmin/acme.sh/acme_config \
      --server https://acme-v02.api.letsencrypt.org/directory \
      --issue \
      -d '*.internal.example.com' \
      --dns dns_cf
Set up automatic renewal and deployment via Synology Task Scheduler:
    # Combined Renew + Deploy (add to Task Scheduler)
    CF_Token="YOUR_CLOUDFLARE_API_TOKEN" \
    CF_Email="YOUR_EMAIL_ADDRESS" \
    SYNO_USE_TEMP_ADMIN=1 \
    /var/services/homes/sysadmin/acme.sh/acme_config/acme.sh \
      --home /var/services/homes/sysadmin/acme.sh/acme_config \
      --cert-home /var/services/homes/sysadmin/acme.sh/acme_certs \
      --config-home /var/services/homes/sysadmin/acme.sh/acme_config \
      --renew \
      --server https://acme-v02.api.letsencrypt.org/directory \
      --deploy \
      --deploy-hook synology_dsm \
      -d '*.internal.example.com'
Fully automated wildcard SSL certificate management for internal infrastructure. Certificates auto-renew 30 days before expiration and deploy to all DSM services without intervention. No exposed ports. Zero maintenance.
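A scheduled renewal can fail silently, or a staging certificate can be left in place after testing. The following check is an added example, not part of the original setup or of acme.sh: it inspects a certificate file and reports whether it is a staging certificate, lacks the wildcard name, or is closer to expiry than the renewal window should allow. The function name `check_cert`, the 20-day default threshold, and the certificate path you pass in are assumptions; point it at whichever certificate file your acme.sh version writes under the cert-home.

```shell
#!/bin/sh
# Added example: sanity-check a certificate after the renew/deploy task has run.
# Usage: check_cert <pem-file> <expected-san> [min-days]
# Exit codes: 0 ok, 1 expiring soon, 2 staging issuer, 3 SAN missing, 4 unreadable.

check_cert() {
    cert=$1; want_san=$2; min_days=${3:-20}   # 20 days is an assumed threshold

    # The file must parse as an X.509 certificate at all.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: cannot parse $cert"; return 4
    fi

    # Let's Encrypt staging issuers carry "(STAGING)" in their names;
    # such a certificate is not trusted by clients.
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    case $issuer in
        *STAGING*) echo "FAIL: staging certificate ($issuer)"; return 2 ;;
    esac

    # The expected name must appear exactly in the subjectAltName list.
    sans=$(openssl x509 -in "$cert" -noout -text | grep 'DNS:' | tr -d ' ' | tr ',' '\n')
    if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$want_san"; then
        echo "FAIL: $want_san not in subjectAltName"; return 3
    fi

    # Renewal should happen 30 days before expiry, so a certificate with
    # fewer than min_days left means the scheduled task has been failing.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: expires within $min_days days; renewal task is not working"; return 1
    fi

    echo "OK: $cert"
}

# Run directly: sh check_cert.sh /path/to/fullchain.cer '*.internal.example.com'
if [ $# -gt 0 ]; then
    check_cert "$@"
fi
```

Run it as a second scheduled task a few days after the renewal task and alert on any non-zero exit code.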