Automating Wildcard SSL Certificates on Synology NAS with acme.sh
Implementation Summary
Deployed automated wildcard SSL certificate management for Synology NAS using acme.sh, Let's Encrypt, and Cloudflare DNS validation. Implemented custom directory structure for organized certificate storage and configured automatic renewal with DSM deployment hooks. Eliminates manual certificate management while maintaining security best practices.
> The Challenge
Synology DSM includes built-in Let's Encrypt support, but it has significant limitations:
> Built-in Limitations
- No native wildcard certificate support (*.domain.com) for your own domain
- Requires port 80 or 443 exposed to the internet for HTTP-01 validation
- Limited flexibility for internal/private subdomains
- No DNS-01 validation, so hosts behind a firewall cannot be validated at all
For internal infrastructure with multiple subdomains that shouldn't be publicly accessible, we needed a wildcard certificate using DNS validation instead of HTTP validation.
> Solution Architecture
acme.sh is a pure shell script ACME protocol client that supports DNS validation via multiple providers. Combined with Cloudflare DNS API and Synology DSM deployment hooks, it provides fully automated certificate management.
> Key Components
- acme.sh: Lightweight ACME client supporting DNS validation
- Let's Encrypt: Free SSL/TLS certificate authority
- Cloudflare DNS API: Automated DNS record management for validation
- Synology DSM Hook: Auto-deployment to DSM services
> Step 0: Install acme.sh in Custom Location
To keep acme.sh organized and isolated, install it into custom directories. This makes certificate and configuration management cleaner and easier to back up.
Create custom directories
These directories will store certificates (acme_certs) and configuration files (acme_config), keeping your system organized.
Install acme.sh with custom paths
Flag Explanation:
- --home: Home directory for the acme.sh script and its utilities
- --config-home: Location for configuration files (account.conf, one .conf per domain) and logs
- --cert-home: Directory where issued certificates and their private keys are saved
- --accountemail (written as email= when using the get.acme.sh installer): Registers a contact address for the ACME account. Let's Encrypt no longer sends expiry reminder e-mails, so do not rely on this for expiration alerts
- --nocron: Worth adding on DSM, so acme.sh does not install its own crontab entry; the DSM Task Scheduler drives renewal in Step 3
> Step 1: Test in Staging Mode
Before issuing a production certificate, test your setup against Let's Encrypt's staging environment. Its rate limits are far higher than production, so repeated attempts while troubleshooting DNS or token problems do not consume the production budget (5 duplicate certificates per week, 50 certificates per registered domain per week).
Flag Explanation:
- --staging: Uses the Let's Encrypt staging environment (test certificates from an untrusted root)
- --dns dns_cf: Cloudflare DNS-01 validation through acme.sh's dns_cf module
- CF_Token: Scoped Cloudflare API token used to create and remove the challenge TXT record. acme.sh reads it from the environment on the first run and then stores it in account.conf
- CF_Email: Belongs to the legacy Global API Key method (paired with CF_Key) and is ignored when a token is used; the token's companions are CF_Account_ID and, optionally, CF_Zone_ID (check the acme.sh dnsapi documentation for which your version requires)
- SYNO_USE_TEMP_ADMIN=1: Read by the synology_dsm deploy hook, not by issuance; lets deployment run under a short-lived temporary admin account instead of a stored DSM password and 2FA code
- -d '*.internal.example.com': Wildcard domain for the certificate
DNS Validation Process: acme.sh will automatically create a TXT record at _acme-challenge.internal.example.com using the Cloudflare API. Let's Encrypt validates domain ownership by checking this record, then issues the certificate. No need to expose ports 80 or 443 to the internet.
> Step 2: Issue Production Certificate
After a successful staging run, issue the production certificate by pointing acme.sh at Let's Encrypt's production directory. Two caveats: acme.sh 3.x defaults to ZeroSSL, so the explicit --server is required to get a Let's Encrypt certificate at all; and because the staging run already recorded this domain, acme.sh answers "Domains not changed. Skipping." unless you add --force.
Key Differences from Staging:
- --server https://acme-v02.api.letsencrypt.org/directory: Production API (acme.sh also accepts the shorthand --server letsencrypt)
- The --staging flag is removed
- Issues browser-trusted certificates valid for 90 days
> Let's Encrypt API Endpoints
Staging Environment: https://acme-staging-v02.api.letsencrypt.org/directory
Use for testing. Issues certificates from an untrusted test root. Rate limits are far higher than production, so repeated attempts are safe.
Production Environment: https://acme-v02.api.letsencrypt.org/directory
Browser-trusted certificates. Rate limits apply (5 duplicate certificates per week, 50 certificates per registered domain per week).
> Step 3: Automated Renewal and Deployment
Set up automatic certificate renewal and deployment to Synology DSM services using a scheduled task. By default acme.sh renews a certificate 60 days after issuance, which for a 90-day certificate leaves about 30 days of margin.
Combined Renew + Deploy Command
Command Behavior:
- --renew: Checks whether the certificate is due (about 30 days before expiry) and renews it if so
- --deploy: Pushes the certificate into DSM through the chosen hook
- --deploy-hook synology_dsm: Uses the Synology DSM deployment hook, which talks to DSM's web API
- If renewal is not due, acme.sh makes no changes and exits with code 2 (its "skip" status) rather than 0, so the command is safe to run daily; treat exit code 2 as success in the task
- acme.sh records the deploy hook in the domain's .conf after the first successful --deploy, so a plain --renew (or --cron) also re-runs the hook after each renewal
- DSM restarts the affected services after the certificate is replaced
Synology Task Scheduler Setup
1. Open Control Panel → Task Scheduler
2. Create → Scheduled Task → User-defined script
3. Task: "acme.sh Certificate Renewal"
4. User: root (required for certificate deployment)
5. Schedule: Daily at 3:00 AM
6. Paste the combined renew + deploy command above. Do not export CF_Token in the task script: acme.sh stored it in account.conf during the first issue and reads it from there on every renewal
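Steps 0 to 3 collected into one wrapper script, as an added example that is not the article's own code. The base directory, source checkout, e-mail address and the `acme-syno.sh` name are hypothetical; the domain is the one used throughout the article. The only functions that run offline are `challenge_record_name` and `preflight`; the others call acme.sh and are meaningful only on the NAS.

```shell
#!/bin/sh
# Added example, not the article's own script: Steps 0-3 as one wrapper for a
# Synology NAS. Paths, e-mail and the source checkout below are hypothetical.
# Usage: sh acme-syno.sh install|staging|production|deploy|renew
# With no argument it only defines functions (safe to source or to test).

ACME_BASE="/volume1/homes/admin/acme"     # hypothetical base directory on the NAS
ACME_SRC="$ACME_BASE/src"                 # unpacked checkout of acmesh-official/acme.sh
ACME_HOME="$ACME_BASE/acme_sh"            # --home: the installed script and utilities
ACME_CONFIG="$ACME_BASE/acme_config"      # --config-home: account.conf, <domain>.conf, logs
ACME_CERTS="$ACME_BASE/acme_certs"        # --cert-home: issued certificates and keys
ACME_EMAIL="admin@example.com"            # hypothetical ACME account contact
DOMAIN='*.internal.example.com'           # the wildcard name used in the article
LE_PROD="https://acme-v02.api.letsencrypt.org/directory"

# Pass the custom locations on every call: the Task Scheduler runs a non-login
# shell, so nothing guarantees acme.sh.env was sourced.
acme() {
  "$ACME_HOME/acme.sh" --home "$ACME_HOME" --config-home "$ACME_CONFIG" \
    --cert-home "$ACME_CERTS" "$@"
}

# DNS-01 validates _acme-challenge.<name>. A wildcard drops its leading "*."
# first, so '*.internal.example.com' is proven by the TXT record at
# _acme-challenge.internal.example.com, the same record as the bare name.
challenge_record_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Refuse to start an issue run that cannot succeed or that would use the
# Cloudflare Global API Key. CF_Token may come from the environment (first run)
# or from account.conf, where acme.sh stores it after the first successful run.
preflight() {
  domain="$1"
  if [ -z "$domain" ] || [ "${domain#*.}" = "$domain" ]; then
    echo "preflight: '$domain' is not a dotted domain name" >&2; return 1
  fi
  if [ -n "$CF_Key" ]; then
    echo "preflight: CF_Key is the Global API Key; use a scoped CF_Token" >&2; return 1
  fi
  if [ -z "$CF_Token" ] && ! grep -q 'CF_Token=' "$ACME_CONFIG/account.conf" 2>/dev/null; then
    echo "preflight: no CF_Token in the environment or in account.conf" >&2; return 1
  fi
  echo "preflight: will publish TXT at $(challenge_record_name "$domain")"
}

# Step 0. --nocron: the DSM Task Scheduler drives renewal (Step 3), so acme.sh
# must not add its own crontab entry.
install_acme() {
  mkdir -p "$ACME_HOME" "$ACME_CONFIG" "$ACME_CERTS"
  (cd "$ACME_SRC" && ./acme.sh --install --nocron --home "$ACME_HOME" \
    --config-home "$ACME_CONFIG" --cert-home "$ACME_CERTS" --accountemail "$ACME_EMAIL")
}

# Step 1. --staging by itself selects the Let's Encrypt staging directory.
issue_staging() {
  preflight "$DOMAIN" && acme --issue --staging --dns dns_cf -d "$DOMAIN"
}

# Step 2. The explicit --server matters: acme.sh 3.x defaults to ZeroSSL, not
# Let's Encrypt. --force is needed because acme.sh otherwise answers
# "Domains not changed. Skipping." for the name the staging run already issued.
issue_production() {
  preflight "$DOMAIN" && acme --issue --force --server "$LE_PROD" --dns dns_cf -d "$DOMAIN"
}

# Step 3a. Run once, as root. The hook records itself (and SYNO_USE_TEMP_ADMIN)
# in the domain's .conf, so later renewals redeploy without repeating this.
deploy() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "deploy: must run as root for SYNO_USE_TEMP_ADMIN=1" >&2; return 1
  fi
  SYNO_USE_TEMP_ADMIN=1; export SYNO_USE_TEMP_ADMIN
  acme --deploy -d "$DOMAIN" --deploy-hook synology_dsm
}

# Step 3b. The daily Task Scheduler command. acme.sh exits 2 when the cert is
# not due yet; treat that as success so the task log stays clean.
renew() {
  acme --renew -d "$DOMAIN"
  rc=$?
  case "$rc" in
    0) echo "renew: certificate renewed and deploy hook re-run" ;;
    2) echo "renew: not due yet, nothing to do"; rc=0 ;;
    *) echo "renew: acme.sh failed with exit code $rc" >&2 ;;
  esac
  return "$rc"
}

case "${1:-}" in
  install)    install_acme ;;
  staging)    issue_staging ;;
  production) issue_production ;;
  deploy)     deploy ;;
  renew)      renew ;;
  "")         : ;;   # no mode given: functions defined only
  *)          echo "usage: $0 install|staging|production|deploy|renew" >&2 ;;
esac
```

For the Task Scheduler entry, the script body is `sh /volume1/homes/admin/acme/acme-syno.sh renew` run as root. The `deploy` mode is run by hand once after the production issue; from then on `renew` alone is enough, because the hook is stored with the domain.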
> Security Considerations
> Cloudflare API Token Permissions
Create a scoped API token with minimal permissions instead of using your Global API Key, which grants full control of the entire Cloudflare account.
- Permission: Zone → DNS → Edit (creates and removes the _acme-challenge TXT record)
- Permission: Zone → Zone → Read (acme.sh looks the zone ID up by name; not needed if you pin CF_Zone_ID)
- Zone Resources: Include → Specific zone → example.com
- This limits the token to DNS records in the target zone; revoke and re-issue it if the NAS is ever compromised
> Credential Storage
acme.sh writes the Cloudflare token into acme_config/account.conf after the first successful issue, so later runs need no environment variables. Confirm the file is owner-only (mode 600) rather than assuming it, and keep backups of acme_config and acme_certs encrypted: together they hold the API token, the ACME account key and the certificate private keys.
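An added audit for that credential file, not the article's code: it checks the file mode and flags a stored Global API Key (CF_Key) instead of a scoped token. The path used by demo() and the sample account.conf contents are constructed for illustration, with fake values, in the SAVED_ form acme.sh uses for DNS API variables.

```shell
#!/bin/sh
# Added example (not part of the original article): audit the acme.sh
# account.conf that holds the Cloudflare credential. The sample contents used
# by demo() are constructed and the values are fake.

# audit_account_conf FILE
# Returns 0 only if FILE is owner-only readable and stores a scoped token
# (CF_Token) rather than the Global API Key (CF_Key). Findings go to stderr,
# one per line, so the function can be called from a scheduled task.
audit_account_conf() {
  f="$1"
  ok=0
  if [ ! -f "$f" ]; then
    echo "FAIL: $f does not exist (run --issue once so acme.sh creates it)" >&2
    return 1
  fi
  # GNU/busybox stat first, BSD stat as fallback: octal mode without leading zero
  perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$perm" in
    600|400) ;;
    *) echo "FAIL: mode $perm on $f; expected 600 (chmod 600 '$f')" >&2; ok=1 ;;
  esac
  # acme.sh persists DNS API variables with a SAVED_ prefix. Any CF_Key line
  # means the all-powerful Global API Key was used and is still on disk.
  if grep -q 'CF_Key=' "$f"; then
    echo "FAIL: Global API Key (CF_Key) stored in $f; rotate it, then re-issue with CF_Token" >&2
    ok=1
  fi
  if ! grep -q 'CF_Token=' "$f"; then
    echo "FAIL: no scoped CF_Token stored in $f" >&2
    ok=1
  fi
  return "$ok"
}

# demo: run the audit against a constructed account.conf at two file modes.
demo() {
  d=$(mktemp -d)
  conf="$d/account.conf"
  # Constructed sample in the shape acme.sh writes after a first dns_cf issue
  # with a scoped token. Both values are fake.
  printf "SAVED_CF_Token='cfut_example_scoped_token'\n" > "$conf"
  printf "SAVED_CF_Account_ID='0123456789abcdef0123456789abcdef'\n" >> "$conf"
  chmod 644 "$conf"
  if audit_account_conf "$conf"; then
    echo "unexpected: audit passed at mode 644"
  else
    echo "mode 644: audit failed as expected"
  fi
  chmod 600 "$conf"
  audit_account_conf "$conf" && echo "mode 600 with scoped token: audit passed"
  rm -rf "$d"
}

# Usage: sh audit-acme-conf.sh demo
#        sh audit-acme-conf.sh /path/to/acme_config/account.conf
if [ "${1:-}" = "demo" ]; then
  demo
elif [ -n "${1:-}" ]; then
  audit_account_conf "$1"
fi
```

Run it against the real file from the same daily task, after the renew step, so a backup restore or a hand edit that loosens the mode shows up in the task log instead of going unnoticed.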
> SYNO_USE_TEMP_ADMIN Flag
This flag makes the synology_dsm deploy hook create a temporary DSM admin user, install the certificate through DSM's web API, then delete that user. It exists because certificate installation needs admin privileges, and it avoids storing a DSM admin password or TOTP secret for the hook. The hook must run as root for this to work, and the temporary user exists only during deployment (typically 2-3 seconds).
> Outcome
Fully automated wildcard SSL certificate management for internal infrastructure. Certificates renew about 30 days before expiration and are redeployed to DSM services without manual intervention, with no exposed ports. The remaining operational task is checking the scheduled task's log occasionally, since a renewal that fails silently still ends in an expired certificate.
Implementation Benefits:
- →Single wildcard cert covers all subdomains (*.internal.example.com)
- →DNS validation works for behind-firewall systems (no port 80/443 exposure)
- →Automatic renewal prevents expiration-related outages
- →Custom directory structure simplifies backup and migration
- →Cloudflare API integration requires no manual DNS changes
Key Takeaways:
- Built-in Synology Let's Encrypt support is limited; acme.sh adds DNS-01 validation and scripted deployment
- DNS-01 validation is the right choice for internal/private infrastructure: it is the only challenge type that works for hosts unreachable from the internet and the only one that can issue wildcards
- Always test in staging before production to avoid rate limit issues
- A custom directory structure keeps acme.sh out of paths that DSM updates may rewrite
> Tools & References
acme.sh: Pure shell script ACME protocol client. Supports 50+ DNS providers and automatic deployment hooks. github.com/acmesh-official/acme.sh
Let's Encrypt: Free, automated certificate authority. 90-day certificates with automated renewal support. letsencrypt.org
Cloudflare DNS API: DNS management API enabling automated TXT record creation for ACME DNS-01 validation.
Synology DSM: NAS operating system. acme.sh includes a native deployment hook (synology_dsm) for automatic certificate installation.