Tag: let’s encrypt

Install *Synology* NAS managed *Let’s Encrypt Certificate* in *NGINX*

Install Synology NAS managed Let's Encrypt Certificate in NGINX

Certificate Management

Synology NAS can be used for certificate management, and Let's Encrypt certificate can be exported as ZIP file used for NGINX HTTPS configuration.

  1. Go to Control Panel -> Security -> Certificate
  2. Select certificate to be exported
  3. Select Export Certificate from right click menu
  4. Save exported file

For existing certificates, can use right click -> renew option to renew.

Note: All domain in the certificates, must be resolved to current Synology NAS at port 80 and port 443, otherwise, certificate generation will be failed.

In downloaded ZIP file, following files can be found.

  • certs.pem
  • chain.pem
  • privkey.pem

NGINX configuration

  1. Concatenate cert.pem and chain.pem to cert-with-chain.pem (or fullchain.pem) file

  2. Copy cert-with-chain.pem and privkey.pem into NGNIX conf.d folder

  3. Verify NGINX configuration as below

ssl_certificate     conf.d/cert-with-chain.pem;
ssl_certificate_key conf.d/privkey.pem;
  1. Restart NGINX

Verification

Browser

The date of issue for new certificate should be displayed in certificate information window.

Command line

Following command can be used for verification

openssl s_client -connect <domain_name>:<port>

If got following error, concatenate chain.pem into cert.pem, because the full chain is required.

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

References

How to install Let's Encrypt on Nginx

Using certbot apply let’s encrypt certificate

Using certbot apply let's encrypt certificate

In order to use NGINX module, certbot needs to use it's own NGINX server or it needs to modify the NGINX configuration.

Steps

Preparation

  • Shutdown application which listening on port 80 and port 443
docker stop nginx
  • Install software if haven't installed

Note: skip this step if packages installed

apt install certbot
apt install python3-certbot-nginx
  • Request certificate

Note: do not need to start nginx service, certbot will start it automatically

certbot certonly --nginx -d <domain1> -d <domain2> -d <domain3>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/<domain1>.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for <domain1> and <domain2>

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain1>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<domain1>/privkey.pem
This certificate expires on 2023-05-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for <domain1> to /etc/nginx/sites-enabled/default
Successfully deployed certificate for <domain2> to /etc/nginx/sites-enabled/default
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • certificate location

Certificate can be found in following directory

ls /etc/letsencrypt/live/domain1/
  • stop nginx created by certbot
systemctl stop nginx
systemctl disable nginx
  • setup docker certificates

Copy privkey.pem and fullchain.pem into docker configuration directory.

Troubleshooting

All domains in the command lines must be resolved to the running host for both port 80 and port 443, otherwise the certificate can not be created.

Another way

Run certbot docker choud be better as no additional package install, and the certbot service can be stopped using docker command

References

Issue using certbot with nginx
Get Certbot

Replace Certificate in Synology NAS

Replace Certificate in Synology NAS

Fill up info

Following steps can be used to replace certificate (not renew) in Synology NAS user interface.

  • Go to Control Panel -> Security -> Certificate
  • Select Add -> Add
  • Select Replace an existing certificate
  • Choose the certificate to be replaced
  • Select Get a certificate from Let's Encrypt
  • Fill up info, includes domain, email, alias (seperated by semi-colons)

Change port forwarding

Now, make sure Synology NAS can be accessed from internet via port forwarding at port 80 and 443 if required.

Suggest using A * record in DNS entry to avoid DNS change. Use NGINX to redirect traffic to this host.

Generate

Then generate certificate.