Renewing LAN based SSL certificates and installing them to a Synology NAS and RouterOS device was a bit of a hullabaloo, so want it documented for when it breaks in three years, by which time I will have forgotten how it was configured.
This approach was inspired by Renew Let’s Encrypt certificates on Synology using acme.sh – Christos Georgiadis.
The updating is via a monthly CRON script which runs on my Synology NAS device (SINO).
acme.sh is used to do the updating, but rather than install it directly on SINO, it will be run from within the neilpang/acme.sh docker image. For context, I used to have it installed directly on SINO, but with a host of permission issues, it needed to run as root, and was never entirely stable. Using Docker will allow me to keep things simple, with the least setup should it need to be moved to a different host. the image is based on Alpine Linux, so only about 5MB.
SINO Setup
- Install the Docker app onto Synology.
- From Docker, download the neilpang/acme.sh docker image.
- SSH into SINO and create the following folder:
/volume1/docker/acme
- From the Synology control panel, create a user with the following permissions:
- Disallow user to change password
- Groups: Administrators, Users
- Share Permissions: docker
- Applications: DSM
Mikrotik Setup
- Create a new user group with the following permissions:
- ssh, ftp, read, write, password, sensitive
- Create a new user, and assign to the newly created group
SSH Configuration
In order to update the Mikrotik RouterOS, we will need to be able to connect via SSH. For this to work, we need to setup several things.
- Create a pair of SSH keys with
ssh-keygen
. - Copy the keys to
/volume1/docker/acme
on Redbeard. - Copy the public key (probably id_rsa.pub) to the Mikrotik router, and assign it to the user we created under System -> Users -> SSH Keys
Renewal Script
Create a bash script to run the renewal steps and save it to /volume1/docker/acme
<code class="language-bash"># DNS verification variables export DH_API_KEY='ZZZ-ZZZ' # Synology deployment variables export SYNO_Server='192.16.1.1' export SYNO_Username='sinoUser' export SYNO_Password='xxxx-xxxx' # RouterOS deployment variables export ROUTER_OS_USERNAME=mikUser export ROUTER_OS_PASSWORD='yyyy-yyyy' export ROUTER_OS_HOST=192.168.2.2 export ROUTER_OS_PORT=22 # setup acme acme.sh --upgrade acme.sh --set-default-ca --server letsencrypt # get certificates acme.sh --issue --dns dns_dreamhost -d <gaul's domain name> --dnssleep 300 acme.sh --issue --dns dns_dreamhost -d <sino's domain name> --dnssleep 300 #deploy to Synology NAS acme.sh --deploy -d <sino's domain name> --deploy-hook synology_dsm # deploy to RouterOS # Setup SSH before we can deploy to RouterOS. mkdir /root/.ssh cp /acmeConf/id_rsa /root/.ssh/ chmod 600 /root/.ssh/id_rsa ssh-keyscan -H $SOUTER_OS_HOST >> /root/.ssh/known_hosts echo "Host * HostKeyAlgorithms +ssh-rsa PubkeyAcceptedKeyTypes +ssh-rsa" >> /root/.ssh/config acme.sh --deploy -d <gaul's domain name> --deploy-hook routeros</code>
Wiring it all up
The final step is to create a cron job on SINO to renew the certs every two months.
- SSH into SINO, and elivate the terminal with sudo -i.
- Add the following line to the crontab file (note, tabs, not spaces):
<code class="language-bash">0 0 1 */2 * root bin/su -c 'docker run --rm --mount type=bind,source=/volume1/docker/acme,target=/acmeConf neilpang/acme.sh ./acmeConf/dockerRenew.sh >> /volume1/docker/acme/certInstall.log' sslUpdator </code>
Some blurb to remind me of what’s going on.
- The docker image is raw; no changes are made to it, so we can grab a new image with a new version of acme.sh, and no additional changes will be required to the image.
- All config is found on SINO at /volume1/docker/acme.
- When docker starts the container, it binds the config folder to the container, making it available within the running docker container.
- The docker container is not long running. The bash script starts the container up, causes it to execute our script, then shuts down the container. The log file is saved to the config folder.
- Oh, and Lance, remember that the scripts are in your GitHub repository.