@catchdave
Last active March 31, 2025 06:31
CLI script to programmatically replace SSL certs on Synology NAS
# MOVED to public repo: https://github.com/catchdave/ssl-certs/blob/main/replace_synology_ssl_certs.sh
@telnetdoogie

telnetdoogie commented Feb 20, 2025

I've struggled with similar stuff. It's possible you originally uploaded the wrong files? (And I think Synology changed this slightly too.)

For "Private Key" in DSM, upload privkey.pem
For "Certificate" upload cert.pem
Do not upload the intermediate certificate

See if that helps.

It also works (differently) with:

For "Private Key" in DSM, upload privkey.pem
For "Certificate" upload fullchain.pem
For "Intermediate Certificate" upload chain.pem

However, I've run into issues with this second setup so I avoid it; perhaps this is the route you took originally... Synology does strange things. I only move privkey and cert.pem in my setup, ignoring fullchain. But it changes based on what you originally uploaded into DSM.

@mdlaat

mdlaat commented Feb 22, 2025

I'm having a hard time renewing OpenVPN certificates from the CLI.
I copy the new {cert|fullchain|privkey}.pem to /usr/local/etc/certificate/VPNCenter/OpenVPN.
From the CLI, using the openssl command, I confirmed that these are valid.
Restart VPNCenter:
/usr/syno/bin/synopkg restart VPNCenter
and restart openvpn:
/var/packages/VPNCenter/target/scripts/openvpn.sh restart

The textfile /usr/local/etc/certificate/VPNCenter/OpenVPN/info seems to confirm that the location of the certs is indeed the one I just copied over:

{"certs":[{"cert":"/usr/local/etc/certificate/VPNCenter/OpenVPN/cert.pem","chain":"/usr/local/etc/certificate/VPNCenter/OpenVPN/fullchain.pem","key":"/usr/local/etc/certificate/VPNCenter/OpenVPN/privkey.pem"}],"service":"OpenVPN","subscriber":"VPNCenter"}

Yet my OpenVPN client states that the server certificate is expired.
It seems that the Synology openvpn-server is still using the old (expired) certificate.

What am I missing?
Thank you.

@telnetdoogie

@mdlaat

sudo /var/packages/VPNCenter/target/hook/CertReload.sh copy_cert_only

@mdlaat

mdlaat commented Feb 22, 2025

@telnetdoogie
Thank you so much; it's working now!
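
The file checks discussed in this thread (which PEM file holds the leaf, whether the key matches it, whether a deployed directory holds the renewed certificate), as an added example that is not part of the gist or any commenter's post. It assumes `openssl` is on the PATH; the function names and directory arguments are illustrative.

```shell
#!/bin/sh
# Added example: sanity-check a cert.pem / privkey.pem / fullchain.pem set.
# File names follow the thread; function names and arguments are assumptions.

# SHA-256 of the public key inside the first certificate of a PEM file.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 only if the set in directory $1 is consistent and unexpired.
check_cert_dir() {
    dir=$1; rc=0
    for f in cert.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f missing or empty"; return 1; }
    done
    # cert.pem should hold exactly one certificate (the leaf).
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: cert.pem holds $n certificates, expected 1"; rc=1; }
    # The private key must belong to the leaf certificate.
    [ "$(cert_pubkey_hash "$dir/cert.pem")" = "$(key_pubkey_hash "$dir/privkey.pem")" ] ||
        { echo "FAIL: privkey.pem does not match cert.pem"; rc=1; }
    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: cert.pem is expired"; rc=1; }
    # If present, fullchain.pem must start with the same leaf certificate.
    if [ -s "$dir/fullchain.pem" ]; then
        [ "$(cert_fingerprint "$dir/fullchain.pem")" = "$(cert_fingerprint "$dir/cert.pem")" ] ||
            { echo "FAIL: fullchain.pem does not start with cert.pem"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Returns 0 if two directories hold the same leaf (renewed copy vs. deployed copy).
same_leaf() {
    [ "$(cert_fingerprint "$1/cert.pem")" = "$(cert_fingerprint "$2/cert.pem")" ]
}

if [ "$#" -ge 1 ]; then check_cert_dir "$1"; fi
```

These checks only cover the files on disk; a service that has not reloaded its certificate can still present the old one.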
