群晖NAS安装https证书

cd /usr/local/share/acme.sh export DP_Id="XXXX" # 修改 id export DP_Key="XXXXX" #修改 key ./acme.sh --issue --dns dns_dp -d admin.google.com \ #修改域名 --cert-file /usr/syno/etc/certificate/system/default/cert.pem \ --key-file /usr/syno/etc/certificate/system/default/privkey.pem \ --fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \ --reloadcmd "/usr/syno/sbin/synoservicectl --reload nginx" \ --dnssleep 20

# Note: The $CERT_FOLDER must be hardcoded here since the running environment is unknown. Don't blindly copy&paste! # if you used the normal method the certificate will be installed in the system/default directory CERTDIR="system/default" # if you used the alternative method it is copied to an unknown path, change the following example to the output of the creation process and uncomment. #CERTDIR="_archive/AsDFgH" # do not change anything beyond this line! CERTROOTDIR="/usr/syno/etc/certificate" PACKAGECERTROOTDIR="/usr/local/etc/certificate" FULLCERTDIR="$CERTROOTDIR/$CERTDIR" # renew certificates, this used to be explained as a custom cronjob but works just as well within this script according to the output of the task. /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ # find all subdirectories containing cert.pem files PEMFILES=$(find $CERTROOTDIR -name cert.pem) if [ ! -z "$PEMFILES" ]; then for DIR in $PEMFILES; do # replace the certificates, but never the ones in the _archive folders as those are all the unique # certificates on the system. if [[ $DIR != *"/_archive/"* ]]; then rsync -avh "$FULLCERTDIR/" "$(dirname $DIR)/" fi done fi # reload /usr/syno/sbin/synoservicectl --reload nginx # update and restart all installed packages PEMFILES=$(find $PACKAGECERTROOTDIR -name cert.pem) if [ ! -z "$PEMFILES" ]; then for DIR in $PEMFILES; do #active directory has it's own certificate so we do not update that package if [[ $DIR != *"/ActiveDirectoryServer/"* ]]; then rsync -avh "$FULLCERTDIR/" "$(dirname $DIR)/" /usr/syno/bin/synopkg restart $(echo $DIR | awk -F/ '{print $6}') fi done fi

根据观察，2月底的那次安装acme.sh是个有问题的版本。如下面的链接中所示，因为装的是最新版本，所以估计应该是有问题的那个版本。

https://github.com/Neilpang/acme.sh/wiki/Synology-NAS-Guide

查看是否是有问的版本的步骤：

1. 控制面板 终端机和SNMP   开启SSH
2. ssh登录进去 ssh [email protected] 并执行 sudo -i 提权到root账户
3. ls -al /usr/local/share/acme.sh/
是否看到一个为域名为名字的目录，例如 nas.example.com/
看不到则需要重新装一下。

具体步骤：

删掉老版本

rm -rf /usr/local/share/acme.sh

重新安装

wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
tar xvf master.tar.gz
cd acme.sh-master/

这里要修改邮箱

./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "[email protected]"

这里要修改id key 和域名

cd /usr/local/share/acme.sh
export DP_Id="12345"
export DP_Key="2310f2f4ac91a2cda2c6cfa6ef1004b0"
./acme.sh   --issue   --dns dns_dp   -d nas.example.com \
      --cert-file /usr/syno/etc/certificate/system/default/cert.pem \
      --key-file /usr/syno/etc/certificate/system/default/privkey.pem \
      --fullchain-file /usr/syno/etc/certificate/system/default/fullchain.pem \
      --reloadcmd "/usr/syno/sbin/synoservicectl --reload nginx" \
      --dnssleep 20

至此重新安装好了。理论上这里就应该结束了。2019.5.6

检测

测试1

ls -al /usr/local/share/acme.sh/

看一下是否有域名为名字的目录

测试2

/usr/local/share/acme.sh/acme.sh --force --cron --home /usr/local/share/acme.sh/

是否重新签发了一张证书，也就是输出了半屏幕的十六进制码

测试3

测试计划任务，如果测试2 没有问题，并且自定义脚本没动过，那么就不会有问题。可以略过如下内容。

先记录下https网页的证书的指纹或者序列号(末尾两个十六进制就好)

真要测试也可以把计划任务的用户脚本里面的如下内容的一行

/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/

加上--force，然后手动运行计划任务，等一分钟。然后刷新https网页，会观察到证书指纹变化。这表示计划任务执行成功并重新签发了证书。

测试完了记得删掉加上的--force，不然更新证书太频繁也不好。

lesonky/Readme.md

具体步骤：

检测