Report bugs for Synology DSM deploy hook #2727

Open
tresni opened this issue Feb 9, 2020 · 263 comments
Labels: 3rd party api report bugs to dns api, deploy hooks and notification hooks

Comments

@tresni
Contributor

tresni commented Feb 9, 2020

Please report bugs for the Synology DSM hook here. Remember to include debug logs

acme.sh  --deploy --deploy-hook synology_dsm .....   --debug 2
@Neilpang Neilpang added the 3rd party api report bugs to dns api, deploy hooks and notification hooks label Feb 15, 2020
@lippertmarkus
Contributor

@tresni thanks for your work! This doesn't support automatically renewing the cert, does it?

@tresni
Contributor Author

tresni commented Mar 5, 2020

@lippertmarkus If you mean will the Synology automatically renew the certs, no. However, renewed certificates will be updated on the Synology.

If you want to do renewals on your synology, I do this using a cronjob. Control Panel -> Task Scheduler -> Create -> Scheduled Task -> User-defined Script. Under General, set User to root. Under Schedule, set a schedule you feel is appropriate (I do monthly.) Under Task Settings, put the following in the Run Command box (assuming you installed to /usr/local/share/acme.sh):

/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/

@lippertmarkus
Contributor

@tresni Thanks for the quick response. I do basically the same, see https://github.com/lippertmarkus/synology-le-dns-auto-renew
I just think searching for all the directories of all apps where the certificate is used, like the script in the Wiki and my script do, is a bit ugly.

When I saw that you use the web API in your deployment hook, I wondered if we could use this API also for the renewing process?

@tresni
Contributor Author

tresni commented Mar 7, 2020

This does both issuance and renewal. No weird directory handling, it just uses the API for everything. Maybe an example is better than trying to explain :)

ash-4.3# acme.sh --issue -d example.us --dns dns_cf
...
[Fri Mar  6 22:21:47 MST 2020] Your cert is in  /usr/local/share/acme.sh/example.us/example.us.cer
[Fri Mar  6 22:21:47 MST 2020] Your cert key is in  /usr/local/share/acme.sh/example.us/example.us.key
[Fri Mar  6 22:21:47 MST 2020] The intermediate CA cert is in  /usr/local/share/acme.sh/example.us/ca.cer
[Fri Mar  6 22:21:47 MST 2020] And the full chain certs is there:  /usr/local/share/acme.sh/example.us/fullchain.cer
ash-4.3# export SYNO_Username=... SYNO_Password=...
ash-4.3# SYNO_Create=1 SYNO_Certificate=example.us acme.sh -d example.us --deploy --deploy-hook synology_dsm
[Fri Mar  6 22:22:40 MST 2020] Logging into localhost:5000
[Fri Mar  6 22:22:47 MST 2020] Getting certificates in Synology DSM
[Fri Mar  6 22:22:47 MST 2020] Generate form POST request
[Fri Mar  6 22:22:47 MST 2020] Upload certificate to the Synology DSM
[Fri Mar  6 22:22:53 MST 2020] http services were NOT restarted
[Fri Mar  6 22:22:53 MST 2020] Success
ash-4.3# acme.sh -d example.us --renew --force
[Fri Mar  6 22:24:03 MST 2020] Renew: 'example.us'
[Fri Mar  6 22:24:04 MST 2020] Single domain='example.us'
[Fri Mar  6 22:24:04 MST 2020] Getting domain auth token for each domain
[Fri Mar  6 22:24:06 MST 2020] Getting webroot for domain='example.us'
[Fri Mar  6 22:24:06 MST 2020] example.us is already verified, skip dns-01.
[Fri Mar  6 22:24:06 MST 2020] Verify finished, start to sign.
[Fri Mar  6 22:24:06 MST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/.../...
[Fri Mar  6 22:24:07 MST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/...
[Fri Mar  6 22:24:08 MST 2020] Cert success.
...
[Fri Mar  6 22:24:08 MST 2020] Your cert is in  /usr/local/share/acme.sh/example.us/example.us.cer
[Fri Mar  6 22:24:08 MST 2020] Your cert key is in  /usr/local/share/acme.sh/example.us/example.us.key
[Fri Mar  6 22:24:08 MST 2020] The intermediate CA cert is in  /usr/local/share/acme.sh/example.us/ca.cer
[Fri Mar  6 22:24:08 MST 2020] And the full chain certs is there:  /usr/local/share/acme.sh/example.us/fullchain.cer
[Fri Mar  6 22:24:09 MST 2020] Logging into localhost:5000
[Fri Mar  6 22:24:09 MST 2020] Getting certificates in Synology DSM
[Fri Mar  6 22:24:10 MST 2020] Generate form POST request
[Fri Mar  6 22:24:10 MST 2020] Upload certificate to the Synology DSM
[Fri Mar  6 22:24:10 MST 2020] http services were NOT restarted
[Fri Mar  6 22:24:10 MST 2020] Success
ash-4.3#

@lippertmarkus
Contributor

@tresni great, works like a charm! I added OTP/2-factor auth support in #2782 :)

@lippertmarkus
Contributor

lippertmarkus commented Mar 9, 2020

@tresni sorry for hijacking this issue for discussing. Please tell me if you want to discuss elsewhere :)

While implementing #2782 I found that there is a binary which allows executing API requests without requiring authentication:

sudo /usr/syno/bin/synowebapi --exec api=SYNO.Core.Certificate.CRT method=list version=1
[Line 259] Exec WebAPI:  api=SYNO.Core.Certificate.CRT, version=1, method=list, param={}, runner=
{
   "data" : {
      "certificates" : [
         {
...

Maybe this could be used to implement a second way for importing the certificates? This wouldn't require any access information, so no scheme, host, port, username, password or device id environment variables. On the other hand this can only be used with a locally installed version of acme.sh and requires root. What do you think? Did you already try that?

I just briefly looked into that but couldn't figure out how to prepare a request for sending the binary certificate data with this method, but I think it should work somehow.

@tresni
Contributor Author

tresni commented Mar 10, 2020

This module is designed so that it can be run from any system, not just the Synology device itself, in line with what I believe acme.sh is attempting to accomplish. So using the WebApi allows for that; using the binary would not. Definitely a good find though!

@tatablack

tatablack commented Apr 28, 2020

Nice work with the hook, much cleaner than looping over folders and certs. 👍 🙂

I was trying it today, but I ran into two separate issues:

Password
The password is not escaped when hitting login.cgi in this line, and mine (aA#99B$dIix!) contained characters which broke the authentication in multiple ways (# has meaning in URLs, $ has meaning in shell scripts). I also had an exclamation mark, which however seemed fine once I exported the env variable using single instead of double quotes.

Changing the password to an alphanumeric one fixed the issue, as the script proceeded further.

Certificate upload
Here's the (edited) output of ./acme.sh -d "*.subdomain.domain.net" --deploy --deploy-hook synology_dsm --debug 3 --home $PWD.

In short, uploading fails (after quite some time) and the response has an error code of 119. I'd welcome any suggestions here... 🤔

(EDIT: trying to upload the same files through the DSM Web UI works perfectly)

DSM: 6.2.2-24922 Update 4
Wget: GNU Wget 1.19.2

[Tue Apr 28 17:37:41 IST 2020] Upload certificate to the Synology DSM
[Tue Apr 28 17:37:41 IST 2020] ./acme.sh:_post:1733                     POST
[Tue Apr 28 17:37:41 IST 2020] ./acme.sh:_post:1734                     _post_url='http://localhost:5000/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=MYSYNOTOKEN'
[Tue Apr 28 17:37:41 IST 2020] ./acme.sh:_post:1735                     body='----------------------------20200428163741
Content-Disposition: form-data; name="key"; filename="*.subdomain.domain.net.key"
Content-Type: application/octet-stream

-----BEGIN RSA PRIVATE KEY-----
<PRIVATE KEY REMOVED>
-----END RSA PRIVATE KEY-----

----------------------------20200428163741
Content-Disposition: form-data; name="cert"; filename="*.subdomain.domain.net.cer"
Content-Type: application/octet-stream

-----BEGIN CERTIFICATE-----
<CERTIFICATE REMOVED>
-----END CERTIFICATE-----

----------------------------20200428163741
Content-Disposition: form-data; name="inter_cert"; filename="ca.cer"
Content-Type: application/octet-stream


-----BEGIN CERTIFICATE-----
<CERTIFICATE REMOVED>
-----END CERTIFICATE-----

----------------------------20200428163741
Content-Disposition: form-data; name="id"


----------------------------20200428163741
Content-Disposition: form-data; name="desc"

Letsencrypt wildcard certificate for my internal network
----------------------------20200428163741
Content-Disposition: form-data; name="as_default"

false
----------------------------20200428163741--
'
[Tue Apr 28 17:37:41 IST 2020] ./acme.sh:_post:1736                     _postContentType='multipart/form-data; boundary=--------------------------20200428163741'
[Tue Apr 28 17:37:42 IST 2020] ./acme.sh:_exists:494                    curl exists=0
[Tue Apr 28 17:37:42 IST 2020] ./acme.sh:_exists:494                    mktemp exists=0
[Tue Apr 28 17:37:42 IST 2020] ./acme.sh:_exists:494                    wget exists=0
[Tue Apr 28 17:37:42 IST 2020] ./acme.sh:_post:1794                     _WGET='wget -q -d  --content-on-error '
[Tue Apr 28 17:40:08 IST 2020] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 4
[Tue Apr 28 17:40:08 IST 2020] ./acme.sh:_sed_i:867                     options='s/^ *//g'
[Tue Apr 28 17:40:08 IST 2020] ./acme.sh:_sed_i:869                     Using sed  -i
[Tue Apr 28 17:40:09 IST 2020] ./acme.sh:_post:1843                     _ret='4'
[Tue Apr 28 17:40:09 IST 2020] deploy/synology_dsm.sh:synology_dsm_deploy:142 response='{"error":{"code":119},"success":false}'
[Tue Apr 28 17:40:09 IST 2020] Unable to update certificate, error code {"error":{"code":119},"success":false}
[Tue Apr 28 17:40:09 IST 2020] Error deploy for domain:*.subdomain.domain.net
[Tue Apr 28 17:40:09 IST 2020] Deploy error.

@tatablack

Actually, according to the manual, Wget does not currently support multipart/form-data for transmitting POST data... 😖

I tried this again using cURL and it works.

So I guess the options are either doing the upload in a way that works with Wget, or bail out with a message if that's not possible and Wget is being used.

@tresni
Contributor Author

tresni commented May 4, 2020

Exit code 4 is a network error which I don't think is related to the form data itself. Also, the documentation for wget is just saying that it cannot create multipart uploads itself. We construct the payload ourselves and send it as data; I don't think this has any impact on wget, but I'll double check.
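
The hand-built multipart body referred to above, as an added example that is not the hook's own code: a POSIX sh builder for a multipart/form-data payload of the shape shown in the debug log earlier in this thread (parts key, cert, inter_cert, id, desc, as_default), which is what a client has to produce itself when its HTTP tool cannot assemble one. The PEM contents, the boundary scheme and the helper names are assumptions made for the example; a real deployment would read the acme.sh output files.

```shell
#!/bin/sh
# Added example, not code from acme.sh or the synology_dsm hook: assemble a
# multipart/form-data body by hand, so that a tool which only accepts finished
# bytes (wget --post-file, for instance) can still send a file upload.
# Part names follow the request body in the debug log above; all file
# contents below are constructed and are not real keys or certificates.

# part_file BOUNDARY NAME FILENAME PATH: one file part. Lines end in CRLF as
# RFC 7578 requires; the in-body delimiter is the boundary with "--" prepended.
part_file() {
  printf '%s\r\n' "--$1"
  printf 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' "$2" "$3"
  printf 'Content-Type: application/octet-stream\r\n\r\n'
  cat "$4"
  printf '\r\n'
}

# part_text BOUNDARY NAME VALUE: one plain text field.
part_text() {
  printf '%s\r\n' "--$1"
  printf 'Content-Disposition: form-data; name="%s"\r\n\r\n' "$2"
  printf '%s\r\n' "$3"
}

# build_body BOUNDARY KEYFILE CERTFILE CAFILE DESC: the complete body on stdout,
# in the same part order as the log above, ending with the closing delimiter.
build_body() {
  part_file "$1" key        "$(basename "$2")" "$2"
  part_file "$1" cert       "$(basename "$3")" "$3"
  part_file "$1" inter_cert "$(basename "$4")" "$4"
  part_text "$1" id ""
  part_text "$1" desc "$5"
  part_text "$1" as_default false
  printf '%s\r\n' "--$1--"
}

# body_parts BOUNDARY FILE: number of parts in a saved body, counted as
# delimiter lines that are not the closing one (a quick check before sending).
body_parts() {
  _cr=$(printf '\r')
  grep -c "^--$1${_cr}"'$' "$2"
}

# content_length FILE: the byte count to send as Content-Length.
content_length() {
  wc -c < "$1" | tr -d ' '
}

# Demonstration with constructed sample files (placeholders, not real PEM).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'EXAMPLE-KEY-BODY' '-----END RSA PRIVATE KEY-----' > "$tmp/my.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'EXAMPLE-CERT-BODY' '-----END CERTIFICATE-----' > "$tmp/my.cer"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'EXAMPLE-CA-BODY' '-----END CERTIFICATE-----' > "$tmp/ca.cer"

# Same boundary scheme as the log above: a run of dashes plus a timestamp.
boundary="--------------------------$(date +%Y%m%d%H%M%S)"
build_body "$boundary" "$tmp/my.key" "$tmp/my.cer" "$tmp/ca.cer" "acme.sh certificate" > "$tmp/body"

echo "Content-Type: multipart/form-data; boundary=$boundary"
echo "Content-Length: $(content_length "$tmp/body")"
echo "parts: $(body_parts "$boundary" "$tmp/body")"
rm -rf "$tmp"
```

The body file is what would be handed to the HTTP tool unchanged, with the Content-Type header carrying the boundary without the leading "--". Note that a `--debug 3` run prints this whole body, private key included, which is why the report above has the key redacted; scrub such logs before sharing them.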

@JoJota

JoJota commented May 4, 2020

I'm using default cURL for transferring the certificates, but receiving error code 119 too.

As the default synology certificate is not verified, I first got cURL error 60 with the combination of "SSL certificate problem: unable to get local issuer certificate". After resolving this problem with setting export HTTPS_INSECURE=1 I received the synology error 119, which I am stuck with now. Further investigation suggested that not very much is known about what causes this error in detail; at least I couldn't find anything helpful.

Apart from that after not getting any further, I tried importing the certificates with a different reload script which was linked here, but this broke my DSM certificate system completely (no certificates were shown and even after regenerating the nginx certificate folder all the services which use the certificates are gone and I am not able to restore them). So I will now restore the DSM system to factory settings to see if that somehow helps getting rid of the 119er.

Device: DS216j
DSM Version: DSM 6.2.2-24922 Update 4

Error 119 debug log using cURL (cleared of private data):

[Mon  4 May 10:37:42 CEST 2020] _postContentType='multipart/form-data; boundary=--------------------------20200504083742'
[Mon  4 May 10:37:42 CEST 2020] _CURL='curl -L --silent --dump-header /home/pi/.acme.sh/http.header  --trace-ascii /tmp/tmp.DOAhb8GRzk  -g  --insecure  '
[Mon  4 May 10:37:42 CEST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Mon  4 May 10:37:42 CEST 2020] Here is the curl dump log:
[Mon  4 May 10:37:42 CEST 2020] == Info: Expire in 0 ms for 6 (transfer 0x3fa880)
== Info: Expire in 1 ms for 1 (transfer 0x3fa880)
== Info: Expire in 0 ms for 1 (transfer 0x3fa880)
(...)
== Info: Expire in 0 ms for 1 (transfer 0x3fa880)
== Info:   Trying 192.168.222.21...
== Info: TCP_NODELAY set
== Info: Expire in 200 ms for 4 (transfer 0x3fa880)
== Info: Connected to example.com (192.168.222.21) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info:   CAfile: none
  CApath: /etc/ssl/certs
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: ......x..*79..%.).$.J.G..}...<..&..r.# ......b..j.G>....};...-
0040: O.,.....>.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
<= Recv SSL data, 5 bytes (0x5)
0000: ....b
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 98 bytes (0x62)
0000: ...^../*.-.....Y.J.......C3]n~........ ..1.!.$..Nz.M.}d...lH...<
0040: .pY}..../.......................h2
<= Recv SSL data, 5 bytes (0x5)
0000: ....(
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 808 bytes (0x328)
0000: ...$..!...0...0.......|..{My.0...*.H........0Q1.0...U....TW1.0..
0040: .U....Taipei1.0...U....Synology Inc.1.0...U....Synology Inc. CA0
0080: ...200503181130Z..400119181130Z0M1.0...U....TW1.0...U....Taipei1
00c0: .0...U....Synology Inc.1.0...U....synology.com0.."0...*.H.......
0100: ......0..............K.u.v..^Ht.#..:.4......4.w..;..B.d.......
0140: (.'....W.>..(.........qlD.3.'B....EO3..Y.CvT.....X)i%?GE.DE..c
0180: (.]#........RbSn.hL~....1.A.....;..#....k..F...1....]w.G0.....^.
01c0: .......4X.....*..\.^..b_....5.K..u<s...D.-.....FU....._...V..(..
0200: W=4y.......m.-#.....0...*.H..............^.........e....E..O.MiB
0240: /n.....eC!...p..v.C7G...*n...."..N.|....E.).....s..C..t6.bx;..!.
0280: .(.iy!.*...~_p},{.<.R.........Lm.=mu..Q......U.%+H.)u6...T......
02c0: ..e...........9!..6..2.c.V..o.x..-iN2:.e...`....|.*+k.b..4.nc+..
0300: =........t.....h.....X..`xD.....q....*D6
<= Recv SSL data, 5 bytes (0x5)
0000: ....M
== Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
<= Recv SSL data, 333 bytes (0x14d)
0000: ...I...A...1...E.sNL..,8.5.....\l.ui.3. q.F..9E.3y1C.....}..3...
0040: ....... .......N$.?./.y5.......> ....e..b..}Cc....:..3.....@....
0080: ..%D.]...{.....V.......H!...#M". ...y.4.<..|.2.i^...;'J..UW..M
00c0: y......4..1..)T.dS.&[email protected].|.$U$.B'.M........
0100: [email protected].|6G...d~..Un......=.....9..Fk........W...s.r{...W.
0140: P..O.u2....MD
<= Recv SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
<= Recv SSL data, 4 bytes (0x4)
0000: ....
=> Send SSL data, 5 bytes (0x5)
0000: ....F
== Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
=> Send SSL data, 70 bytes (0x46)
0000: ...BA..*~b.#.}>i.....?..G..Y.*....l.3..'..T...l6.h.&../[email protected]...@
0040: {}.=.E
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
=> Send SSL data, 1 bytes (0x1)
0000: .
=> Send SSL data, 5 bytes (0x5)
0000: ....(
== Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 16 bytes (0x10)
0000: ........=.b....w
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 5 bytes (0x5)
0000: ....(
== Info: TLSv1.2 (IN), TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: .....%..S.......
== Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
== Info: ALPN, server accepted to use h2
== Info: Server certificate:
== Info:  subject: C=TW; L=Taipei; O=Synology Inc.; CN=synology.com
== Info:  start date: May  3 18:11:30 2020 GMT
== Info:  expire date: Jan 19 18:11:30 2040 GMT
== Info:  issuer: C=TW; L=Taipei; O=Synology Inc.; CN=Synology Inc. CA
== Info:  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
== Info: Using HTTP2, server supports multi-use
== Info: Connection state changed (HTTP/2 confirmed)
== Info: Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
=> Send SSL data, 5 bytes (0x5)
0000: ....0
=> Send SSL data, 5 bytes (0x5)
0000: ....3
=> Send SSL data, 5 bytes (0x5)
0000: ....%
== Info: Using Stream ID: 1 (easy handle 0x3fa880)
=> Send SSL data, 5 bytes (0x5)
0000: .....
=> Send header, 375 bytes (0x177)
0000: POST /webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&v
0040: ersion=1&SynoToken=ObIUVFgjj3w66 HTTP/2
0069: Host: example.com:port
008b: User-Agent: acme.sh/2.8.6 (https://github.com/acmesh-official/ac
00cb: me.sh)
00d3: Accept: */*
00e0: Content-Type: multipart/form-data; boundary=--------------------
0120: ------20200504083742
0136: Cookie: ;
0142: X-SYNO-TOKEN: ObIUVFgjj3w66
015f: Content-Length: 6185
0175:
<= Recv SSL data, 5 bytes (0x5)
0000: ....@
== Info: Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
=> Send SSL data, 5 bytes (0x5)
0000: ....!
=> Send SSL data, 5 bytes (0x5)
0000: ....J
=> Send data, 6185 bytes (0x1829)
0000: ----------------------------20200504083742
002c: Content-Disposition: form-data; name="key"; filename="my.key"
007e: Content-Type: application/octet-stream
00a6:
00a8: -----BEGIN RSA PRIVATE KEY----------END RSA PRIVAT
0728: E KEY-----.
0735: ----------------------------20200504083742
0761: Content-Disposition: form-data; name="cert"; filename="my.cer"
07b4: Content-Type: application/octet-stream
07dc:
07de: -----BEGIN CERTIFICATE----------END C
0f9e: ERTIFICATE-----.
0fb0: ----------------------------20200504083742
0fdc: Content-Disposition: form-data; name="inter_cert"; filename="ca.
101c: cer"
1022: Content-Type: application/octet-stream
104a:
104c: .-----BEGIN CERTIFICATE----------END CERTIFICATE-----.
16be: ----------------------------20200504083742
16ea: Content-Disposition: form-data; name="id"
1715:
1717:
1719: ----------------------------20200504083742
1745: Content-Disposition: form-data; name="desc"
1772:
1774: acme.sh certificate
1793: ----------------------------20200504083742
17bf: Content-Disposition: form-data; name="as_default"
17f2:
17f4: false
17fb: ----------------------------20200504083742--
== Info: We are completely uploaded and fine
<= Recv SSL data, 5 bytes (0x5)
0000: ....!
<= Recv SSL data, 5 bytes (0x5)
0000: ....O
<= Recv header, 13 bytes (0xd)
0000: HTTP/2 200
<= Recv header, 15 bytes (0xf)
0000: server: nginx
<= Recv header, 37 bytes (0x25)
0000: date: Mon, 04 May 2020 08:37:42 GMT
<= Recv header, 43 bytes (0x2b)
0000: content-type: text/plain; charset="UTF-8"
<= Recv header, 23 bytes (0x17)
0000: vary: Accept-Encoding
<= Recv header, 25 bytes (0x19)
0000: x-request-error: unauth
<= Recv header, 33 bytes (0x21)
0000: x-content-type-options: nosniff
<= Recv header, 33 bytes (0x21)
0000: x-xss-protection: 1; mode=block
<= Recv header, 63 bytes (0x3f)
0000: cache-control: max-age=0, no-cache, no-store, must-revalidate
<= Recv header, 18 bytes (0x12)
0000: pragma: no-cache
<= Recv header, 12 bytes (0xc)
0000: expires: 0
<= Recv header, 73 bytes (0x49)
0000: strict-transport-security: max-age=15768000; includeSubdomains;
0040: preload
<= Recv header, 2 bytes (0x2)
0000:
<= Recv data, 38 bytes (0x26)
0000: {"error":{"code":119},"success":false}
<= Recv SSL data, 5 bytes (0x5)
0000: ....%
== Info: HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
== Info: stopped the pause stream!
== Info: Connection #0 to host example.com left intact
[Mon  4 May 10:37:42 CEST 2020] _ret='92'
[Mon  4 May 10:37:42 CEST 2020] Unable to update certificate, error code {"error":{"code":119},"success":false}
[Mon  4 May 10:37:43 CEST 2020] Error deploy for domain:example.com
[Mon  4 May 10:37:43 CEST 2020] Deploy error.

@tresni
Contributor Author

tresni commented May 16, 2020

I've fixed the URL encoding issue for passwords, I'll open a PR for that shortly. I have confirmed there appears to be an issue using wget. Comparing differences between wget and curl now.
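
Percent-encoding a password before it is placed in a login request, as an added example that is neither acme.sh's nor the synology_dsm hook's code. It covers the report earlier in this thread (a password containing `#`, `$` and `!` breaking authentication) and the URL-encoding fix mentioned above. It assumes only POSIX sh, od, printf and tr; the form field names `username` and `password` are placeholders, not the DSM API's real parameter names.

```shell
#!/bin/sh
# Added example, not code from acme.sh or the synology_dsm hook: percent-encode
# a password so that '#', '$', '&', '!' and similar characters reach the
# login endpoint unchanged instead of being cut off by the URL parser or
# interpreted by the shell. POSIX sh only, so it also runs on a DSM shell.

# url_encode STRING: encode every byte outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - _ . ~) as %XX with upper-case hex digits.
url_encode() {
  _enc=""
  # od emits one zero-padded octal value per byte, in order.
  for _oct in $(printf '%s' "$1" | od -An -v -to1); do
    # Rebuild the character from its octal code so `case` can classify it.
    # A newline byte becomes "" here (command substitution strips it) and
    # therefore falls through to the encoded branch, which is what we want.
    _ch=$(printf "\\$_oct")
    case $_ch in
      [A-Za-z0-9._~-]) _enc="$_enc$_ch" ;;
      *) _enc="$_enc$(printf '%%%02X' "0$_oct")" ;;   # leading 0 = octal literal
    esac
  done
  printf '%s' "$_enc"
}

# form_pair NAME VALUE: one application/x-www-form-urlencoded pair.
form_pair() {
  printf '%s=%s' "$(url_encode "$1")" "$(url_encode "$2")"
}

# login_body USER PASS: a form login body. The field names "username" and
# "password" are placeholders for this example, not the DSM API's own.
login_body() {
  printf '%s&%s' "$(form_pair username "$1")" "$(form_pair password "$2")"
}

# Demonstration with the password quoted in the report above. Single quotes
# matter when exporting such a value: in an interactive bash, "!" inside double
# quotes triggers history expansion, the other failure mentioned in the report.
login_body 'syno-admin' 'aA#99B$dIix!'
printf '\n'
```

The encoded pair is safe to place either in a query string or in a form body; once the server decodes it, the password is byte-for-byte what the user typed, which is the property the raw interpolation lacked.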

@tresni
Contributor Author

tresni commented May 16, 2020

@JoJota and @tatablack both of your issues should be fixed by #2935 . Thank you for the reports. @JoJota I'm not entirely sure but I believe this is actually the same issue that is causing wget to fail all the time. curl always worked for me, but looking at the code and digging through everything it looks like it should have been failing with the 119 error. (That error is not actually defined but it appears to be the id cookie is missing.) Anyway, should be resolved, please let me know if you continue to have any issues.

@ghost

ghost commented May 22, 2020

The Synology DSM deploy hook feature is broken - on master and dev branches.

The script does not detect or read exported SYNO_Create variable/data. Only when it is added to the synology_dsm.sh script are you able to progress up to the deployment function which after authentication and reading of cert data fails to add and apply the Let's Encrypt cert.

[Fri May 22 18:49:39 +03 2020] _postContentType='multipart/form-data; boundary=--------------------------20200522154939'
[Fri May 22 18:49:39 +03 2020] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.liqxVE82'
[Fri May 22 18:49:39 +03 2020] _ret='0'
[Fri May 22 18:49:39 +03 2020] Unable to update certificate, error code {"error":{"code":5529},"success":false}
[Fri May 22 18:49:39 +03 2020] Error deploy for domain:xxx.xxxxxxx.xxx
[Fri May 22 18:49:39 +03 2020] Deploy error.

Note: xxx.xxxxxxx.xxx replaces actual cert domain

There's also the issue of the missing sudo command which is not mentioned in the wiki - https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide

No issues to report with the issuance of Let's Encrypt certs, acme.sh itself or other exported variables, i.e. CERT_DOMAIN

@tresni
Contributor Author

tresni commented May 22, 2020

@atam1 Please give some additional information. Are you attempting to run this on a Synology NAS device or from a remote computer? If on a Synology NAS, what device and what version of DSM? I've just tested from my personal machine to a virtualized DS3615xs running DSM 6.1.7 with no issues (only the domain has been changed.)

With latest dev:

 bash-5.0$ ./acme.sh --test -d example.com --deploy --deploy-hook synology_dsm
[Fri May 22 10:34:34 MDT 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 10:34:34 MDT 2020] Logging into localhost:5000
[Fri May 22 10:34:35 MDT 2020] Getting certificates in Synology DSM
[Fri May 22 10:34:35 MDT 2020] Unable to find certificate: What In The World and $SYNO_Create is not set
[Fri May 22 10:34:35 MDT 2020] Error deploy for domain:example.com
[Fri May 22 10:34:35 MDT 2020] Deploy error.
bash-5.0$ SYNO_Create=1 ./acme.sh --test -d example.com --deploy --deploy-hook synology_dsm
[Fri May 22 10:34:45 MDT 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 10:34:45 MDT 2020] Logging into localhost:5000
[Fri May 22 10:34:45 MDT 2020] Getting certificates in Synology DSM
[Fri May 22 10:34:46 MDT 2020] Generate form POST request
[Fri May 22 10:34:46 MDT 2020] Upload certificate to the Synology DSM
[Fri May 22 10:34:46 MDT 2020] http services were NOT restarted
[Fri May 22 10:34:46 MDT 2020] Success

With master:

bash-5.0$ ./acme.sh --test -d example.com --deploy --deploy-hook synology_dsm
[Fri May 22 10:40:56 MDT 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 10:40:56 MDT 2020] Logging into localhost:5000
[Fri May 22 10:40:56 MDT 2020] Getting certificates in Synology DSM
/Users/bhartvig/Projects/acme.sh/deploy/synology_dsm.sh: line 113: SYNO_Create: parameter null or not set
[Fri May 22 10:40:56 MDT 2020] Deploy error.
bash-5.0$ SYNO_Create=1 ./acme.sh --test -d example.com --deploy --deploy-hook synology_dsm
[Fri May 22 10:41:04 MDT 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 10:41:04 MDT 2020] Logging into localhost:5000
[Fri May 22 10:41:04 MDT 2020] Getting certificates in Synology DSM
[Fri May 22 10:41:04 MDT 2020] Generate form POST request
[Fri May 22 10:41:04 MDT 2020] Upload certificate to the Synology DSM
[Fri May 22 10:41:04 MDT 2020] http services were NOT restarted
[Fri May 22 10:41:04 MDT 2020] Success

Additionally, the hook does not use sudo, so I'm not sure what you mean by "missing sudo command" at all.

@tresni
Contributor Author

tresni commented May 22, 2020

I just tested master on the same virtual machine (DS3615xs running DSM 6.1.7) and had no issues:

tresni@testdsm:/$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
root@testdsm:~# wget https://github.com/Neilpang/acme.sh/archive/master.tar.gz
--2020-05-22 09:49:18--  https://github.com/Neilpang/acme.sh/archive/master.tar.gz
Resolving github.com... 140.82.113.4
Connecting to github.com|140.82.113.4|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/acmesh-official/acme.sh/archive/master.tar.gz [following]
--2020-05-22 09:49:18--  https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/acmesh-official/acme.sh/tar.gz/master [following]
--2020-05-22 09:49:18--  https://codeload.github.com/acmesh-official/acme.sh/tar.gz/master
Resolving codeload.github.com... 140.82.113.10
Connecting to codeload.github.com|140.82.113.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 193181 (189K) [application/x-gzip]
Saving to: 'master.tar.gz'

100%[====================================================================================================================>] 193,181      753KB/s   in 0.3s

2020-05-22 09:49:19 (753 KB/s) - 'master.tar.gz' saved [193181/193181]

root@testdsm:~# tar xvf master.tar.gz
[trimmed]
root@testdsm:~# cd acme.sh-master/
root@testdsm:~/acme.sh-master# ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "[email protected]"
[Fri May 22 09:49:59 MST 2020] It is recommended to install socat first.
[Fri May 22 09:49:59 MST 2020] We use socat for standalone server if you use standalone mode.
[Fri May 22 09:49:59 MST 2020] If you don't use standalone mode, just ignore this warning.
[Fri May 22 09:49:59 MST 2020] Installing to /usr/local/share/acme.sh
[Fri May 22 09:49:59 MST 2020] Installed to /usr/local/share/acme.sh/acme.sh
[Fri May 22 09:49:59 MST 2020] Installing alias to '/root/.profile'
[Fri May 22 09:49:59 MST 2020] OK, Close and reopen your terminal to start using acme.sh
[Fri May 22 09:50:00 MST 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Fri May 22 09:50:00 MST 2020] OK
root@testdsm:~/acme.sh-master# cd /usr/local/share/acme.sh
root@testdsm:/usr/local/share/acme.sh# export HE_Username=[USERNAME]
root@testdsm:/usr/local/share/acme.sh# export HE_Password=[PASSWORD]
root@testdsm:/usr/local/share/acme.sh# export SYNO_Username=[USERNAME]
root@testdsm:/usr/local/share/acme.sh# export SYNO_Password=[PASSWORD]
root@testdsm:/usr/local/share/acme.sh# . acme.sh.env
root@testdsm:/usr/local/share/acme.sh# acme.sh --test --issue -d example.com --dns dns_he
It seems that you are using sudo, please read this link first:
https://github.com/acmesh-official/acme.sh/wiki/sudo
root@testdsm:/usr/local/share/acme.sh# exit
logout
tresni@testdsm:/$ sudo su
ash-4.3# cd /usr/local/share/acme.sh
ash-4.3# . acme.sh.env
ash-4.3# export HE_Username=[USERNAME]
ash-4.3# export HE_Password=[PASSWORD]
ash-4.3# export SYNO_Username=[USERNAME]
ash-4.3# export SYNO_Password=[PASSWORD]
ash-4.3# export SYNO_Certificate="This is a test"
ash-4.3# acme.sh --test --issue -d example.com --dns dns_he
[Fri May 22 09:55:05 MST 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 09:55:06 MST 2020] Single domain='example.com'
[Fri May 22 09:55:06 MST 2020] Getting domain auth token for each domain
[Fri May 22 09:55:07 MST 2020] Getting webroot for domain='example.com'
[Fri May 22 09:55:07 MST 2020] Adding txt value: kdSTp4Gi5_88zn6WQFSUe9kxv1tlSQGpJzzkpkonbgk for domain:  _acme-challenge.example.com
[Fri May 22 09:55:07 MST 2020] Using DNS-01 Hurricane Electric hook
[Fri May 22 09:55:08 MST 2020] TXT record added successfully.
[Fri May 22 09:55:08 MST 2020] The txt record is added: Success.
[Fri May 22 09:55:08 MST 2020] Let's check each dns records now. Sleep 20 seconds first.
[Fri May 22 09:55:29 MST 2020] Checking example.com for _acme-challenge.example.com
[Fri May 22 09:55:29 MST 2020] Domain example.com '_acme-challenge.example.com' success.
[Fri May 22 09:55:29 MST 2020] All success, let's return
[Fri May 22 09:55:29 MST 2020] Verifying: example.com
[Fri May 22 09:55:32 MST 2020] Success
[Fri May 22 09:55:32 MST 2020] Removing DNS records.
[Fri May 22 09:55:32 MST 2020] Removing txt: kdSTp4Gi5_88zn6WQFSUe9kxv1tlSQGpJzzkpkonbgk for domain: _acme-challenge.example.com
[Fri May 22 09:55:32 MST 2020] Cleaning up after DNS-01 Hurricane Electric hook
[Fri May 22 09:55:33 MST 2020] Record removed successfully.
[Fri May 22 09:55:33 MST 2020] Removed: Success
[Fri May 22 09:55:33 MST 2020] Verify finished, start to sign.
[REMOVED LINKS TO CERT]
[Fri May 22 09:55:34 MST 2020] Cert success.
-----BEGIN CERTIFICATE-----
[TRIMMED]
-----END CERTIFICATE-----
[Fri May 22 09:55:34 MST 2020] Your cert is in  /usr/local/share/acme.sh/example.com/example.com.cer
[Fri May 22 09:55:34 MST 2020] Your cert key is in  /usr/local/share/acme.sh/example.com/example.com.key
[Fri May 22 09:55:34 MST 2020] The intermediate CA cert is in  /usr/local/share/acme.sh/example.com/ca.cer
[Fri May 22 09:55:34 MST 2020] And the full chain certs is there:  /usr/local/share/acme.sh/example.com/fullchain.cer
ash-4.3# acme.sh --test -d example.com --deploy --deploy-hook synology_dsm
[Fri May 22 09:56:16 MST 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 09:56:16 MST 2020] Logging into localhost:5000
[Fri May 22 09:56:16 MST 2020] Getting certificates in Synology DSM
/usr/local/share/acme.sh/deploy/synology_dsm.sh: line 113: SYNO_Create: parameter null or not set
[Fri May 22 09:56:16 MST 2020] Deploy error.
ash-4.3# SYNO_Create=1 acme.sh --test -d example.com --deploy --deploy-hook synology_dsm
[Fri May 22 09:56:30 MST 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 09:56:30 MST 2020] Logging into localhost:5000
[Fri May 22 09:56:30 MST 2020] Getting certificates in Synology DSM
[Fri May 22 09:56:31 MST 2020] Generate form POST request
[Fri May 22 09:56:31 MST 2020] Upload certificate to the Synology DSM
[Fri May 22 09:56:31 MST 2020] http services were NOT restarted
[Fri May 22 09:56:31 MST 2020] Success
ash-4.3#

@ghost commented May 22, 2020

@tresni Hi Brian.

Yes, I am connected to the synology box via ssh from my computer (mac pro).

On sudo - if I run the command without sudo:

root@xxxx:/usr/local/share/acme.sh# ./acme.sh --deploy -d "$CERT_DOMAIN" --deploy-hook synology_dsm --ecc --debug 2
It seems that you are using sudo, please read this link first:
https://github.com/acmesh-official/acme.sh/wiki/sudo

The same goes for script installation. Once you execute 'sudo -i' and after entering password you are logged in as root. I did not try to install the script under an administrator account as 'sudo -i' was used in the instructions.

As for SYNO_Create, I just tried executing the same command line you used but with sudo and after exporting SYNO_Username, SYNO_Password, CERT_DOMAIN, SYNO_Certificate, and the result:

root@xxxx:/usr/local/share/acme.sh# SYNO_Create=1 sudo ./acme.sh --test -d xxx.xxxxxxx.xxx --deploy --deploy-hook synology_dsm --ecc
[Fri May 22 19:59:00 +03 2020] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri May 22 19:59:00 +03 2020] Logging into xxx.xxxxxxx.xxx:14080
[Fri May 22 19:59:01 +03 2020] Getting certificates in Synology DSM
[Fri May 22 19:59:01 +03 2020] Unable to find certificate:  and $SYNO_Create is not set
[Fri May 22 19:59:01 +03 2020] Error deploy for domain:xxx.xxxxxxx.xxx
[Fri May 22 19:59:01 +03 2020] Deploy error.

acme.sh created and installed the cert and its files to /root/.acme.sh/xxx.xxxxxxx.xxx_ecc/

Also, another issue I had with the master branch was SYNO_Scheme, SYNO_Hostname, SYNO_Port were not being picked up by the deployment script so I manually saved them in /root/.acme.sh/xxx.xxxxxxx.xxx_ecc/xxx.xxxxxxx.xxx.conf ... haven't tested dev yet.

@tresni (Contributor Author) commented May 22, 2020

On sudo - if I run the command without sudo:

A shell started with sudo -i is detected as using sudo. Doing sudo su is not. YMMV.

As for SYNO_Create, I just tried executing the same command line you used but with sudo and after exporting SYNO_Unsername, SYNO_Password, CERT_DOMAIN, SYNO_Certificate and the result:

The command is incorrect. By doing SYNO_Create=1 sudo you are passing SYNO_Create in the environment to sudo, but it won't (normally) be passed on to the command you are actually running (./acme.sh).

If you are going to use sudo, the appropriate command would be sudo SYNO_Create=1 ./acme.sh. Any environmental variables you want to pass need to come after sudo and before the command you want to execute.

Just an additional note that I've updated the Synology NAS guide to give steps that work with no workarounds necessary. Please let me know if you have problems after following the steps exactly as outlined there.

@ghost commented May 22, 2020

@tresni Alright. I'm going to start fresh and install after executing sudo su instead of sudo -i and see where that takes me.

Appreciate your help!

Thanks

@ghost commented May 22, 2020

@tresni Hello again Brian.

I gave this another try and followed the updated wiki. While acme.sh can now be executed without sudo and the deployment script is detecting/reading the data for SYNO_xxxxxx, it's still complaining and failing when deploying the cert to DSM.

ash-4.3# SYNO_Create=1 ./acme.sh --deploy -d xxx.xxxxxxx.xxx --deploy-hook synology_dsm --ecc
[Fri May 22 23:15:37 +03 2020] Logging into xxx.xxxxxxx.xxx:14080
[Fri May 22 23:15:38 +03 2020] Getting certificates in Synology DSM
[Fri May 22 23:15:38 +03 2020] Generate form POST request
[Fri May 22 23:15:38 +03 2020] Upload certificate to the Synology DSM
[Fri May 22 23:15:39 +03 2020] Unable to update certificate, error code {"error":{"code":5529},"success":false}
[Fri May 22 23:15:39 +03 2020] Error deploy for domain:xxx.xxxxxxx.xxx
[Fri May 22 23:15:39 +03 2020] Deploy error.

What else can be causing this?

Thank you!

@ghost commented May 22, 2020

Adding debug output:

[Sat May 23 00:13:16 +03 2020] ./acme.sh:_post:1735                     _postContentType='multipart/form-data; boundary=--------------------------20200522211316'
[Sat May 23 00:13:16 +03 2020] ./acme.sh:_exists:494                    curl exists=0
[Sat May 23 00:13:16 +03 2020] ./acme.sh:_exists:494                    mktemp exists=0
[Sat May 23 00:13:16 +03 2020] ./acme.sh:_exists:494                    wget exists=0
[Sat May 23 00:13:16 +03 2020] ./acme.sh:_post:1747                     _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.4U3Sf34XpF  -g '
[Sat May 23 00:13:16 +03 2020] ./acme.sh:_post:1842                     _ret='0'
[Sat May 23 00:13:16 +03 2020] deploy/synology_dsm.sh:synology_dsm_deploy:139 response='{"error":{"code":5529},"success":false}'
[Sat May 23 00:13:16 +03 2020] Unable to update certificate, error code {"error":{"code":5529},"success":false}
[Sat May 23 00:13:16 +03 2020] Error deploy for domain:xxx.xxxxxxx.xxx
[Sat May 23 00:13:16 +03 2020] Deploy error.

Tested with synology_dsm.sh from both master and dev branches

@tresni (Contributor Author) commented May 22, 2020

What Synology device are you using? What version of DSM are you using? I can't find error code 5529 defined. The surrounding defined errors that I could find are:

5521:_T("certificate","err_connection"),
5522:_T("certificate","err_server_not_match"),
5523:_T("certificate","err_too_many_reg"),
5524:_T("certificate","err_too_many_req"),
5525:_T("certificate","err_mail"),
5526:_T("s2s","err_invalid_param_value")

I've been able to successfully deploy an ECC certificate as follows (DS3615sx and DSM 6.1.7):

./acme.sh --test --issue -d example.com --dns dns_he --keylength ec-256
./acme.sh --test -d example.com --deploy --deploy-hook synology_dsm --ecc

With the information you've provided, I can't replicate what you are seeing.

@ghost commented May 22, 2020

What Synology device are you using? What version of DSM are you using? I can't find error code 5529 defined. The surrounding defined errors that I could find are:

918+ with DSM 6.2.3 rel 25426 (latest release)

5521:_T("certificate","err_connection"),
5522:_T("certificate","err_server_not_match"),
5523:_T("certificate","err_too_many_reg"),
5524:_T("certificate","err_too_many_req"),
5525:_T("certificate","err_mail"),
5526:_T("s2s","err_invalid_param_value")

I've been able to successfully deploy an ECC certificate as follows (DS3615sx and DSM 6.1.7):

./acme.sh --test --issue -d example.com --dns dns_he --keylength ec-256
./acme.sh --test -d example.com --deploy --deploy-hook synology_dsm --ecc

With the information you've provided, I can't replicate what you are seeing.

Could the form fields/options have changed between versions as it is failing when uploading the new cert? The error code 5529 is very near to the error codes you posted so I am guessing it has something to do with the cert or its fields.

@tresni (Contributor Author) commented May 22, 2020

What Synology device are you using? What version of DSM are you using? I can't find error code 5529 defined. The surrounding defined errors are that I could find are:

918+ with DSM 6.2.3 rel 25426 (latest release)

Unfortunately I am not home to test with my DSM running latest and having trouble getting xpenology to run DSM 6.2 or later on VirtualBox.

Could the form fields/options have changed between versions as it is failing when uploading the new cert? The error code 5529 is very near to the error codes you posted so I am guessing it has something to do with the cert or its fields.

You could check the synoSDSjslib/sds.js file to see if it contains the string '5529' similar to the ones I posted. Should be available at http://[synology_host]:[synology_port]/synoSDSjslib/sds.js .

@ghost commented May 22, 2020

You could check the synoSDSjslib/sds.js file to see if it contains the the string '5529' similar to the ones I posted. Should be available at http://[synology_host]:[synology_port]/synoSDSjslib/sds.js .

I checked and it's 5529:_T("certificate","not_support_ecc")

How does it not support ecc when with the previous acme/synology method (prior to the dsm deployhook) I was able to create and install ec-256 and ec-384 certs.

@tresni (Contributor Author) commented May 22, 2020

I can't answer that as I don't work for Synology. That's a response from their API. Can you add the certificates manually via the DSM webui?

I was able to get something setup to access my DS1515+ at home, it's running DSM 6.2.2 and supports ECC certificates. So either it's something new in 6.2.3 or something specific to the DS918. Reviewing the DS918+ Release Notes, the closest I see is "Added support for Let's Encrypt wildcard certificates for Synology DDNS."

@Mic13710

@LordDarkneo Thank you for your help. The IP 172.17.0.1 is private and internal to the NAS (docker). It can't be resolved in a browser. Replacing the IP with the NAS IP resolves but does not provide relevant info:

{"data":{"SYNO.API.Auth":{"maxVersion":7,"minVersion":1,"path":"entry.cgi"}},"success":true}

Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json; charset="UTF-8"
Date: Fri, 26 Apr 2024 08:22:12 GMT
Expires: 0
Keep-Alive: timeout=20
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Host: 192.168.54.2:5000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0

@scruel I have searched all over the NAS with WinSCP as root. Can't locate any log related to the deployment except those already given. My certs are valid till 22/05 for the 220+ and beginning of July for the 718+ so I have little time left. I am quite busy these days but I should be able to provide more information later on. At the moment:
Both NAS are under DSM7.2.1-69057U5. The acme.sh is in container manager and the image is neilpang/acme.sh at the latest.
However, all the active certificates have been renewed automatically with the previous version and deployed correctly on the 718, not on the 220 (that was the case sometime in the past).
Since the updates to the latest DSM and the latest acme.sh image, the deploy command is not working anymore on both NAS.

@LordDarkneo (Contributor)

@Mic13710 in fact it does. It confirms that the query has been sent properly and that login should be made through entry.cgi. Now we still need to find which version is used for the authentication (I'd say 7 but not sure...). Did you try to set a value in the Syno Token and execute the script to see how it goes (just add a variable in the flat file)?
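
Two DSM responses come up repeatedly in this thread: the error body {"error":{"code":5529},"success":false} (whose code was resolved above by grepping synoSDSjslib/sds.js for 5529:_T("certificate","not_support_ecc")) and the SYNO.API.Info reply quoted by @Mic13710 that reports maxVersion and path for SYNO.API.Auth. The POSIX shell helpers below are an added example, not part of acme.sh and not code from any post in this thread: they pull those values out with sed and resolve an error code against the _T() table. The sds.js fragment is constructed from the codes quoted above (the real file is one minified line); the sds.js URL is the one tresni gave, and whether current DSM 7 builds still serve it at that path is an assumption.

```shell
#!/bin/sh
# Added example (not acme.sh code): parse the DSM responses discussed in this
# thread and resolve numeric error codes against sds.js.

# Constructed fragment of synoSDSjslib/sds.js, built from the codes quoted in
# this thread. The real file is minified JavaScript on a single long line.
SDS_JS_SAMPLE='...,5521:_T("certificate","err_connection"),5522:_T("certificate","err_server_not_match"),5523:_T("certificate","err_too_many_reg"),5524:_T("certificate","err_too_many_req"),5525:_T("certificate","err_mail"),5526:_T("s2s","err_invalid_param_value"),5529:_T("certificate","not_support_ecc"),...'

# Constructed SYNO.API.Info reply, copied from the one quoted above.
API_INFO_SAMPLE='{"data":{"SYNO.API.Auth":{"maxVersion":7,"minVersion":1,"path":"entry.cgi"}},"success":true}'

# Print the numeric error.code from a DSM JSON error body, e.g.
#   {"error":{"code":5529},"success":false}                           -> 5529
#   {"error":{"code":108,"errors":{"upload_err":-5}},"success":false} -> 108
# Prints nothing and returns 1 when the body carries no error.code.
syno_error_code() {
  code=$(printf '%s' "$1" | sed -n 's/.*"error":{"code":\([0-9][0-9]*\).*/\1/p')
  [ -n "$code" ] || return 1
  printf '%s\n' "$code"
}

# Resolve a code against sds.js text given on stdin. Prints "category/key"
# (e.g. certificate/not_support_ecc) or returns 1 if the table has no entry.
# The [^0-9] guard stops 529 from matching inside 5529.
syno_lookup_code() {
  hit=$(sed -n "s/.*[^0-9]$1:_T(\"\([^\"]*\)\",\"\([^\"]*\)\").*/\1\/\2/p")
  [ -n "$hit" ] || return 1
  printf '%s\n' "$hit"
}

# From a SYNO.API.Info reply, print "maxVersion path" for SYNO.API.Auth, which
# is what a login URL needs (the version= parameter and which cgi to call).
syno_auth_api_info() {
  obj=$(printf '%s' "$1" | sed -n 's/.*"SYNO\.API\.Auth":{\([^}]*\)}.*/\1/p')
  [ -n "$obj" ] || return 1
  ver=$(printf '%s' "$obj" | sed -n 's/.*"maxVersion":\([0-9][0-9]*\).*/\1/p')
  path=$(printf '%s' "$obj" | sed -n 's/.*"path":"\([^"]*\)".*/\1/p')
  printf '%s %s\n' "$ver" "$path"
}

# Explain a failed deploy response in one line, e.g. "5529 -> certificate/not_support_ecc".
# $1 = DSM error body; sds.js text is read from stdin.
syno_explain() {
  code=$(syno_error_code "$1") || { echo "no error.code in response"; return 1; }
  name=$(syno_lookup_code "$code") || name="(not defined in sds.js)"
  printf '%s -> %s\n' "$code" "$name"
}

# Against a real NAS (path assumed from this thread; run only against your own box):
#   curl -s "http://$SYNO_HOSTNAME:$SYNO_PORT/synoSDSjslib/sds.js" | syno_lookup_code 5529
```

The lookup only tells you what DSM calls the error; the category/key pair is the localisation key, so "certificate/not_support_ecc" is exactly what the 918+ reporter found for DSM 6.2.3 and an RSA key is the fix there. Codes outside the 55xx block (such as 108 with upload_err) belong to the generic upload layer and will not appear in the certificate table.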

@Mic13710

@LordDarkneo I have tried to add values for Session ID and SynoToken in ndd.conf like this:

SAVED_SYNO_Session_ID='27_e3kXp9lHXGnNhIXmeqdTS33P5aa8LHZBt6581WwYx-VrBtWYRDJ2u0FFPSVFm80KYN0qu_Jci0eHsXglE8U'
SAVED_SYNO_SynoToken='yU5LMGVAgdCro'

Without any result. Still empty in the log. Values are those from the previous successful deployment.
Maybe I should force the values somewhere else or differently but I have no idea where and how.

@LordDarkneo (Contributor) commented Apr 27, 2024 via email

@Mic13710

Well, what can do more, can do less.
With synotoken alone, same result.
Maybe I should try to put it directly in the script. But while I can understand it, I am not confident enough to do that by myself.

@Mic13710 commented May 6, 2024

Hello @scruel , @LordDarkneo ,
Back home today, I have rerun the script and both certificates have been deployed properly !
Session ID and SynoToken are now filled up in the log.
I have no idea why, in exactly the same conditions, all my previous attempts had failed. The NAS has not been restarted and no change was made during the period.
Problem seems to be solved. To be confirmed at the next renewal.
Thanks again for your support.

@spendist commented Aug 20, 2024

Synology web API 6.1 doesn't support the auth API, so when calling the first API to get a token, it only returns $sid and the script exits with an error.

Maybe using scp is a simple method.

@Eagle3386 (Contributor)

DSM 6.x is officially EOL at Synology, hence no support from this script either.
Your options: upgrade DSM to 7.x, buy a new NAS or work something out yourself.

@Saxfusion commented Sep 1, 2024

Hi,
the temp_admin seems to be working fine.

Do we have any idea why a SAVED_SYNO_LOCAL_HOSTNAME='1' would be replaced with the domain that is stored in SAVED_SYNO_HOSTNAME='hostname' after a successful deployment?
Because with SAVED_SYNO_LOCAL_HOSTNAME='hostname' the next deployment after successful renewal will fail again.

Is it not enough to edit the domain/domain.conf and set it to 1, but actively export SYNO_LOCAL_HOSTNAME='1' before the next successful domain certificate renewal? (to keep it set to 1 permanently)

So, instead of the task of running just '/path/.acme.sh/acme.sh --cron --home /path/.acme.sh' I would need to prepend a 'export SYNO_LOCAL_HOSTNAME=1' in the script?

Or would it be better (or best practice) to create a custom script (maybe even per domain) to export/unset variables, renew, deploy, and so forth with explicit acme.sh commands instead of the generic built-in cron job?

@Eagle3386 (Contributor)

I thought there's no cron on Synology's box?! 🤔
Other than that, I still didn't have enough time to try the temp admin thing - is it documented within the wiki?

@Saxfusion

Yeah, there still isn't, but invoking the command via DSM scheduler does the job also.
There is info, but I am not sure if I am too dumb, or it is too scarce, or not completely working as intended (since it still is not running without interference on the second renewal).

The temp admin creation, deletion itself works (I did not check for safety checks, e.g. That 2FA is enabled again, but working so far).

@scruel (Contributor) commented Sep 5, 2024

@Saxfusion

Do we have any idea why a SAVED_SYNO_LOCAL_HOSTNAME='1' would be replaced with the domain that is stored in SAVED_SYNO_HOSTNAME='hostname' after a successful deployment?
Because with SAVED_SYNO_LOCAL_HOSTNAME='hostname' the next deployment after successful renewal will fail again.

I think it's an issue, and I may have some time to check it soon. Before I do, can you provide a step-by-step instruction which can reproduce it? This can really save me some time, thanks.

@Saxfusion

Not sure which detail would be missing.

Installed acme.sh within /usr/local/share/acme.sh
Issued certs with dns-alias challenge. Renewal on this part is usually working fine.

For this I just run '/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh' as a scheduled task as root user.

Since I probably got the documentation wrong I formerly had edited SAVED_SYNO_LOCAL_HOSTNAME='hostname' into the config file. The deployment after the next renewal was faulty.
I then edited the config again (without explicitly exporting any variable) to SAVED_SYNO_LOCAL_HOSTNAME='1' and ran the deployment via console ./acme.sh --deploy --home . -d domain --deploy-hook synology_dsm
Afterwards I checked the config again and it again did show SAVED_SYNO_LOCAL_HOSTNAME='hostname'

I now edited the config again to read SAVED_SYNO_LOCAL_HOSTNAME='1' and waiting on the next renewal end of October if it stays that way.
On a second Synology it still shows the hostname entry. I will try to modify the task for the next renewal, also end of October, to first set an "export SYNO_LOCAL_HOSTNAME=1" before calling the cron command.

@spicygardener

Hi, I think this may be the right thread for the issue I'm having with deploying certificates in acme.sh. I can get a certificate with no issue but deploying it is where I run into the error "Unable to find certificate: mydomain.tld and is not set". I upgraded acme.sh and was considering reinstalling it but I am not sure if that will really do anything to help this situation. I'm bad with shell commands and not sure how to export the certificate files off of the Synology, otherwise I would feel comfortable with deleting all of them and starting over.

I also copied the certificate from the folder where they were created (/usr/local/share/acme.sh/mydomain.tld) into the working directory of (/usr/local/share/acme.sh) just in case it couldn't 'find' the files for some reason.

Steps to reproduce
Obtain certificate from LE using:
./acme.sh --issue --keylength 2048 --server letsencrypt --home . -d "mydomain.tld" --dns "$CERT_DNS" --log

Debug log
ash-4.4# ./acme.sh --deploy --home . -d "mydomain.tld" --deploy-hook synology_dsm --debug 2
[Wed Sep 18 12:35:09 PM EDT 2024] Lets find script dir.
[Wed Sep 18 12:35:09 PM EDT 2024] SCRIPT='./acme.sh'
[Wed Sep 18 12:35:09 PM EDT 2024] _script='/usr/local/share/acme.sh/acme.sh'
[Wed Sep 18 12:35:09 PM EDT 2024] _script_home='/usr/local/share/acme.sh'
[Wed Sep 18 12:35:09 PM EDT 2024] Using config home:.
[Wed Sep 18 12:35:10 PM EDT 2024] LE_WORKING_DIR='.'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Wed Sep 18 12:35:10 PM EDT 2024] Running cmd: deploy
[Wed Sep 18 12:35:10 PM EDT 2024] Using config home:.
[Wed Sep 18 12:35:10 PM EDT 2024] default_acme_server
[Wed Sep 18 12:35:10 PM EDT 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Wed Sep 18 12:35:10 PM EDT 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Wed Sep 18 12:35:10 PM EDT 2024] _ACME_SERVER_PATH='v2/DV90'
[Wed Sep 18 12:35:10 PM EDT 2024] DOMAIN_PATH='./mydomain.tld'
[Wed Sep 18 12:35:10 PM EDT 2024] DOMAIN_CONF='./mydomain.tld/mydomain.tld.conf'
[Wed Sep 18 12:35:10 PM EDT 2024] _deployApi='/usr/local/share/acme.sh/deploy/synology_dsm.sh'
[Wed Sep 18 12:35:10 PM EDT 2024] _cdomain='mydomain.tld'
[Wed Sep 18 12:35:10 PM EDT 2024] SYNO_USE_TEMP_ADMIN
[Wed Sep 18 12:35:10 PM EDT 2024] SYNO_USE_TEMP_ADMIN='1'
[Wed Sep 18 12:35:10 PM EDT 2024] Setting temp admin user credential...
[Wed Sep 18 12:35:10 PM EDT 2024] SYNO_SCHEME='http'
[Wed Sep 18 12:35:10 PM EDT 2024] SYNO_HOSTNAME='localhost'
[Wed Sep 18 12:35:10 PM EDT 2024] SYNO_PORT='5500'
[Wed Sep 18 12:35:10 PM EDT 2024] SYNO_CERTIFICATE='mydomain.tld'
[Wed Sep 18 12:35:10 PM EDT 2024] Getting API version...
[Wed Sep 18 12:35:10 PM EDT 2024] _base_url='http://localhost:5500/'
[Wed Sep 18 12:35:10 PM EDT 2024] GET
[Wed Sep 18 12:35:10 PM EDT 2024] url='http://localhost:5500/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Wed Sep 18 12:35:10 PM EDT 2024] timeout=
[Wed Sep 18 12:35:10 PM EDT 2024] _CURL='curl --silent --dump-header ./http.header -L --trace-ascii /tmp/tmp.J5OKU47YeA -g '
[Wed Sep 18 12:35:11 PM EDT 2024] ret='0'
[Wed Sep 18 12:35:11 PM EDT 2024] Logging into localhost:5500...
[Wed Sep 18 12:35:11 PM EDT 2024] SYNO_LOCAL_HOSTNAME='localhost'
[Wed Sep 18 12:35:11 PM EDT 2024] Creating temp admin user in Synology DSM...
[Wed Sep 18 12:35:12 PM EDT 2024] GET
[Wed Sep 18 12:35:12 PM EDT 2024] url='http://localhost:5500/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&format=sid&account=sc-acmesh-tmp&passwd=QmHVjnFwkt11zaSd&enable_syno_token=yes'
[Wed Sep 18 12:35:12 PM EDT 2024] timeout=
[Wed Sep 18 12:35:12 PM EDT 2024] _CURL='curl --silent --dump-header ./http.header -L --trace-ascii /tmp/tmp.akRdhBLx7L -g '
[Wed Sep 18 12:35:13 PM EDT 2024] ret='0'
[Wed Sep 18 12:35:13 PM EDT 2024] error_code
[Wed Sep 18 12:35:13 PM EDT 2024] Session ID='redacted'
[Wed Sep 18 12:35:13 PM EDT 2024] SynoToken='redacted'
[Wed Sep 18 12:35:13 PM EDT 2024] H1='X-SYNO-TOKEN: redacted'
[Wed Sep 18 12:35:13 PM EDT 2024] Getting certificates in Synology DSM...
[Wed Sep 18 12:35:13 PM EDT 2024] POST
[Wed Sep 18 12:35:13 PM EDT 2024] _post_url='http://localhost:5500/webapi/entry.cgi'
[Wed Sep 18 12:35:13 PM EDT 2024] body='api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=redacted'
[Wed Sep 18 12:35:13 PM EDT 2024] _postContentType
[Wed Sep 18 12:35:13 PM EDT 2024] _CURL='curl --silent --dump-header ./http.header -L --trace-ascii /tmp/tmp.1qyEiQPoVf -g '
[Wed Sep 18 12:35:13 PM EDT 2024] _ret='0'
[Wed Sep 18 12:35:13 PM EDT 2024] escaped_certificate='my.domain.tld'
[Wed Sep 18 12:35:13 PM EDT 2024] id
[Wed Sep 18 12:35:13 PM EDT 2024] error_code
[Wed Sep 18 12:35:13 PM EDT 2024] SYNO_CREATE
[Wed Sep 18 12:35:13 PM EDT 2024] Unable to find certificate: mydomain.tld and is not set.
[Wed Sep 18 12:35:13 PM EDT 2024] Cleanuping temp admin info...
[Wed Sep 18 12:35:14 PM EDT 2024] Error deploy for domain:mydomain.tld
[Wed Sep 18 12:35:14 PM EDT 2024] Deploy error.

If anyone could point me in the right direction I'd really appreciate it. I was able to renew certificates on all of my other Synologies except this specific one. Today, I am going to delete the acme.sh directories and start over to see if that helps.

Thanks.

@Saxfusion

mydomain.tld is not set as description for any existing certificate or SYNO_CREATE is not set to 1?

@x2358473

On DSM 6.2.3, running acme.sh in Docker, the certificate request succeeded. But the last step, deployment, always fails with the following error:
[Fri Sep 20 13:37:01 CST 2024] The domain 'frp.luobonas.cn' seems to have a ECC cert already, lets use ecc cert.
[Fri Sep 20 13:37:01 CST 2024] Logging into localhost:5001
[Fri Sep 20 13:37:01 CST 2024] Getting certificates in Synology DSM
[Fri Sep 20 13:37:01 CST 2024] Generate form POST request
[Fri Sep 20 13:37:01 CST 2024] Upload certificate to the Synology DSM
[Fri Sep 20 13:37:01 CST 2024] Unable to update certificate, error code {"error":{"code":5529},"success":false}
[Fri Sep 20 13:37:01 CST 2024] Error deploy for domain:frp.luobonas.cn
[Fri Sep 20 13:37:01 CST 2024] Deploy error.
The docker configuration is as follows:
docker run -d \
  --privileged \
  --user=root \
  --name acme \
  -e Ali_Key=alikey \
  -e Ali_Secret=alisecret \
  -e SYNO_Scheme=http \
  -e SYNO_Hostname=localhost \
  -e SYNO_Port=5000 \
  -e SYNO_Username=user \
  -e SYNO_Password=pwd \
  -e SYNO_Certificate=daemon \
  -e SYNO_Create=1 \
  -v /volume2/docker/acme:/acme.sh \
  --network=host \
  neilpang/acme.sh \
  daemon

@Saxfusion

Try to use a private RSA-key and not ECC.
DSM 6.2.3 did either never support ECC or they broke support (I think it's the first one).

https://kb.synology.com/en-nz/DSM/help/DSM/AdminCenter/connection_certificate?version=6

@x2358473

Try to use a private RSA-key and not ECC. DSM 6.2.3 did either never support ECC or they broke support (I think it's the first one).

https://kb.synology.com/en-nz/DSM/help/DSM/AdminCenter/connection_certificate?version=6

Thank you very, very much. This issue has been bothering me for several days, and it turns out to be due to the ECC certificate. Adding --keylength 2048 really succeeded. Thanks again.

@x2358473 commented Sep 20, 2024

--keylength 2048

Hello, the certificate has now been added, but I checked the logs and found that restarting the HTTP service failed. May I ask where the problem is?
log:
[Fri Sep 20 16:27:23 CST 2024] Logging into localhost:5000...
[Fri Sep 20 16:27:24 CST 2024] Getting certificates in Synology DSM...
[Fri Sep 20 16:27:24 CST 2024] Generating form POST request...
[Fri Sep 20 16:27:24 CST 2024] Upload certificate to the Synology DSM.
[Fri Sep 20 16:27:24 CST 2024] Restart HTTP services failed.
[Fri Sep 20 16:27:24 CST 2024] Success

@spicygardener

mydomain.tld is not set as description for any existing certificate or SYNO_CREATE is not set to 1?

No other certificates have the description of mydomain.tld and SYNO_CREATE is set to 1. I tried it again and unfortunately I am still getting the "Unable to find certificate: and is not set" error

Thanks.

@Saxfusion

Can you try SYNO_LOCAL_HOSTNAME set to 1?

Maybe deploy with --insecure?

Also there might be something
escaped_certificate='my.domain.tld'
And
Unable to find certificate: mydomain.tld and is not set.
But not sure if there is any meaning behind the difference.

Not sure if that is an issue when you run the certificate issue with explicitly setting the letsencrypt server and the deploy without. Since I am directly setting my config to letsencrypt when installing acme.sh I have no clue if there could be any issue with directory structure or something.

Which DSM are you running?

@spicygardener

Can you try SYNO_LOCAL_HOSTNAME set to 1?

Maybe deploy with --insecure?

Also there might be something escaped_certificate='my.domain.tld' And Unable to find certificate: mydomain.tld and is not set. But not sure if there is any meaning behind the difference.

Not sure if that is an issue when you run the certificate issue with explicitly setting the letsencrypt server and the deploy without. Since I am directly setting my config to letsencrypt when installing acme.sh I have no clue if there could be any issue with directory structure or something.

Which DSM are you running?

Setting SYNO_LOCAL_HOSTNAME to 1 worked, I was able to deploy the certificate and no longer receive the "Unable to find certificate: and is not set" error. I set this on both synology_dsm.sh files in the directories /root/acme.sh-master/deploy and /usr/local/share/acme.sh/deploy

Certificate was successfully deployed and is now in use:

You were so helpful and I am glad that I learned something new. I will update my other thread and include this as a solution. Many thanks!

@x2358473

Can you try SYNO_LOCAL_HOSTNAME set to 1?
Maybe deploy with --insecure?
Also there might be something escaped_certificate='my.domain.tld' And Unable to find certificate: mydomain.tld and is not set. But not sure if there is any meaning behind the difference.
Not sure if that is an issue when you run the certificate issue with explicitly setting the letsencrypt server and the deploy without. Since I am directly setting my config to letsencrypt when installing acme.sh I have no clue if there could be any issue with directory structure or something.
Which DSM are you running?

Setting SYNO_LOCAL_HOSTNAME to 1 worked, I was able to deploy the certificate and no longer receive the "Unable to find certificate: and is not set" error. I set this on both synology_dsm.sh files in the directories /root/acme.sh-master/deploy and /usr/local/share/acme.sh/deploy

Certificate was successfully deployed and is now in use:

You were so helpful and I am glad that I learned something new. I will update my other thread and include this as a solution. Many thanks!

I saw that your log also says Restart HTTP services failed. The certificate has been replaced, but the HTTP service has not been restarted. Does your new certificate work normally?

@Saxfusion

Yes, usually it works normally.
I assume if you have a page (afterwards I see the new certificate in DSM GUI) or session reload in the browser or browser restart a new Webserver worker thread is picking up the connection to the client with the new certificate.
I did not dive in or research the cause for this. Maybe someone else did already and can share their insights.

@x2358473

One more question. Deployment with acme.sh succeeded. The issuer is R11, but when using the certificate I get the error VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=US, O=Let's Encrypt, CN=R11
Is this a certificate problem or a deployment problem?

@kapsh commented Oct 5, 2024

Got this error (because I forgot to set SYNO_CREATE variable):
Unable to find certificate: and is not set.
It's not really helpful when displaying empty values (source) and should refer to variable names instead. Or even better:
"Unable to find which certificate to replace, set SYNO_CERTIFICATE to replace by alias or SYNO_CREATE to install new one"
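
The three recurring operator mistakes in this thread are environment mistakes: variables placed before sudo instead of after it (tresni's explanation above), SAVED_SYNO_LOCAL_HOSTNAME being rewritten after a deploy (Saxfusion's question about prepending an export to the scheduled task), and the hook reporting "Unable to find certificate:  and is not set" without naming the variable (the point made just above). The following POSIX shell preflight, an added example that is neither acme.sh code nor anyone's posted script, checks the hook's environment before acme.sh --cron runs and names the missing variable. It accepts both the older mixed-case names seen in the 2020 posts (SYNO_Create, SYNO_Username, SYNO_Password, SYNO_Certificate) and the upper-case ones seen in the 2024 debug logs (SYNO_CREATE, SYNO_CERTIFICATE, SYNO_USE_TEMP_ADMIN, SYNO_LOCAL_HOSTNAME); SYNO_USERNAME and SYNO_PASSWORD as upper-case spellings are assumed, and which spellings a given hook version actually reads is also an assumption.

```shell
#!/bin/sh
# Added example, not part of acme.sh: a preflight check for the synology_dsm
# deploy hook's environment, plus a DSM Task Scheduler wrapper that calls it
# before "acme.sh --cron". Variable spellings other than those quoted in this
# thread (SYNO_USERNAME, SYNO_PASSWORD) are assumed.

NL='
'

# Print the value of the first variable named in $@ that is set and non-empty;
# return 1 if none is. Variables are looked up by name, not passed by value.
first_set() {
  for n in "$@"; do
    eval "v=\${$n:-}"
    if [ -n "$v" ]; then printf '%s' "$v"; return 0; fi
  done
  return 1
}

# Print one problem per line; return 0 only when the environment is usable.
syno_preflight() {
  problems=""

  # Authentication: temp admin (only when run as root on the NAS itself) or a real login.
  if [ "$(first_set SYNO_USE_TEMP_ADMIN)" != "1" ]; then
    first_set SYNO_USERNAME SYNO_Username >/dev/null ||
      problems="${problems}set SYNO_USERNAME (or SYNO_USE_TEMP_ADMIN=1 when running as root on the NAS)${NL}"
    first_set SYNO_PASSWORD SYNO_Password >/dev/null ||
      problems="${problems}set SYNO_PASSWORD (or SYNO_USE_TEMP_ADMIN=1)${NL}"
  fi

  # Target: replace the certificate whose DSM description matches, or create a new one.
  if ! first_set SYNO_CERTIFICATE SYNO_Certificate >/dev/null &&
     [ "$(first_set SYNO_CREATE SYNO_Create)" != "1" ]; then
    problems="${problems}set SYNO_CERTIFICATE to the description of the certificate to replace, or SYNO_CREATE=1 to install a new one${NL}"
  fi

  printf '%s' "$problems"
  [ -z "$problems" ]
}

# Body of a DSM Task Scheduler "user-defined script" (User: root). Variables
# exported here reach acme.sh because it runs in this same shell. Under sudo they
# must come after it ("sudo SYNO_CREATE=1 ./acme.sh"): "SYNO_CREATE=1 sudo ./acme.sh"
# hands the variable to sudo, which normally drops it. Paths are those used in this thread.
run_acme_cron() {
  export SYNO_LOCAL_HOSTNAME=1
  syno_preflight || return 1
  /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh
}
```

Run syno_preflight by hand once before the first deploy; its output names the variable the hook will otherwise complain about with an empty value. One unrelated caveat worth keeping in mind when posting logs here: the --debug 2 output quoted earlier puts the login password (including the temp admin's) in the request URL, and the curl --trace-ascii files it leaves in /tmp hold the same request, so scrub both before pasting them.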

@FoldZero

ash-4.4# cd /usr/local/share/acme.sh
ash-4.4# export CERT_DOMAIN="my.domain"
ash-4.4# export CERT_DNS="dns_freedns"
ash-4.4# ./acme.sh --issue --server letsencrypt --home . -d "$CERT_DOMAIN" --dns "$CERT_DNS" --keylength 2048
[Wed Nov 20 07:21:52 PM GMT 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 20 07:21:52 PM GMT 2024] Single domain='my.domain'
[Wed Nov 20 07:21:54 PM GMT 2024] Getting webroot for domain='my.domain'
[Wed Nov 20 07:21:54 PM GMT 2024] Adding TXT value: vNXazqUNhVbw20QsbUwmBv3mDuUMLC623XE66sVryx8 for domain: _acme-challenge.my.domain
[Wed Nov 20 07:21:54 PM GMT 2024] Add TXT record using FreeDNS
[Wed Nov 20 07:22:11 PM GMT 2024] Domain my.domain found at FreeDNS, domain_id 1433557
[Wed Nov 20 07:22:17 PM GMT 2024] Added acme challenge TXT record for _acme-challenge.my.domain at FreeDNS
[Wed Nov 20 07:22:17 PM GMT 2024] The TXT record has been successfully added.
[Wed Nov 20 07:22:17 PM GMT 2024] Let's check each DNS record now. Sleeping for 20 seconds first.
[Wed Nov 20 07:22:38 PM GMT 2024] You can use '--dnssleep' to disable public dns checks.
[Wed Nov 20 07:22:38 PM GMT 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Wed Nov 20 07:22:38 PM GMT 2024] Checking my.domain for _acme-challenge.my.domain
[Wed Nov 20 07:22:38 PM GMT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60

@Saxfusion

Is that the end of the log or is there more afterwards?
Double checked the DNS txt record yourself via web interface?
Increase timeout until the entry is checked, maybe it is not yet updated and delivered on external requests.

@zee2E commented Dec 27, 2024

Hi everyone,

I'm not sure if the problem exists since the last DSM update, but it worked before. Currently I always get:

[Sun Nov 13 06:58:37 CET 2022] Getting certificates in Synology DSM
[Sun Nov 13 06:58:37 CET 2022] Generate form POST request
[Sun Nov 13 06:58:37 CET 2022] Upload certificate to the Synology DSM
[Sun Nov 13 06:58:37 CET 2022] Unable to update certificate, error code {"error":{"code":108,"errors":{"upload_err":-5}},"success":false}
[Sun Nov 13 06:58:37 CET 2022] Error deploy for domain:xxxx
[Sun Nov 13 06:58:37 CET 2022] Deploy error.

Unfortunately, I have not found an error code overview. What does 108 mean?

The account does not use 2FA.

Thanks in advance

Chris

Recently, I've been attempting to synchronize SSL certificates and keys from the router to Synology, and stumbled upon this project.
I don't require the certificates maintained by acme.sh; I only need the code he provides for deploying SSL certificates to Synology. Therefore, my focus is solely on synology_dsm.sh in this project.

After reviewing and modifying the code, I encountered an issue with the response
{"error": {"code": 108, "errors": {"upload_err": -5}}, "success": false}.
I then attempted to use Postman to capture requests from Synology and compared them with the script's requests.

Through experimentation, I identified the following patterns:

  1. Content-Type needs to be added after Content-Disposition
  2. Each section of the body in multipart requires a Content-Length, which is the length of the corresponding section and is added after Content-Type

Therefore, the proper sequence should be:
Content-Disposition: xxxx
Content-Type: yyyyy
Content-Length: zzzzzz

Subsequently, I received a successful response.

I hope to help people who are facing the same problem.
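
The part layout described in the comment above, as an added example that is neither the commenter's script nor acme.sh's own hook: a POSIX shell function that assembles a multipart/form-data body in which every part carries Content-Disposition, then Content-Type, then Content-Length, in that order. The comment reports that DSM's certificate upload accepts this layout and rejects the body without it (error 108, upload_err -5); that Content-Length is the byte length of the part's payload is this example's reading of "the length of the corresponding section". The boundary string, the stand-in payloads and the field names (key, cert, inter_cert, id, desc, as_default) and the import endpoint in the usage comment are constructed or assumed for the example, not taken from Synology documentation.

```shell
#!/bin/sh
# Added example, not acme.sh code: build a multipart/form-data body where each
# part carries Content-Disposition, Content-Type and Content-Length, in that
# order, as the comment above reports DSM's certificate import expects.
# Boundary, payloads and field names are constructed/assumed for the example.

BOUNDARY='----AcmeShExampleBoundary7d9c3b'   # constructed; must not occur in any payload

# Byte length (not character count) of $1; Content-Length is always in bytes.
bytelen() { printf '%s' "$1" | wc -c | tr -d ' \n'; }

# Emit one part.  $1 field name, $2 file name ("" for a plain form field),
# $3 content type, $4 payload. CRLF line endings as RFC 2046 multipart requires.
mp_part() {
  name="$1"; filename="$2"; ctype="$3"; payload="$4"
  printf '%s\r\n' "--$BOUNDARY"
  if [ -n "$filename" ]; then
    printf 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' "$name" "$filename"
  else
    printf 'Content-Disposition: form-data; name="%s"\r\n' "$name"
  fi
  printf 'Content-Type: %s\r\n' "$ctype"
  printf 'Content-Length: %s\r\n' "$(bytelen "$payload")"
  printf '\r\n%s\r\n' "$payload"
}

# Whole body for a certificate import (field names assumed).
# $1 key PEM, $2 cert PEM, $3 chain PEM, $4 id of the certificate to replace
# ("" when creating a new one), $5 description, $6 as_default ("true"/"false").
syno_cert_body() {
  mp_part key        key.pem   application/octet-stream "$1"
  mp_part cert       cert.pem  application/octet-stream "$2"
  mp_part inter_cert chain.pem application/octet-stream "$3"
  mp_part id         ""        text/plain "$4"
  mp_part desc       ""        text/plain "$5"
  mp_part as_default ""        text/plain "$6"
  printf '%s\r\n' "--$BOUNDARY--"
}

# Usage against a real NAS (endpoint and method name assumed; $SID is the _sid
# from SYNO.API.Auth login). Writing the body to a file keeps the trailing CRLF
# that a $(...) capture would strip.
#   d=/usr/local/share/acme.sh/example.com
#   syno_cert_body "$(cat "$d/example.com.key")" "$(cat "$d/example.com.cer")" \
#                  "$(cat "$d/ca.cer")" "" "example.com" "true" > /tmp/cert_body.bin
#   curl -s "http://localhost:5000/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&_sid=$SID" \
#        -H "Content-Type: multipart/form-data; boundary=$BOUNDARY" --data-binary @/tmp/cert_body.bin
#   rm -f /tmp/cert_body.bin   # the body contains the private key
```

If you adapt this, keep the private key out of world-readable temp files and out of shell history (the $(cat ...) capture above stays in memory, but --data-binary @file needs the file on disk for the duration of the request), and compare the generated part against a browser-captured upload from your own DSM version before trusting the layout.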
