Synology DSM 7.0 free auto-renewing certificates - command-line edition

Synology NAS is a very handy storage system, and SSL matters a great deal nowadays. With a few simple changes we can have the Synology use acme to request and install certificates automatically (automatically generate a wildcard certificate and sync it to the Synology).

Foreword

SSL is now indispensable: as it has become universal, a service without SSL can hardly communicate at all. Apple iOS, for example, has cut itself off from plain http entirely, and all kinds of sync services require a valid SSL certificate before they will sync or talk at all. Buying an SSL certificate for personal use every year is no small expense, but fortunately the wonderful acme organization keeps providing free SSL certificates to everyone, wildcard ones at that. The drawback is that they expire after only three months, and replacing the certificate by hand every three months is a real headache. A kind expert on github provided a solution (automatically generate a wildcard certificate and sync it to the Synology), andyzhshg/syno-acme, but it has not been updated for years; the last update dates back to 2020. Demand remained strong, and people kept proposing fixes. Now the polished version is here. Since the original was never updated and everything was only worked out in issues, I forked it and brought it up to date. Consider it taking from the community and giving back.

My updated version: https://github.com/moteta/syno-acme


Download the acme.sh certificate-generation script (two methods)

A - Pure command-line method:

Why use the command line? You can see errors in real time. Free domains such as eu.org tend to produce odd problems with their SSL certificates, and on the command line you can fix them quickly.

  • Requirements: SSH is enabled on the Synology, and you log in to the Synology over SSH with any administrator account
  • An SSH client such as putty

Put the script files under docker/acme

  • In Shared Folder (Control Panel), create a docker folder, then create a subfolder named acme inside it.
  • The resulting structure is docker/acme

Elevate privileges:

(Enter the current administrator's password, not root's.) This gives you root privileges:

```shell
sudo -i
```

Enter your chosen directory

e.g. docker/acme. Any location will do, but remember where it is; you will need it shortly.

```shell
cd /volume1/docker/acme/
```

Download the script with git

(This directory must be empty, and Git Server must be installed on the Synology.)

```shell
git clone https://github.com/moteta/syno-acme.git .
```

Sample output:

```
xxx@xxxNAS:/volume1/docker/acme$ git clone https://github.com/moteta/syno-acme.git .
Cloning into '.'...
remote: Enumerating objects: 123, done.
remote: Counting objects: 100% (43/43), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 123 (delta 36), reused 36 (delta 32), pack-reused 80
Receiving objects: 100% (123/123), 35.68 KiB | 961.00 KiB/s, done.
Resolving deltas: 100% (57/57), done.
```

Go back to the Synology web UI and edit the Config file.

Text Editor must be installed on the Synology.

  • In Config, fill in whichever provider you use: DNS=dns_xxx corresponds to the KEY entries below
  • ZeroSSL requires registering once with an email on the official site before it can be used: https://zerossl.com/
```bash
# Your main domain, e.g. baidu.com, sina.com.cn
export DOMAIN=your_domain

# DNS type, depending on your domain registrar: "dns_ali,dns_dp,dns_gd,dns_aws,dns_cf". See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
export DNS=dns_xxx

# Time to wait for the DNS API change to take effect (unit: seconds)
# Some registrars' APIs take longer to propagate; increase this value if needed (e.g. 900)
export DNS_SLEEP=200

# Cloudflare DNS=dns_cf
export CF_Key="cloudflare 中查看你的 key"
export CF_Email="你的 cloudflare 邮箱"

# Alibaba Cloud DNS=dns_ali
export Ali_Key="LTqIA87hOKdjevsf5"
export Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2"

# Dnspod DNS=dns_dp
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

# Godaddy DNS=dns_gd
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"

# AWS DNS=dns_aws
export AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
export AWS_SECRET_ACCESS_KEY="xxxxxxx"

# Linode DNS=dns_linode
export LINODE_API_KEY="xxxxxxxx"

# Certificate provider: zerossl (good compatibility for free domains) or letsencrypt (general purpose)
export CERT_SERVER=zerossl
#export CERT_SERVER=letsencrypt

# ZeroSSL account registration email
export ACCOUNT_EMAIL="myemail@example.com"
```

Run the acme script and update the certificate automatically:

Go to your SSH terminal and enter the following (you must be in the **/volume1/docker/acme/** directory):

```shell
chmod a+x cert-up.sh
./cert-up.sh update
```
  • Sample result:

```
root@XXXNAS:/volume1/docker/acme# ./cert-up.sh update
begin update cert
------ begin updateCrt ------
begin backupCrt
done backupCrt
skip acme installation
begin generateCrt
register zerossl account
[Sun Jun 12 02:53:56 CST 2022] Registering account: https://acme.zerossl.com/v2/DV90
[Sun Jun 12 02:54:03 CST 2022] Already registered
[Sun Jun 12 02:54:03 CST 2022] ACCOUNT_THUMBPRINT='XXXXX'
begin updating default cert by acme.sh tool
[Sun Jun 12 02:54:07 CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jun 12 02:54:08 CST 2022] Multi domain='DNS:XXX.com,DNS:*.XXX.com'
[Sun Jun 12 02:54:08 CST 2022] Getting domain auth token for each domain
[Sun Jun 12 02:54:21 CST 2022] Getting webroot for domain='xxx.com'
[Sun Jun 12 02:54:21 CST 2022] Getting webroot for domain='*.xx.com'
[Sun Jun 12 02:54:21 CST 2022] Adding txt value: v-WkgANeYYJLJSgllAqSdabJhQOCvnWa7YJFkoKl3Vg for domain:  _acme-challenge.moteta.eu.org
[Sun Jun 12 02:54:22 CST 2022] Adding record
[Sun Jun 12 02:54:23 CST 2022] Added, OK
[Sun Jun 12 02:54:23 CST 2022] The txt record is added: Success.
[Sun Jun 12 02:54:23 CST 2022] Adding txt value: vJa5CBICCVouWYreuA3mBe5ZdZCwYP7GYwsrS3BSx0E for domain:  _acme-challenge.moteta.eu.org
[Sun Jun 12 02:54:41 CST 2022] Adding record
[Sun Jun 12 02:54:42 CST 2022] Added, OK
[Sun Jun 12 02:54:42 CST 2022] The txt record is added: Success.
[Sun Jun 12 02:54:42 CST 2022] Sleep 600 seconds for the txt records to take effect
[Sun Jun 12 03:04:45 CST 2022] Verifying: xxxx.eu.org
[Sun Jun 12 03:04:51 CST 2022] The replay Nonce is not valid, let's get a new one, Sleeping 1 seconds.
[Sun Jun 12 03:04:58 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jun 12 03:05:06 CST 2022] Success
[Sun Jun 12 03:05:06 CST 2022] Verifying: *.xxx.eu.org
[Sun Jun 12 03:05:12 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jun 12 03:05:21 CST 2022] Success
[Sun Jun 12 03:05:21 CST 2022] Removing DNS records.
[Sun Jun 12 03:05:21 CST 2022] Removing txt: v-WkgANeYYJLJSgllAqSdabJhQOCvnWa7YJFkoKl3Vg for domain: _acme-challenge.xxx.eu.org
[Sun Jun 12 03:05:41 CST 2022] Removed: Success
[Sun Jun 12 03:05:41 CST 2022] Removing txt: vJa5CBICCVouWYreuA3mBe5ZdZCwYP7GYwsrS3BSx0E for domain: _acme-challenge.xxx.eu.org
[Sun Jun 12 03:05:43 CST 2022] Removed: Success
[Sun Jun 12 03:05:43 CST 2022] Verify finished, start to sign.
[Sun Jun 12 03:05:43 CST 2022] Lets finalize the order.
[Sun Jun 12 03:05:43 CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/VC_5wCKUw3Qgou88vbVAXw/finalize'
[Sun Jun 12 03:05:49 CST 2022] Order status is processing, lets sleep and retry.
[Sun Jun 12 03:05:49 CST 2022] Retry after: 15
[Sun Jun 12 03:06:06 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/VC_5wCKUw3Qgou88vbVAXw
[Sun Jun 12 03:06:28 CST 2022] Downloading cert.
[Sun Jun 12 03:06:28 CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/QuA-oqNvc0ahIQM7jhNGfQ'
[Sun Jun 12 03:06:35 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
XXXXXXXXXX
-----END CERTIFICATE-----
[Sun Jun 12 03:06:35 CST 2022] Your cert is in: /volume1/docker/acme/acme.sh/xxx.eu.org/xxx.eu.org.cer
[Sun Jun 12 03:06:35 CST 2022] Your cert key is in: /volume1/docker/acme/acme.sh/xxx.eu.org/xxx.eu.org.key
[Sun Jun 12 03:06:35 CST 2022] The intermediate CA cert is in: /volume1/docker/acme/acme.sh/xxx.eu.org/ca.cer
[Sun Jun 12 03:06:35 CST 2022] And the full chain certs is there: /volume1/docker/acme/acme.sh/xxx.eu.org/fullchain.cer
[Sun Jun 12 03:06:35 CST 2022] Installing cert to: /usr/syno/etc/certificate/_archive/GTgRGV/cert.pem
[Sun Jun 12 03:06:35 CST 2022] Installing key to: /usr/syno/etc/certificate/_archive/GTgRGV/privkey.pem
[Sun Jun 12 03:06:35 CST 2022] Installing full chain to: /usr/syno/etc/certificate/_archive/GTgRGV/fullchain.pem
done generateCrt
begin updateService
cp cert path to des
MajorVersion = 7, use system default python2
done updateService
begin reloadWebService
reloading new cert...
MajorVersion = 7
Sync W3 certificate info successfully
Generate nginx tmp config successfully
MajorVersion = 7, no need to reload apache
done reloadWebService
------ end updateCrt ------
```

Make it a scheduled task, once a month

In the Synology web UI, open Control Panel » Task Scheduler » Create » Scheduled Task - User-defined script

Configure all three tabs as in the figure, then confirm:

  • General: the account must be root
  • Schedule: once a month
  • Task Settings: copy the command below

```shell
bash /volume1/docker/acme/cert-up.sh >>/volume1/docker/acme/log_acme/log.txt 2>&1
```

(End)


B - Pure UI method:

Beginners need a graphical UI and step-by-step instructions, so this method suits them well.

  • In Shared Folder (Control Panel), create a docker folder, then create a subfolder named acme inside it.
  • The resulting structure is docker/acme

1. In File Station, enter your chosen directory, e.g. docker/acme

2. Download the script

  • Download address: https://github.com/moteta/syno-acme/releases, choose Source code (zip)
  • Unzip on your computer and upload the config and cert-up.sh files to the acme directory

3. Edit the configuration file config

Text Editor must be installed on the Synology.

  • In config, fill in whichever provider you use: DNS=dns_xxx corresponds to the KEY entries below
  • ZeroSSL requires registering once with an email on the official site before it can be used: https://zerossl.com/
```bash
# Your main domain, e.g. baidu.com, sina.com.cn
export DOMAIN=your_domain

# DNS type, depending on your domain registrar: "dns_ali,dns_dp,dns_gd,dns_aws,dns_cf". See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
export DNS=dns_xxx

# Time to wait for the DNS API change to take effect (unit: seconds)
# Some registrars' APIs take longer to propagate; increase this value if needed (e.g. 900)
export DNS_SLEEP=200

# Cloudflare DNS=dns_cf
export CF_Key="cloudflare 中查看你的 key"
export CF_Email="你的 cloudflare 邮箱"

# Alibaba Cloud DNS=dns_ali
export Ali_Key="LTqIA87hOKdjevsf5"
export Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2"

# Dnspod DNS=dns_dp
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

# Godaddy DNS=dns_gd
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"

# AWS DNS=dns_aws
export AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
export AWS_SECRET_ACCESS_KEY="xxxxxxx"

# Linode DNS=dns_linode
export LINODE_API_KEY="xxxxxxxx"

# Certificate provider: zerossl (good compatibility for free domains) or letsencrypt (general purpose)
export CERT_SERVER=zerossl
#export CERT_SERVER=letsencrypt

# ZeroSSL account registration email
export ACCOUNT_EMAIL="myemail@example.com"
```

4. Make it a scheduled task, once a month.

In the Synology web UI, open Control Panel » Task Scheduler » Create » Scheduled Task - User-defined script

Configure all three tabs as in the figure, then confirm:

  • General: the account must be root
  • Schedule: once a month
  • Task Settings: copy the command below

```shell
bash /volume1/docker/acme/cert-up.sh >>/volume1/docker/acme/log_acme/log.txt 2>&1
```

5. Run the task

6. Check whether it succeeded

In File Station, go to the docker/acme folder and check whether the certificate files are there. If they are, it succeeded.

Later on, check whether auto-renewal is happening by looking at the files' modification times.
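The config file used in both method A and method B holds live DNS API credentials and is read by a task that runs as root, so it is worth checking before the first run. The following pre-flight script is an added example, not part of syno-acme or of the original post; it assumes the config keeps the `export NAME=value` layout shown above and takes the config path as its only argument (the file name check-config.sh is my own choice).

```shell
#!/bin/sh
# Pre-flight check for the syno-acme "config" file shown above, to run before
# cert-up.sh. Added example, not part of the syno-acme project. Assumes the
# config is a list of "export NAME=value" lines and lives at the path given
# as the first argument (e.g. /volume1/docker/acme/config).

# Print the value of "export NAME=..." from the config, quotes stripped.
cfg_get() {
    sed -n "s/^export $2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"[[:space:]]*$//'
}

# Exit 0 if DOMAIN is set, DNS names a provider listed in the config, that
# provider's credentials are filled in, and the file is not readable by
# other users (it holds live DNS API keys). Prints every problem found.
check_acme_config() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    domain=$(cfg_get "$cfg" DOMAIN)
    case "$domain" in
        ""|your_domain) echo "DOMAIN is empty or still the placeholder"; rc=1 ;;
    esac
    # Credentials each dns_* provider needs, as named in the config above.
    dns=$(cfg_get "$cfg" DNS)
    case "$dns" in
        dns_cf)     need="CF_Key CF_Email" ;;
        dns_ali)    need="Ali_Key Ali_Secret" ;;
        dns_dp)     need="DP_Id DP_Key" ;;
        dns_gd)     need="GD_Key GD_Secret" ;;
        dns_aws)    need="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY" ;;
        dns_linode) need="LINODE_API_KEY" ;;
        *) echo "DNS='$dns' is not a provider listed in the config"; return 1 ;;
    esac
    for v in $need; do
        val=$(cfg_get "$cfg" "$v")
        case "$val" in
            ""|*xxx*) echo "$v is empty or still a placeholder"; rc=1 ;;
        esac
    done
    # The scheduled task runs as root, so root-only (mode 600) is enough.
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$mode" in
        *00) ;;
        *) echo "config mode is $mode; it holds API keys, run: chmod 600 $cfg"; rc=1 ;;
    esac
    return "$rc"
}
if [ "$#" -gt 0 ]; then check_acme_config "$1"; fi
```

Run it as `sh check-config.sh /volume1/docker/acme/config`; a non-zero exit means one of the printed problems should be fixed before `./cert-up.sh update`.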


Closing remarks

Thanks to the original author and the enthusiasts for their continuous improvements.

Licensed under CC BY-NC-SA 4.0
This is 墨茶's blog