群晖DSM7.0免费自动更新证书-命令版

前言

SSL 现在非常实用，随着完全普及没有SSL服务根本没通讯，比方苹果ios已经完全与 http 绝缘，各种同步需ssl 证书有效才能同步或通讯。SSL个人使用如果购买每年也是不小的一笔开销，还好现在有acme神奇的组织，一直在提供免费的SSL给大家使用，并且还是泛域名。不美的是只有三个月就会过期，三个月想着人工替换证书是一件很苦脑事情。github 就有热心的大神提供了解决办法（自动生成泛域名证书并同步至群晖），andyzhshg/syno-acme ，但是多年过去一直没有更新，最后次一直停留在2020年，大家需求旺盛，一直不断提出解决办法。这不现在完美版出来了。由于一直没有更新，都是以issues解决，我fork了一个版本，做了一个更新。相当于取之并还之。

我更新的版本：https://github.com/moteta/syno-acme

下载自动生成证书acme.sh脚本（二种方法）

A - 使用纯命令方式：

为什么用命令？可以实时看错误，对于免费域名会出幺蛾子的，eu.org ssl 这样证书，快速修正问题

要求：群晖已开启ssh，使用任何管理员帐号登录群晖ssh
有SSH客户端如 putty 等

设定脚本文件放在 docker/acme下

在共享文件夹(控制面板)中创建一个 docker 文件夹，然后创建一个子文件夹 acme 。
结构为 docker/acme

提权:

（输入密码当前管理员密码，不是root的）拥有root权限

1

sudo -i

进入自定义目录

如：docker/acme 随便设，但要记得位置，接下来用得到。

1

cd /volume1/docker/acme/

git下载脚本

（一定要保证此目录为空，群晖需安装git server）

1

git clone https://github.com/moteta/syno-acme.git .

demo 样试：

1
2
3
4
5
6
7
8


xxx@xxxNAS:/volume1/docker/acme$ git clone https://github.com/moteta/syno-acme.git .
Cloning into '.'...
remote: Enumerating objects: 123, done.
remote: Counting objects: 100% (43/43), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 123 (delta 36), reused 36 (delta 32), pack-reused 80
Receiving objects: 100% (123/123), 35.68 KiB | 961.00 KiB/s, done.
Resolving deltas: 100% (57/57), done.

回到群晖网页，修改 Config 文件。

群晖需安装文本编辑器

Config 用什么填什么 DNS=dns_xxx 对应下面的 KEY
ZeroSSL 需要去官网邮箱注册一次才能用 https://zerossl.com/

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39


# 你主域名，如 baidu.com sina.com.cn 等
export DOMAIN=your_domain

# DNS类型，根据域名服务商而定"dns_ali,dns_dp,dns_gd,dns_aws,dns_cf" 参考：https://github.com/acmesh-official/acme.sh/wiki/dnsapi
export DNS=dns_xxx

# DNS API 生效等待时间 值(单位：秒)
# 某些域名服务商的API生效时间较大，需要将这个值加大(比如900)
export DNS_SLEEP=200

# Cloudflare DNS=dns_cf
export CF_Key="cloudflare 中查看你的 key" 
export CF_Email="你的 cloudflare 邮箱"

# 阿里云 DNS=dns_ali
export Ali_Key="LTqIA87hOKdjevsf5"
export Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2"

# Dnspod DNS=dns_dp
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

# Godaddy DNS=dns_gd
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"

# AWS DNS=dns_aws
export AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
export AWS_SECRET_ACCESS_KEY="xxxxxxx"

# Linode DNS=dns_linode
export LINODE_API_KEY="xxxxxxxx"

# 证书服务商 zerossl（免费域名使用兼容性好） 和 letsencrypt （通用）
export CERT_SERVER=zerossl
#export CERT_SERVER=letsencrypt

# ZeroSSL 注册邮箱账户
export ACCOUNT_EMAIL="myemail@example.com"

运行acme脚本并自动更新证书：

前往SSH终端软件，输入: (一定要在 **/volume1/docker/acme/**目录下)

1
2


chmod a+x cert-up.sh 
./cert-up.sh update

结果demo:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70


root@XXXNAS:/volume1/docker/acme# ./cert-up.sh update
begin update cert
------ begin updateCrt ------
begin backupCrt
done backupCrt
skip acme installation
begin generateCrt
register zerossl account
[Sun Jun 12 02:53:56 CST 2022] Registering account: https://acme.zerossl.com/v2/DV90
[Sun Jun 12 02:54:03 CST 2022] Already registered
[Sun Jun 12 02:54:03 CST 2022] ACCOUNT_THUMBPRINT='XXXXX'
begin updating default cert by acme.sh tool
[Sun Jun 12 02:54:07 CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jun 12 02:54:08 CST 2022] Multi domain='DNS:XXX.com,DNS:*.XXX.com'
[Sun Jun 12 02:54:08 CST 2022] Getting domain auth token for each domain
[Sun Jun 12 02:54:21 CST 2022] Getting webroot for domain='xxx.com'
[Sun Jun 12 02:54:21 CST 2022] Getting webroot for domain='*.xx.com'
[Sun Jun 12 02:54:21 CST 2022] Adding txt value: v-WkgANeYYJLJSgllAqSdabJhQOCvnWa7YJFkoKl3Vg for domain:  _acme-challenge.moteta.eu.org
[Sun Jun 12 02:54:22 CST 2022] Adding record
[Sun Jun 12 02:54:23 CST 2022] Added, OK
[Sun Jun 12 02:54:23 CST 2022] The txt record is added: Success.
[Sun Jun 12 02:54:23 CST 2022] Adding txt value: vJa5CBICCVouWYreuA3mBe5ZdZCwYP7GYwsrS3BSx0E for domain:  _acme-challenge.moteta.eu.org
[Sun Jun 12 02:54:41 CST 2022] Adding record
[Sun Jun 12 02:54:42 CST 2022] Added, OK
[Sun Jun 12 02:54:42 CST 2022] The txt record is added: Success.
[Sun Jun 12 02:54:42 CST 2022] Sleep 600 seconds for the txt records to take effect
[Sun Jun 12 03:04:45 CST 2022] Verifying: xxxx.eu.org
[Sun Jun 12 03:04:51 CST 2022] The replay Nonce is not valid, let's get a new one, Sleeping 1 seconds.
[Sun Jun 12 03:04:58 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jun 12 03:05:06 CST 2022] Success
[Sun Jun 12 03:05:06 CST 2022] Verifying: *.xxx.eu.org
[Sun Jun 12 03:05:12 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jun 12 03:05:21 CST 2022] Success
[Sun Jun 12 03:05:21 CST 2022] Removing DNS records.
[Sun Jun 12 03:05:21 CST 2022] Removing txt: v-WkgANeYYJLJSgllAqSdabJhQOCvnWa7YJFkoKl3Vg for domain: _acme-challenge.xxx.eu.org
[Sun Jun 12 03:05:41 CST 2022] Removed: Success
[Sun Jun 12 03:05:41 CST 2022] Removing txt: vJa5CBICCVouWYreuA3mBe5ZdZCwYP7GYwsrS3BSx0E for domain: _acme-challenge.xxx.eu.org
[Sun Jun 12 03:05:43 CST 2022] Removed: Success
[Sun Jun 12 03:05:43 CST 2022] Verify finished, start to sign.
[Sun Jun 12 03:05:43 CST 2022] Lets finalize the order.
[Sun Jun 12 03:05:43 CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/VC_5wCKUw3Qgou88vbVAXw/finalize'
[Sun Jun 12 03:05:49 CST 2022] Order status is processing, lets sleep and retry.
[Sun Jun 12 03:05:49 CST 2022] Retry after: 15
[Sun Jun 12 03:06:06 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/VC_5wCKUw3Qgou88vbVAXw
[Sun Jun 12 03:06:28 CST 2022] Downloading cert.
[Sun Jun 12 03:06:28 CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/QuA-oqNvc0ahIQM7jhNGfQ'
[Sun Jun 12 03:06:35 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
XXXXXXXXXX
-----END CERTIFICATE-----
[Sun Jun 12 03:06:35 CST 2022] Your cert is in: /volume1/docker/acme/acme.sh/xxx.eu.org/xxx.eu.org.cer
[Sun Jun 12 03:06:35 CST 2022] Your cert key is in: /volume1/docker/acme/acme.sh/xxx.eu.org/xxx.eu.org.key
[Sun Jun 12 03:06:35 CST 2022] The intermediate CA cert is in: /volume1/docker/acme/acme.sh/xxx.eu.org/ca.cer
[Sun Jun 12 03:06:35 CST 2022] And the full chain certs is there: /volume1/docker/acme/acme.sh/xxx.eu.org/fullchain.cer
[Sun Jun 12 03:06:35 CST 2022] Installing cert to: /usr/syno/etc/certificate/_archive/GTgRGV/cert.pem
[Sun Jun 12 03:06:35 CST 2022] Installing key to: /usr/syno/etc/certificate/_archive/GTgRGV/privkey.pem
[Sun Jun 12 03:06:35 CST 2022] Installing full chain to: /usr/syno/etc/certificate/_archive/GTgRGV/fullchain.pem
done generateCrt
begin updateService
cp cert path to des
MajorVersion = 7, use system default python2
done updateService
begin reloadWebService
reloading new cert...
MajorVersion = 7
Sync W3 certificate info successfully
Generate nginx tmp config successfully
MajorVersion = 7, no need to reload apache
done reloadWebService
------ end updateCrt ------

做成定时任务一个月一次

前往群晖网页，打开控制面板 » 任务计划 » 新增 计划的任务 - 用户定义的脚本

对应下图将三个tab 都配好再确定

常规帐号要先 root
计划每月一次
任务设置下面代码copy

1

bash /volume1/docker/acme/cert-up.sh >>/volume1/docker/acme/log_acme/log.txt 2>&1

(完)

B - 纯界面方式：

对于小白用户需要UI界面操作，并且要一步一步操作。所以这个方法就不错了

在共享文件夹(控制面板)中创建一个 docker 文件夹，然后创建一个子文件夹 acme 。
结构为 docker/acme

1.Filestation进入自定目录如:docker/acme

2.下载脚本

下载地址：https://github.com/moteta/syno-acme/releases 选 source code (zip)
电脑端解压将 config 和 cert-up.sh 文件上传至 acme 目录

3.编辑配置文件 config

群晖需安装文本编辑器

Config 用什么填什么 DNS=dns_xxx 对应下面的 KEY
ZeroSSL 需要去官网邮箱注册一次才能用 https://zerossl.com/

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39


# 你主域名，如 baidu.com sina.com.cn 等
export DOMAIN=your_domain

# DNS类型，根据域名服务商而定"dns_ali,dns_dp,dns_gd,dns_aws,dns_cf" 参考：https://github.com/acmesh-official/acme.sh/wiki/dnsapi
export DNS=dns_xxx

# DNS API 生效等待时间 值(单位：秒)
# 某些域名服务商的API生效时间较大，需要将这个值加大(比如900)
export DNS_SLEEP=200

# Cloudflare DNS=dns_cf
export CF_Key="cloudflare 中查看你的 key" 
export CF_Email="你的 cloudflare 邮箱"

# 阿里云 DNS=dns_ali
export Ali_Key="LTqIA87hOKdjevsf5"
export Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2"

# Dnspod DNS=dns_dp
export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

# Godaddy DNS=dns_gd
export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdfsfsdfsdfdfsdf"

# AWS DNS=dns_aws
export AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
export AWS_SECRET_ACCESS_KEY="xxxxxxx"

# Linode DNS=dns_linode
export LINODE_API_KEY="xxxxxxxx"

# 证书服务商 zerossl（免费域名使用兼容性好） 和 letsencrypt （通用）
export CERT_SERVER=zerossl
#export CERT_SERVER=letsencrypt

# ZeroSSL 注册邮箱账户
export ACCOUNT_EMAIL="myemail@example.com"

4.做成定时任务一个月一次。

前往群晖网页，打开控制面板 » 任务计划 » 新增 计划的任务 - 用户定义的脚本

对应下图将三个tab 都配好再确定

常规帐号要先 root
计划每月一次
任务设置下面代码copy

1

bash /volume1/docker/acme/cert-up.sh >>/volume1/docker/acme/log_acme/log.txt 2>&1

5.运行任务

6.查看是否成功

Filestation 前往 docker/acme 文件夹看有没有证书文件。有就是成功。

后期看有没有自动续签。查看一下文件更新时间

结语

感谢前作者和爱好者不断的优化。