Although Synology NAS offers a built-in Let's Encrypt request feature, it cannot request a *.domain (wildcard) certificate and is limited to Synology's own domains; and if the names requested exceed 255 characters, the certificate has to be split into several separate requests, which is a real nuisance.

Use the acme.sh script to create the wildcard certificate yourself.

Log in to the Synology NAS, switch to the root account, and fetch the acme.sh script:

wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
chmod a+x acme.sh

Run the issue command:

./acme.sh --issue -d '*.yourdomain' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

You will see messages similar to the following.

Using CA: https://acme-v02.api.letsencrypt.org/directory
Creating domain key
The domain key is here: /root/.acme.sh/*.yourdomain/*.yourdomain.key
Single domain='*.yourdomain'
Getting domain auth token for each domain
Getting webroot for domain='*.yourdomain'
Add the following TXT record:
Domain: '_acme-challenge.yourdomain'
TXT value: 'IIA-4FOaqlPeUeAvkI_w3F0ctWT86lNdFPdPmLqneXo'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.yourdomain
Please add the TXT records to the domains, and re-run with --renew.
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

On your DNS server, create a TXT-type resource record: enter _acme-challenge in the name field and paste the TXT value into the data field.
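As an added example (not from the original post and not part of acme.sh), the following POSIX shell helpers pull the TXT value out of the saved --issue output and confirm that the _acme-challenge record is actually answered by the domain's authoritative name server before you run --renew; in manual DNS mode, renewing before the record is visible simply fails validation. The function names and the use of dig are my own assumptions.

```shell
#!/bin/sh
# Added helper, not part of acme.sh. Usage:
#   ./acme.sh --issue -d '*.yourdomain' --dns \
#       --yes-I-know-dns-manual-mode-enough-go-ahead-please | tee issue.log
#   (create the TXT record at your DNS provider, then:)
#   wait_for_txt yourdomain "$(extract_txt_value < issue.log)" && ./acme.sh --renew ...

# Pull the token out of the saved --issue output, which contains a line like
#   TXT value: 'IIA-4FOaqlPeUeAvkI_w3F0ctWT86lNdFPdPmLqneXo'
extract_txt_value() {
    sed -n "s/^TXT value: '\([^']*\)'.*$/\1/p" | head -n 1
}

# Return 0 if the expected token is one of the TXT strings in dig +short output.
# dig prints each TXT string quoted ("..."), so strip the quotes, then require
# an exact whole-line match (-x) so a partial or stale value does not pass.
txt_value_present() {
    expected="$1"
    dig_output="$2"
    printf '%s\n' "$dig_output" | tr -d '"' | grep -qxF -- "$expected"
}

# Poll the domain's own authoritative name server (not a caching resolver, which
# may still hold a stale or negative answer) until the token is visible.
wait_for_txt() {
    domain="$1"; expected="$2"; tries="${3:-12}"
    ns="$(dig +short NS "$domain" | head -n 1)"
    [ -n "$ns" ] || { echo "no NS record found for $domain" >&2; return 1; }
    i=0
    while [ "$i" -lt "$tries" ]; do
        answer="$(dig +short TXT "_acme-challenge.$domain" "@$ns" 2>/dev/null)"
        if txt_value_present "$expected" "$answer"; then
            echo "TXT record visible on $ns; safe to run acme.sh --renew"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record not visible after $tries checks; do not renew yet" >&2
    return 1
}
```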

Once the record is in place, run renew:

./acme.sh --renew -d '*.yourdomain' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

The output tells you where the new certificate files have been placed.

Renew: '*.yourdomain'
Using CA: https://acme-v02.api.letsencrypt.org/directory
Single domain='*.yourdomain'
Getting domain auth token for each domain
Verifying: *.yourdomain
Success
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/99459311/5714253128'
Downloading cert.
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04fde0a589b8c7fc6cafcd7da87173eae280'
Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
Your cert is in  /root/.acme.sh/*.yourdomain/*.yourdomain.cer
Your cert key is in  /root/.acme.sh/*.yourdomain/*.yourdomain.key
The intermediate CA cert is in  /root/.acme.sh/*.yourdomain/ca.cer
And the full chain certs is there:  /root/.acme.sh/*.yourdomain/fullchain.cer

Copy those certificate files off the NAS, then go back to the Synology NAS Control Panel => Security => Certificate, click Add, create a certificate, then choose Import certificate and import the certificate you downloaded.

After that, you only need to run renew once every three months to keep using this wildcard certificate.

Last modified: October 16, 2020