acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Synology renewing wrong certificate #3212

Open roachkv opened 3 years ago

roachkv commented 3 years ago

I originally set up acme.sh to issue and renew a certificate on my Synology, with multiple subdomains using SANs. Since that time, acme.sh has been updated to allow for wildcard domains. In addition, the wiki was updated with new instructions for installing and renewing on a Synology machine (which also appeared to install acme.sh in a different location than previously). I deleted my old certificate from DSM and proceeded to follow the new instructions for issuing and renewing a wildcard certificate. The issuing part went fine.

However, when the time came to renew, instead of my wildcard certificate renewing, the script somehow renewed the old certificate that had multiple subdomains.

No matter how many hours I spend reading and Googling, trying to understand certificates is like reading Sanskrit. How can I completely remove acme.sh from my Synology (and from any location it was previously installed), completely remove all files related to previous Let's Encrypt certificates, and start fresh?

And if this is not the forum for addressing this issue, kindly direct me to the proper location.

Neilpang commented 3 years ago

Find the --home(LE_WORKING_DIR) dir for acme.sh.

env

and:

crontab -l

roachkv commented 3 years ago

When I ssh into my Synology as an admin and do env I do not get a variable for LE_WORKING_DIR. However, when I do sudo -i then env returns:

LE_WORKING_DIR=/usr/local/share/acme.sh

My renewal script in DSM is set to run as root.

crontab is not a valid command on Synology

tresni commented 3 years ago

Hey @roachkv ,

The configuration for a domain is stored in ${LE_WORKING_DIR}/${DOMAIN_NAME}. There's a file called ${DOMAIN_NAME}.conf. So if I have example.com, and I'm requesting a cert that is both a wildcard and the root, I should see something like this:

ash-4.3# cat $LE_WORKING_DIR/example.com/example.com.conf
Le_Domain='example.com'
Le_Alt='*.example.com'

If you aren't seeing the wildcard in either Le_Domain or Le_Alt, that would explain why the renewal didn't give you a wildcard certificate. It's entirely possible that the updated configuration did not store. When that happens, I find the easiest thing to do is blow away the bad configuration and just try again (just delete the folder for the domain).

For crontab, what is the job you set up in Task Scheduler (specifically, [1] what "User" is set under the "General" tab? and [2] what are the contents of the "Run command" field under the "Task Settings" tab?) If you didn't use Task Scheduler, how are you renewing the certificate?

Hope that helps!

roachkv commented 3 years ago

Thanks for the comments @tresni ...

I'll use example.com as my domain.

I run the renew script from Task Scheduler as root. This is what I have under "Run Command":

/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/

In /usr/local/share/acme.sh/, I have 2 directories: example.com and *.example.com.

My example.com.conf shows the following (among other things):

Le_Domain='example.com'
Le_Alt='photos.example.com,pics.example.com,vids.example.com'

Le_CertCreateTimeStr='Sun Nov  1 04:07:34 UTC 2020'
Le_NextRenewTimeStr='Thu Dec 31 04:07:34 UTC 2020'

Le_RealCertPath='/usr/syno/etc/certificate/_archive/<random string>/cert.pem'
Le_RealCACertPath='/usr/syno/etc/certificate/_archive/<random string>/chain.pem'
Le_RealKeyPath='/usr/syno/etc/certificate/_archive/<random string>/privkey.pem'

Le_RealFullChainPath='/usr/syno/etc/certificate/_archive/<random string>/fullchain.pem'

In the other directory, *.example.com.conf shows:

Le_Domain='*.example.com'
Le_Alt='no'

Le_CertCreateTimeStr='Sun Nov  1 04:00:57 UTC 2020'
Le_NextRenewTimeStr='Thu Dec 31 04:00:57 UTC 2020'

Le_RealCertPath='/usr/syno/etc/certificate/_archive/<random string>/cert.pem'
Le_RealCACertPath='/usr/syno/etc/certificate/_archive/<random string>/chain.pem'
Le_RealKeyPath='/usr/syno/etc/certificate/_archive/<random string>/privkey.pem'

Le_RealFullChainPath='/usr/syno/etc/certificate/_archive/MvSa5e/fullchain.pem'

What's odd to me is that both certificates seem to be getting renewed, but for some reason the Synology seems to use just the example.com cert and not the *.example.com one.

Bottom line, are you saying that I can merely delete the example.com and *.example.com directories and rerun (or refollow) the instructions for creating a wildcard certificate on Synology?

Or could I delete the *.example.com directory, modify example.com.conf to show Le_Alt='*.example.com' and then run the cron script?

tresni commented 3 years ago

Sounds like an issue with how deploy is set up for the certificates. Yes, you could choose to do a single certificate for both example.com and *.example.com (that's how I do my certificate).

In your configuration (the *.example.com.conf file) check your Le_DeployHook setting. If there isn't one set for *.example.com, then you need to configure the deploy for that certificate (see the deployhooks wiki page). The actual output of /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ (possibly with --force to force a cert renewal/deploy) should help determine what's going on. Sanitize the domain names if you are concerned about it.
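The two checks suggested in this thread (does the per-domain .conf actually cover a wildcard in Le_Domain or Le_Alt, and does it carry a Le_DeployHook so the renewed cert gets pushed into DSM) can be scripted over the whole --home directory. The following is an added example written for this page, not code from acme.sh or from anyone in the thread. It reads the plain KEY='value' lines acme.sh writes (Le_Domain, Le_Alt, Le_DeployHook, Le_NextRenewTimeStr); the two sample confs built by make_demo_home are constructed to mirror the ones posted above, with the deploy hook deliberately absent from the wildcard cert so the report shows the failure mode tresni describes. It assumes values are stored unencoded (newer acme.sh versions base64-wrap values containing quotes, which this does not decode):

```shell
#!/bin/sh
# Added example, not acme.sh's own code. Audits an acme.sh --home directory
# (LE_WORKING_DIR) and reports, per certificate, whether it covers a wildcard
# and which deploy hook will run after renewal.
# Assumption: each <domain>/<domain>.conf holds plain KEY='value' lines.

# conf_get FILE KEY -> value of KEY='...' in FILE (empty if absent)
conf_get() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# covers_wildcard FILE -> success if Le_Domain or Le_Alt contains a "*." name
covers_wildcard() {
    case "$(conf_get "$1" Le_Domain),$(conf_get "$1" Le_Alt)" in
        *'*.'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# has_deploy_hook FILE -> success if Le_DeployHook is recorded in the conf
has_deploy_hook() {
    [ -n "$(conf_get "$1" Le_DeployHook)" ]
}

# audit_home DIR -> one line per cert:
#   "<name> wildcard=yes|no deploy=<hook|NONE> renew=<Le_NextRenewTimeStr>"
audit_home() {
    for _conf in "$1"/*/*.conf; do
        [ -f "$_conf" ] || continue
        [ -n "$(conf_get "$_conf" Le_Domain)" ] || continue   # skip non-cert confs
        if covers_wildcard "$_conf"; then _w=yes; else _w=no; fi
        _hook=$(conf_get "$_conf" Le_DeployHook)
        printf '%s wildcard=%s deploy=%s renew=%s\n' \
            "$(basename "$_conf" .conf)" "$_w" "${_hook:-NONE}" \
            "$(conf_get "$_conf" Le_NextRenewTimeStr)"
    done
}

# wildcard_without_deploy DIR -> names of wildcard certs that --cron will renew
# but never push into DSM, because no deploy hook is recorded for them
wildcard_without_deploy() {
    for _conf in "$1"/*/*.conf; do
        [ -f "$_conf" ] || continue
        if covers_wildcard "$_conf" && ! has_deploy_hook "$_conf"; then
            basename "$_conf" .conf
        fi
    done
}

# make_demo_home -> prints the path of a throwaway home dir holding two
# constructed confs modelled on the ones in this thread (hook on the SAN cert,
# none on the wildcard cert). Constructed sample data, not real output.
make_demo_home() {
    _h=$(mktemp -d)
    mkdir "$_h/example.com" "$_h/*.example.com"
    cat > "$_h/example.com/example.com.conf" <<'EOF'
Le_Domain='example.com'
Le_Alt='photos.example.com,pics.example.com,vids.example.com'
Le_NextRenewTimeStr='Thu Dec 31 04:07:34 UTC 2020'
Le_DeployHook='synology_dsm'
EOF
    cat > "$_h/*.example.com/*.example.com.conf" <<'EOF'
Le_Domain='*.example.com'
Le_Alt='no'
Le_NextRenewTimeStr='Thu Dec 31 04:00:57 UTC 2020'
EOF
    printf '%s\n' "$_h"
}

# On a real box run: audit_home "${LE_WORKING_DIR:-/usr/local/share/acme.sh}"
demo_home=$(make_demo_home)
audit_home "$demo_home"
echo "--- wildcard certs with no deploy hook:"
wildcard_without_deploy "$demo_home"
rm -rf "$demo_home"
```

Run as root (or via sudo -i, which is where LE_WORKING_DIR was visible above) so the confs under /usr/local/share/acme.sh are readable. A cert listed by wildcard_without_deploy is exactly the situation in this thread: acme.sh renews it on schedule, but with no Le_DeployHook nothing copies the new files into /usr/syno/etc/certificate, so DSM keeps serving whatever the other, hooked certificate deployed.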