Open roachkv opened 3 years ago
Find the --home (LE_WORKING_DIR) dir for acme.sh. Then run:
env
and:
crontab -l
When I ssh into my synology as an admin and do env, I do not get a variable for LE_WORKING_DIR. However, when I do sudo -i and then env, it returns:
LE_WORKING_DIR=/usr/local/share/acme.sh
My renewal script in DSM is set to run as root.
crontab is not a valid command on Synology.
Hey @roachkv,
The configuration for a domain is stored in ${LE_WORKING_DIR}/${DOMAIN_NAME}. There's a file called ${DOMAIN_NAME}.conf.
So if I have example.com, and I'm requesting a cert that is both a wildcard and the root, I should see something like this:
ash-4.3# cat $LE_WORKING_DIR/example.com/example.com.conf
Le_Domain='example.com'
Le_Alt='*.example.com'
If you aren't seeing the wildcard in either Le_Domain or Le_Alt, that would explain why the renewal didn't give you a wildcard certificate. It's entirely possible that the updated configuration did not store. When that happens, I find the easiest thing to do is blow away the bad configuration and just try again (just delete the folder for the domain).
For crontab, what is the job you set up in Task Scheduler (specifically, [1] what "User" is set under the "General" tab? and [2] what are the contents of the "Run command" field under the "Task Settings" tab?) If you didn't use Task Scheduler, how are you renewing the certificate?
Hope that helps!
Thanks for the comments @tresni ...
I'll use example.com as my domain.
I run the renew script from Task Scheduler as root. This is what I have under "Run Command":
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
In /usr/local/share/acme.sh/, I have 2 directories: example.com and *.example.com.
My example.com.conf shows the following (among other things):
Le_Domain='example.com'
Le_Alt='photos.example.com,pics.example.com,vids.example.com'
Le_CertCreateTimeStr='Sun Nov 1 04:07:34 UTC 2020'
Le_NextRenewTimeStr='Thu Dec 31 04:07:34 UTC 2020'
Le_RealCertPath='/usr/syno/etc/certificate/_archive/<random string>/cert.pem'
Le_RealCACertPath='/usr/syno/etc/certificate/_archive/<random string>/chain.pem'
Le_RealKeyPath='/usr/syno/etc/certificate/_archive/<random string>/privkey.pem'
Le_RealFullChainPath='/usr/syno/etc/certificate/_archive/<random string>/fullchain.pem'
In the other directory, *.example.com.conf shows:
Le_Domain='*.example.com'
Le_Alt='no'
Le_CertCreateTimeStr='Sun Nov 1 04:00:57 UTC 2020'
Le_NextRenewTimeStr='Thu Dec 31 04:00:57 UTC 2020'
Le_RealCertPath='/usr/syno/etc/certificate/_archive/<random string>/cert.pem'
Le_RealCACertPath='/usr/syno/etc/certificate/_archive/<random string>/chain.pem'
Le_RealKeyPath='/usr/syno/etc/certificate/_archive/<random string>/privkey.pem'
Le_RealFullChainPath='/usr/syno/etc/certificate/_archive/MvSa5e/fullchain.pem'
What's odd to me is that both certificates seem to be getting renewed, but for some reason the Synology seems to use just the example.com cert and not the *.example.com one.
Bottom line, are you saying that I can merely delete the example.com and *.example.com directories and rerun (or refollow) the instructions for creating a wildcard certificate on Synology?
Or could I delete the *.example.com directory, modify example.com.conf to show Le_Alt='*.example.com', and then run the cron script?
Sounds like an issue with how deploy is set up for the certificates. Yes, you could choose to do a single certificate for both example.com and *.example.com (that's how I do my certificate).
In your configuration (the *.example.com.conf file) check your Le_DeployHook setting. If there isn't one set for *.example.com, then you need to configure the deploy for that certificate (see the deployhooks wiki page). The actual output of /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ (possibly with --force to force a cert renewal/deploy) should help determine what's going on. Sanitize the domain names if you are concerned about it.
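The two replies above both come down to reading a domain's .conf under the acme.sh home: does Le_Domain or Le_Alt actually name the wildcard, and is a Le_DeployHook set so renewal reinstalls the certificate in DSM? The following shell script is an added example, not code from this thread or from the acme.sh project. It parses the Le_KEY='value' lines of a conf file and runs both checks; the three sample conf files it writes to a temp directory are constructed to mirror the ones shown in the thread, and the Le_DeployHook value 'synology_dsm' in them is an assumed sample value.

```shell
#!/bin/sh
# Added example (not part of the thread or of acme.sh): inspect an acme.sh
# domain .conf for (1) whether a name such as '*.example.com' is covered by
# Le_Domain or the comma-separated Le_Alt list and (2) whether Le_DeployHook
# is set. Conf lines look like Le_Alt='a,b,c'; the surrounding quotes are stripped.

# conf_get FILE KEY -> prints the value of KEY without quotes; empty if unset
conf_get() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# conf_covers_domain FILE NAME -> exit 0 if NAME equals Le_Domain or is one of
# the Le_Alt entries, exit 1 otherwise (Le_Alt='no' means no alt names)
conf_covers_domain() {
    _file=$1
    _name=$2
    [ "$(conf_get "$_file" Le_Domain)" = "$_name" ] && return 0
    _alt=$(conf_get "$_file" Le_Alt)
    [ "$_alt" = "no" ] && return 1
    printf '%s\n' "$_alt" | tr ',' '\n' | grep -qx -F -- "$_name"
}

# conf_has_deploy_hook FILE -> exit 0 if Le_DeployHook is set and non-empty
conf_has_deploy_hook() {
    [ -n "$(conf_get "$1" Le_DeployHook)" ]
}

# check_conf FILE NAME -> prints a summary; exit 0 only if both checks pass
check_conf() {
    _rc=0
    if conf_covers_domain "$1" "$2"; then
        echo "$1: covers $2"
    else
        echo "$1: does NOT cover $2 (Le_Domain=$(conf_get "$1" Le_Domain), Le_Alt=$(conf_get "$1" Le_Alt))"
        _rc=1
    fi
    if conf_has_deploy_hook "$1"; then
        echo "$1: Le_DeployHook=$(conf_get "$1" Le_DeployHook)"
    else
        echo "$1: no Le_DeployHook set, so renewal will not reinstall the cert in DSM"
        _rc=1
    fi
    return $_rc
}

# Constructed sample confs (values made up; 'synology_dsm' is an assumed hook value).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/example.com.conf" <<'EOF'
Le_Domain='example.com'
Le_Alt='photos.example.com,pics.example.com,vids.example.com'
Le_DeployHook='synology_dsm'
EOF
cat > "$SAMPLE_DIR/wildcard.conf" <<'EOF'
Le_Domain='*.example.com'
Le_Alt='no'
EOF
cat > "$SAMPLE_DIR/combined.conf" <<'EOF'
Le_Domain='example.com'
Le_Alt='*.example.com'
Le_DeployHook='synology_dsm'
EOF

# Usage: report on each sample for the wildcard name (a failing check is not fatal here)
for f in "$SAMPLE_DIR"/*.conf; do
    check_conf "$f" '*.example.com' || :
done
```

On a real Synology you would point check_conf at $LE_WORKING_DIR/example.com/example.com.conf (as root, since that directory is only visible under sudo -i); quoting the wildcard argument matters so the shell does not expand the asterisk as a glob.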
I originally set up acme.sh to issue and renew a certificate on my Synology, with multiple subdomains using SANs. Since that time, acme.sh has been updated to allow for wildcard domains. In addition, the wiki was updated with new instructions for installing and renewing on a Synology machine (which also appeared to install acme.sh in a different location than previously). I deleted my old certificate from DSM and proceeded to follow the new instructions for issuing and renewing a wildcard certificate. The issuing part went fine.
However, when the time came to renew, instead of my wildcard certificate renewing, the script somehow renewed the old certificate that had multiple subdomains.
No matter how many hours I spend reading and Googling, trying to understand certificates is like reading Sanskrit. How can I completely remove acme.sh from my Synology (and from any location it was previously installed), completely remove all files related to previous Let's Encrypt certificates, and start fresh?
And if this is not the forum for addressing this issue, kindly direct me to the proper location.