Open blosters opened 3 years ago
@blosters I'm assuming you are using the DSM Hook, issues should really be reported to #2727 otherwise I and others using it don't get notified.
When the renewal runs, does it give a message at the end that says "http services were NOT restarted"? If so, the DSM did not think it needed to restart the webserver to reply your certificate. Currently we don't offer a way to force-restart the webserver, we just let Synology decide for itself.
What version of DSM are you running? What's your commit for acme.sh? Is the certificate you are deploying the default certificate?
@tresni
Run reload cmd: /usr/syno/sbin/synoservicectl --reload nginx
/usr/local/share/acme.sh//acme.sh: line 5597: /usr/syno/sbin/synoservicectl: No such file or directory
DSM 7 has changed to systemd, so the command should be
/usr/syno/bin/synosystemctl restart nginx
@blosters
If you have upgraded from DSM 6 to DSM 7, edit yourdomain.conf in /usr/local/share/acme.sh/yourdomain/
find
Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9zeW5vL3NiaW4vc3lub3NlcnZpY2VjdGwgLS1yZWxvYWQgbmdpbng=__ACME_BASE64__END_'
change to
Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9zeW5vL2Jpbi9zeW5vc3lzdGVtY3RsIHJlc3RhcnQgbmdpbng=__ACME_BASE64__END_'
You can call the --install-cert command to update the --reload-cmd "/usr/syno/bin/synosystemctl restart nginx".
You can also edit the Le_ReloadCmd without base64 encoding:
Le_ReloadCmd='/usr/syno/bin/synosystemctl restart nginx'
acme.sh can recognize the value.
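Added example, not part of the thread or of acme.sh: acme.sh runs Le_ReloadCmd at every renewal, so it helps to decode the wrapped value and read the command before and after editing it. The function names are hypothetical, a `base64` utility is assumed to be available, and the sample conf is constructed from the values quoted above.

```shell
#!/bin/sh
# Wrapper markers exactly as they appear in the conf lines quoted in this thread.
B64_START='__ACME_BASE64__START_'
B64_END='__ACME_BASE64__END_'

# Print the plain command for a stored value, whether wrapped or plain.
decode_reload_cmd() {
  val=$1
  case $val in
    "$B64_START"*"$B64_END")
      val=${val#"$B64_START"}; val=${val%"$B64_END"}
      printf '%s' "$val" | base64 -d ;;
    *) printf '%s' "$val" ;;
  esac
}

# Wrap a plain command in the same base64 envelope.
encode_reload_cmd() {
  printf '%s%s%s' "$B64_START" "$(printf '%s' "$1" | base64 | tr -d '\n')" "$B64_END"
}

# Extract the Le_ReloadCmd value from a domain conf file (last one wins).
read_reload_cmd() {
  sed -n "s/^Le_ReloadCmd='\(.*\)'\$/\1/p" "$1" | tail -n 1
}

# Rewrite Le_ReloadCmd in place; cat keeps the conf file's owner and mode.
set_reload_cmd() {
  conf=$1; new=$(encode_reload_cmd "$2")
  tmp=$(mktemp) || return 1
  if sed "s|^Le_ReloadCmd=.*\$|Le_ReloadCmd='$new'|" "$conf" > "$tmp"; then
    cat "$tmp" > "$conf"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"; return "$rc"
}

demo() {
  # Constructed sample conf; the Le_ReloadCmd value is the DSM 6 one quoted above.
  demo_conf=$(mktemp) || return 1
  printf '%s\n' "Le_Domain='example.test'" \
    "Le_ReloadCmd='${B64_START}L3Vzci9zeW5vL3NiaW4vc3lub3NlcnZpY2VjdGwgLS1yZWxvYWQgbmdpbng=${B64_END}'" > "$demo_conf"
  echo "before: $(decode_reload_cmd "$(read_reload_cmd "$demo_conf")")"
  set_reload_cmd "$demo_conf" '/usr/syno/bin/synosystemctl restart nginx'
  echo "after:  $(decode_reload_cmd "$(read_reload_cmd "$demo_conf")")"
  rm -f "$demo_conf"
}
demo
```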
@fqx the deploy hook doesn't care what init system DSM is using under the covers. We don't access that at all, it just works through the internal API that Synology is using on the DSM web interface. If you are calling synoservicectl or anything else, you are actively running acme.sh on the Synology (which is fine, I do that) and are manually modifying the certificates, not using the deployhook.
@tresni I don't know why DSM won't restart web server with new cert. However, changing Le_ReloadCmd works.
Is there a way to restart the webserver if you're running acme.sh on a separate host?
It will be restarted automatically if you are touching the default certificate. That is the same behavior that you get through the UI (it happens under-the-hood, we don’t do anything special.) I haven’t looked into trying to restart it otherwise. Is there a use case for it?
That's probably why it didn't restart as I added the Let's Encrypt certificate first and then changed it to be the default afterwards. I'm finding it restarts when I run the deployment now that it's the default certificate.
I did manage to remotely restart nginx via SSH but the synology deployment hook doesn't appear to have an option to run a post deployment command.
A potential use case could be someone running ACME.SH remotely and using multiple certificates across multiple services on the Synology. If the default certificate isn't touched during deployment, then potentially nginx won't restart?
Hi!
I've followed the tutorial on how to issue a certificate with dnsapi ovh.
Every step works fine.
But when the script deploys the certificate, it is visible on the Synology UI that the certificate is OK with correct dates, but when I'm reaching my server, it takes the old certificate.
Any step I've missed?