Table of Contents

Set Let's Encrypt certificate for NAS behind Turris

Requirements:

This article describes how to configure a device behind Turris to use Let's Encrypt certificate infrastructure. With special focus on Synology NAS.

General

Information related specificaly to Synology (ports, etc.) are detailed at the end.

Any device requesting or renewing the Let's Encrypt certificate have to have acces to its hostname via HTTP or HTTPS protocol, ports 80 and 443. How exactly the process is done depends on given device. Some of them are using port 80, some 443, some both; depends on implementation. Synology NAS requires 80 a 5000.

Because of that Turris must pass such traffic to requseted device. That requires modification of firewall rules for port-forwarding temporarly.
This greatly depends on existing setup and the steps need to be modified accordingly.

This guide expects just lighttpd to be running and potentialy using ports 80 and 443. No other services using 80 and / or 443 are expected.

How to

All things are going to happen in /root/.acme.sh to be consistent with Set Let's Encrypt certificate for web GUI

Create file addNAS.gw (vi addNAS.gw)
Ports mentioned here are for Synology NAS. Update according to your device needs.

addNAS.gw
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.10.10'
        option dest_port '80'
        option name 'NAS Lets Encrypt'
 
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5000'
        option dest_ip '192.168.10.10'
        option dest_port '5000'
        option name 'NAS Lets Encrypt 2'

Create file open_acme_NAS.sh (vi open_acme_NAS.sh)

open_acme_NAS.sh
#!/bin/bash
VER=1.1.0
 
# Backup firewall config
cp /etc/config/firewall  /etc/config/firewall.nas~
# Update firewall rules to remove any forward of port 80 and 443 on WAN (temporary ports are 60806 and 64436)
cat /etc/config/firewall.nas~ | sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(443)'(.*)$/\1\2\3\4\5'64436'\7/" > /etc/config/firewall.nas2
cat /etc/config/firewall.nas2 | sed -r "s/^(\s*)(option)(\s*)(src_dport)(\s*)'(80)'(.*)$/\1\2\3\4\5'60806'\7/" > /etc/config/firewall
rm -f /etc/config/firewall.nas2
 
# Stop lighttpd to prevent interference - optional based on conditions
/etc/init.d/lighttpd stop
 
# Update firewall rules to allow access via port 443 from internet
cat "/root/.acme.sh/addNAS.gw" >> /etc/config/firewall
/etc/init.d/firewall reload

Create file close_acme_NAS.sh (vi close_acme_NAS.sh)

close_acme_NAS.sh
#!/bin/bash
VER=1.1.0
 
# Restore firewall to original state
mv /etc/config/firewall.nas~ /etc/config/firewall
/etc/init.d/firewall reload
 
# Start back lighttpd - optional based on conditions
/etc/init.d/lighttpd start

All files an scritps are ready. As last step add this into cron with your own frequency and time.
Timeframe depends on the target device. Time must be synchronized via NTP and bellow timing must be in line with automated steps on target.

25 4 * * * "/root/.acme.sh"/open_acme_NAS.sh > /dev/null
35 4 * * * "/root/.acme.sh"/close_acme_NAS.sh > /dev/null

Synology in details

In previous steps there was mentioned port 5000. This is default HTTP port of Synology DSM system. Update it if needed.

The timing when Synology NAS is performing the Let's Encrypt operation is not straightforward.

Connect via SSH as admin
Then switch to root sudo -i -u root
Open file /usr/syno/etc/synocrond.config

Find similar section:
"builtin-syno-letsencrypt-syno-letsencrypt: autorenew":{"cmd_list":["/tmp/synocrond/builtin-syno-letsencrypt-syno-letsencrypt: autorenew","renew-all"],"cmd_str":"/usr/syno/sbin/syno-letsencrypt renew-all","config":{"assure_execute":0,"cmd":"/usr/syno/sbin/syno-letsencrypt renew-all","expire":3,"expire_action":"skip","name":"builtin-syno-letsencrypt-syno-letsencrypt: autorenew","period":"weekly","user":"root"},"expireTime":0,"lastExecution":1507629605,"schedule":{"Minute":[47],"day":[-1],"hour":[13],"month":[-1],"week":[6]}}

At the end there is the time needed - hours and minutes used in crontab of the Turris.

And last where to find the dialog to ask for Let's Encrypt certificate in Synology DSM if not known.
Before first try the port forwarding must be done manually. Then time can be searched and cron job set up