pre-update

Scruel Tao 2024-02-28 16:09:45 +08:00
parent 73163fe584
commit 226bd8c713

@ -595,33 +595,50 @@ acme.sh --deploy -d example.com --deploy-hook panos --insecure
## 20. Deploy the certificate to Synology DSM
As pointed out [inside the deploy script file](https://github.com/acmesh-official/acme.sh/blob/59d1e16f9cb33ebeac1624f131a39c7088514204/deploy/synology_dsm.sh#L11-L34) itself, only 3 simple steps are required for deploy:
As pointed out [inside the deploy script file](https://github.com/acmesh-official/acme.sh/blob/ff090d2f74f994da4bca89b942b08bb714b25a46/deploy/synology_dsm.sh#L11-L38) itself, only 3 simple steps are required for deploy:
1. Set the required environment variables which used for authentication while deploying:
- (Recommend) Use an automatically created temp admin user by executing `export SYNO_UseTempAdmin=1`.
- (Recommend) Use an automatically created temp admin user by executing `export SYNO_USE_TEMP_ADMIN=1`.
In this way, you won't need to provide any admin credentials, and it will be automatically deleted after the script is executed. It depends on DSM built-in utils, so you won't able to use this way in docker.
In this way, you won't need to provide any admin credentials, it depends on Synology built-in utils to achieve such convenience, as it is designed to only support locally deployment, it can't be used to deploy in docker or deoply remotely. To prevent confusion, the value of `SYNO_HOSTNAME` must targets current local machine (can be `localhost` or `127.0.0.1`), however if your custom `SYNO_HOSTNAME` does indeed target to the current local machine, you should also execute `export SYNO_LOCAL_HOSTNAME=1` before deploying.
After deployed done, the temp admin user should be automatically deleted after execution, if the script unexpectedly stopped while running (e.g., aborted by pressing "Ctrl+C"), it may remain if it has already been created, in this case, you can safely delete it via Control panel.
If you want to back to deploy with existing admin user, you need to execute `export CLEAR_SYNO_USE_TEMP_ADMIN=1`.
Notice: the temp admin user should be automatically deleted after execution, if the script unexpectedly stopped while running (e.g., abort by pressing "Ctrl+C"), it may remain if it has already been created, in this case, you can safely delete it via Control panel.
- Use your existing admin user by provide its credential (username, password, OTP):
1. Execute `export SYNO_Username="adminUser"` where `adminUser` is any user with sufficient administrative rights, e. g. `admin`.
2. Execute `export SYNO_Password="adminPassword"` where `adminPassword` is the chosen user's password.
2. Set optional environment variables, if you won't need to change the defaults, then just skip this step, all optional exports are as the following (shown values are the defaults):
1. Execute `export SYNO_USERNAME="adminUser"` where `adminUser` is any user with sufficient administrative rights, e. g. `admin`.
2. Execute `export SYNO_PASSWORD="adminPassword"` where `adminPassword` is the chosen user's password.
2. Set optional environment variables, if you won't need to change the defaults, then just skip this step, all optional exports are as the following (shown values are the examples):
- common optional variables
- `export SYNO_Certificate=""` - to replace a specific certificate via description
- `export SYNO_Scheme="http"`
- `export SYNO_Hostname="localhost"`
- `export SYNO_Port="5000"`
- `export SYNO_Create=1` - to allow creating the certificate if it doesn't exist
- own admin user 2FA-OTP optional variables
- `export SYNO_DeviceName=""` - required for 2FA-OTP, script won't require interactive input the device name if set.
- `export SYNO_OTPCode=""` - required for 2FA-OTP, script won't require interactive input the code if set.
- `export SYNO_DeviceID=""` - required for omitting 2FA-OTP (might be deprecated, auth with OTP code instead)
```
- export SYNO_SCHEME="http" - defaults to "http"
- export SYNO_HOSTNAME="localhost" - defaults to "localhost"
- export SYNO_PORT="5000" - defaults to "5000"
- export SYNO_CREATE=1 - to allow creating the cert if it doesn't exist
- export SYNO_CERTIFICATE="" - to replace a specific cert by its description
```
- temp admin 2FA-OTP optional variables
```
- export SYNO_LOCAL_HOSTNAME=1 - if set to 1, force to treat hostname is
targeting current local machine (since
this method only locally supported)
```
- existing admin 2FA-OTP optional variables
```
- export SYNO_OTP_CODE="XXXXXX" - if set, script won't require to
interactive input the OTP code
- export SYNO_DEVICE_NAME="CertRenewal" - if set, script won't require to
interactive input the device name
- export SYNO_DEVICE_ID="" - (deprecated, auth with OTP code instead)
required for omitting 2FA-OTP
```
3. Execute the command `acme.sh --deploy --deploy-hook synology_dsm -d example.com` to deploy the certificate for `example.com` to your DSM.
### About the authentication
> If you installed `acme.sh` in DSM rather than docker, and executed `export SYNO_UseTempAdmin=1`, feel free to skip this section, because we won't need your own credential at all. BTW, if your DSM lost the required built-in tools to create temp admin user, the script will let you know, so you can back here to learn more.
> If you installed `acme.sh` in DSM rather than docker, and executed `export SYNO_USE_TEMP_ADMIN=1`, feel free to skip this section, because we won't need your own credential at all. BTW, if your DSM lost the required built-in tools to create temp admin user, the script will let you know, so you can back here to learn more.
>
> We highly recommand you to choose the temp user method if avaiable, so you won't need to provide any of your own DSM credential, and the script won't need to store relaetd credential (in plaintext) on your disk.
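Review bot: the rewritten `SYNO_USE_TEMP_ADMIN` explanation ("In this way, you won't need to provide any admin credentials, it depends on Synology built-in utils ...") has typos and grammar that obscure the one constraint a user must get right ("only support locally deployment", "deoply remotely", "must targets"); suggest splitting it: "It relies on DSM built-in utilities and supports local deployment only, so it cannot be used from docker or to deploy to a remote DSM. `SYNO_HOSTNAME` must point at the local machine (`localhost` or `127.0.0.1`); if a custom `SYNO_HOSTNAME` does resolve to the local machine, also run `export SYNO_LOCAL_HOSTNAME=1` before deploying." Related: `SYNO_LOCAL_HOSTNAME` is listed under "temp admin 2FA-OTP optional variables" but has nothing to do with 2FA/OTP; name that group "temp admin optional variables". The step 2 intro now says "(shown values are the examples)" while the block below still annotates each entry with "defaults to ..."; pick one. In the quoted recommendation, fix "recommand", "avaiable", "relaetd": that paragraph carries the main reason to prefer the temp-admin path (no DSM credentials of your own stored in plaintext on disk), so it deserves clean wording.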
@ -632,17 +649,17 @@ In recent DSM versions, Synology requires 2-factor authentication enabled for ad
- require the user to provide their TOTP **SECRET**, it will be provided to the third party CLI tool every time we execute the script, and will be saved (in plaintext) on user's disk.
The **new** setup method won't require generating TOTP each time - TOTP can be omitted by utilizing so-called parameter "device ID".
In the early version of the deployment script, the users need to get it like a pro - its a cookie value leisurely stored in their browser, usually via devtools, then execute `export SYNO_DeviceID="<device_id>"`.
In the early version of the deployment script, the users need to get it like a pro - its a cookie value leisurely stored in their browser, usually via devtools, then execute `export SYNO_DEVICE_ID="<device_id>"`.
After a few updates, we simplified the process, so we can now act as the same as we are on web UI while deploying - script will require you to input the TOTP code for the admin user (defined by `SYNO_Username`) only once, and will require you to input the device name for verifaction (`CertRenewal` by default), then obtain to store the "device ID" info (still in plaintext) to your local configuration file, which can be used upon subsequent deployments.
After a few updates, we simplified the process, so we can now act as the same as we are on web UI while deploying - script will require you to input the TOTP code for the admin user (defined by `SYNO_USERNAME`) only once, and will require you to input the device name for verifaction (`CertRenewal` by default), then obtain to store the "device ID" info (still in plaintext) to your local configuration file, which can be used upon subsequent deployments.
If you don't want to interactive input the info, you can just excute `export SYNO_OTPCode="XXXXXX"` and `export SYNO_DeviceName="CertRenewal"` for the above steps.
If you don't want to interactive input the info, you can just excute `export SYNO_OTP_CODE="XXXXXX"` and `export SYNO_DEVICE_NAME="CertRenewal"` for the above steps.
### Additional optional parameters
It's recommended to set `SYNO_Scheme` to `https`, `SYNO_Port` to `5001` and `SYNO_Hostname` to your actual DSM's domain (e.g., `nas.example.com`) instead of the defaults. Which increased security by TLS-based connection.
It's recommended to set `SYNO_SCHEME` to `https`, `SYNO_PORT` to `5001` and `SYNO_HOSTNAME` to your actual DSM's domain (e.g., `nas.example.com`) instead of the defaults. Which increased security by TLS-based connection.
However, using `https` & `localhost` requires addition of the [`--insecure` command line argument](https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params) to successfully deploy the certificate to DSM:
However, using `https` & `localhost` may require addition of the [`--insecure` command line argument](https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params) to successfully deploy the certificate to DSM:
```sh
acme.sh --deploy --insecure --deploy-hook synology_dsm -d example.com
```
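Review bot: softening "requires" to "may require" for `--insecure` leaves the reader without the condition; state when it is needed (the DSM certificate will not match `localhost`, so verification fails) and that `--insecure` skips TLS certificate verification, so it should be limited to the `localhost` case rather than added by habit. The preceding recommendation ends in a fragment ("Which increased security by TLS-based connection."); suggest "This protects the deployment traffic with TLS." The renamed lines also keep earlier typos worth fixing while touching them: "verifaction", "obtain to store", "excute", "interactive input the info" (should be "enter the info interactively").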
@ -650,12 +667,11 @@ acme.sh --deploy --insecure --deploy-hook synology_dsm -d example.com
Though, enabling HTTP/2 still might give you a `curl 16 error` warning, although the script succeeded anyways.
When issuing a certificate (e.g., Let's Encrypt) for the first time instead of renewing it, `export SYNO_Create=1` will be executed once by default.
When issuing a certificate (e.g., Let's Encrypt) for the first time instead of renewing it, `export SYNO_CREATE=1` must be executed once.
Any subsequent run won't need that variable, hence it's not saved within your configuration file at all.
`SYNO_Certificate` is set as empty string by default, so the script will replace "default synology certificate" by your domain certificate, it should be all fine. however if you don't want to do so, you can always change it's value to anything you want to describe the certificate.
`SYNO_CERTIFICATE` is set as empty string by default, so the script will replace "default synology certificate" by your domain certificate, it should be all fine. however if you don't want to do so, you can always change it's value to anything you want to describe the certificate.
The deployed certificate should show up inside `Control Panel` -> `Security` -> `Certificates`, it can be assigned to specific services (or set as the default certificate).
## 21. Deploy the cert to OpenStack Barbican
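Review bot: changing "`export SYNO_CREATE=1` will be executed once by default" to "must be executed once" is a behaviour statement, not a wording fix, and the hunk does not say what happens when it is omitted on a first issue; add one sentence on the failure mode (e.g. the deploy fails because no certificate with that description exists) so users understand why the step is mandatory. The next sentence ("hence it's not saved within your configuration file at all") should then read as a consequence of it being a one-time flag. In the `SYNO_CERTIFICATE` line, "it's value" should be "its value", and "it should be all fine. however" needs a capital "However".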