Updated deployhooks (markdown)

Martin Arndt 2023-07-31 16:41:21 +02:00
parent c587e27255
commit 52ef7886e7

@ -593,33 +593,39 @@ acme.sh --deploy -d example.com --deploy-hook panos --insecure
**Note:** after a successful deploy you can remove these environment variables as they will be stored by acme.sh. If the password for the user changes you will need to set the variables again. You can also remove --insecure if you deployed a cert and configured it as management cert.
## 20. Deploy the cert into Synology DSM
## 20. Deploy the certificate to Synology DSM
```sh
# export SYNO_Scheme="http" # Can be set to HTTPS, defaults to HTTP
# export SYNO_Hostname="localhost" # Specify if not using on localhost
# export SYNO_Port="5000" # Port of DSM WebUI, defaults to 5000 for HTTP and 5001 for HTTPS
export SYNO_Username="DSM_Admin_Username"
export SYNO_Password="DSM_Admin_Password"
export SYNO_Certificate="acme.sh certificate" # Description text in Control Panel -> Security -> Certificates
export SYNO_Create=1 # defaults to off, this setting is not saved. By setting to 1 we create the certificate if it's not in DSM
acme.sh --deploy -d example.com --deploy-hook synology_dsm
```
As pointed out [inside the deploy script file](https://github.com/acmesh-official/acme.sh/blob/0da839cce35f4ab014a6d62133fac03c8f4c6979/deploy/synology_dsm.sh#L11-L21) itself, only 3 simple steps are required for renewal:
When using https to connect to "localhost" we need to add the --insecure option to the deploy command. refer to [https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params]. If you enabled HTTP/2 you still receive a curl 16 error but the script succeeds.
1. Execute `export SYNO_Username="adminUser"` where `adminUser` is any user with sufficient administrative rights, e. g. `admin`.
2. Execute `export SYNO_Password="adminPassword"` where `adminPassword` is the chosen user's password.
3. Execute `acme.sh --deploy --deploy-hook synology_dsm -d example.com` to deploy the certificate for `example.com` to your DSM.
```sh
acme.sh --deploy --insecure -d example.com --deploy-hook synology_dsm
```
Optional exports that can be set as well (shown values are the defaults):
* `export SYNO_Certificate=""` to replace a specific certificate via its description
* `export SYNO_Scheme="http"`
* `export SYNO_Hostname="localhost"`
* `export SYNO_Port="5000"`
* `export SYNO_Device_Name="CertRenewal"` - required for skipping 2FA-OTP, set via script upon first run
* `export SYNO_Device_ID=""` - required for skipping 2FA-OTP, set via script upon first run
Certificate should now show up in "Control Panel" -> "Security" -> "Certificates" and can be assigned to Services or set as the default certificate.
Additionally, when issuing a Let's Encrypt certificate instead of renewing it, `export SYNO_Create=1` must be executed _once_, too.
Any subsequent run won't need that variable, hence it's not saved within your configuration file at all.
**With OTP (2-Factor-Authentication)**
By default, Synology requires 2-factor authentication via TOTP (Time-based One Time Password) for each user upon API-based access to any recent DSM version - which basically breaks any automated deployment, if you (rightfully!) refuse to provide the TOTP secret in plaintext to some 3rd party CLI-based tool, generating the TOTP code for you.
Use your browser to sign in with the admin account you want to use. When entering the OTP code, check the "Save this device" checkbox and continue. Get the device ID from the cookie `did` (Left click on the lock to the left side of the URL -> Cookies and Copy the content of the `did` cookie). Set the environment variable to the cookie value:
```sh
export SYNO_DID=A1Bjk...
```
While legacy setups of `ACME.sh` continue to work with such a risky workaround (until Synology ultimately pulls the plug on that), new as well as security-sensitive users are expected to only use the secured API access method - which requires 1 additional step (executed only _once_) upon running the actual deploy command (see step 3 above):
* manual input of the TOTP code for the user defined via `SYNO_Username`
* optionally entering a "device name", if you don't like the default `CertRenewal` one
After that one-time manual input of the TOTP code, the deploy script request a so called `device ID` from the DSM API for the specified user.
That ID is saved to your local configuration file & used upon subsequent deployments, in turn eliminating the need for another TOTP code or, even worse, the TOTP secret as the previous script did.
Additionally, it's recommended to set `SYNO_Scheme` to `https`, `SYNO_Port` to `5001` & `SYNO_Hostname` to your actual DSM's FQDN, e. g. `nas.example.com` instead of `http` & `localhost`. That's because of increased security due to TLS-based connection instead of a plaintext one.
However, using `https` & `localhost` requires addition of the [`--insecure` command line argument](https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params) to successfully deploy the certificate to DSM. Though, enabling HTTP/2 still might give you a `curl 16 error`, although the script succeeded anyways.
Afterwards, the certificate should show up inside `Control Panel` -> `Security` -> `Certificates` & can be assigned to specific services or set as the default certificate.
## 21. Deploy the cert to OpenStack Barbican
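Review bot: The paragraph that recommends `https`, port `5001` and the DSM's FQDN "because of increased security due to TLS-based connection" is immediately followed by "using `https` & `localhost` requires addition of the `--insecure` command line argument", and `--insecure` disables TLS certificate verification, which removes most of the benefit the previous sentence claims; the hunk should state that `--insecure` is only needed because the certificate presented by DSM will not match the name `localhost` (and on a first deployment may still be the self-signed one), that it must be dropped once `SYNO_Hostname` points at the real FQDN and a valid certificate is installed, and that plain `http` to `localhost` never leaves the host in the first place. Suggested wording after "instead of a plaintext one.": "Note that `--insecure` turns off certificate verification entirely; use it only for `localhost`, and remove it once you connect to the DSM's FQDN with a valid certificate." Two smaller points in the same hunk: the new sentence "By default, Synology requires 2-factor authentication via TOTP ... for each user upon API-based access to any recent DSM version" hardens what the removed text framed as an optional case ("**With OTP (2-Factor-Authentication)**" / "sign in with the admin account you want to use"), so it should read "if 2FA/TOTP is enabled for the user named in `SYNO_Username`"; and since the text says legacy setups continue to work, the removed variable name `SYNO_DID` should be named next to the new `SYNO_Device_ID` in the optional-exports list so readers migrating an existing configuration can find it.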