validateSSLCerts (vSC.sh) is an automated bash script that attempts to validate and update a Lets Encrypt SSL certification generated from a Synology NAS (Let's Encrypt Authority X3 certificate). The Let's Encrypt certificate is not only being used by the Synology NAS, but is also being shared with a sameersbn/docker-gitlab container.
- Introduction
- Requirements
- Installation and Usage
- Advanced Usage: Custom Flags
- Automation Through Crontab
The idea behind this script is to seamlessly automate the process for updating the shared certificate across services with minimal downtime.
- Have already read the Let's Encrypt - Synology NAS + sameersbn/docker-gitlab gist
- A Synology device that can generate a Let's Encrypt certificate
- A Synology user with system administrator access (ex: admin)
- A Gitlab certs folder (for example: /volume1/docker/personal/gitlab/gitlab/data/certs)
- Inside the Gitlab certs folder, there needs to be 4 files:
gitlab.key
,gitlab.crt
,dhparam.pem
, and acert.pem
(see: step 9, then step 10) - RECOMMENDED: For ease of use, I highly recommend adding Synocommunity package sources to your Synology's Package Center, then installing the Nano text editor on your device. Otherwise, you can use the not-so-user-friendly vi text editor.
The following steps need to be done in order...
-
Download the latest version of vSC.sh to your Desktop by entering the following commands in a terminal window:
cd ~/Desktop && curl -O -L https://raw.githubusercontent.com/mattcarlotta/validateSSLCerts/master/vSC.sh
-
You must then change the file permissions to make it executable:
chmod +x vSC.sh
- You will then need to SFTP/SCP the vSC.sh script from your Desktop and into your Synology's Gitlab data certs folder (similar to step 10: option 1 or option 2)
-
Open a terminal and SSH into your Synology NAS (replace synology_ip_address with your Synology IP) as a system administrator:
ssh admin@synology_ip_address -- ex: ssh [email protected]
-
Now, type the following command to elevate yourself to a root user:
sudo -s
-
Next, copy the script from the Gitlab certs folder to your Let's Encrypt certifications folder, for example (to find the RANDOM_ALPHANUMERIC_STRING folder, follow step 9 ):
cp /volume1/docker/personal/gitlab/gitlab/data/certs/vSC.sh /usr/syno/etc/certificate/_archive/RANDOM_ALPHANUMERIC_STRING
-
Remove the script from your Gitlab certs folder:
rm /volume1/docker/personal/gitlab/gitlab/data/certs/vSC.sh
Why did we have to move the script into the Gitlab certs folder if we were just going to copy it to another folder, then delete it?
- Put simply, the Synology DSM restricts SCP/SFTP to directories owned by you. By transferring from the Gitlab certs folder (owned by you), we can then transfer it to the Let's Encrypt certificate folder (owned by root). Alternatively, we could have changed the ownership of the Let's Encrypt folder from root to you, but that may cause unintended consequences.
-
Next,
cd
into the Let's Encrypt certifications directory, for example:cd /usr/syno/etc/certificate/_archive/RANDOM_ALPHANUMERIC_STRING
-
Use this command to run the script:
./vSC.sh
See Advanced Usage: Custom Flags for custom configurations.
-
To test if the script worked,
cd
back into to your gitlab certs folder and check if avSC.log
file exists:cd /volume1/docker/personal/gitlab/gitlab/data/certs ls
-
You should see:
cert.cem dhparam.pem gitlab.crt gitlab.key vSC.log
-
You can view the contents of the log by running:
cat vSC.log
-
Ideally, you'll want to see something like this:
------------------------------------ SESSION STARTED ON 08/12/2018 ---------------------------------- 01:30 AM -- Attempting to validate your current Let's Encrypt certificates. 01:30 AM -- You are valid from Aug 5 15:16:14 2018 GMT through Nov 3 15:16:14 2018 GMT. 01:30 AM -- No need to update yet! Your certificates will not expire within 7 day(s). ------------------------------------------ END OF SESSION -------------------------------------------
In order to keep this script as flexible as possible, you can override default options with a flag, for example:
./vSC.sh -ls 2000 -gd /srv/docker/gitlab -led /etc/letsencrypt -ac
(This can be read as: Run the script, but change: max log size to 2000 bytes, gitlab directory to /srv/docker/gitlab, lets encrypt directory to /etc/letsencrypt, and create a new cron job with these custom options)
You can view all of the custom flag options by running this command:
./vSC.sh -h
or find them here:
SYNOPSIS:
./vSC.sh [OPTIONS]
OPTIONS:
Options below will overwrite their respective defaults (some may have side effects).
-ac, -addcron
adds a new cron job to /etc/crontab (default: runs the script every Monday at 1:30am)
side effect: any other specified custom flag options will also be appended to the cron job
-exp, -expires
check if certificate expires in specified amount of days; min: 1, max: 30 (default: 30)
-gc, -gitcertdir
Gitlab certificate directory folder (default: /volume1/docker/personal/gitlab/gitlab/data/certs)
side effect: updates vSC.log directory
-gd, -gitlabdir
Gitlab directory folder (default: /volume1/docker/personal/gitlab)
side effect: updates Gitlab certificate directory
side effect: updates vSC.log directory
-led, -letsencryptdir
Let's Encrypt directory folder (default: /usr/syno/etc/certificate/_archive)
-lef, -letsencryptfolder
Let's Encrypt certificate folder (default: automatically calculated via Let's Encrypt directory)
-ls, -logsize
maximum log file size in bytes (default: 10000000)
-h, -help
documentation
- As noted above, using some flags will update other global variables since some of them rely upon each other.
- The random alphanumeric Let's Encrypt certificate folder will automatically be located by the script (provided that the Let's Encrypt directory is correct). However, if you have multiple certificate folders, then you'll need to use the
-lef
or-letsencryptfolder
flag followed by the folder name (for example:-lef 0rOTRe
or-letsencryptfolder 0rOTRe
). - If you've already set up a cron job using this script, but decide to add or change any of the custom flag options afterward, then you'll need to add the
-ac
or-addcron
flag alongside any other specified custom flag options, so that a new cron job will be added to reflect the changes (old cron jobs will automatically be removed).
If the script works well when you manually run it, then you can automate it by using crontab.
More information on what a cron is can be found here: Crontab Manual
More information on how to configure a cron job can be found here: Simplified how to add a job to crontab
Simply add the following flag to implement a preconfigured job:
./vSC.sh -ac [OPTIONS]
Including this flag will add the following job to /etc/crontab:
#minute hour mday month wday who command
30 1 * * 1 root /usr/syno/etc/certificate/_archive/RANDOM_ALPHANUMERIC_STRING/vSC.sh
(The above will read as follows: "Every month, on every Monday within that month, at 1:30 in the morning, run the following command: path/to/script/vSC.sh as a root user"):
Edit the script:
nano /usr/syno/etc/certificate/_archive/RANDOM_ALPHANUMERIC_STRING/vSC.sh
And only update the following script variables:
gCronMin=30 # 0-59 minutes
gCronHr=1 # 0-23 hours (0 = 12:00am ... 23:59 = 11:59pm)
gCronDay=* # 1-31 days (1st ... 31st)
gCronMon=* # 1-12 month (1 = January ... 12 = December)
gCronWkday=1 # 0-7 weekday (Sunday = 0/7, Monday = 1, Tuesday = 2, ... Saturday = 6)
Please note that asterisks are wildcards, where they'll repeat the command every minute/hour/day/etc unless specified -- with the exception that gCronWkday
overwrites gCronDay
.
5-10
or blocked parameters 5, 10
or an asterisk *
, will work as expected. However, special strings utilizing the @
short syntax aren't supported in this script.
To save the script changes:
- press
ctrl + o
(this prompts to save the script) - press
y
, thenenter
(this confirms saving the script) - press
ctrl + x
(this exits out of the nano editor)
Then run the following command to create/update the cron job:
./vSC.sh -ac [OPTIONS]