Overview
This project documents the complete procedure for issuing and automatically renewing Let’s Encrypt wildcard certificates on a Synology NAS using acme.sh with Cloudflare DNS-01 validation. No inbound ports (80 or 443) need to be exposed. The ACME challenge is fulfilled entirely through the Cloudflare DNS API, and renewed certificates are automatically deployed to DSM.
Tech Stack
- acme.sh: ACME protocol client for certificate issuance and renewal
- Cloudflare DNS API: DNS-01 challenge validation without inbound port exposure
- Let’s Encrypt: Free TLS certificate authority
- Synology DSM: Target deployment platform
- Shell (Bash): Automation scripts
Key Features
- DNS-01 challenge validation with no inbound ports required
- Wildcard certificate (*.your-domain.com) covering the apex and every first-level subdomain in one issuance
- acme.sh cron-based automatic renewal before expiry
- Automatic certificate deployment to DSM with service reload after renewal
- Cloudflare API Token scoped to the minimum required permissions (Zone:DNS:Edit on the one target zone; Zone:Zone:Read only if you let acme.sh look the zone up instead of pinning CF_Zone_ID)
Quick Start
1. Install acme.sh

```sh
curl https://get.acme.sh | sh
```

2. Configure the Cloudflare API Token

```sh
export CF_Token="your_cloudflare_api_token"
export CF_Account_ID="your_account_id"
```

If the token is scoped to Zone:DNS:Edit only, also export CF_Zone_ID with the zone ID shown on the Cloudflare dashboard; without it acme.sh resolves the zone by name, which additionally requires Zone:Zone:Read on the token. acme.sh writes these variables to its account config after the first successful issue, so they do not need to be exported again for cron renewals.

3. Issue the wildcard certificate

```sh
acme.sh --issue \
--dns dns_cf \
-d "your-domain.com" \
-d "*.your-domain.com"
```

Listing both names is deliberate: `*.your-domain.com` covers `nas.your-domain.com` but not the bare `your-domain.com`, and not second-level names such as `a.b.your-domain.com`.

4. Deploy the certificate to DSM

```sh
acme.sh --deploy \
-d "your-domain.com" \
--deploy-hook synology_dsm
```

The synology_dsm hook logs in to DSM with the SYNO_Username and SYNO_Password variables (and SYNO_Scheme, SYNO_Hostname and SYNO_Port when DSM is not reachable as http://localhost:5000); acme.sh saves them alongside the certificate so the daily cron job can redeploy after each renewal without further input.
Scope the Cloudflare API Token to the minimum required permissions: Zone:DNS:Edit on the target zone only. Do not use the Global API Key: it carries full account privileges, cannot be scoped, and acme.sh would store it in clear text in its account config on the NAS, where a compromise of the NAS would turn into a compromise of every zone in the account.
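Once the hook has run, confirm that what DSM is actually serving is the renewed wildcard certificate rather than the previous one or DSM's self-signed default. The script below is an added example written for this README, not code from the project or from acme.sh. It assumes OpenSSL 1.1.1 or newer and a POSIX sh; the variable names DSM_HOST, DSM_PORT and MIN_DAYS are invented here, and the self-test certificate it builds is a constructed stand-in for a real Let's Encrypt issuance. It goes a little beyond the Quick Start's two names by implementing one-label wildcard matching for the SAN check, so it also catches the mistake of expecting `*.your-domain.com` to cover the apex or a second-level name.

```shell
#!/bin/sh
# Post-deployment check for the certificate DSM is serving. Added example for
# this README, not part of acme.sh or the project. Assumes OpenSSL >= 1.1.1 and
# a POSIX sh; DSM_HOST, DSM_PORT and MIN_DAYS are hypothetical names chosen here.
set -eu

# Days until the PEM certificate in $1 expires (negative once it has expired).
cert_days_remaining() {
  notafter=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  # GNU date and BSD date parse the OpenSSL date format differently.
  end_epoch=$(date -u -d "$notafter" +%s 2>/dev/null ||
    date -u -j -f "%b %e %H:%M:%S %Y %Z" "$notafter" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeeds when the SAN list of $1 covers host $2, either by an exact DNS entry
# or by a wildcard that matches exactly one label (RFC 6125 semantics:
# *.example.com covers nas.example.com but neither example.com nor a.b.example.com).
cert_covers_host() {
  pem=$1; host=$2; parent=${host#*.}
  sans=$(openssl x509 -in "$pem" -noout -text |
    grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  while IFS= read -r san; do
    [ "$san" = "$host" ] && return 0
    case $san in
      \*.*) [ "${san#\*.}" = "$parent" ] && return 0 ;;
    esac
  done <<EOF
$sans
EOF
  return 1
}

# Constructed test input: a throwaway self-signed certificate with the SAN
# shape the Quick Start requests (apex + wildcard) and Let's Encrypt's 90-day
# lifetime. $1 is the output PEM path, $2 the domain.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 90 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:*.$2" >/dev/null 2>&1
}

# Fetch the leaf certificate the NAS presents on its HTTPS port (DSM listens on
# 5001 by default). Needs network access, so the self-test below does not use it.
fetch_live_cert() {
  openssl s_client -connect "$1:${2:-5001}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# Returns 0 when $1 has more than MIN_DAYS left and covers every host in the
# remaining arguments. acme.sh renews 90-day certificates at 60 days by
# default, so a healthy cert never gets near 30 days; 21 leaves cron slack.
MIN_DAYS=${MIN_DAYS:-21}
check_cert() {
  pem=$1; shift
  days=$(cert_days_remaining "$pem")
  if [ "$days" -le "$MIN_DAYS" ]; then
    echo "FAIL: certificate expires in $days days; renewal or deployment broke" >&2
    return 1
  fi
  for h in "$@"; do
    cert_covers_host "$pem" "$h" || { echo "FAIL: $h not in SAN list" >&2; return 1; }
  done
  echo "OK: covers $* with $days days left"
}

# Stand-alone run: check the live NAS when DSM_HOST is set, otherwise
# self-test against a constructed certificate.
if [ -n "${DSM_HOST:-}" ]; then
  live=$(mktemp)
  fetch_live_cert "$DSM_HOST" "${DSM_PORT:-5001}" >"$live"
  check_cert "$live" "$DSM_HOST"
else
  work=$(mktemp -d)
  make_test_cert "$work/test.pem" "your-domain.com"
  check_cert "$work/test.pem" "your-domain.com" "nas.your-domain.com"
  rm -rf "$work"
fi
```

Run it as `DSM_HOST=nas.your-domain.com sh check_cert.sh` against the NAS, or with no variables set for the built-in self-test. Pointing a second cron entry at it a few minutes after acme.sh's own gives a loud failure for the case that bites in practice: the renewal succeeded, the deploy hook did not, and the old certificate quietly runs out.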
Links