黑群自动更新 ssl 证书
贴上自己写的自动更新 ssl 证书脚本,以便帮助有需要的人。 ps:
- 这个脚本工作于我的 dsm6.2 ,如果是 dsm7 ,你可能需要更改下证书存放路径和服务重启方式(自己找找相关信息,思路是一样的)
- 由于运营商封 80 端口,所以不能使用 http challenge ,只能使用 dns challenge 。这个脚本使用的是 acme.sh 的 cloudflare 的 api ,如果要改成其它提供商如阿里云,请参考 acme.sh 相关文档,切换应该也很简单
#!/bin/bash
# Automatically update certs for Synology DSM6
# 1. Migrate your domain to Cloudflare, and create an A type record.
# 2. Generate a token with zone view authority and dns edit authority.
# 3. Install acme.sh on DSM6 (no crontab entry is needed): ./acme.sh --install --force -m my@example.com
# 4. Put this script into user defined task scheduler, executes per one month or two.
# 5. Make sure this script is executed once immediately by your scheduled task, or just execute it once manually.
# Modify these as your own.
# See https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials
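# Cloudflare API credentials for acme.sh's dns_cf hook. They are exported, so
# every process this script starts (acme.sh, but also nginx and the package
# start-stop-status scripts) inherits them; keep this file readable by root
# only, or load the three values from a mode-600 file instead of hard-coding
# them here.
export CF_Account_ID="xxx"
export CF_Zone_ID="xxx"
export CF_Token="xxx"
# Domain the certificate is issued for; also the name of the acme.sh cert
# directory and the prefix of the .cer/.key files inside it.
DOMAIN_RECORD='example.com'
ACME_HOME=$HOME/.acme.sh
ACME_SH=$ACME_HOME/acme.sh

if [ -z "$DOMAIN_RECORD" ]; then
  echo "DOMAIN_RECORD must be set." >&2
  exit 1
fi
if ! command -v "$ACME_SH" &>/dev/null; then
  echo "Please install acme.sh." >&2
  exit 1
fi

DOMAIN_CERT_HOME="$ACME_HOME/$DOMAIN_RECORD"

# DSM keeps the active certificate in an _archive subdirectory whose id is the
# first line of the DEFAULT file. Read it directly (read -r with the default
# IFS trims surrounding whitespace) and abort when it is missing or empty;
# otherwise the first target below would collapse to the _archive root.
DEFAULT_ARCHIVE_FILE='/usr/syno/etc/certificate/_archive/DEFAULT'
DEFAULT_CERT_ID=''
if [ -r "$DEFAULT_ARCHIVE_FILE" ]; then
  read -r DEFAULT_CERT_ID < "$DEFAULT_ARCHIVE_FILE"
fi
if [ -z "$DEFAULT_CERT_ID" ]; then
  echo "Cannot determine the default certificate id from $DEFAULT_ARCHIVE_FILE." >&2
  exit 1
fi

# Every directory DSM6 reads cert.pem/privkey.pem/fullchain.pem from.
TARGET_DIRS=(
  "/usr/syno/etc/certificate/_archive/$DEFAULT_CERT_ID"
  '/usr/syno/etc/certificate/system/default'
  '/usr/syno/etc/certificate/smbftpd/ftpd'
  '/usr/local/etc/certificate/CardDAVServer/carddav'
  '/usr/local/etc/certificate/SynologyDrive/SynologyDrive'
  '/usr/local/etc/certificate/WebDAVServer/webdav'
)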
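#######################################
# Issue a certificate for DOMAIN_RECORD if acme.sh does not know it yet,
# otherwise force a renewal.
# Globals:   ACME_SH, DOMAIN_RECORD, DOMAIN_CERT_HOME (read)
# Returns:   the exit status of the acme.sh --issue / --renew command
#######################################
issue_or_renew() {
  local domain
  local cert_issued=0
  # acme.sh --list prints one line per known certificate with the main domain
  # in the first column (the header line never matches). Compare the whole
  # string so sub.example.com is not mistaken for example.com.
  while IFS= read -r domain; do
    if [ "$domain" = "$DOMAIN_RECORD" ]; then
      cert_issued=1
      break
    fi
  done < <("$ACME_SH" --list | awk '{print $1}')

  if [ "$cert_issued" -eq 0 ]; then
    # Start from a clean directory. ${var:?} aborts the script if the variable
    # is unset or empty instead of running rm -rf on ACME_HOME or "/".
    rm -rf -- "${DOMAIN_CERT_HOME:?DOMAIN_CERT_HOME is not set}"
    # Issue certs via zerossl, or via letsencrypt you'd have to update ca-certificates on DSM6.
    # Since DSM6 does not support ecc, rsa(-k) should be specified, or system default certs will be overridden by DSM6 when reboots.
    "$ACME_SH" --issue --server zerossl --dns dns_cf -d "$DOMAIN_RECORD" -k 2048
  else
    # --force renews regardless of the remaining validity, so the scheduler
    # interval decides how often the CA is asked for a new certificate.
    "$ACME_SH" --renew --force -d "$DOMAIN_RECORD"
  fi
}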
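#######################################
# Copy the issued certificate, private key and chain into every DSM
# certificate directory. A target directory that does not exist (package not
# installed) is skipped with a warning instead of failing the whole run.
# Globals:   DOMAIN_CERT_HOME, DOMAIN_RECORD, TARGET_DIRS (read)
# Returns:   0 if every existing target was updated, 1 if a source file is
#            missing or any install failed
#######################################
copy_certs() {
  local cert="$DOMAIN_CERT_HOME/$DOMAIN_RECORD.cer"
  local key="$DOMAIN_CERT_HOME/$DOMAIN_RECORD.key"
  local chain="$DOMAIN_CERT_HOME/fullchain.cer"
  local dir src rc=0

  # Refuse to touch the targets when the issue/renew step left nothing behind.
  for src in "$cert" "$key" "$chain"; do
    if [ ! -f "$src" ]; then
      echo "Missing certificate file: $src" >&2
      return 1
    fi
  done

  echo "Copying certs...."
  for dir in "${TARGET_DIRS[@]}"; do
    if [ ! -d "$dir" ]; then
      echo "Skipping $dir: directory does not exist." >&2
      continue
    fi
    # Mode 400 keeps the copies, in particular the private key, unreadable
    # by any other local user.
    install -m 400 "$cert" "$dir/cert.pem" || rc=1
    install -m 400 "$key" "$dir/privkey.pem" || rc=1
    install -m 400 "$chain" "$dir/fullchain.pem" || rc=1
  done
  echo "Certs copy completed."
  return "$rc"
}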
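#######################################
# Run a package's start-stop-status script with the given action, skipping
# packages that are not installed (no executable script under /var/packages).
# Arguments: $1 - package name, $2 - stop | start | restart
#######################################
_pkg_ctl() {
  local script="/var/packages/$1/scripts/start-stop-status"
  if [ -x "$script" ]; then
    "$script" "$2"
  else
    echo "Skipping $1: $script not found." >&2
  fi
}

#######################################
# Reload nginx and restart the packages that read the copied certificates.
# Returns:   0 on success, 1 if nginx failed to reload
#######################################
restart_services() {
  local rc=0
  echo "Restarting services...."
  nginx -s reload || rc=1
  _pkg_ctl WebDAVServer stop
  _pkg_ctl CardDAVServer stop
  # Give the package daemons time to exit before starting them again.
  sleep 20
  _pkg_ctl WebDAVServer start
  _pkg_ctl CardDAVServer start
  _pkg_ctl SynologyDrive restart
  echo "Services restart completed."
  return "$rc"
}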
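echo '--------------------------------------'
# Stop before copying when acme.sh failed: after a failed --issue the cert
# directory has been removed, and after a failed --renew the files are the
# old ones, so copying and restarting services would gain nothing.
if ! issue_or_renew; then
  echo "acme.sh issue/renew failed; certificates were not updated." >&2
  exit 1
fi
if ! copy_certs; then
  echo "Copying certificates failed; services were not restarted." >&2
  exit 1
fi
restart_services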