Renewal of LetsEncrypt certificates on Synology after a move

After exporting all my certificates from an old NAS to a new one, I realized that they were not renewed automatically anymore. Trying to renew them manually via the DMS UI (Control Panel > Security > Certificate), a zip file with a CSR file (Certificate Signing Request) and a Key file, was downloaded. I had no idea how to proceed with these, so I investigated why the automatic renewal was not working as on the old NAS. The reason was the lack of “renew.json” file on the new NAS.

Click to Read More

Before starting, I strongly advice to export all the certificates, one by one, using the DSM UI  (Control Panel > Security > Certificate) !!!

Connected on the NAS via SSH, I tried first to renew the certificates with the command: /usr/syno/sbin/syno-letsencrypt renew-all

Looking into /var/log/messages, I noticed that syno-letsencrypt was complaining about a missing renew.json file :

syno-letsencrypt[19750]: syno-letsencrypt.cpp:489 can not find renew.json. [No such file or directory][/usr/syno/etc/certificate/_archive/XXXXXX]

NB.: To get more details, the verbose version of the renewal can be useful: /usr/syno/sbin/syno-letsencrypt renew-all -vv

On Synology, there is one folder /usr/syno/etc/certificate/_archive/XXXXXX per certificate, where XXXXXX is the ID of the certificate. It is assumed to contain these files: cert.pem, chain.pem, fullchain.pem, privkey.pem and renew.json. And indeed, there was no file renew.json, in the folder XXXXXX

So, on the old NAS, I looked for the folder AAAAAA containing the same certificate as in XXXXXX (once imported on another NAS, the certificate gets a new unique ID ). Check the file /usr/syno/etc/certificate/_archive/INFO to identify the ID of the certificate.

Once the folder AAAAAA identified, read the file renew.json which looks like this:

"account" : "/usr/syno/etc/letsencrypt/account/BBBBBB/",
"domains" : "<your domain>",
"server" : "",
"version" : 2

BBBBBB is the folder containing your letsencrypt user account, stored in the file /usr/syno/etc/letsencrypt/account/BBBBBB/info.json (Notice: there can be several accounts if you used different contact emails for your various certificates).

Look on the new NAS for the folder ZZZZZZ equivalent to BBBBBB (comparing the info.json files).

Once AAAAAA and BBBBBB determined, I did create a file /usr/syno/etc/certificate/_archive/XXXXXX/renew.json on the new NAS, containing:

"account" : "/usr/syno/etc/letsencrypt/account/ZZZZZZ/",
"domains" : "<your domain>",
"server" : "",
"version" : 2

And finally, I could run successfully the renewal: /usr/syno/sbin/syno-letsencrypt renew-all -vv

To update only one certificate (for testing purpose, it’s safer than renew-all), use the folder name XXXXX of the certificate : /usr/syno/sbin/syno-letsencrypt renew -c XXXXXX -vv

Here attached, find a script created by ChatGPT to help in generating the renew.json files (Copy and run it into /usr/syno/etc/certificate/_archive/)







Leave a Reply

Your email address will not be published. Required fields are marked *