Synology Support Broken with 3.0.7 - Unable to auth - Works fine with 3.0.6 #4721

Closed
war59312 opened this issue Jul 31, 2023 · 28 comments

Comments

@war59312
Contributor

war59312 commented Jul 31, 2023

Synology 2 Factor Support Broken? - Unable to auth - Worked 1 Month Ago

This worked fine a month ago. Made sure the correct SYNO_Device_ID is set, and it is; I can see it in the requested URL.


Debug log

acme.sh --deploy --insecure -d mydomain.com --deploy-hook synology_dsm --debug 2
[Mon Jul 31 09:36:40 EDT 2023] Lets find script dir.
[Mon Jul 31 09:36:40 EDT 2023] _SCRIPT_='/usr/local/share/acme.sh/acme.sh'
[Mon Jul 31 09:36:40 EDT 2023] _script='/usr/local/share/acme.sh/acme.sh'
[Mon Jul 31 09:36:40 EDT 2023] _script_home='/usr/local/share/acme.sh'
[Mon Jul 31 09:36:40 EDT 2023] Using config home:/usr/local/share/acme.sh
[Mon Jul 31 09:36:40 EDT 2023] LE_WORKING_DIR='/usr/local/share/acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.7
[Mon Jul 31 09:36:40 EDT 2023] Running cmd: deploy
[Mon Jul 31 09:36:40 EDT 2023] Using config home:/usr/local/share/acme.sh
[Mon Jul 31 09:36:40 EDT 2023] default_acme_server
[Mon Jul 31 09:36:40 EDT 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mon Jul 31 09:36:40 EDT 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Mon Jul 31 09:36:40 EDT 2023] _ACME_SERVER_PATH='v2/DV90'
[Mon Jul 31 09:36:40 EDT 2023] DOMAIN_PATH='/usr/local/share/acme.sh/mydomain.com'
[Mon Jul 31 09:36:40 EDT 2023] DOMAIN_CONF='/usr/local/share/acme.sh/mydomain.com/mydomain.com.conf'
[Mon Jul 31 09:36:40 EDT 2023] _deployApi='/usr/local/share/acme.sh/deploy/synology_dsm.sh'
[Mon Jul 31 09:36:40 EDT 2023] _cdomain='mydomain.com'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Username='Cert'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Password='[hidden](please add '--output-insecure' to see this value)'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Create
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Device_Name
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Device_ID='[hidden](please add '--output-insecure' to see this value)'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Scheme='https'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Hostname='localhost'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Port='2053'
[Mon Jul 31 09:36:40 EDT 2023] SYNO_Certificate='nas.mydomain.com'
[Mon Jul 31 09:36:40 EDT 2023] _base_url='https://localhost:2053'
[Mon Jul 31 09:36:40 EDT 2023] Getting API version
[Mon Jul 31 09:36:40 EDT 2023] GET
[Mon Jul 31 09:36:40 EDT 2023] url='https://localhost:2053/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Mon Jul 31 09:36:40 EDT 2023] timeout=
[Mon Jul 31 09:36:40 EDT 2023] _CURL='curl --silent --dump-header /usr/local/share/acme.sh/http.header  -L  --trace-ascii /tmp/tmp.qU7Axm2GR2  -g  --insecure  '
[Mon Jul 31 09:36:41 EDT 2023] ret='0'
[Mon Jul 31 09:36:41 EDT 2023] Logging into localhost:2053
[Mon Jul 31 09:36:41 EDT 2023] GET
[Mon Jul 31 09:36:41 EDT 2023] url='https://localhost:2053/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&format=sid&account=accountt&passwd=passwd&enable_syno_token=yes&device_name=&device_id=device_id'
[Mon Jul 31 09:36:41 EDT 2023] timeout=
[Mon Jul 31 09:36:41 EDT 2023] _CURL='curl --silent --dump-header /usr/local/share/acme.sh/http.header  -L  --trace-ascii /tmp/tmp.JnYY0sYGxd  -g  --insecure  '
[Mon Jul 31 09:36:41 EDT 2023] ret='0'
[Mon Jul 31 09:36:41 EDT 2023] Session ID
[Mon Jul 31 09:36:41 EDT 2023] SynoToken
[Mon Jul 31 09:36:41 EDT 2023] Unable to authenticate to https://localhost:2053 - check your username & password.
[Mon Jul 31 09:36:41 EDT 2023] If two-factor authentication is enabled for the user, set SYNO_Device_ID.
[Mon Jul 31 09:36:41 EDT 2023] Error deploy for domain:mydomain.com
[Mon Jul 31 09:36:41 EDT 2023] Deploy error.

Edit: Hell, even if I turn off 2 factor for the account I still get the same error. So for sure, something has broken. See in an email it was last successful back on July 10 with version 3.0.6. See now on version 3.0.7.

Edit 2: Confirmed, 3.0.7 breaks it. Went back to 3.0.6 and success.

@github-actions

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@war59312
Contributor Author

war59312 commented Jul 31, 2023

Confirmed, 3.0.7 breaks it. Went back to 3.0.6 and success.

Edit: Well, something else changed as well with wildcards.

As per #4621

Below will work when using a wildcard cert:

acme.sh --issue --dns dns_cf --server letsencrypt -k 2048 -d *.domain.com

Notice the -k 2048 that makes it work. No more an ECC cert.

@war59312 war59312 changed the title Synology 2 Factor Support Broken? - Unable to auth - Worked 1 Month Ago Synology Support Broken with 3.0.7 - Unable to auth - Works fine with 3.0.6 Jul 31, 2023
@Eagle3386
Contributor

Eagle3386 commented Aug 1, 2023

@war59312
First of all, your current debug log shows your admin user's password in plaintext - you should redact this immediately & change it ASAP.

Secondly, if

acme.sh --issue --dns dns_cf --server letsencrypt -k 2048 -d *.domain.com

works, but not with --ecc -k ec-256, then it's not a fault of the updated deploy hook, but with DSM and/or your general config/setup.
That's because the deploy hook doesn't even care which certificate type (ECC or old RSA) is used - it just deploys the certificate to DSM via its API.

Thirdly, there's no value for SYNO_Device_Name set, not even the default CertRenewal - that won't work.

Additionally, I suggest you clean your configuration of lines regarding deployment, i.e. those with _DID, _SECRET & _Device_ in them, & then configure deployment from scratch according to the updated wiki page.

Lastly, there's no point in using https, localhost & then inverting security by using --insecure.
In fact, there's no TLS encryption at all, because there's simply no certificate for localhost, hence no encryption is used - ever!

@Eagle3386
Contributor

Just noticed, the OP is using ZeroSSL - which seems to be broken, at least according to #4723.
That might as well cause problems which in turn caused the deploy hook to fail.

@war59312
Contributor Author

war59312 commented Aug 1, 2023

Thanks. Yeah this was just a quick example log.

Indeed, not calling to localhost, using real IP. Cleaned log. Thanks. Not real passwords anyways.

Just know the behavior of this is different between versions 3.0.6 and 3.0.7. Works as expected in version 3.0.6.

@Eagle3386
Contributor

Eagle3386 commented Aug 1, 2023

Using real IP is still not much better. Use a domain name as that's what LE certificates are issued for.

Also, why are you still on DSM 6 instead of 7?

@war59312
Contributor Author

war59312 commented Aug 1, 2023

RGR, confirmed it works either way (FQDN vs IP) with 3.0.6; thanks.

As for why DSM 6, it's an older DS1815+ that still works great. Don't fix what ain't broke.

@Eagle3386
Contributor

As for why DSM 6, it's an older DS1815+ that still works great. Don't fix what ant broke.

Nope, wrong! Each & every person has to fix what's broken or outdated if it improves security - which is the case here as there's even DSM 7.2 available for your "old" DS1815+: https://www.synology.com/de-de/releaseNote/DSM?model=DS1815%2B

Among many things, this brings an updated Nginx as well as OpenSSL which both finally support ECC-based certificates - which alone is enough to force you to upgrade. Right. Now.

At least that's my point of view & I designed the new hook for security, not laziness.

@war59312
Contributor Author

war59312 commented Aug 9, 2023

Synology has now made it easy to upgrade: 7.1 appears as an upgrade option within the web console.

I went ahead and upgraded. Looking good.

Either way, sadly support is near the end... Note 7.2 is not supported.

For the following models, DSM 7.1 will be the last upgradable version. ... DS1815+

@Eagle3386
Contributor

At least 7.1 is supported, hence you've got Nginx with OCSP as well as OpenSSL with ECC support & therefore can switch to an ECC-based certificate for improved security with less resources consumed upon each HTTPS request.

And last, but not least: the deployment script should work flawlessly for you now, too! 🥳

@war59312
Contributor Author

war59312 commented Aug 9, 2023

I'll give it a shot, thanks.

@Eagle3386
Contributor

Thanks, @war59312!
As a kind hint: Please report any issue in #2727 as that's the deployment hook's "official" bug issue. 😉

@SiuKam

SiuKam commented Sep 7, 2023

Recently got a problem when deploying to DSM 6.2.3-25426 Update 3.
In my case, the Synology web API indicates that the "auth.cgi" API should be used, as follows:

[Thu Sep  7 13:17:57 CST 2023] response='{"data":{"SYNO.API.Auth":{"maxVersion":6,"minVersion":1,"path":"auth.cgi"}},"success":true}'

While acme.sh decided to use the "entry.cgi" API, as follows:

[Thu Sep  7 13:19:24 CST 2023] url='http://***:***/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&format=sid&account=***&passwd=***&otp_code=***&enable_syno_token=yes&enable_device_token=yes&device_name=CertRenewal'

And I get an error code of 102, which according to the Synology Knowledge Center means "The requested API does not exist".
Hope to get help.
The full debug log is as follows:

acme.sh --deploy --deploy-hook synology_dsm -d xxx.xx --debug 3
[Thu Sep  7 13:17:56 CST 2023] readlink exists=0
[Thu Sep  7 13:17:56 CST 2023] dirname exists=0
[Thu Sep  7 13:17:56 CST 2023] Lets find script dir.
[Thu Sep  7 13:17:56 CST 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Thu Sep  7 13:17:56 CST 2023] _script='/root/.acme.sh/acme.sh'
[Thu Sep  7 13:17:56 CST 2023] _script_home='/root/.acme.sh'
[Thu Sep  7 13:17:56 CST 2023] Using default home:/root/.acme.sh
[Thu Sep  7 13:17:56 CST 2023] Using config home:/acme.sh
[Thu Sep  7 13:17:56 CST 2023] ACCOUNT_CONF_PATH='/acme.sh/account.conf'
[Thu Sep  7 13:17:56 CST 2023] OK
[Thu Sep  7 13:17:56 CST 2023] 1:AUTO_UPGRADE='1'
[Thu Sep  7 13:17:56 CST 2023] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.7
[Thu Sep  7 13:17:56 CST 2023] Running cmd: deploy
[Thu Sep  7 13:17:56 CST 2023] Using config home:/acme.sh
[Thu Sep  7 13:17:56 CST 2023] ACCOUNT_CONF_PATH='/acme.sh/account.conf'
[Thu Sep  7 13:17:56 CST 2023] default_acme_server
[Thu Sep  7 13:17:56 CST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Sep  7 13:17:56 CST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Thu Sep  7 13:17:56 CST 2023] _ACME_SERVER_PATH='v2/DV90'
[Thu Sep  7 13:17:56 CST 2023] CA_CONF='/acme.sh/ca/acme.zerossl.com/v2/DV90/ca.conf'
[Thu Sep  7 13:17:56 CST 2023] The domain 'xxx.xx' seems to have a ECC cert already, lets use ecc cert.
[Thu Sep  7 13:17:56 CST 2023] DOMAIN_PATH='/acme.sh/xxx.xx_ecc'
[Thu Sep  7 13:17:56 CST 2023] DOMAIN_CONF='/acme.sh/xxx.xx_ecc/xxx.xx.conf'
[Thu Sep  7 13:17:56 CST 2023] OK
[Thu Sep  7 13:17:56 CST 2023] 16:Le_DeployHook='synology_dsm,'
[Thu Sep  7 13:17:56 CST 2023] _deployApi='/root/.acme.sh/deploy/synology_dsm.sh'
[Thu Sep  7 13:17:56 CST 2023] synology_dsm_deploy exists=0
[Thu Sep  7 13:17:56 CST 2023] _cdomain='xxx.xx'
[Thu Sep  7 13:17:56 CST 2023] SYNO_Username='xxx'
[Thu Sep  7 13:17:56 CST 2023] SYNO_Password='[hidden](please add '--output-insecure' to see this value)'
[Thu Sep  7 13:17:56 CST 2023] SYNO_Create
[Thu Sep  7 13:17:56 CST 2023] SYNO_Device_Name
[Thu Sep  7 13:17:56 CST 2023] SYNO_Device_ID='[hidden](please add '--output-insecure' to see this value)'
[Thu Sep  7 13:17:56 CST 2023] OK
[Thu Sep  7 13:17:56 CST 2023] 17:SAVED_SYNO_Scheme='http'
[Thu Sep  7 13:17:56 CST 2023] OK
[Thu Sep  7 13:17:56 CST 2023] 18:SAVED_SYNO_Hostname='xxx'
[Thu Sep  7 13:17:56 CST 2023] OK
[Thu Sep  7 13:17:56 CST 2023] 19:SAVED_SYNO_Port='xxx'
[Thu Sep  7 13:17:57 CST 2023] SYNO_Scheme='http'
[Thu Sep  7 13:17:57 CST 2023] SYNO_Hostname='xxx'
[Thu Sep  7 13:17:57 CST 2023] SYNO_Port='xxx'
[Thu Sep  7 13:17:57 CST 2023] SYNO_Certificate
[Thu Sep  7 13:17:57 CST 2023] _base_url='http://xxx:xxx'
[Thu Sep  7 13:17:57 CST 2023] Getting API version
[Thu Sep  7 13:17:57 CST 2023] GET
[Thu Sep  7 13:17:57 CST 2023] url='http://xxx:xxx/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Thu Sep  7 13:17:57 CST 2023] timeout=
[Thu Sep  7 13:17:57 CST 2023] curl exists=0
[Thu Sep  7 13:17:57 CST 2023] mktemp exists=0
[Thu Sep  7 13:17:57 CST 2023] wget exists=0
[Thu Sep  7 13:17:57 CST 2023] _CURL='curl --silent --dump-header /acme.sh/http.header  -L  --trace-ascii /tmp/tmp.VBTp2ix2AP  -g '
[Thu Sep  7 13:17:57 CST 2023] ret='0'
[Thu Sep  7 13:17:57 CST 2023] response='{"data":{"SYNO.API.Auth":{"maxVersion":6,"minVersion":1,"path":"auth.cgi"}},"success":true}'
[Thu Sep  7 13:17:57 CST 2023] api_version='6'
[Thu Sep  7 13:17:57 CST 2023] Logging into xxx:xxx
[Thu Sep  7 13:17:57 CST 2023] od exists=0
[Thu Sep  7 13:17:57 CST 2023] _url_encode
[Thu Sep  7 13:17:57 CST 2023] _hex_str=' 67 61 6e'
[Thu Sep  7 13:17:57 CST 2023] od exists=0
[Thu Sep  7 13:17:57 CST 2023] _url_encode
[Thu Sep  7 13:17:57 CST 2023] _hex_str=' 73 5a 2e 58 72 50 2a 32 6e 71 47 33'
Enter OTP code for user 'gan': 555026
Enter device name or leave empty for default (CertRenewal):
[Thu Sep  7 13:19:24 CST 2023] GET
[Thu Sep  7 13:19:24 CST 2023] url='http://xxx:xxx/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&format=sid&account=xxx&passwd=xxx&otp_code=xxx&enable_syno_token=yes&enable_device_token=yes&device_name=CertRenewal'
[Thu Sep  7 13:19:24 CST 2023] timeout=
[Thu Sep  7 13:19:24 CST 2023] curl exists=0
[Thu Sep  7 13:19:24 CST 2023] mktemp exists=0
[Thu Sep  7 13:19:24 CST 2023] wget exists=0
[Thu Sep  7 13:19:24 CST 2023] _CURL='curl --silent --dump-header /acme.sh/http.header  -L  --trace-ascii /tmp/tmp.PW67fLUFdj  -g '
[Thu Sep  7 13:19:24 CST 2023] ret='0'
[Thu Sep  7 13:19:24 CST 2023] response='{"error":{"code":102},"success":false}'
[Thu Sep  7 13:19:24 CST 2023] SYNO_Device_ID='[hidden](please add '--output-insecure' to see this value)'
[Thu Sep  7 13:19:24 CST 2023] Session ID
[Thu Sep  7 13:19:24 CST 2023] SynoToken
[Thu Sep  7 13:19:24 CST 2023] Unable to authenticate to http://xxx:xxx - check your username & password.
[Thu Sep  7 13:19:24 CST 2023] If two-factor authentication is enabled for the user, set SYNO_Device_ID.
[Thu Sep  7 13:19:24 CST 2023] Error deploy for domain:xxx.xx
[Thu Sep  7 13:19:24 CST 2023] Deploy error.

@Eagle3386
Contributor

Eagle3386 commented Sep 7, 2023

Update to the latest version, which fixes this, or if it's not yet released, fix the script yourself by changing entry.cgi back to auth.cgi.

Besides, update to latest DSM, i.e. 7.x where the problem wouldn't even occur.
DSM 6.x is already legacy & heading for the dead end, so you're forced to update/upgrade soon anyway.

@war59312 Please, can you close this issue as your original issue was fixed a while ago, yet people are still abusing it for reporting already fixed bugs?

@war59312
Contributor Author

war59312 commented Sep 7, 2023

Upgrade to the latest build or use 3.0.6.

@war59312 war59312 closed this as not planned Sep 7, 2023
@nillebor

acme.sh 3.0.7 (latest) (Docker version) works without problems on the DiskStation.
I have set it up on several devices (1513+, 218+, 220+ and 720+). Please check your Synology user password for acme. This is very critical with special characters like "$". For testing, just use a simple password and report whether it works.
Other characters (*, #, &, !, %, ^, @) work fine here! I use a very strong password with 2FA and an extra user for acme.

@dark-m0de

dark-m0de commented Nov 18, 2023

@nillebor - I was trying to get the 3.0.7 running with 2FA on DSM 7.2 and I'm also having an issue.

Can you please clarify which DSM version you are using?

@dark-m0de

dark-m0de commented Nov 18, 2023

Here is some --debug 3 log (even before asking for the OTP). It seems that the script on my Synology already fails to get the API version:

[Sat Nov 18 02:15:20 UTC 2023] Getting API version
[Sat Nov 18 02:15:20 UTC 2023] GET
[Sat Nov 18 02:15:20 UTC 2023] url='https://FQDN:5001/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Sat Nov 18 02:15:20 UTC 2023] timeout=
[Sat Nov 18 02:15:20 UTC 2023] curl exists=0
[Sat Nov 18 02:15:20 UTC 2023] mktemp exists=0
[Sat Nov 18 02:15:20 UTC 2023] wget exists=0
[Sat Nov 18 02:15:20 UTC 2023] _CURL='curl --silent --dump-header /acme.sh/http.header  -L  --trace-ascii /tmp/tmp.w7g50fgTkp  -g '
[Sat Nov 18 02:15:20 UTC 2023] ret='0'
[Sat Nov 18 02:15:20 UTC 2023] response='<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-align:center}h1{color:#06C;font-size:25px;line-height:60px;margin-top:56px}img{margin-top:40px}
</style>
</head>
<body>
<img src="data:image/jpg;base64 ... >
<h1 id="a"></h1>
<hr>
<p>&copy; 2023 <a href="http://www.synology.com">Synology Inc.</a></p>
</body>
</html>'

@nillebor

I have several DiskStations in use and in maintenance.
All have the latest system installed and, depending on the type, DSM 7.1.1 or DSM 7.2.1.
The import works with and without SSL and with and without 2FA.
A separate admin account is set up on each DiskStation, with all apps and folders excluded. acme.sh is installed in Docker and even exports the certificate to an external DiskStation over the Internet.

The whole thing has been working for a long time.

Pay attention to the special characters and use a simple password for testing.

@dark-m0de

Thank you very much for the detailed response! This gave me confidence and I did another round.

Two key findings:

  • I added an extra_hosts: entry to the compose.yaml to prevent any kind of DNS resolution issues.
  • When I manually opened one of the failing curl GET requests, I realized that my Synology was showing a reverse proxy error page on port 5001. It actually worked when I switched SYNO_Port to 443.

Not sure what the difference to my other Diskstations is (except DSM 7.2). However, now it works fine.

@nillebor

I don't know your compose file. You may want to publish it. Alternatively, I always install the containers easily via SSH or the task scheduler.

I don't understand your problem. Are you trying to install the certificate on the same DiskStation that acme.sh runs on? Have you adapted the firewall for Docker? Have you set a (sub)domain for the login page? Do you use the standard ports? Do you use macvlan (I hope not), bridge or host?

@dark-m0de

dark-m0de commented Nov 18, 2023

Well, I'm actually using a macvlan for a few other services. I run the container on the very same Synology that needs the certificate. And I enabled a custom domain. (As far as I know I did the same on my previous Synology.)

Here is my config for acme - compose.yaml inside the acme project:

services:
  acme:
    container_name: acme
    image: neilpang/acme.sh:latest
    command: daemon
    volumes:
      - './acme.sh:/acme.sh'
    restart: unless-stopped
    extra_hosts:
      - "fqdn-of-my-synology:192.168.x.y"

And inside the acme.sh folder of my acme project, I have an account.conf file with this content:

AUTO_UPGRADE='1'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
CF_Token='token'
CF_Account_ID='id'
CF_Zone_ID='id'
SYNO_Username='adminuserforcert'
SYNO_Password='password'
SYNO_Hostname='fqdn-of-my-synology'
SYNO_Scheme='https'
SYNO_Port='443'
SYNO_Certificate='*.my.domain'

As said: It now works since I changed the SYNO_Port.

An improvement that I could see is to get a specific error message if the webapi call fails. Because right now the error just says "username or password incorrect". And therefore, I invested a few hours and needed to go into --debug 3 until I realized that.
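
SiuKam's log above shows the two steps the hook performs (query SYNO.API.Info for the auth path, then call login), and the paragraph above asks for a distinct error when the web API call itself fails. The script below is an added example, not acme.sh's own code: it resolves the login endpoint from the "path" field instead of hard-coding entry.cgi, and classifies the login reply so an HTML page (wrong port, reverse proxy) is reported differently from an API error such as 102. The sample replies are constructed from this thread's logs; the DSM 7 reply is an assumed value.

```shell
#!/bin/sh
# Added example (not acme.sh's own code). Discover the DSM auth endpoint from
# SYNO.API.Info and classify the login reply; sample replies are constructed.

# Constructed SYNO.API.Info reply, as logged on DSM 6.2.3 in this thread.
INFO_DSM6='{"data":{"SYNO.API.Auth":{"maxVersion":6,"minVersion":1,"path":"auth.cgi"}},"success":true}'
# Constructed reply for a DSM 7 box (assumed values; DSM 7 serves the auth API via entry.cgi).
INFO_DSM7='{"data":{"SYNO.API.Auth":{"maxVersion":7,"minVersion":1,"path":"entry.cgi"}},"success":true}'

# Extract the "path" reported for SYNO.API.Auth (auth.cgi or entry.cgi).
syno_api_path() {
  printf '%s' "$1" | sed -n 's/.*"SYNO\.API\.Auth":{[^}]*"path":"\([^"]*\)".*/\1/p'
}

# Extract maxVersion reported for SYNO.API.Auth.
syno_api_maxver() {
  printf '%s' "$1" | sed -n 's/.*"SYNO\.API\.Auth":{[^}]*"maxVersion":\([0-9]*\).*/\1/p'
}

# Build the login URL from the base URL and the SYNO.API.Info reply.
# Credentials and OTP are appended by the caller and deliberately not shown here.
syno_login_url() {
  base=$1 info=$2
  path=$(syno_api_path "$info")
  ver=$(syno_api_maxver "$info")
  [ -n "$path" ] && [ -n "$ver" ] || return 1
  printf '%s/webapi/%s?api=SYNO.API.Auth&version=%s&method=login&format=sid\n' "$base" "$path" "$ver"
}

# Map DSM error codes to text. 102 is the code seen in this thread; the other
# codes are the ones documented in Synology's Web API guide for SYNO.API.Auth.
syno_error_text() {
  case "$1" in
    102) echo "The requested API does not exist (check path: auth.cgi vs entry.cgi)" ;;
    400) echo "No such account or incorrect password" ;;
    403) echo "2-step verification code required" ;;
    404) echo "Failed to authenticate 2-step verification code" ;;
    *)   echo "Unknown DSM error code $1" ;;
  esac
}

# Classify a login reply: ok | api_error:<code> | not_json | empty | unknown.
syno_classify_login() {
  resp=$1
  case "$resp" in
    "")  echo "empty"; return 1 ;;
    \<*) echo "not_json"; return 1 ;;   # HTML instead of JSON: check SYNO_Port / reverse proxy
    *'"success":true'*) echo "ok"; return 0 ;;
  esac
  code=$(printf '%s' "$resp" | sed -n 's/.*"error":{"code":\([0-9]*\)}.*/\1/p')
  if [ -n "$code" ]; then
    echo "api_error:$code"
    return 1
  fi
  echo "unknown"
  return 1
}

# Demo over the constructed replies.
for r in "$INFO_DSM6" "$INFO_DSM7"; do
  echo "login endpoint: $(syno_login_url https://localhost:5001 "$r")"
done
for r in '{"error":{"code":102},"success":false}' '<!DOCTYPE html><html></html>' '{"data":{"sid":"x"},"success":true}'; do
  kind=$(syno_classify_login "$r") || true
  case "$kind" in
    api_error:*) echo "$kind: $(syno_error_text "${kind#api_error:}")" ;;
    *) echo "$kind" ;;
  esac
done
```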

@dark-m0de

P.S.: And just to be complete, I used the following commands to initialize everything:

sudo docker exec -it acme sh opens a shell to the container

acme.sh --set-default-ca --server letsencrypt sets the default ca to letsencrypt

acme.sh --issue --dns dns_cf -d *.my.domain to generate the cert

acme.sh --deploy --deploy-hook synology_dsm -d *.my.domain to deploy it

and finally a monthly scheduled job with docker exec acme acme.sh --renew -d *.my.domain to do the renew

@nillebor

Are you Ghost108 in German Synology Forum?
Macvlan is shit. I have acme.sh installed as in the instructions.

I have acme.sh installed in host mode and do not need to enter a local address. By default, an attempt is made to connect to "localhost". But this only works in host mode and is a feature of Docker.

If you are using a DNS_Server like Adguard, Pi-Hole or Synology, you just have to set up a rewrite. You don't have to create an extra host. If the DiskStation issues the certificate itself, i.e. internally, it also works via port 5001. Oh, you have either specified a reverse proxy entry or the domain under the login data.

Even if things are going well for you now, I see potential for improvement.

You can simply and conveniently place the entries in the shell directly in the container via the Container Manager or Docker (old App).

If it works for you, it's good.

@dark-m0de

dark-m0de commented Nov 18, 2023

No, I don't know any Ghost108.

You are right. I use the reverse proxy feature as well, because I run some services (like influxdb, grafana and some IoT stuff) on an internal network and expose their UI via SSL secured reverse proxy.

For the sake of repeatability, I like to work with docker compose (even in the old Docker app). However, thanks for the hint with the daemon. I'll have a look into that.

EDIT: And yes, I also run a Pi-hole instance.

@nillebor

Forget about the daemon; that's the same for me.
Just enter network: host and delete the address. Then your own device ("localhost") will be used automatically.

My task (task scheduler/SSH) looks like this:

docker run -d --name acme.sh \
-v /volume1/docker/acme.sh:/acme.sh \
--net=host \
--restart always \
neilpang/acme.sh:latest daemon

In the compose file you can add this:
network_mode: host

services:
  acme:
    container_name: acme
    image: neilpang/acme.sh:latest
    command: daemon
    network_mode: host
    volumes:
      - './acme.sh:/acme.sh'
    restart: unless-stopped

or (with static folder)

services:
  acme:
    container_name: acme
    image: neilpang/acme.sh:latest
    command: daemon
    network_mode: host
    volumes:
      - '/volume1/docker/acme.sh:/acme.sh'
    restart: unless-stopped

@nillebor

nillebor commented Nov 18, 2023

account.conf:

CF_Token='token'
CF_Account_ID='id'
CF_Zone_ID='id'
SYNO_Username='adminuserforcert'
SYNO_Password='password'
SYNO_Hostname='fqdn-of-my-synology' # optional, delete for "localhost"
SYNO_Scheme='https' # optional, not really required for importing into the same device
SYNO_Port='5001' # optional, only when changing Scheme or Port
SYNO_Certificate='*.my.domain' # optional, delete for empty to replace the Synology default certificate, or when there is more than one certificate!

So this is enough for the minimum (same device, host mode):

CF_Token='token'
CF_Account_ID='id'
CF_Zone_ID='id'
SYNO_Username='adminuserforcert'
SYNO_Password='password'

For all values that are not set, the preset values are used: https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm

Edit: Please use an extra admin user and revoke the rights for apps and folders. The import works anyway.

@dark-m0de

Simplified the config as proposed and it works. Thank you @nillebor!
