Hi
I'm using the Synology automation after my LE renewal.
It's not working anymore (the deployment piece).
I see that version 3.0.7 of acme.sh changed the behaviour, and now the DeviceID (to bypass the 2FA) is created as part of the script, while the OPNsense adoption of it asks for the device ID in the configuration.
What I've found:
* Device ID is not being sent as part of the request anymore
* The new method should ask you for a token on first run and update it in the config file
* I've tried to add the device ID manually to the config at /var/etc/acme-client/home/domain.com.conf, however it fails
* I've tried to run the acme.sh command manually as user root - I get
[Sun Dec 10 12:24:18 IST 2023] The deploy hook synology_dsm is not found.
* I've tried to su - acme and run this, and I get an error that the certificate is missing,
probably because of a permission issue for that user?
$ ls -al /var/etc/acme-client/home/domain.com.conf
ls: /var/etc/acme-client/home/domain.com.conf: Permission denied
All per the documentation here:
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#20-deploy-the-certificate-to-synology-dsm
Any idea how to solve this?
Temp resolution if someone is looking for it:
Add Device name and change DID to Device_ID
root@opn:~ # cat /var/etc/acme-client/home/domain.com/domain.com.conf | grep SYNO_Device
SAVED_SYNO_Device_ID='did cookie content'
SAVED_SYNO_Device_Name='CertRenewal'
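Since the thread turns on whether the renamed keys are present, and readable, in the domain .conf, here is an added check (example code, not from this thread, acme.sh or the OPNsense acme-client plugin) that reports which of those states a given conf file is in; the key names SAVED_SYNO_DID, SAVED_SYNO_Device_ID and SAVED_SYNO_Device_Name are taken from the thread, and the sample files and values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from acme.sh or the OPNsense acme-client plugin.
# Reports the state of the SYNO_ keys in an acme-client domain .conf so the
# "old key name", "missing key" and "permission denied" cases from the thread
# can be told apart before running the deploy hook again.

# check_syno_conf <path-to-domain.conf>
# Prints exactly one of: UNREADABLE OLD_KEY MISSING_ID MISSING_NAME OK
check_syno_conf() {
  conf="$1"
  # Unreadable file: the "Permission denied" case when running as the acme user.
  if [ ! -r "$conf" ]; then
    echo UNREADABLE; return 0
  fi
  # Pre-3.0.7 key name (SYNO_DID) is what the thread says must be renamed.
  if grep -q "^SAVED_SYNO_DID=" "$conf"; then
    echo OLD_KEY; return 0
  fi
  # Both renamed keys must be present with a non-empty single-quoted value.
  if ! grep -q "^SAVED_SYNO_Device_ID='..*'" "$conf"; then
    echo MISSING_ID; return 0
  fi
  if ! grep -q "^SAVED_SYNO_Device_Name='..*'" "$conf"; then
    echo MISSING_NAME; return 0
  fi
  echo OK
}

# Constructed sample confs (placeholder values, not real cookies) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
printf "SAVED_SYNO_DID='placeholder-did'\n" > "$SAMPLE_DIR/old.conf"
printf "SAVED_SYNO_Device_ID='placeholder-did'\n" > "$SAMPLE_DIR/noname.conf"
printf "SAVED_SYNO_Device_ID='placeholder-did'\nSAVED_SYNO_Device_Name='CertRenewal'\n" \
  > "$SAMPLE_DIR/good.conf"

# absent.conf is never created, so it exercises the UNREADABLE branch.
for f in old noname good absent; do
  printf '%s: %s\n' "$f.conf" "$(check_syno_conf "$SAMPLE_DIR/$f.conf")"
done
```

Run it against the real path from the thread (for example /var/etc/acme-client/home/domain.com/domain.com.conf) as the same user the deploy runs as, because a file that is readable for root can still come back UNREADABLE for the acme user.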
Also unable to deploy certificate to a Synology with 2fa enabled.
When running
acme.sh --home /var/etc/acme-client/home --deploy --deploy-hook synology_dsm -d "*.domain.com"
I am unable to authenticate against my Synology nas.
Is there a way to run the automation settings in the CLI?
Digging further, I see that the config file isn't changed at all after modifying the device ID in the GUI.
I have 2 certificates; the domain.conf of one has a device_id and device_name, but with a wrong ID.
The other domain doesn't have the device_id and device_name set.
Any updates on this? I've tried to manually edit the config and still can't get it to work. I'm hoping a first-party update is on the way? In the meantime, is there a way to downgrade to the working version, or any other method to get my Synology SSL certs updated?
Good news! Looks like the fix is out in Acme Client 3.20! 🎉
https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr
Fixed:
* fix 2FA support in Synology automation (#3627)
I've seen that update but have no clue how to use that.
I've tried putting the initial OTP instead of password and run automation, then change back to the password, it didn't work.
Found a way, while I'm sure it's not the best way to do so.
Run this command from the CLI:
acme.sh --deploy --cert-home /var/etc/acme-client/home/ --home /var/db/acme/.acme.sh/deploy --deploy-hook synology_dsm -d <<FQDN>> --debug 2
It should prompt you for the OTP, and that's it.
Hi all! n00b question, I hope this is still relatively on topic.
How do I get the "device id" and "device name"? It is also unclear if "device" refers to the Synology or OPNsense.
If someone can point me to documentation or a tutorial, that would be very helpful. I have done a bunch of googling, however I don't think I know enough to even type the correct phrase into Google. I feel like there should be something in the Acme Automations for Synology help text to help users find this information.
Thanks!
This still isn't working for me. It's maddening. I've tried everything I can think of.
I am on Acme Plugin 4.1. I am running Synology DSM 7.2.1-69057 Update 5.
I have OTP enabled and got the Device ID (did) from the cookie in an Incognito window. I set the Device Name to 'CertRenewal' (I just made that up. Not sure if/where I am supposed to get that value or if I just set it to whatever I want.)
I even tried setting up a user WITHOUT an OTP and it still won't authenticate to Synology.
The cert is properly generated in Acme, but the only thing not working is deploying it to my Synology.
For the record, I use a custom domain and custom port for my Synology, if that matters.
Does anyone have any other things I could try? Here is what the logs say.
Screenshot: https://share.jacobgraf.com/TtTMcBmwLjVT9kqL0Fcl
I have the same problems. A user is created in the admin group in DSM, WITHOUT 2FA but also WITHOUT any authorisation (SMB/NFS etc.), but the automation causes a crash in OpnSense. Since the crash also occurs when I push a deploy to my Proxmox, it's more likely the plugin itself, right?
Does anyone have any idea how to solve this or whether it works at all and I'm just making a mistake? I also have a separate port in the DSM (not 5001).
Thanks for your tips and help ;)
Translated with DeepL.com (free version)