
Wildcard Let's Encrypt SSL Cert on Synology NAS

How to set up a wildcard cert and auto-renew on Synology NAS

Thanks to this post on I was able to set up a wildcard Let's Encrypt Cert on my Synology NAS.

The problem is that I have to renew manually every 3 months, which involves setting a new TXT record on my DNS and remembering the steps to renew.

After more research, I found a way to automate the renewal of my wildcard DNS. It does require a DNS server with API access. It turns out there are lots of options on the wiki.

It would be nice if I could use GoDaddy or NameCheap, where I have most of my domains, but this particular domain is hosted with iwantmyname. It looks like there is no support in for iwantmyname, but iwantmyname does have an API for adding a TXT record.

Luckily, has provided a solution to use my own API, so that is what I'll do!

First, let's log into the NAS via ssh and install

sudo -i
tar xvf master.tar.gz
./ --install --nocron --home /usr/local/share/ --accountemail ""

Now we'll create the script that will create our TXT record on iwantmyname. (If you use some other DNS service that is already supported, you can skip this step and replace dns_iwmn with whatever DNS service you are using.)

touch /usr/local/share/
chmod +x /usr/local/share/
vim /usr/local/share/

I added the following to this script:

#!/usr/bin/env sh

# Guide:

#Usage: dns_iwmn_add "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_iwmn_add() {
  local fulldomain=$1
  local txtvalue=$2
  _info "Using iwantmyname"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  curl -u "$IWMN_EMAIL:$IWMN_PASSWORD" "$fulldomain&type=txt&value=$txtvalue"
}

#Usage: fulldomain
#Remove the txt record after validation.
dns_iwmn_rm() {
  local fulldomain=$1
  _info "Using iwantmyname"
  _debug fulldomain "$fulldomain"
  curl -u "$IWMN_EMAIL:$IWMN_PASSWORD" "$fulldomain&type=txt&value=delete"
}
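
The hook above puts the iwantmyname password on curl's command line via -u, and without --fail an HTTP error response from the API still counts as success. A hardened variant, as an added example that is not the original post's script: it hands the credentials to curl through a config on stdin, validates both arguments, and returns non-zero when the call fails. IWMN_API_URL and the _iwmn_* helper names are assumptions; the endpoint URL is not shown in the post, so the default is a placeholder.

```shell
#!/usr/bin/env sh
# Added example, not the post's script. IWMN_API_URL is a placeholder for the
# endpoint prefix that is not shown in the post; the default below is not real.
IWMN_API_URL="${IWMN_API_URL:-https://placeholder.invalid/REPLACE-ME?REPLACE-ME=}"

# Fallback logger so the file also runs outside the ACME client.
command -v _info >/dev/null 2>&1 || _info() { printf '%s\n' "$*" >&2; }

# Accept only hostname / base64url characters, so a value can never add
# query parameters to the URL or directives to the curl config.
_iwmn_valid() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Escape backslash and double quote for a quoted curl config value.
_iwmn_escape() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Print a curl config: credentials and URL travel on stdin, not in argv.
_iwmn_curl_config() {
  _iwmn_valid "$1" && _iwmn_valid "$2" || return 1
  printf 'user = "%s:%s"\n' \
    "$(_iwmn_escape "$IWMN_EMAIL")" "$(_iwmn_escape "$IWMN_PASSWORD")"
  printf 'url = "%s%s&type=txt&value=%s"\n' "$IWMN_API_URL" "$1" "$2"
}

# --fail turns an HTTP error status into a non-zero exit code.
_iwmn_call() {
  _iwmn_cfg=$(_iwmn_curl_config "$1" "$2") || return 1
  printf '%s\n' "$_iwmn_cfg" | curl --silent --show-error --fail -K - >/dev/null
}

dns_iwmn_add() {
  _info "Using iwantmyname"
  _iwmn_call "$1" "$2" || { _info "TXT record add failed for $1"; return 1; }
}

dns_iwmn_rm() {
  _info "Using iwantmyname"
  _iwmn_call "$1" delete || { _info "TXT record removal failed for $1"; return 1; }
}
```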

Now, let's run the following command to issue the wildcard cert:

export CERT_DOMAIN="*.mydomain.tld"
export IWMN_EMAIL=""
export IWMN_PASSWORD="iwantmyname-password"
# Quote the variable so the shell cannot glob-expand the leading "*"
/usr/local/share/ --issue -d "$CERT_DOMAIN" --dns dns_iwmn \
 --certpath /usr/syno/etc/certificate/system/default/cert.pem \
 --keypath /usr/syno/etc/certificate/system/default/privkey.pem \
 --fullchainpath /usr/syno/etc/certificate/system/default/fullchain.pem \
 --capath /usr/syno/etc/certificate/system/default/chain.pem \
 --dnssleep 20 \
 --config-home "/path/to/save/acmeconfigs/"

Now add the following to /etc/crontab to keep the cert renewed:

0 10 2 * * root /usr/local/share/ --cron --home /path/to/save/acmeconfigs/


Dustin Davis

Dustin Davis is a software engineer, people manager, hacker, and entrepreneur. He loves to develop systems and automation. He lives with his wife and five kids in Utah.
