If you already have Caddy running inside Container Manager (Docker) on your Synology DSM, you can use the TLS key and certificate from Caddy and deploy it to Synology DSM.
That will allow you to
- avoid exposing your Synology DSM directly to the Internet just so you can get a Let’s Encrypt certificate via Synology’s HTTP-01 challenge.
- use your own domain for a wildcard certificate, rather than having to use Synology DDNS domain.
To achieve that, you can use Synology Certificate Deployer (synology-cert-deploy.sh), which will help you take the existing Caddy certificate and deploy it to Synology DSM.
In my case, I'm using Caddy Web Server with the ACME-DNS provider, but you can easily adjust the script to any provider of your preference. The script requires two settings:

```sh
new_key="/path/to/your/privkey.pem"
new_fullchain="/path/to/your/fullchain.pem"
```
Assuming you have the following Caddy configuration:

docker-compose.yml:

```yaml
services:
  caddy:
    image: timelordx/caddy-dns-acmedns:latest
    container_name: caddy
    environment:
      - PUID=YOUR_UID
      - PGID=YOUR_GID
      - TZ=YOUR_TZ
    volumes:
      - /volume1/docker/caddy/etc/caddy:/etc/caddy:ro
      - /volume1/docker/caddy/config:/config
      - /volume1/docker/caddy/data:/data
      - /volume1/docker/caddy/logs:/logs
    network_mode: host
    restart: unless-stopped
```
Caddyfile:

```
example.com, *.example.com {
    tls {
        ...
    }
    ...
}
```
you can proceed to configure the synology-cert-deploy.sh script:

SCRIPT CONFIG:

```sh
new_key='/volume1/docker/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.example.com/wildcard_.example.com.key'
new_fullchain='/volume1/docker/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.example.com/wildcard_.example.com.crt'
```

With the above configuration, the script will deploy the wildcard TLS certificate for *.example.com from your Caddy server to your Synology DSM.
Ensure you run the script with root privileges (using sudo) to avoid any permission issues during the certificate deployment process. For automated execution, consider setting up the script as a Scheduled Task in Task Scheduler to run as root once a week.
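Before the scheduled task hands the files to synology-cert-deploy.sh, it is worth checking that the two paths really hold a matching key and leaf certificate, that the certificate covers the wildcard name, and that Caddy has actually renewed it. The check below is an added example, not part of the deployer; it assumes openssl is available on the DSM host and reuses the paths from the SCRIPT CONFIG above.

```shell
#!/bin/sh
# Pre-deployment check for the key/fullchain pair that synology-cert-deploy.sh
# reads. Added example, not part of the deployer; assumes openssl is in PATH.
new_key='/volume1/docker/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.example.com/wildcard_.example.com.key'
new_fullchain='/volume1/docker/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.example.com/wildcard_.example.com.crt'

# check_cert_pair KEY FULLCHAIN NAME [MIN_DAYS]
# Exit codes: 0 deployable, 1 file missing/unreadable, 2 key does not match
# the leaf certificate, 3 NAME absent from the SAN list, 4 leaf expires
# within MIN_DAYS (default 7).
check_cert_pair() {
    key=$1 chain=$2 name=$3 min_days=${4:-7}
    [ -r "$key" ] && [ -r "$chain" ] || return 1
    # openssl x509 reads only the first PEM block of the fullchain: the leaf.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ] || return 2
    # Match the SAN entry as a whole fixed string, so "*.example.com" does not
    # pass on a certificate that only lists "example.com".
    openssl x509 -in "$chain" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF -- "DNS:$name" || return 3
    # Refuse to push a certificate that Caddy has not renewed in time.
    openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 4
    return 0
}

# Gate the deployment on the check, e.g. from the same scheduled task:
#   check_cert_pair "$new_key" "$new_fullchain" '*.example.com' || exit $?
```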
For additional details on setting up Caddy with an ACME-DNS provider, please refer to the following links:
More details about Caddy as a certificate manager: