@telf3
Last active July 24, 2025 14:57
certbot-dns-cloudflare on asustor NAS
adm-deploy.sh
```shell
#!/bin/sh
# An asustor NAS Let's Encrypt certificate renewal deploy shell script.
# https://github.com/bebo-dot-dev/asustor-certbot/
# Dependencies:
# A certbot --config-dir/renewal-hooks/deploy directory to host this script
#
# When this shell script is present in the certbot --config-dir/renewal-hooks/deploy directory,
# certbot calls it only after a successful renewal.
# This script can be used to automate actions that need to be performed after a successful renewal,
# i.e. certificate copy / service restart etc.
#
# certbot docs are here: https://certbot.eff.org/docs/using.html
set -e                                          # abort on any failure so a broken bundle is never installed
umask 077                                       # the combined PEM contains the private key: create it owner-only
CONFIG_DIR=/volume0/usr/builtin/etc/letsencrypt # the certbot --config-dir
SOURCE_CERT=/live/nas.mydomain.com              # a source letsencrypt certificate to perform actions with
ADM_TARGET=/volume0/usr/etc/lighttpd            # the ADM lighttpd web server ssl cert target directory
ADM_WEB_SERVICE=/etc/init.d/S41lighttpd         # the ADM lighttpd service control script
# create a lighttpd "compatible" cert by combining the private key and the cert together and
# then update the lighttpd ssl cert with that
cat "$CONFIG_DIR$SOURCE_CERT/privkey.pem" "$CONFIG_DIR$SOURCE_CERT/cert.pem" > "$CONFIG_DIR$SOURCE_CERT/lighttpd.pem"
cp -L -f "$CONFIG_DIR$SOURCE_CERT/lighttpd.pem" "$ADM_TARGET/lighttpd.pem"
chmod 600 "$ADM_TARGET/lighttpd.pem"            # lighttpd runs as root on ADM and only needs owner read
# restart lighttpd so it loads the new certificate
"$ADM_WEB_SERVICE" restart
```
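A hardened variant of the deploy hook, added here as an example; it is not the gist's script and not part of the asustor-certbot project. It uses the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables certbot exports to deploy hooks instead of a hard-coded lineage path, refuses to install a bundle whose private key does not match the certificate, writes the key-bearing bundle under `umask 077` and moves it into place atomically, and restarts lighttpd only when the installed bundle actually changed. `ADM_TARGET` and `ADM_WEB_SERVICE` are the paths from the gist's script; that `openssl` is present on the NAS is an assumption, and the key/cert consistency check is skipped when it is not.

```shell
#!/bin/sh
# Added example: a hardened certbot deploy hook for ADM's lighttpd (not the gist's adm-deploy.sh).
# certbot runs scripts in --config-dir/renewal-hooks/deploy after a successful renewal with
# RENEWED_LINEAGE set to the live/<name> directory of the renewed certificate and
# RENEWED_DOMAINS set to the space-separated domain list.
ADM_TARGET="${ADM_TARGET:-/volume0/usr/etc/lighttpd}"           # path from the gist's script
ADM_WEB_SERVICE="${ADM_WEB_SERVICE:-/etc/init.d/S41lighttpd}"   # path from the gist's script

# keys_match <privkey.pem> <cert.pem>: succeed only if the certificate was issued for this private key.
# Both openssl commands print the SubjectPublicKeyInfo as PEM, so a string comparison suffices (RSA and ECDSA).
keys_match() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# install_bundle <lineage_dir> <dest.pem>: build the privkey+cert bundle, verify it, install it atomically.
# Returns 0 if <dest.pem> was replaced, 2 if it was already identical, 1 on any error.
install_bundle() {
    lineage=$1
    dest=$2
    key="$lineage/privkey.pem"
    crt="$lineage/cert.pem"
    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "install_bundle: missing privkey.pem or cert.pem in $lineage" >&2
        return 1
    fi
    # Assumption: openssl is installed on the NAS; without it the consistency check is skipped.
    if command -v openssl >/dev/null 2>&1; then
        if ! keys_match "$key" "$crt"; then
            echo "install_bundle: private key does not match certificate, refusing to install" >&2
            return 1
        fi
    fi
    tmp="$dest.tmp.$$"
    # The bundle contains the private key: create it owner-only from the start (the subshell keeps umask local).
    if ! ( umask 077; cat "$key" "$crt" > "$tmp" ); then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"        # nothing changed: no need to bounce the web server
        return 2
    fi
    # rename is atomic, so lighttpd can never pick up a half-written file
    if ! chmod 600 "$tmp" || ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
    return 0
}

main() {
    rc=0
    install_bundle "$RENEWED_LINEAGE" "$ADM_TARGET/lighttpd.pem" || rc=$?
    case $rc in
        0) "$ADM_WEB_SERVICE" restart ;;
        2) echo "lighttpd.pem unchanged for ${RENEWED_DOMAINS:-?}, not restarting" ;;
        *) exit 1 ;;
    esac
}

# Only act when invoked by certbot as a deploy hook; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because certbot already sets `RENEWED_LINEAGE`, the same script works unchanged for several lineages in one config dir, and a run that installs nothing new (for example `certbot renew --deploy-hook` invoked by hand) leaves lighttpd running. The mismatch refusal matters when someone edits `live/` by hand: lighttpd will not start at all with a key that does not belong to the cert, and this hook fails loudly in the certbot log instead.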
The goal is to configure an Asustor NAS to use a Let's Encrypt certificate without exposing the NAS to the internet.
To achieve this we use certbot with the DNS-01 challenge against Cloudflare: validation happens through a TXT record the plugin creates via the Cloudflare API, so no inbound HTTP/HTTPS port has to be reachable.
1. Run install.sh to install pip and certbot-dns-cloudflare.
2. Setup cloudflare secret.
```shell
mkdir /volume1/system/letsencrypt
touch /volume1/system/letsencrypt/cloudflare.ini
chown root:root /volume1/system/letsencrypt
chmod 700 /volume1/system/letsencrypt
chmod 600 /volume1/system/letsencrypt/cloudflare.ini
```
Add the Cloudflare API credential to this file in the format described at:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials
Prefer a scoped API token with only Zone:DNS:Edit on the zone for `nas.mydomain.com` over the Global API key: anyone who can read this file can change DNS for that zone, which is why the directory and file are root-only above.
3. Place adm-deploy.sh in /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy (create the directory if it does not exist and make the script executable; certbot runs scripts there only after a successful renewal).
4. Generate certificate.
```shell
certbot certonly --config-dir=/volume0/usr/builtin/etc/letsencrypt \
--dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
--preferred-challenges dns-01 \
-d nas.mydomain.com
```
5. Add a daily renew run to root's crontab (certbot only re-issues once the certificate is within 30 days of expiry, so a daily run is harmless):
```shell
echo "0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew" | tee -a /var/spool/cron/crontabs/root
```
install.sh
```shell
#!/bin/sh
set -e
# bootstrap pip for the App Central python3 package, then install certbot and the Cloudflare DNS plugin
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
# certbot-dns-cloudflare pulls in certbot itself as a dependency
pip3 install certbot-dns-cloudflare
# expose certbot on the default PATH (App Central keeps its binaries under /volume1/.@plugins); -f makes reruns idempotent
ln -sf /volume1/.@plugins/AppCentral/python3/bin/certbot /usr/bin/certbot
```
@JigSawFr

Working as expected, thanks! :)

To note: the path /volume1/system does not exist on my Asustor.
Dropped the files into /volume0/usr/builtin/etc/letsencrypt for the moment.

@x86txt

x86txt commented Jun 28, 2025

For ADM 5.0, replace /volume0/usr/builtin/etc/letsencrypt/ with /volume0/usr/builtin/etc/certificate/letsencrypt/.

Also, you'll need to create the renewal hooks folder; I just used this command:

```shell
mkdir -p /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/ && ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/
```
