The goal is to configure an Asustor NAS to use a Let's Encrypt certificate without exposing it to the internet. To achieve this, we use certbot with the DNS-01 challenge against Cloudflare.

1. Run `install.sh` to install pip and certbot-dns-cloudflare.
2. Set up the Cloudflare secret.

   ```shell
   # Create the directory and an empty credentials file
   mkdir /volume1/system/letsencrypt
   touch /volume1/system/letsencrypt/cloudflare.ini
   # Restrict both to root only
   chown root:root /volume1/system/letsencrypt
   chmod 700 /volume1/system/letsencrypt
   chmod 600 /volume1/system/letsencrypt/cloudflare.ini
   ```

   Add the Cloudflare API key in this file: https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

3. Place `adm-deploy.sh` in `/volume0/usr/builtin/etc/letsencrypt/renew-hooks`.
4. Generate the certificate.

   ```shell
   certbot certonly --config-dir=/volume0/usr/builtin/etc/letsencrypt \
     --dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
     --preferred-challenges dns-01 \
     -d nas.mydomain.com
   ```

5. Add the renewal to crontab:

   ```shell
   # Runs the renewal check daily at 06:00
   echo "0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew" | tee -a /var/spool/cron/crontabs/root
   ```
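
A pre-flight check for the secret created in step 2, as an added example that is not part of the original instructions: it verifies the directory and file modes set above, the owner, and that the file holds the credential keys certbot-dns-cloudflare reads. The function name `audit_cf_secret`, its numeric owner argument and the reliance on `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the certbot Cloudflare credentials file before use.
# Assumes a stat that supports -c (GNU coreutils or BusyBox).

# audit_cf_secret FILE [OWNER_UID]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_cf_secret() {
    file=$1
    owner=${2:-0}          # expected numeric owner, root by default
    dir=$(dirname "$file")
    rc=0

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # A symlink could point the secret at a less protected location.
    [ ! -L "$file" ] || { echo "is a symlink: $file"; rc=1; }
    # Modes set in step 2: 700 on the directory, 600 on the file.
    [ "$(stat -c '%a' "$dir")" = 700 ] || { echo "mode is not 700: $dir"; rc=1; }
    [ "$(stat -c '%a' "$file")" = 600 ] || { echo "mode is not 600: $file"; rc=1; }
    for p in "$dir" "$file"; do
        [ "$(stat -c '%u' "$p")" = "$owner" ] || { echo "owner uid is not $owner: $p"; rc=1; }
    done
    # The plugin reads an API token, or a global API key plus e-mail.
    # Only key names are matched; values are never printed.
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$file"; then
        :
    elif grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file" &&
         grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$file"; then
        echo "note: global API key in use; a scoped API token limits exposure"
    else
        echo "no Cloudflare credential keys found: $file"; rc=1
    fi
    return "$rc"
}

# Run the audit when a path is given on the command line, e.g.
#   sh audit.sh /volume1/system/letsencrypt/cloudflare.ini
if [ "$#" -gt 0 ]; then
    audit_cf_secret "$@"
fi
```

Running it before step 4 and again from the same cron job catches a credentials file whose permissions were loosened after setup.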