Skip to content

Instantly share code, notes, and snippets.

@telf3

telf3/README.md

Last active July 24, 2025 14:57
Show Gist options
  • Save telf3/ae1bae681d10ce37ec5645d362fcf9ef to your computer and use it in GitHub Desktop.
Save telf3/ae1bae681d10ce37ec5645d362fcf9ef to your computer and use it in GitHub Desktop.
Download ZIP
certbot-dns-cloudflare on asustor NAS
Raw
README.md

This will configure an Asustor NAS to use a Let's Encrypt certificate without exposing it to the internet.
To achieve this, we use Certbot with the DNS-01 challenge via Cloudflare.

I'm placing my configuration in /volume1/system. Feel free to change this to whatever location you prefer.

  1. Set up Cloudflare credentials.
mkdir /volume1/system/letsencrypt
touch /volume1/system/letsencrypt/cloudflare.ini
chown root:root /volume1/system/letsencrypt
chmod 700 /volume1/system/letsencrypt
chmod 600 /volume1/system/letsencrypt/cloudflare.ini

Add your Cloudflare API key to cloudflare.ini as described here:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

  1. Place install.sh and adm-deploy.sh in /volume1/system/letsencrypt

  2. Run install.sh to setup pip and certbot-dns-cloudflare.

  3. Link adm-deploy.sh to letsencrypt deploy hook.

ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy/
  1. Generate the certificate.
    Make sure to change nas.mydomain.com in adm-deploy.sh and in the below command to your FQDN
certbot certonly --config-dir=/volume0/usr/builtin/etc/letsencrypt \
  --dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
  --preferred-challenges dns-01 \
  -d nas.mydomain.com
  1. Add renew to crontab, run crontab -e as root.
@reboot /volume1/system/letsencrypt/install.sh && /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew
0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/letsencrypt renew
Raw
adm-deploy.sh
#!/usr/bin/env bash
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renwal:
# /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
SOURCE=/volume0/usr/builtin/etc/letsencrypt/live/nas.domain.com # letsencrypt certificate
TARGET=/volume0/usr/etc/lighttpd # ADM lighttpd web server ssl cert target directory
cat $SOURCE/privkey.pem $SOURCE/cert.pem > $SOURCE/lighttpd.pem
cp -Lfv $SOURCE/lighttpd.pem $TARGET/lighttpd.pem
/etc/init.d/S41lighttpd restart
Raw
install.sh
#!/bin/sh
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
pip3 install certbot-dns-cloudflare
ln -s /volume1/.@plugins/AppCentral/python3/bin/certbot /usr/bin/certbot
Raw
reverseproxy-deploy.sh
#!/usr/bin/env bash
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renwal:
# /volume0/usr/builtin/etc/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
SOURCE=/volume0/usr/builtin/etc/letsencrypt/live/nas.domain.com # letsencrypt certificate
TARGET=/volume0/usr/builtin/etc/certificate
cat $SOURCE/privkey.pem $SOURCE/cert.pem > $SOURCE/ssl.pem
cp -Lfv $SOURCE/cert.pem $TARGET/ssl.crt
cp -Lfv $SOURCE/privkey.pem $TARGET/ssl.key
cp -Lfv $SOURCE/ssl.pem $TARGET/ssl.pem
pkill nginx
sleep 1
/volume0/usr/builtin/sbin/nginx -c /volume0/usr/builtin/etc/nginx_reverse_proxy/nginx.conf
@JigSawFr
Copy link

JigSawFr commented Jan 19, 2025

Working as expected thanks ! :)

To note; the path /volume1/system is not existing on my asustor.
Dropped files to /volume0/usr/builtin/etc/letsencrypt for the moment.

@x86txt
Copy link

x86txt commented Jun 28, 2025

For ADM 5.0, replace /volume0/usr/builtin/etc/letsencrypt/ with /volume0/usr/builtin/etc/certificate/letsencrypt/.

Also, you'll need to create the renewal hooks folder, I just used this commmand:

mkdir -p /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/ && ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment