How To Use The DiskStation’s SSL Certificate For Syncthing
Things you need to have working first:
- In DSM, you need to have an admin account configured. I assume it is called admin.
- You need access to the DiskStation via SSH. This is only possible for an admin user. Make sure you can log in from your desktop / laptop computer:

      ssh admin@MySynoString.synology.xx

  and you know the password. If you’re not using the command line, try logging in with the PuTTY application for example.
- Root access is required for the admin user. In the SSH connection, try running

      sudo ls

  and enter your password again.
Once these prerequisites are met, you can log in to the DiskStation through SSH and create the updating script:
1. Find your Syncthing’s API key in the Web GUI under Actions → Settings.
2. Enter the command

       cat > syncthing-install-cert.sh

3. Paste the following content, replacing the API key with your own value from the first step:

       #!/bin/sh
       # Copy DSM's default certificate and key into Syncthing's config
       # directory, then ask Syncthing to restart so it loads them.
       SYSTEM_CERT_DIR=/usr/syno/etc/certificate/system/default
       SYNCTHING_CONF_DIR=/usr/local/syncthing/var
       SYNCTHING_USER=sc-syncthing
       SYNCTHING_GROUP=syncthing
       API_KEY=InsertYourAPIKeyHere

       sudo cp -v --preserve=timestamps "${SYSTEM_CERT_DIR}/cert.pem" "${SYNCTHING_CONF_DIR}/https-cert.pem"
       sudo cp -v --preserve=timestamps "${SYSTEM_CERT_DIR}/privkey.pem" "${SYNCTHING_CONF_DIR}/https-key.pem"
       # The private key must stay readable by its owner only.
       sudo chmod 664 "${SYNCTHING_CONF_DIR}/https-cert.pem"
       sudo chmod 600 "${SYNCTHING_CONF_DIR}/https-key.pem"
       sudo chown "${SYNCTHING_USER}:${SYNCTHING_GROUP}" "${SYNCTHING_CONF_DIR}/https-cert.pem"
       sudo chown "${SYNCTHING_USER}:${SYNCTHING_GROUP}" "${SYNCTHING_CONF_DIR}/https-key.pem"
       sudo ls -al "${SYNCTHING_CONF_DIR}"
       # -k: the certificate served on localhost will not match that name,
       # so verification is skipped for this local request only.
       curl -k -X POST -H "X-API-Key: ${API_KEY}" https://localhost:8384/rest/system/restart

4. Hit Ctrl-D to finish and write the content to the script.
5. Make the script executable and restrict permissions:

       chmod 700 syncthing-install-cert.sh

6. Try it out:

       ./syncthing-install-cert.sh

It should output something like this:
‘/usr/syno/etc/certificate/system/default/cert.pem’ -> ‘/usr/local/syncthing/var/https-cert.pem’
‘/usr/syno/etc/certificate/system/default/privkey.pem’ -> ‘/usr/local/syncthing/var/https-key.pem’
total 2200
drwx------ 3 sc-syncthing syncthing 4096 Sep 16 01:20 .
drwxr-xr-x 5 sc-syncthing syncthing 4096 Jul 7 13:41 ..
-rw-rw-r-- 1 sc-syncthing syncthing 619 Jan 1 2019 cert.pem
-rw------- 1 sc-syncthing syncthing 55110 Mar 24 2021 config.xml
-rw------- 1 sc-syncthing syncthing 264 Aug 16 23:08 csrftokens.txt
-rw-rw-r-- 1 sc-syncthing syncthing 1915 Aug 16 23:07 https-cert.pem
-rw------- 1 sc-syncthing syncthing 1675 Aug 16 23:07 https-key.pem
drwxr-xr-x 2 sc-syncthing syncthing 4096 Oct 8 08:03 index-v0.14.0.db
-rw------- 1 sc-syncthing syncthing 288 Jan 1 2019 key.pem
-rw-r--r-- 1 sc-syncthing syncthing 261 Aug 2 2019 options.conf
-rw-r--r-- 1 sc-syncthing syncthing 832 Aug 2 2020 syncthing_install.log
-rw-r--r-- 1 sc-syncthing syncthing 2142587 Oct 11 16:00 syncthing.log
-rw-r--r-- 1 sc-syncthing syncthing 5 Sep 16 01:20 syncthing.pid
{"ok": "restarting"}
In the file listing you can verify the modification date of the https-*.pem files. The last line is Syncthing’s response to the request to restart itself.
When you have it working once, you just need to repeat the last step (no. 6) every time the system default certificate is replaced. I assume you already have that part figured out. It’s not really hard to get a certificate from Let’s Encrypt using the DSM Control Panel, once you have configured external access in your router / firewall.
Feel free to ask if you are having trouble with these instructions.
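
To tell when the system default certificate has been replaced and step 6 needs repeating, the following check compares Syncthing's copies with the DSM files and confirms the copied key is still mode 600. It is an added example, not part of the original instructions; the function names are hypothetical and the demo runs on constructed placeholder files rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the original page): report whether Syncthing's copy
# of the DSM certificate is stale, so the install script runs only when needed.

# 0 (true) when the deployed file is missing or differs from the system file.
needs_update() {
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# 0 (true) only for a regular file whose mode is exactly 600.
key_mode_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}

# Prints "stale", "bad-key-mode" or "current".
# $1 = system certificate directory, $2 = Syncthing config directory.
cert_status() {
    if needs_update "$1/cert.pem" "$2/https-cert.pem" ||
       needs_update "$1/privkey.pem" "$2/https-key.pem"; then
        echo stale
    elif ! key_mode_ok "$2/https-key.pem"; then
        echo bad-key-mode
    else
        echo current
    fi
}

# Demo on constructed placeholder files (not real certificates or keys).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sys" "$d/st"
    echo "constructed cert v1" > "$d/sys/cert.pem"
    echo "constructed key v1" > "$d/sys/privkey.pem"
    cert_status "$d/sys" "$d/st"                 # nothing deployed yet
    cp "$d/sys/cert.pem" "$d/st/https-cert.pem"
    cp "$d/sys/privkey.pem" "$d/st/https-key.pem"
    chmod 644 "$d/st/https-key.pem"
    cert_status "$d/sys" "$d/st"                 # key readable by others
    chmod 600 "$d/st/https-key.pem"
    cert_status "$d/sys" "$d/st"                 # copies match the system files
    echo "constructed cert v2" > "$d/sys/cert.pem"
    cert_status "$d/sys" "$d/st"                 # system certificate replaced
    rm -rf "$d"
}

demo
```

On the DiskStation, call cert_status as root with /usr/syno/etc/certificate/system/default and /usr/local/syncthing/var as its two arguments, and run syncthing-install-cert.sh when it prints anything other than current.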