Friday, August 2, 2019

Renew your wildcard certificate on your DSM Webstation and OpenVPN server

Is your wildcard (*.yourdomain.com) SSL certificate expiring and in need of renewal? Below are the steps to renew it on a Synology DSM. I also use the certificate for the OpenVPN server on the DSM, so I need to update it in two places.

Convention:

  • Certificate: server.crt
  • Private key: server.key
  • Intermediate: ca_bundle.crt
  • Root: ca.crt


Receive a new wildcard certificate

  • Log in to DSM at https://ip:5001
  • SSH into the DSM
  • cd /usr/syno/etc/packages/VPNCenter/openvpn/keys
  • Copy the ca_bundle.crt file
  • In the DSM: Control Panel > Security > Certificate
  • Click on CSR, then renew certificate
  • Select the country and download the CSR and the private key.
  • Go to ssl2buy.com to buy a new wildcard certificate from alphassl.com
  • Enter the CSR (generated by your DSM) and select the approval method admin@yourdomain.com
  • Go to your webmail and log in with the admin@yourdomain.com account to find the email asking you to approve your new purchase
  • Click the approval link in that email to have the certificate issued (you then receive an email with the certificate from ssl2buy)
  • Add a new certificate by entering the server.key, server.crt and ca_bundle.crt files in the wizard
  • Click on Edit to set the new certificate as the default one, then remove the old (inactive) one. The web server should now restart itself with the new certificate.
Tip: The intermediate certificate (in base64 format) from AlphaSSL can be downloaded here


Update the certificates for the OpenVPN server

  • SSH into the DSM and make yourself root
  • sudo -i
    cd /usr/syno/etc/packages/VPNCenter/openvpn/keys
  • Make a new folder under the "history" directory, named for the date you last created/renewed your certificate, and move the (old) certificates there as a backup.
  • mkdir history/YYYY-MM-DD
    mv server.* history/YYYY-MM-DD
    cp -rp ca* history/YYYY-MM-DD
  • Paste in the new private key, certificate and intermediate, e.g. with vi server.key. Do this for the 2 server files mentioned under Convention.
  • Make the files readable by the owner only
  • chmod 400 server*
    chmod 400 ca*
  • Restart the OpenVPN server
  • /var/packages/VPNCenter/target/scripts/openvpn.sh restart
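The OpenVPN steps above, as an added shell example that is not the post's own script: it backs up the current files into history/DATE, checks that the new key actually belongs to the new certificate and that the certificate is not about to expire (both common slip-ups when juggling old and new files), installs the staged files, sets chmod 400 and restarts the server. It assumes the post's file names and that the newly issued files were first copied to a staging directory such as /tmp/newcert (a constructed path).

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes the post's file names
# (server.key, server.crt, ca_bundle.crt, ca.crt) and that the newly issued
# files were first copied to a staging directory; run as root (sudo -i).
set -eu

KEYS_DIR="${KEYS_DIR:-/usr/syno/etc/packages/VPNCenter/openvpn/keys}"
RESTART_SCRIPT="/var/packages/VPNCenter/target/scripts/openvpn.sh"

# verify_pair CERT KEY: OpenVPN will not start if the private key does not
# belong to the certificate, so compare the public key each one yields.
verify_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# not_expiring CERT DAYS: succeed only if CERT is still valid DAYS days from
# now, which catches installing the old, expiring certificate by mistake.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# rotate_keys STAGING KEYS STAMP: copy the current files to history/STAMP
# (the post's backup step), install the staged ones, then chmod 400 them as
# the post does so that only root can read the private key.
rotate_keys() {
    staging="$1"; keys="$2"; stamp="$3"
    for f in server.key server.crt ca_bundle.crt; do
        [ -f "$staging/$f" ] || { echo "missing $staging/$f" >&2; return 1; }
    done
    mkdir -p "$keys/history/$stamp"
    for f in "$keys"/server.* "$keys"/ca*; do
        [ -e "$f" ] || continue   # unmatched glob on a first install
        cp -p "$f" "$keys/history/$stamp/"
    done
    cp "$staging/server.key" "$staging/server.crt" "$staging/ca_bundle.crt" "$keys/"
    chmod 400 "$keys"/server* "$keys"/ca*
}

# renew_openvpn_cert STAGING: the complete procedure from the post, with the
# checks above run before anything on the DSM is touched.
renew_openvpn_cert() {
    verify_pair "$1/server.crt" "$1/server.key" || { echo "key/cert mismatch" >&2; return 1; }
    not_expiring "$1/server.crt" 30 || { echo "cert expires within 30 days" >&2; return 1; }
    rotate_keys "$1" "$KEYS_DIR" "$(date +%F)"
    "$RESTART_SCRIPT" restart
}
```

On the DSM, source the script and call `renew_openvpn_cert /tmp/newcert`; the checks abort before any file is moved if the staged key and certificate do not belong together.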


And you should be good to go for another year...
