Monday, June 8, 2026

SSL wildcard certificate extension

1. Open the e-mail from the CA that asks you to complete the configuration process and click the link it contains

2. Go into DSM > Control Panel > Security > Certificate, right-click the certificate and click Renew
3. Download archive.zip, which contains the CSR (server.csr, the one you need) and a newly generated private key. Keep the archive private: that key is the secret behind the renewed certificate and is needed again when the certificate is imported in step 11. Open server.csr and copy its text
4. On the website paste the CSR and go through the menu. Choose admin@domain.com to send the emails to
5. Approve the request and a new email will be sent with the certificate
6. Open a command line and paste the certificate (the PEM block from the email) into server.crt
7. Test for the issuer to find the intermediate: openssl x509 -in server.crt -text -noout | grep -E "Issuer:|CA Issuers"

        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R6 AlphaSSL CA 2025
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsgccr6alphasslca2025.crt
8. Download the intermediate certificate from the CA Issuers URI shown above (it is served in DER form):
curl -fsSLO http://secure.globalsign.com/cacert/gsgccr6alphasslca2025.crt
The download is over plain HTTP, which is acceptable only because step 10 verifies the whole chain up to a trusted root; do not skip that step.
9. Convert it to PEM and build the chain, leaf certificate first:
openssl x509 -inform DER -in gsgccr6alphasslca2025.crt -out intermediate_pem.crt
cat server.crt intermediate_pem.crt > fullchain.crt
10. Verify the chain against the system trust store (expected output: server.crt: OK) and confirm that the certificate belongs to the private key from archive.zip (both commands must print the same public key):
openssl verify -untrusted fullchain.crt server.crt
server.crt: OK
openssl x509 -in server.crt -noout -pubkey
openssl pkey -in <private key from archive.zip> -pubout
11. Install the new certificate in DSM: Certificate > Add > Import certificate, upload the private key from archive.zip, server.crt as the certificate and intermediate_pem.crt as the intermediate certificate, and choose to replace the existing *.domain.com certificate
Important:
-Upload intermediate_pem.crt in the intermediate-certificate field; only if there is no such field, upload fullchain.crt as the certificate instead (not both, or the intermediate appears twice in the served chain)
-If replacing fails, import it as a new certificate and delete the old one afterwards
12. Make new certificate default one
13. Go to Dropbox and place the new public files there (server.crt, intermediate_pem.crt, fullchain.crt). Do not put the private key or archive.zip in a third-party cloud unless they are inside an encrypted container: whoever holds that key can impersonate every host under *.domain.com until the certificate expires.

Update the wildcard certificate on the UniFi Controller (running as a Docker container) and for Plex

root@server:/volume1/docker/unifi/data# cd /usr/syno/etc/certificate/_archive

root@server:/usr/syno/etc/certificate/_archive# ls -lrt

total 20

drwx------ 2 root root 4096 Mar 18 16:12 dCjJGL

-rwx------ 1 root root 1904 May 11 09:38 SERVICES

drwx------ 2 root root 4096 May 18 10:20 uE4Pkn

-rw------- 1 root root    7 May 18 10:21 DEFAULT

-rw------- 1 root root 2552 May 18 10:28 INFO

root@server:/usr/syno/etc/certificate/_archive# cd dCjJGL/

root@server:/usr/syno/etc/certificate/_archive/dCjJGL# ls -l

total 52

-r-------- 1 root root 1890 Mar 18 16:12 cert.pem

-r-------- 1 root root 1801 Mar 18 16:12 chain.pem

-r-------- 1 root root 1390 Mar 18 16:12 ECC-cert.pem

-r-------- 1 root root 1566 Mar 18 16:12 ECC-chain.pem

-r-------- 1 root root 2958 Mar 18 16:12 ECC-fullchain.pem

-r-------- 1 root root  241 Mar 18 16:12 ECC-privkey.pem

-r-------- 1 root root 3693 Mar 18 16:12 fullchain.pem

-r-------- 1 root root 1704 Mar 18 16:12 privkey.pem

-r-------- 1 root root  262 Mar 18 16:12 renew.json

-r-------- 1 root root 1890 Mar 18 16:12 RSA-cert.pem

-r-------- 1 root root 1801 Mar 18 16:12 RSA-chain.pem

-r-------- 1 root root 3693 Mar 18 16:12 RSA-fullchain.pem

-r-------- 1 root root 1704 Mar 18 16:12 RSA-privkey.pem

root@server:/usr/syno/etc/certificate/_archive/uE4Pkn# openssl x509 -in cert.pem -noout -ext subjectAltName -subject | grep -E "Subject:|DNS:"

    DNS:*.domain.com, DNS:domain.com

Note: _archive contains one directory per certificate and the DEFAULT file holds the id of the current one (cat DEFAULT). Before exporting, make sure you are in the directory of the renewed certificate, e.g. with openssl x509 -in cert.pem -noout -enddate: in the listing above uE4Pkn and DEFAULT were written on the renewal day while dCjJGL is older, yet the PKCS#12 export below runs from dCjJGL, so check this first or the controller ends up with the old certificate.

root@server:/usr/syno/etc/certificate/_archive/dCjJGL# openssl pkcs12 -export \
>   -in cert.pem \
>   -inkey privkey.pem \
>   -certfile chain.pem \
>   -out unifi.p12 \
>   -name unifi

(In the original session the trailing backslash continued the command onto an accidental "ls -lrt", which was cancelled with ^C; run it as shown, without a backslash after -name unifi. openssl prompts twice for an export password: use the same value that is passed as -srcstorepass to keytool below, otherwise the import fails. The -name alias must also match the -alias given to keytool.)

root@server:/usr/syno/etc/certificate/_archive/dCjJGL# ls -l

total 60

-r-------- 1 root root 1890 Mar 18 16:12 cert.pem

-r-------- 1 root root 1801 Mar 18 16:12 chain.pem

-r-------- 1 root root 1390 Mar 18 16:12 ECC-cert.pem

-r-------- 1 root root 1566 Mar 18 16:12 ECC-chain.pem

-r-------- 1 root root 2958 Mar 18 16:12 ECC-fullchain.pem

-r-------- 1 root root  241 Mar 18 16:12 ECC-privkey.pem

-r-------- 1 root root 3693 Mar 18 16:12 fullchain.pem

-r-------- 1 root root 1704 Mar 18 16:12 privkey.pem

-r-------- 1 root root  262 Mar 18 16:12 renew.json

-r-------- 1 root root 1890 Mar 18 16:12 RSA-cert.pem

-r-------- 1 root root 1801 Mar 18 16:12 RSA-chain.pem

-r-------- 1 root root 3693 Mar 18 16:12 RSA-fullchain.pem

-r-------- 1 root root 1704 Mar 18 16:12 RSA-privkey.pem

-rw------- 1 root root 4344 May 18 22:01 unifi.p12

root@server:/usr/syno/etc/certificate/_archive/dCjJGL# mv unifi.p12 /volume1/docker/unifi/data/ && cd /volume1/docker/unifi/data/

root@server:/volume1/docker/unifi/data# ls -l

total 228

drwxr-xr-x+ 3 admin users   4096 Mar  6 15:53 backup

drwxr-xr-x+ 4 admin users  40960 May 18 22:01 db

-rwxr-xr-x+ 1 root  root   35879 May 18 09:41 firmware.json

-rwxr-xr-x+ 1 admin users   6502 May 11 09:39 keystore

-rwxr-xr-x+ 1 admin users   2742 Aug 28  2023 keystore-2023-08-28.bak

-rwxr-xr-x+ 1 root  root    6502 May 18 21:57 keystore-2026-05-18.bak

-rwxr-xr-x+ 1 admin users   1424 May 18 21:40 model_lifecycles.json

-rwxr-xr-x+ 1 admin users      0 Oct 17  2023 system_env

-rwxr-xr-x+ 1 root  root    1394 May 11 09:40 system.properties

-rwxr-xr-x+ 1 root  root    1394 May 11 09:40 system.properties.bk

-rwxr-xr-x+ 1 root  root  110245 May 15 17:41 uidb.json

-rw-------  1 root  root    4344 May 18 22:01 unifi.p12

root@server:/volume1/docker/unifi/data# docker exec -it unifi keytool -importkeystore \

>   -srckeystore /unifi/data/unifi.p12 \

>   -srcstoretype PKCS12 \

>   -srcstorepass aircontrolenterprise \

>   -destkeystore /unifi/data/keystore \

>   -deststoretype JKS \

>   -deststorepass aircontrolenterprise \

>   -alias unifi

Importing keystore /unifi/data/unifi.p12 to /unifi/data/keystore...

Existing entry alias unifi exists, overwrite? [no]:  yes

root@server:/volume1/docker/unifi/data# rm unifi.p12 && docker restart unifi

Notes:
- aircontrolenterprise is the password the UniFi controller uses for its keystore and it is widely published, so the keystore is effectively protected only by file permissions. In the listing above keystore is -rwxr-xr-x owned by admin:users, i.e. readable by every local user; restrict it to the uid the container runs as (e.g. chmod 600) if your setup allows it.
- Passing -srcstorepass/-deststorepass on the command line exposes them in the shell history and in ps; keytool also accepts -srcstorepass:file <path> / -deststorepass:file <path> (or :env VAR) to keep them out of argv.
- unifi.p12 is a second copy of the private key inside the container's data directory; delete it once imported, and restart the container so the controller loads the new keystore.

Plex (the PFX export password used below is simply "plex"). Plex keeps this password in its settings to open the PFX, so a strong password adds little; what actually protects the key is the file's permissions, so keep /volume1/PlexMediaServer/plex_wildcard.pfx readable only by the account Plex runs as.

root@server:/usr/syno/etc/certificate/_archive/uE4Pkn# openssl pkcs12 -export -out /volume1/PlexMediaServer/plex_wildcard.pfx \

> -inkey privkey.pem \

> -in cert.pem \

> -certfile chain.pem \

> -certpbe AES-256-CBC \

> -keypbe AES-256-CBC \

> -macalg SHA256

Enter Export Password:

Verifying - Enter Export Password:



 

Thursday, November 14, 2024

Update Home Assistant docker installation

To safely update a Docker container on a Synology NAS, follow the steps below. I assume you manage your docker containers via docker-compose.

  1. List the running containers
    docker ps
  2. Go to the docker folder
    cd /volume1/docker
  3. Copy the configuration (if needed)
    cp -rp ha /volume2/backups/ha-bak.25.x
  4. Stop the container
    docker stop homeassistant
  5. Make a backup
    docker commit homeassistant homeassistant-backup:version-25.x
  6. Pull the latest image
    docker pull ghcr.io/home-assistant/home-assistant:stable

    or if you want a specific version (recommended: the stable tag moves, so pinning a version, or the image digest printed by docker pull, gives a reproducible upgrade you can roll back from)
    docker pull ghcr.io/home-assistant/home-assistant:2024.11.3
  7. Remove the container
    docker rm homeassistant
  8. If you have a specific version to use, edit the version of the image in the docker-compose file to the downloaded one (2024.11.3, default is stable)
    vi docker-compose.yaml
  9. Start up the new container
    docker-compose --verbose up -d homeassistant

Checklist afterwards:

  • Check if configuration is loaded correctly:
    docker exec homeassistant python -m homeassistant --script check_config --config /config
  • Check for version: Settings > About
  • Check for logs: Settings > System > Logs
  • Update HACS plugins if needed
For a full recovery of a container:
  1. Stop and Remove the Current Container:
    docker stop homeassistant

    docker rm homeassistant
  2. Run a New Container from the Backup Image (or edit your docker-compose.yaml and start with docker-compose):
    docker run -d --name homeassistant --restart=unless-stopped -v /volume1/docker/ha:/config -e TZ=Europe/Paris --net=host homeassistant-backup:version-25.x
    (use the tag you gave the backup image in step 5; the original one-line command still contained the line-continuation backslashes, which a shell would pass on as literal arguments)


Monday, November 11, 2024

Home Assistant button with automation on your dashboard and state not always on

If you want to add a button to your dashboard that will trigger an automation once clicked, but you don't like the fact that by default the state will be always on, you can add an additional input_boolean. Below are the steps how to do this.

To define an input_boolean in Home Assistant, you can add it to your configuration.yaml file. Here’s how to do it:

  1. Open your configuration.yaml file in Home Assistant.

  2. Add the Input Boolean definition under the input_boolean section. If the section doesn’t exist yet, you can create it.

    yaml
    input_boolean:
      rain_water_pump_button:
        name: Rain Water Pump Button
        initial: off
    • rain_water_pump_button: This is the entity ID for your input boolean.
    • name: This is the name that will appear in the UI.
    • initial: Setting this to off means the button will be off each time Home Assistant restarts.
  3. Save the Configuration and Restart Home Assistant:

    • After saving your changes, go to Settings > System > Restart to apply the new configuration.
  4. Create a Combined Automation: This automation will:

    • Turn the rain_water_pump_button “on” for 2 seconds to confirm the button press.
    • Trigger switch.rain_water_pump for 3 minutes, then turn it off.
    yaml
    alias: Enable Rain Water Pump for 3 Minutes
    trigger:
      - platform: state
        entity_id: input_boolean.rain_water_pump_button
        to: 'on'
    action:
      - delay: "00:00:02" # Keep button "on" for 2 seconds
      - service: input_boolean.turn_off
        target:
          entity_id: input_boolean.rain_water_pump_button
      - service: switch.turn_on
        target:
          entity_id: switch.rain_water_pump
      - delay: "00:03:00" # 3 minutes delay for the pump
      - service: switch.turn_off
        target:
          entity_id: switch.rain_water_pump
    mode: single
  5. Update the Dashboard Button: Here’s the updated configuration for the dashboard button to trigger the input_boolean instead of the automation directly. This way, pressing the button will activate the whole process:

    yaml
    type: entity-button
    entity: input_boolean.rain_water_pump_button
    icon: mdi:av-timer
    show_name: true
    show_icon: true
    show_state: true
    icon_height: 25px
    tap_action:
      action: toggle
  6. With this setup:

    • The dashboard button will change to "on" for 2 seconds when pressed.
    • The input_boolean state change triggers the switch.rain_water_pump to turn on for 3 minutes and then turn off automatically.
    • Caveat: the 3-minute timer is the delay inside the running automation. If Home Assistant restarts or automations are reloaded while it is waiting, that run is dropped and the final switch.turn_off never executes, leaving the pump on. Add a safety net, for example a second automation with a state trigger on switch.rain_water_pump (to: 'on', for: "00:03:00") that turns the switch off.

Friday, October 6, 2023

Connect to Fluvius smart energy meter via P1 and publish data via MQTT broker to Home Assistant

I created a python script that runs as a service to read out the Fluvius energy meter via the P1 port to USB on a Raspberry Pi. See installation notes here: https://github.com/smartathome/fluvius2mqtt/tree/main

The output into Home Assistant looks like this:



Monday, October 2, 2023

Install SBFSpot to read out SMA Sunny Boy data and make data available over MQTT for Home Assistant

I want to read out SMA Sunny Boy data and make it available via MQTT to Home Assistant. The tool used for this is SBFSpot, and its installation on a Raspberry Pi is really easy. The SMA protocol used is proprietary and happens over 502/tcp.

  1. Install from the command line. The installer runs as root straight from the network, so download it first, read it, and only then execute it (-f makes curl fail on an HTTP error instead of feeding an error page to bash):
    curl -fsSL -o sbfspot-config https://raw.githubusercontent.com/sbfspot/sbfspot-config/master/sbfspot-config
    less sbfspot-config
    sudo bash sbfspot-config
  2. Follow the configuration tutorial and setup wizard
  3. Edit the configuration file for MQTT:
    sudo vi /usr/local/bin/sbfspot.3/SBFspot.cfg
    to change the MQTT configuration and set the following MQTT_Data:
    MQTT_Data=Timestamp,SunRise,SunSet,InvSerial,InvName,InvSwVer,InvTime,InvStatus,InvTemperature,InvGridRelay,EToday,ETotal,PACTot,UDC1,UDC2,IDC1,IDC2,PDC1,PDC2,GridFreq
  4. Test:
    /usr/local/bin/sbfspot.3/SBFspot -v -finq -nocsv -mqtt
  5. Note the SMA inverter serial for adding to your Home Assistant configuration
    (it should appear as InvSerial in the MQTT payload published by the test above)
  6. Configure Home Assistant and add the sensors for the inverter to your configuration.yaml (the sensor definitions are not reproduced on this page). Remember to replace SERIAL with the actual serial number from your inverter.



Monday, September 25, 2023

Advanced installation of a Raspberry Pi with Raspbian Bullseye

When installing a Raspberry Pi, I have a checklist of steps I take each time to ensure my Raspberry Pis are (mostly) configured in the same way: they back up their data the same way, use the same user configuration (ntp, syslog, sendmail...) and have the same security provisioning. We will also introduce Log2Ram, which keeps logs in memory to avoid excessive SD card writing/wear, which will eventually break your RPi. Feel free to comment on any step that is documented here. Some steps might be optional or unnecessary in your case.

  1. Do the physical installation, plugin the network and HDMI cables (except the power cable of course) and screw your RPi into a cover or box.
  2. Prepare SD card on Mac with Raspberry Pi Imager
  3. Plug the SD card into your RPi and now also plug in the power cable. Boot your RPi for the first time. Create a user with a password for use later; pick your own user name and a strong password rather than the historic pi/raspberry default, which is the first combination any scanner tries (the Imager can pre-configure this).
  4. When booted, you'll be provided with a prompt to login for the first time. Mind the QWERTY keyboard layout.
  5. Run the setup tool
    sudo raspi-config
  6. Configure the setup tool
    1. Set the hostname (1 System Options > S4 Hostname)
    2. Expand Filesystem (6 Advanced Options > A1 Expand file system)
    3. Change Timezone, set Keyboard Layout (if needed) and change Wifi Country (5 Localization Options > L2 Change Timezone, L3 Change Keyboard Layout, L4 Change Wi-fi Country)
    4. Enable SSH (3 Interfacing Options > I2 SSH)
    5. Press 'Finish' and Reboot
  7. After reboot, login again via SSH and change your user password:
    passwd
  8. Generate an SSH key pair. ed25519 is stronger than the default RSA key, and -a 100 raises the KDF rounds that protect the key file's passphrase.
    ssh-keygen -o -a 100 -t ed25519
  9. Change the root password. Raspberry Pi OS ships with the root account locked; setting a password unlocks it, so only do this if you need console root access, and confirm that PermitRootLogin in /etc/ssh/sshd_config stays at its default (prohibit-password) or is set to no, so the password cannot be used over SSH.
    sudo passwd root
  10. Set the ETH0 IP address to a fixed IP. I hardly ever use the Wifi module in a Raspberry Pi
    sudo vi /etc/network/interfaces
    Add at the end of the file the following:
    # Added by user on 2023-XX-XX
    auto eth0
    iface eth0 inet static
            address 192.168.0.240/24
            network 192.168.0.0
            broadcast 192.168.0.255
            gateway 192.168.0.1
            dns-nameservers 192.168.0.1 8.8.8.8
    # End of Addition
    sudo systemctl restart networking.service
    And test with
    ip add show
    Reboot your RPi again (or do it later if you plan to reboot anyway)
  11. Check for updates & upgrades for Bullseye, but first become root. Don't forget to reboot if kernel patches were installed.
    sudo -i
    apt-get update -y && apt-get upgrade -y
  12. Fix a common issue with Syslog flooding your logs
    sudo sed -i '/# The named pipe \/dev\/xconsole/,$d' /etc/rsyslog.conf
    sudo service rsyslog restart
  13. Alternatively, you could also install Syslog-NG
    sudo apt-get install -y syslog-ng
  14. Install Git
    sudo apt-get install -y git dirmngr
  15. Install Log2Ram as this will allow us to keep logs in memory and reduce the SD card writing significantly. From time to time, the logs are still made persistent to disk.
    cd /home/pi
    git clone https://github.com/azlux/log2ram.git
    cd log2ram
    chmod +x install.sh
    sudo ./install.sh
    Change the log size value to 128M
    sudo vi /etc/log2ram.conf
    Reboot
  16. Install Sendmail and configure to work with a local mail relay server, or alternatively Gmail.
    sudo apt-get install -y sendmail mailutils sendmail-bin
    sudo mkdir -m 700 /etc/mail/authinfo/
    sudo -i
    cd /etc/mail/authinfo/
    (cd is a shell builtin, so "sudo cd" does not work, and the directory is mode 700, hence the root shell.) Create a Sendmail authentication file:
    vi sendmail-auth
    And paste the following info:
    AuthInfo: "U:root" "I:YOUR LOGIN" "P:YOUR PASSWORD"
    Save and exit vi. Next build the hash map and lock down both the text file and the generated .db, since each contains the relay password in clear:
    makemap hash sendmail-auth < sendmail-auth
    chmod 400 sendmail-auth sendmail-auth.db
    exit
    Change the Sendmail configuration now
    sudo vi /etc/mail/sendmail.mc
    Add the following below right above first "MAILER_DEFINITIONS" line:
    # Added by yourname on 2018-XX-XX
    define(`SMART_HOST',`[192.168.Y.XX]')dnl
    define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
    define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
    define(`confAUTH_OPTIONS', `A p')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    FEATURE(`authinfo',`hash -o /etc/mail/authinfo/sendmail-auth.db')dnl
    # End of Addition
    Apply the changes to the configuration and restart Sendmail:
    sudo make -C /etc/mail
    sudo /etc/init.d/sendmail reload
    Test if you can send an email to yourself:
    echo "Just testing my Sendmail email relay" | mail -s "Sendmail email relay" you@here.com
  17. Setup NTP sync
    sudo apt-get install -y ntp ntpdate
    sudo vi /etc/ntp.conf
    And replace the XX with your country code
    0.XX.pool.ntp.org
    sudo /etc/init.d/ntp stop
    And do a one-shot sync (the daemon is stopped first because it holds the NTP port)
    sudo ntpd -gq
    sudo /etc/init.d/ntp start
    Then query the peers to see NTP being in sync (ntpq is the query tool; "ntpd -pn" would instead try to start a second daemon with "n" as its pid file)
    sudo ntpq -pn
  18. Setup SNMP
    sudo apt-get install snmp snmpd
    sudo vi /etc/snmp/snmpd.conf
    And put the following configuration lines. Replace public with a community string of your own: SNMP v1/v2c community strings travel in clear text and act as the password, and public is the default every scanner tries; the subnet restriction is what limits who can query at all (prefer SNMPv3 if your monitoring supports it).
    agentAddress udp:161
    rocommunity public 192.168.X.0/24
    Restart your SNMP daemon
    sudo /etc/init.d/snmpd restart
    And test on your local machine
    snmpwalk -Os -c public -v 1 localhost
  19. Setup NFS backup share, install a backup tool, rsnapshot and configure
    Fix rpcbind issue (Make yourself root first)
    su -
    cat >/etc/systemd/system/nfs-common.service <<\EOF
    [Unit]
    Description=NFS Common daemons
    Wants=remote-fs-pre.target
    DefaultDependencies=no
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/etc/init.d/nfs-common start
    ExecStop=/etc/init.d/nfs-common stop
    
    [Install]
    WantedBy=sysinit.target
    EOF

    cat >/etc/systemd/system/rpcbind.service <<\EOF
    [Unit]
    Description=RPC bind portmap service
    After=systemd-tmpfiles-setup.service
    Wants=remote-fs-pre.target
    Before=remote-fs-pre.target
    DefaultDependencies=no
    
    [Service]
    ExecStart=/sbin/rpcbind -f -w
    KillMode=process
    Restart=on-failure
    
    [Install]
    WantedBy=sysinit.target
    Alias=portmap
    EOF

    cat >/etc/tmpfiles.d/rpcbind.conf <<\EOF
    #Type Path        Mode UID  GID  Age Argument
    d     /run/rpcbind 0755 root root - -
    f     /run/rpcbind/rpcbind.xdr 0600 root root - -
    f     /run/rpcbind/portmap.xdr 0600 root root - -
    EOF
    
    systemctl enable rpcbind.service
    systemctl enable nfs-common 
    Install raspiBackup (the installer is fetched below)
    sudo mkdir -p /backup
    Make the mount point immutable so that a backup run cannot silently write to the SD card when the NFS share is not mounted:
    sudo chattr +i /backup
    sudo vi /etc/fstab
    And add the following line (the mount point is the second field; _netdev defers the mount until the network is up; 8192 replaces the common 8912 typo, which the kernel rounds down to 8192 anyway):
    server.yourdomain.com:/volume1/backups/host.yourdomain.com/backup   /backup   nfs   rsize=8192,wsize=8192,timeo=14,_netdev   0   0
    sudo mount /backup
    Now install the raspiBackup tool. As with any installer piped into a root shell, fetch it first, inspect it, then run it:
    curl -fsSL -o raspiBackup-install.sh https://raw.githubusercontent.com/framps/raspiBackup/master/installation/install.sh
    less raspiBackup-install.sh
    sudo bash raspiBackup-install.sh
    Go through the configuration tool, later on you can go back to it via: raspiBackupInstallUI.sh
    -Backup versions: smart strategy
    -Backup to tar
    -No compression
    -Backup mode standard
    -Email notification set
    Uncomment the crontab (backup will run every Sunday at 5am):
    sudo vi /etc/cron.d/raspiBackup 
    And finally test
    sudo raspiBackup
  20. Set up SSH key authentication for easy login between the RPi and the backup server
    ssh-keygen (or reuse the ed25519 key from step 8)
    ssh-copy-id -p 22 admin@server.yourdomain.com
    Then log into your server, make yourself root and copy its public key into the Raspberry Pi. ssh-copy-id sets the ~/.ssh and authorized_keys permissions for you; with the manual variant, check afterwards that ~/.ssh is 700 and authorized_keys is not group/world writable, or sshd will reject the key.
    ssh-copy-id user@host.yourdomain.com
    or
    cat /root/.ssh/id_rsa.pub | ssh user@host.yourdomain.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
    Test if it's working by using:
    ssh user@host.yourdomain.com
  21. Setup unattended upgrades (this follows a tutorial whose link was not preserved here)
    sudo apt update
    sudo apt install unattended-upgrades
    Configure unattended upgrades and uncomment the origins below. Note that these origins are for Debian proper: on 32-bit Raspberry Pi OS the packages come from the Raspbian and Raspberry Pi Foundation repositories instead and none of the Debian lines will match, so nothing would ever be upgraded. Check the Origin and Label of your sources with apt-cache policy, add matching "origin=...,codename=${distro_codename},label=..." lines, and confirm with sudo unattended-upgrade --dry-run --debug that packages are actually selected:
    sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
    
    "origin=Debian,codename=${distro_codename}-updates";
    "origin=Debian,codename=${distro_codename}-proposed-updates";
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; 
    And uncomment:
    Unattended-Upgrade::Remove-Unused-Dependencies "false";
    Now enable Automatic Updates (and press Yes)
    sudo dpkg-reconfigure --priority=low unattended-upgrades
    To view the unattended upgrades:
    sudo systemctl status unattended-upgrades.service
    -