@troyfontaine
Forked from bergelfs/README.md
Last active January 22, 2026 07:31
certbot-dns-cloudflare on Asustor NAS running ADM 5

This guide configures an Asustor NAS running ADM 5 to use a Let's Encrypt certificate without exposing the NAS to the internet. Instead of port forwarding, certbot proves control of the domain with the DNS-01 challenge through Cloudflare. All of the steps below are run on the NAS over SSH.

  1. Elevate the terminal to root.

     ```sh
     sudo su
     ```

  2. Set up the required directories.

     ```sh
     mkdir -p /volume1/system/letsencrypt
     chown root:root /volume1/system/letsencrypt
     chmod 700 /volume1/system/letsencrypt
     mkdir -p /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy
     chown -R root:root /volume0/usr/builtin/etc/certificate/letsencrypt
     chmod -R 700 /volume0/usr/builtin/etc/certificate/letsencrypt/
     ```

  3. Set up the Cloudflare credentials.

     ```sh
     touch /volume1/system/letsencrypt/cloudflare.ini
     chmod 600 /volume1/system/letsencrypt/cloudflare.ini
     ```

     Add the Cloudflare API key to this file, following the instructions at: https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

  4. Copy the other scripts in this gist (install.sh and adm-deploy.sh) to the /volume1/system/letsencrypt directory. You can use the vi text editor to create them.

  5. Run install.sh to set up pip and certbot-dns-cloudflare.

     ```sh
     cd /volume1/system/letsencrypt
     # cron runs install.sh directly, and certbot only runs executable deploy hooks
     chmod 700 install.sh adm-deploy.sh
     sh install.sh
     ```

  6. Link the adm-deploy script as a Let's Encrypt deploy hook so that, after each renewal, the system automatically replaces the existing certificate and restarts the lighttpd web server.

     ```sh
     ln -s /volume1/system/letsencrypt/adm-deploy.sh /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy/
     ```

  7. Generate the host certificate. Make sure you replace nas.mydomain.com with the actual hostname of your NAS!

     ```sh
     # --config-dir must match the directory used by the deploy hook and the cron renew jobs
     certbot certonly --config-dir=/volume0/usr/builtin/etc/certificate/letsencrypt \
       --dns-cloudflare --dns-cloudflare-credentials /volume1/system/letsencrypt/cloudflare.ini \
       --preferred-challenges dns-01 \
       -d nas.mydomain.com
     ```

  8. Add the renewal tasks to root's crontab (edit /var/spool/cron/crontabs/root or run crontab -e).

     ```
     @reboot /volume1/system/letsencrypt/install.sh && /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/certificate/letsencrypt renew
     0 6 * * * /usr/bin/certbot --config-dir=/volume0/usr/builtin/etc/certificate/letsencrypt renew
     ```
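
A preflight check for the setup above, added here as an example and not part of the original gist. It flags a credentials file that group/other can access, a global API key where the plugin's scoped `dns_cloudflare_api_token` could be used instead, and a deploy hook that certbot would skip or that others could edit. The function names are hypothetical and the sample credentials are constructed.

```sh
#!/bin/sh
# Added example (not from the gist): preflight audit for this guide's setup.
# Each function prints one finding per line and prints nothing when all is well.

# creds_findings FILE: audit the Cloudflare credentials file.
creds_findings() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 0; }
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    [ "$(ls -ldL "$f" | cut -c5-10)" = "------" ] ||
        echo "perms: $f is accessible to group/other, expected mode 600"
    # The plugin accepts a global key (with dns_cloudflare_email) or a token;
    # only the token can be restricted to DNS edits on the zones needed.
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        echo "scope: global API key in use, prefer dns_cloudflare_api_token"
    elif ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
        echo "empty: no dns_cloudflare_api_token value set"
    fi
}

# hook_findings PATH: audit a deploy hook (or the symlink pointing at it).
hook_findings() {
    h=$1
    [ -e "$h" ] || { echo "missing: $h does not resolve to a file"; return 0; }
    # certbot skips files in renewal-hooks/deploy that are not executable.
    [ -x "$h" ] || echo "noexec: $h is not executable, certbot will skip it"
    # The hook runs as root on renewal, so nobody else may be able to edit it.
    [ "$(ls -ldL "$h" | cut -c6,9)" = "--" ] ||
        echo "writable: $h can be modified by group/other"
}

# Constructed sample: a world-readable file holding a dummy global API key.
demo() {
    d=$(mktemp -d) || return 1
    printf 'dns_cloudflare_email = admin@example.com\ndns_cloudflare_api_key = CONSTRUCTED-DUMMY\n' > "$d/cloudflare.ini"
    chmod 644 "$d/cloudflare.ini"
    creds_findings "$d/cloudflare.ini"
    rm -rf "$d"
}

# With two arguments: audit that credentials file and hook. Otherwise: run the demo.
if [ $# -ge 2 ]; then
    creds_findings "$1"
    hook_findings "$2"
else
    demo
fi
```

Saved under a name of your choice, it takes the credentials file from step 3 and the hook link from step 6 as its two arguments.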

adm-deploy.sh

```bash
#!/usr/bin/env bash
MY_NAS_HOSTNAME="nas.domain.com"
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renewal:
# /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
set -eu    # stop before restarting lighttpd if any step fails
umask 077  # the combined PEM file contains the private key
SOURCE="/volume0/usr/builtin/etc/certificate/letsencrypt/live/${MY_NAS_HOSTNAME}" # Let's Encrypt certificate
TARGET="/volume0/usr/etc/lighttpd" # ADM lighttpd web server SSL cert target directory
# Combine the private key and the certificate into the single PEM file lighttpd loads
cat "$SOURCE/privkey.pem" "$SOURCE/cert.pem" > "$SOURCE/lighttpd.pem"
cp -Lfv "$SOURCE/lighttpd.pem" "$TARGET/lighttpd.pem"
/etc/init.d/S41lighttpd restart
```
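
install.sh

```sh
#!/bin/sh
# Bootstrap pip, then install certbot together with the Cloudflare DNS plugin.
python3 -m ensurepip
python3 -m pip install --upgrade pip
python3 -m pip -V
python3 -m pip install certbot-dns-cloudflare
# -f replaces an existing link, so re-running the script (e.g. from the @reboot cron job) does not fail
ln -sf /volume1/.@plugins/AppCentral/python3/bin/certbot /usr/bin/certbot
```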

```bash
#!/usr/bin/env bash
# Optional script for renewing the certificate for Nginx
MY_NAS_HOSTNAME="nas.domain.com"
# Asustor NAS Let's Encrypt certificate renewal deploy shell script.
# Place in this directory to run on successful renewal:
# /volume0/usr/builtin/etc/certificate/letsencrypt/renewal-hooks/deploy
# Certbot docs: https://certbot.eff.org/docs/using.html
set -eu    # stop before restarting nginx if any copy fails
umask 077  # ssl.key and ssl.pem contain the private key
SOURCE="/volume0/usr/builtin/etc/certificate/letsencrypt/live/${MY_NAS_HOSTNAME}" # Let's Encrypt certificate
TARGET="/volume0/usr/builtin/etc/certificate"
cat "$SOURCE/privkey.pem" "$SOURCE/cert.pem" > "$SOURCE/ssl.pem"
cp -Lfv "$SOURCE/cert.pem" "$TARGET/ssl.crt"
cp -Lfv "$SOURCE/privkey.pem" "$TARGET/ssl.key"
cp -Lfv "$SOURCE/ssl.pem" "$TARGET/ssl.pem"
# Restart nginx so it picks up the new certificate (pkill returns non-zero if nginx was not running)
pkill nginx || true
sleep 1
/volume0/usr/builtin/sbin/nginx -c /volume0/usr/builtin/etc/nginx_reverse_proxy/nginx.conf
```


papukj commented Sep 7, 2025

Thanks for the great guide. Just to highlight that there's a small mistake in step 7. The config-dir should be /volume0/usr/builtin/etc/certificate/letsencrypt and not /volume0/usr/builtin/etc/letsencrypt

@frasermclean

Any way to make the cert appear under the NAS UI cert manager?
