
1. Introduction

The Synology - NAS type deployment node automatically deploys SSL certificates issued through CertOne to a Synology NAS (Control Panel - Security - Certificate).


2. Usage

To use the Synology - NAS type deployment node, run our official container image certone/certone-synology, which performs the automatic certificate deployment.
The image is built on the official Node.js stable image node:18-alpine, with the automatic certificate renewal service added. It runs under Synology's "Container Manager" package or under docker.


1. Pull Image

Pull the container image by searching for "certone/certone-synology" in the registry of Synology's "Container Manager", or pull it with the docker command:

# Docker Hub
docker pull certone/certone-synology

2. Use Image

To start the container through Synology's "Container Manager" package, create a new project under "Container Manager - Projects" and configure docker-compose.yml as in this example:

version: '3.9'
services:
  certone:
    image: certone/certone-synology
    container_name: certone
    restart: always
    network_mode: host
    environment:
      - PUSH_NODE_ID=push-53ejqm8p60gd7no9
      - PUSH_NODE_TOKEN=6b2440b1e3f180a3c9453f9d7766a565
      - SYNO_USERNAME=certone
      - SYNO_PASSWORD=1h^.Uih2-8hAf9wt.0ekjZa^2s%@t33d

Or start the container with a docker command:

docker run -d --restart always \
--network host \
-e PUSH_NODE_ID="push-53ejqm8p60gd7no9" \
-e PUSH_NODE_TOKEN="6b2440b1e3f180a3c9453f9d7766a565" \
-e SYNO_USERNAME="certone" \
-e SYNO_PASSWORD="1h^.Uih2-8hAf9wt.0ekjZa^2s%@t33d" \
--name certone \
certone/certone-synology

Set the following environment variables for the container:

  • PUSH_NODE_ID: Required. The deployment node ID that the system generates when the deployment node is created. Deployment node IDs all start with push, for example: push-53ejqm8p60gd7no9
  • PUSH_NODE_TOKEN: Required. The 32-character token generated by clicking the generate button when creating the deployment node, for example: 6b2440b1e3f180a3c9453f9d7766a565
  • SYNO_SCHEME: Protocol of the Synology management panel URL (http or https), used for Synology API calls. The default value is http, which generally does not need to be changed
  • SYNO_HOSTNAME: Domain or IP of the Synology management panel URL, used for Synology API calls. The default value is 127.0.0.1, which generally does not need to be changed. If you do change it, make sure the configured domain or IP is reachable from inside the container; otherwise the Synology API calls fail and the certificate is not deployed
  • SYNO_PORT: Port number of the Synology management panel URL, used for Synology API calls. The default value is 5000, which generally does not need to be changed
  • SYNO_USERNAME: Required. The Synology NAS user account
    • Automatic deployment uploads certificates to the Synology system through its API, and only administrators are permitted to upload certificates, so this user account must be in the administrators group and must not have two-factor authentication enabled
    • It is recommended to create a dedicated user account for automatic certificate deployment and to give it a complex password of 16 characters or more
    • It is recommended to disable all folder read-write permissions and all application access permissions for this account to improve NAS data security
    • CertOne uses the Synology NAS user account only inside the instance where the deployment node container runs. The account information is not transmitted over the network, so you can use it with confidence
  • SYNO_PASSWORD: Required. The Synology NAS user password. A complex password of 16 characters or more is recommended
  • SYNO_AS_DEFAULT: Whether to set the certificate as the default certificate. The default value is false, i.e. the certificate is not set as the default. To make it the default certificate, set this value to true; in that case it is recommended that this deployment node be bound to only one certificate, otherwise several certificates each set as default overwrite one another and only the last one takes effect

Pay attention to the docker container network mode (network_mode):

  • If the container is deployed on the Synology NAS and SYNO_HOSTNAME is not set, the Synology NAS API is called at the default address http://127.0.0.1:5000. The container network mode network_mode must then be set to host; otherwise the container cannot reach the Synology API at http://127.0.0.1:5000 and certificate deployment fails
  • If the container is not deployed on the Synology NAS, or network_mode is not set to host, adjust SYNO_SCHEME, SYNO_HOSTNAME and SYNO_PORT to your environment so that the Synology NAS API is reachable from inside the container through the configured protocol (SYNO_SCHEME), domain or IP (SYNO_HOSTNAME) and port (SYNO_PORT); otherwise certificate deployment fails
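
A preflight check for the variables and network notes above, as an added example that is not part of CertOne's image or documentation. The function names are hypothetical, and the 32-character token length is assumed from the example token on this page.

```shell
#!/bin/sh
# Added example (not CertOne code): validate the documented variables before
# starting the container. Defaults are the ones stated on this page.

# Build the Synology API base URL the container would call.
syno_base_url() {
  printf '%s://%s:%s\n' "${SYNO_SCHEME:-http}" \
    "${SYNO_HOSTNAME:-127.0.0.1}" "${SYNO_PORT:-5000}"
}

# Succeed only for the loopback names that host networking on the NAS implies.
is_loopback() {
  case "$1" in
    127.0.0.1|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one ERROR/WARN line per finding; return 1 if any ERROR was found.
check_certone_env() {
  rc=0
  token=${PUSH_NODE_TOKEN:-}
  pass=${SYNO_PASSWORD:-}
  scheme=${SYNO_SCHEME:-http}
  case "${PUSH_NODE_ID:-}" in
    push?*) ;;
    *) echo "ERROR: PUSH_NODE_ID must be set and start with 'push'"; rc=1 ;;
  esac
  # Assumption: tokens are 32 characters long, like the example on the page.
  [ "${#token}" -eq 32 ] || { echo "ERROR: PUSH_NODE_TOKEN must be 32 characters"; rc=1; }
  [ -n "${SYNO_USERNAME:-}" ] || { echo "ERROR: SYNO_USERNAME must be set"; rc=1; }
  [ -n "$pass" ] || { echo "ERROR: SYNO_PASSWORD must be set"; rc=1; }
  case "$scheme" in
    http|https) ;;
    *) echo "ERROR: SYNO_SCHEME must be http or https"; rc=1 ;;
  esac
  case "${SYNO_PORT:-5000}" in
    *[!0-9]*) echo "ERROR: SYNO_PORT must be numeric"; rc=1 ;;
  esac
  if [ -n "$pass" ] && [ "${#pass}" -lt 16 ]; then
    echo "WARN: SYNO_PASSWORD is shorter than the recommended 16 characters"
  fi
  # Over plain http to a non-loopback host, the administrator password and
  # the certificate private key cross the network unencrypted.
  if [ "$scheme" = http ] && ! is_loopback "${SYNO_HOSTNAME:-127.0.0.1}"; then
    echo "WARN: http to $(syno_base_url) is not loopback; use SYNO_SCHEME=https"
  fi
  return "$rc"
}
```

With the same variables exported in a shell, check_certone_env prints its findings and returns non-zero when a required value is missing or malformed.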

3. FAQ

1. After the container starts, the certificate is not deployed successfully

When this happens, check the following points in order:

  • Check in CertOne whether the deployment node has been bound to the certificate. A deployment node can automatically pull a certificate only after it has been bound to that certificate
  • Check whether the environment variables PUSH_NODE_ID and PUSH_NODE_TOKEN are set correctly and are in effect inside the container. You can check with the following commands:
# "certone" below is the container name; replace it with your actual container name
# This command opens a shell inside the container, where the echo commands below are run
docker exec -it certone sh

# Run the following two commands in the container shell to check that the environment variables exist in the container and match the values shown in CertOne
# If either command prints nothing or a value that differs from CertOne, the variable is not in effect or is set incorrectly. Check that both variables are set correctly in the container startup command or in docker-compose.yml
echo "$PUSH_NODE_ID"
echo "$PUSH_NODE_TOKEN"
  • Check whether the configured SYNO_SCHEME, SYNO_HOSTNAME and SYNO_PORT are correct. You can use curl inside the container to check whether the configured Synology API address (${SYNO_SCHEME}://${SYNO_HOSTNAME}:${SYNO_PORT}) is reachable

If all three items above are correct and the problem persists, check the container logs to locate the problem:

# certone in the command below is the container name, replace with your actual container name
docker logs certone