Certbot

Let’s Encrypt’s certbot will be the first application we install. It replaces Asustor’s default integrated certbot, which supports only HTTP validation.

Cappysan’s repackaged certbot supports HTTP validation as well as DNS-based challenge validation.

Installing this package is only required if you plan to use your own domain with certificates issued by Let’s Encrypt. If you use a self-signed certificate, Asustor’s builtin certificate, or a commercial certificate, this step is not needed.

Note

Having proper SSL support isn’t strictly necessary, but having a valid SSL configuration is more enjoyable than having to either add one SSL exception per website in the browser, or having to change every configuration to allow insecure connections.

Warning

All parts of this Asustor Home Lab tutorial assume that SSL is configured and used.

Installation

Certbot Configuration

In the /share/Configuration/certbot directory, or its equivalent locally mounted location, or via the File Explorer, perform the following steps:

  • Edit domains.conf to specify the domain names to be validated. The file contains a comma-separated list of domains, without spaces. Wildcard domains are supported when using DNS-based validation.

Note

Using a wildcard, such as *.example.com, is recommended.

  • Edit provider.conf and enter the name of the DNS provider (for example, ovh, route53, etc.). This setting determines which DNS plugin configuration is used when constructing the Certbot command line. Accepted values correspond to the DNS provider component of the plugins listed in Certbot’s list of DNS plugins. If you use a custom value that does not correspond to a supported DNS provider, you must create a command-line configuration file.

  • Edit the credentials.conf file, or the file corresponding to the selected provider (for example, ovh.conf for the OVH plugin), creating it if necessary. Each file contains comments indicating where to find additional documentation for that provider.

  • Optionally, create a cmdline.conf file to override the DNS-specific Certbot command line. This file is required when using a non-standard provider.

  • Restart Certbot, either through the Asustor web interface or via SSH using the following command: /share/Configuration/certbot/start-stop.sh restart
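The files edited in the steps above can be checked before Certbot is restarted. The following shell function is an added example, not part of the package or of the original tutorial. Its name and messages are hypothetical, it assumes that an empty or missing provider.conf means no DNS validation, and its permission check reflects the fact that the credentials file holds a DNS API secret (Certbot's DNS plugins warn when such a file is readable by other users).

```shell
#!/bin/sh
# Added example (not the package's own code): pre-flight check of the certbot
# configuration directory. Function name and messages are hypothetical.
# Assumption: an empty or missing provider.conf means no DNS validation.
check_certbot_conf() {
    dir=$1
    rc=0
    fail() { echo "certbot-conf: $*" >&2; rc=1; }

    domains=$(cat "$dir/domains.conf" 2>/dev/null || true)
    provider=$(cat "$dir/provider.conf" 2>/dev/null | tr -d ' \t\r\n')
    [ -n "$domains" ] || { fail "domains.conf is missing or empty"; return 1; }

    # One line, comma-separated, no spaces; CRLF from a desktop editor also fails.
    if [ "$(printf '%s' "$domains" | tr -d ' \t\r\n')" != "$domains" ]; then
        fail "domains.conf contains spaces, tabs or line breaks"
    fi

    # Every entry must be a hostname, optionally prefixed with "*.".
    label='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
    re="^(\\*\\.)?$label(\\.$label)+\$"
    nbad=$(printf '%s\n' "$domains" | tr ',' '\n' | grep -Evc "$re")
    [ "$nbad" -eq 0 ] || fail "domains.conf has $nbad invalid or empty entries"

    # Wildcards can only be validated through a DNS challenge.
    case ",$domains" in
        *",*."*) [ -n "$provider" ] || fail "wildcard needs a provider.conf" ;;
    esac

    # The credentials file holds a DNS API secret: owner-only access.
    if [ -n "$provider" ]; then
        cred="$dir/$provider.conf"
        [ -f "$cred" ] || cred="$dir/credentials.conf"
        if [ ! -f "$cred" ]; then
            # With cmdline.conf the credentials path is set by that file.
            [ -f "$dir/cmdline.conf" ] || fail "no credentials file found"
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
            fail "$cred is accessible to group/other (chmod 600)"
        fi
    fi
    return "$rc"
}

# Run against a directory when one is given on the command line.
[ -z "${1:-}" ] || check_certbot_conf "$1"
```

Saved as a script and run with /share/Configuration/certbot as its argument, it prints one line per problem and exits non-zero if any check fails.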

Note

Certbot log messages can be found in System Information / Logs.

Warning

Because of a bug in the Asustor software, the NAS must have been rebooted at least once since installation for syslog messages to be logged.

SSL Configuration

Once certbot runs without error and the SSL certificates are installed, they will be copied to /usr/builtin/etc/certificate/. The Asustor builtin certificates remain in /usr/builtin/etc/certificate/ssl_default.

In order to install the certificates:

  • Retrieve the certificates zip file from the certbot folder in the Configuration folder and unzip it.

  • Add the certificates to the certificate manager.

From now on, the certificates will be renewed automatically.