看见 hostloc 上有人求黑群怎么自动更新 ssl 证书

没有 hostloc 帐号，所以不能回复，贴上自己写的自动更新 ssl 证书脚本，以便帮助有需要的人。 ps：

这个脚本工作于我的 dsm6.2 ，如果是 dsm7 ，你可能需要更改下证书存放路径和服务重启方式（自己找找相关信息，思路是一样的）
由于运营商封 80 端口，所以不能使用 http challenge ，只能使用 dns challeng 。这个脚本使用的是 acme.sh 的 cloudflare 的 api ，如果要改成其它提供商如阿里云，请参考 acme.sh 相关文档，切换应该也很简单

#!/bin/bash

# Automatically update certs for Synology DSM6
# 1. Migrate your domain to Cloudflare, and create an A type record.
# 2. Generate a token with zone view authority and dns edit authority.
# 3. Install acme.sh on DSM6, no need crontabs: ./acme.sh --install --force -m my@example.com
# 4. Put this script into user defined task scheduler, executes per one month or two.
# 5. Make sure this script will be exectuted once immediately by your schedule task, or just execute it once mannually.

# Modify these as your own.
# See https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials
export CF_Account_ID="xxx"
export CF_Zone_ID="xxx"
export CF_Token="xxx"
DOMAIN_RECORD='example.com'

ACME_HOME=$HOME/.acme.sh
ACME_SH=$ACME_HOME/acme.sh

if ! command -v "$ACME_SH" &>/dev/null; then
    echo "Please install acme.sh."
    exit 1
fi

DOMAIN_CERT_HOME="$ACME_HOME/$DOMAIN_RECORD"

TARGET_DIRS=(
    "/usr/syno/etc/certificate/_archive/$(head -n1 /usr/syno/etc/certificate/_archive/DEFAULT | xargs echo -n)"
    '/usr/syno/etc/certificate/system/default'
    '/usr/syno/etc/certificate/smbftpd/ftpd'
    '/usr/local/etc/certificate/CardDAVServer/carddav'
    '/usr/local/etc/certificate/SynologyDrive/SynologyDrive'
    '/usr/local/etc/certificate/WebDAVServer/webdav'
)

issue_or_renew() {
    cert_issued=0
    domains=()
    while IFS='' read -r line; do domains+=("$line"); done < <($ACME_SH --list | awk '{print $1}')
    for domain in "${domains[@]}"; do
        if [ "$domain" = "$DOMAIN_RECORD" ]; then
            cert_issued=1
            break
        fi
    done
    if [ "$cert_issued" -eq 0 ]; then
        rm -rf "$DOMAIN_CERT_HOME"
        # Issue certs via zerossl, or via letsencrypt you'd have to update ca-certificates on DSM6.
        # Since DSM6 does not support ecc, rsa(-k) should be specified, or system default certs will be overridden by DSM6 when reboots.
        $ACME_SH --issue --server zerossl --dns dns_cf -d $DOMAIN_RECORD -k 2048
    else
        $ACME_SH --renew --force -d $DOMAIN_RECORD
    fi
}
copy_certs() {
    echo "Copying certs...."
    for dir in "${TARGET_DIRS[@]}"; do
        install -m 400 "$DOMAIN_CERT_HOME/$DOMAIN_RECORD.cer" "$dir/cert.pem"
        install -m 400 "$DOMAIN_CERT_HOME/$DOMAIN_RECORD.key" "$dir/privkey.pem"
        install -m 400 "$DOMAIN_CERT_HOME/fullchain.cer" "$dir/fullchain.pem"
    done
    echo "Certs copy completed."
}

restart_services() {
    echo "Restarting services...."
    nginx -s reload
    /var/packages/WebDAVServer/scripts/start-stop-status stop
    /var/packages/CardDAVServer/scripts/start-stop-status stop
    sleep 20
    /var/packages/WebDAVServer/scripts/start-stop-status start
    /var/packages/CardDAVServer/scripts/start-stop-status start
    /var/packages/SynologyDrive/scripts/start-stop-status restart
    echo "Services restart completed."
}

echo '--------------------------------------'
issue_or_renew
copy_certs
restart_services

skiy

253 天前

用 acme.sh 别名方式续签，域名在不同的 DNS 都可以集中到一个
https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode#1-first-set-domain-cname

用 acme.sh 自带的 --install-cert 命令行，可以直接安装到不同的目录
用 acme.sh 自带的 --reloadcmd 命令行，可以在证书更新后执行相关命令或脚本（只需要封装一下 restart_services 这个就行）
https://github.com/acmesh-official/acme.sh/wiki/Using-pre-hook-post-hook-renew-hook-reloadcmd
```bash
# 比如
acme.sh --install-cert --ecc -d a.com --key-file /usr/local/nginx/conf/ssl/a.com.key --fullchain-file /usr/local/nginx/conf/ssl/a.com.fullchain.cer --reloadcmd "systemctl reload nginx"
```

还可以加个续签通知：
https://github.com/acmesh-official/acme.sh/wiki/notify