Updating CA root certificate bundle on Synology

I ran into the issue of my Synology NAS not being able to pull from my local Docker registry:

docker: Error response from daemon: Get "https://redacted-local-hostname.net/v2/": x509: certificate has expired or is not yet valid  

Turns out my Synology hasn't been picking up the latest CA root certificates. I could verify that this is the issue by running curl

curl -I https://alexnj.com  
curl: (60) SSL certificate problem: certificate has expired  
More details here: https://curl.haxx.se/docs/sslcerts.html  

Fixing this turned out rather easy. The commands below download the up-to-date root certificates from curl.se, in PEM format. We move it to the place where Synology keeps the CA-certificate bundle, overwriting it. We create a backup of the origin CA-certificate bundle, with a .backup extension, just in case you'd want to revert for any reason.

cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.backup  
wget --no-check-certificate https://curl.se/ca/cacert.pem  
mv cacert.pem /etc/ssl/certs/ca-certificates.crt  

After this, the same curl command started succeeding. However, Docker was still throwing the same error — meaning it didn't pick up the updated root certificates. Solution? Let's try restarting the Synology Docker daemon:

synoservice --restart pkgctl-Docker  

That took care of it. If you run into the same issue with your Synology, hope this helps!

comments powered by Disqus