In my home environment, I was already using letsencrypt certs on my local webserver. I also have a QNAP NAS device that I wanted to use the cert on. Since letsencrypt certs have such a short valid period, it would be highly inconvenient to update the certs via the web UI by hand every time they expired.
My webserver is exposed to the internet, which makes it easier to just group in the NAS’s domain name with the certs that get renewed from the webserver due to the way letsencrypt renewals work.
After a bit of research, I found a way to remotely update the certs on the QNAP device via scp and ssh. The script below is what I came up with for my own use. With minor modifications, I hope that others may find it useful as well. In order to use it, you need to already have the server it runs on (not your NAS device itself) setup for letsencrypt and have already registered a cert. It will not update the NAS by default if the cert isn’t within 48 hours of expiration. You can override this by passing the –force option. It still won’t renew the cert, but it will restart the local httpd and update the NAS device’s cert. You should only normally need to do this the first time. I symlinked it into /etc/cron.daily so that it is completely hands off.