Synology DSM 7 can automatically obtain and renew Let’s Encrypt certificates, which is great. The problem is that other services running on the NAS, like AdGuard Home in Docker, don’t have access to those certificates. You’d have to manually copy them every time after renewal.

I wrote a small script that checks whether the certificates have changed, and if so, copies them to the AdGuard Home configuration directory and restarts the container.

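#!/bin/bash
# Copy DSM's Let's Encrypt certificate to AdGuard Home when it has changed.
set -e  # abort on the first failing command

# DSM certificate directory; replace XXXXXX with your own directory name
CERT_DIR="/usr/syno/etc/certificate/_archive/XXXXXX"
# Host directory that is mounted into the AdGuard Home container
DEST="/volume1/docker/dns/adguardhome/config/certs"
LOG="/var/log/adguard-cert-update.log"

mkdir -p "$DEST"

# cmp -s prints nothing and returns non-zero if the files differ or the copy is missing
if ! cmp -s "$CERT_DIR/fullchain.pem" "$DEST/fullchain.pem" || \
   ! cmp -s "$CERT_DIR/privkey.pem" "$DEST/privkey.pem"; then

    cp "$CERT_DIR/fullchain.pem" "$DEST/"
    cp "$CERT_DIR/privkey.pem" "$DEST/"
    chmod 644 "$DEST/fullchain.pem"
    chmod 600 "$DEST/privkey.pem"  # private key: owner read/write only

    # Restart the container so AdGuard Home loads the new certificate
    docker restart dns-adguardhome

    echo "$(date): Certificates updated and AdGuard Home restarted." >> "$LOG"
else
    echo "$(date): Certificates unchanged, no action taken." >> "$LOG"
fi

exit 0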

CERT_DIR points to where DSM stores the certificate. Each certificate gets its own subdirectory under /usr/syno/etc/certificate/_archive/ with a random name. You can find yours by checking which directory contains the certificate for your domain.

The script uses cmp to compare the current certificates against the previously copied versions. Only when something has changed are the new files copied, the correct permissions set, and the AdGuard Home container restarted. Everything is logged so you can verify it works.
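
A variant of the copy step, as an added example that is not part of the original script: it stages both files in a private temporary directory and renames them into place, so privkey.pem never sits in the destination with looser permissions and a failed copy leaves the previous pair untouched. The function name sync_certs and its return codes are assumptions of this example.

```bash
#!/bin/bash
# Added example, not the original script.
# sync_certs SRC_DIR DEST_DIR
#   returns 0 if the files were updated, 1 if unchanged, 2 on error
#   (function name and return codes are assumptions of this example)
sync_certs() {
    src=$1
    dest=$2

    # Refuse to continue unless both source files exist and are non-empty.
    [ -s "$src/fullchain.pem" ] && [ -s "$src/privkey.pem" ] || return 2

    # Same change detection as the script above.
    if cmp -s "$src/fullchain.pem" "$dest/fullchain.pem" &&
       cmp -s "$src/privkey.pem" "$dest/privkey.pem"; then
        return 1
    fi

    mkdir -p "$dest" || return 2
    # mktemp -d creates the staging directory with mode 700, on the same
    # filesystem as the destination so the later mv is a rename.
    stage=$(mktemp -d "$dest/.stage.XXXXXX") || return 2

    if ( umask 077   # staged copies are never group- or world-readable
         cp "$src/fullchain.pem" "$src/privkey.pem" "$stage/" &&
         chmod 644 "$stage/fullchain.pem" &&
         chmod 600 "$stage/privkey.pem" &&
         mv -f "$stage/privkey.pem" "$dest/privkey.pem" &&
         mv -f "$stage/fullchain.pem" "$dest/fullchain.pem" ); then
        rc=0
    else
        rc=2
    fi

    rm -rf "$stage"
    return $rc
}

# Usage inside the script above, replacing the cp/chmod lines:
#   sync_certs "$CERT_DIR" "$DEST" && docker restart dns-adguardhome
```
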

Finding your certificate directory

SSH into your Synology and inspect the archive:

ls /usr/syno/etc/certificate/_archive/

Each subdirectory contains fullchain.pem, privkey.pem, and other files. Check the INFO file in each directory to find which one belongs to your domain:

cat /usr/syno/etc/certificate/_archive/*/INFO

Scheduling

In DSM, go to Control Panel > Task Scheduler and create a new Triggered Task > User-defined script. Set it to run as root at boot, or create a scheduled task that runs daily. Paste the path to the script as the command. Because the task runs as root, keep the script file owned by root and not writable by other users.

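Alternatively, add a cron job via SSH. /etc/crontab is the system crontab, so each entry needs a user field (root here) between the schedule and the command, and DSM separates the fields with tabs:

printf '0\t3\t*\t*\t*\troot\t/path/to/sync-certs.sh\n' >> /etc/crontab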

Configure AdGuard Home

In AdGuard Home’s settings, go to Encryption and set the certificate and key paths to:

  • Certificate: /opt/adguardhome/certs/fullchain.pem
  • Private key: /opt/adguardhome/certs/privkey.pem

Make sure the certs directory on the host is mounted into the container at the expected path.