Basic certificate Synology NAS fails

Hi guys,

Basically, I can't get Let's Encrypt to create a certificate.

I've done all the right things, port forwarding 80/443/5001 to NAS, HTTPS redirect enabled, URL is pointed to my static IP, which has been tested and works (go to ftp://talentedvoice.net and you will see a login screen).

Time and time again, the operation fails.

Also, I don't know what to put in for Subject Alternative Name.

My domain is: talentedvoice.net

My web server is (include version): Synology DS214

The operating system my web server runs on is (include version): DSM 6.2.2.2-24922 Update 3

My hosting provider, if applicable, is: Registrar is namecheap; I have a static IP and the URL is properly pointed to said IP. Router is configured correctly.

I'm using a control panel to manage my site - See Synology DSM info above

please help......

Thanks

1 Like

Hi @TheToddMan

That was published 2019-08-22.

That may no longer work.

Isn't there an update?

What's the exact error message?

1 Like

Checked for updates, says I'm using latest version of DSM.

Error message is: "Operation failed. Please log into DSM and try again."

Again, not sure what to put in for Subject Alternative Name

Your thoughts.

Your domain name is required.

OK..that's what I'm putting in. Still doesn't work

That

https://talentedvoice.net/cgi-bin/webif/system-info.sh

doesn't look like a Synology DSM.

Looks like there runs something else.

So Synology can't create a certificate with that domain name.

PS: What answers there is a

Server: lighttpd/1.4.55

That's not Synology.

2 Likes

I'm not sure what to say......lol. Do you want me to send you a picture?

It's a Synology.....no question. Would you like to login and have a look for yourself?

It's not. Use an online tool to check the answer.

If you want to create a certificate, Letsencrypt must be able to check your domain name.

But that's not possible -> DSM can't create a certificate, that's expected.

Read

1 Like

Go here:

talentedvoice.net:5001

Tell me if that's not a Synology DSM login page.

Please read the basics.

Port 80 is required if you want to create a certificate via http validation.

But port 80 is blocked, so your DSM can't use that port to validate the domain name.

PS: Now the check is finished - https://check-your-website.server-daten.de/?q=talentedvoice.net

Port 80 + /.well-known/acme-challenge/random-filename is blocked (DSM can't use it) and has a redirect to port 443 + /. That can't work.

2 Likes

The redirect has been removed...pls check...

You were checking it when I was removing the redirect to HTTPS.

I can type in the URL into a browser without HTTPS prefix....

talentedvoice.net:5000 would be the Synology DSM login page (where port 5000 in DSM is assigned to HTTP port 80)

If you'd like login credentials to see that it's a Synology DSM, I'd be happy to PM you with the info and you can look for yourself.

Hi, Todd.

As Juergen mentioned before, Let's Encrypt requires port 80 (HTTP) or port 443 (HTTPS) to work. Meaning ports 80 and 443 have to be open on your router for this to work. Some ISPs block these ports. If yours does, no amount of port forwarding will help you.

Does your ISP block ports 80 & 443?

Since the Synology uses 5000 and 5001 on your internal network, you will have to port forward, as you've already done. Since this isn't working,

Before we go further, you're going to need to test the external access by connecting to the Internet via a connection that is NOT on your home network. One way to do this is to connect to your mobile phone using the hotspot function. Be sure the wifi connection of the mobile phone is off.

To test the connection via your home network, you would use http://talentedvoice.net:5000 or https://talentedvoice.net:5001.

From the external connection (mobile phone hotspot, Starbucks wifi, etc.) you'd connect via http://talentedvoice.net/ (port 80) and https://talentedvoice.net/ (Port 443)

If your port forwarding setup is correct, you "should" get a successful result.

You could also try a few other things:

1 - if your router has a DMZ feature, you could assign the IP address of the Synology to the DMZ. If you do this, the Synology will be in the "public" zone outside of your router, as if the NAS was connected directly to the Internet.

  • doing this means that the port forwarding rules you created won't apply.
  • you will have to change the default DSM ports to 80 and 443 respectively.

To change DSM ports to 80 for HTTP and 443 for HTTPS, go to Control Panel > General and in the DSM Ports section change 5000 and 5001 accordingly to 80 & 443.

2 - if you don't have a DMZ feature, I'd still change the DSM ports to 80 & 443, and then update your port forwarding rules to match.

  • First, test the port changes by connecting to the DSM UI on your local network using HTTP, and HTTPS.
  • If that works, connect via your phone's hotspot and see if you can connect successfully to your DSM from the Internet. To test this, I'd use both the ISP public IP address as well as the DNS name.

This would verify the "plumbing" to the DSM.

If the DNS name doesn't work when connecting from the Internet, you likely have an issue with the DNS entries with your registrar or your Dynamic DNS service provider.

Once the end to end connectivity is working, we can then focus on the LE certificate issues.

Hope this helps.

//Shawn

Owner of 3 Synology DS1817+ devices, using LE certs, with remote access working externally.

4 Likes

Thank you, Shawn! :star2:

2 Likes

If the Synology is using 5000 and 5001, then who is using 80?
I get this:

curl -Iki http://talentedvoice.net/.well-known/acme-challenge/test-file-1234
HTTP/1.1 301 Moved Permanently
Location: https://talentedvoice.net:443/
Date: Sun, 30 Aug 2020 03:38:04 GMT
Server: lighttpd/1.4.55

Which is bad for LE for multiple reasons.

Where does the router send port 80?
[it may be to the router itself - that is very bad]

2 Likes
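The three checks the replies above keep coming back to (Juergen's point that port 80 plus /.well-known/acme-challenge/ must answer without credentials, Shawn's advice to test the "plumbing" from outside the home network, and the curl output showing a 301 to https://talentedvoice.net:443/) can be automated. The script below is an added example for this thread, not code from Synology or Let's Encrypt; it uses only the Python standard library. It requests a random, non-existent challenge token on port 80 the way the validator does (no credentials, no redirect following) and judges the answer: a 404 is fine, a redirect is fine only if it keeps the challenge path and lands on port 80 or 443, and a 401/403 or a redirect that drops the path is a problem. The captured response embedded at the bottom is constructed from the headers quoted in the post above so the judgement can be run offline; the hostname and token are assumptions.

```python
"""
Judge a port-80 answer for the HTTP-01 challenge path the way the Let's
Encrypt validator sees it. Added example; standard library only.
"""
import http.client
import secrets
import socket
from dataclasses import dataclass, field
from urllib.parse import urlparse

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class ProbeResult:
    status: int
    server: str
    location: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def classify(status: int, headers: dict, path: str) -> ProbeResult:
    """A 404 is fine (the random token does not exist yet). A redirect is
    followed by the validator only to port 80 or 443, and it only helps if
    the challenge path survives, because the token must be served there."""
    h = {k.lower(): v for k, v in headers.items()}
    res = ProbeResult(status, h.get("server", ""), h.get("location", ""))
    if status in REDIRECTS:
        loc = urlparse(res.location)
        if loc.path != path:
            res.problems.append(
                f"redirect to {res.location!r} drops the challenge path")
        if loc.port not in (None, 80, 443):
            res.problems.append(
                f"redirect targets port {loc.port}; only 80/443 are followed")
    elif status in (401, 403):
        res.problems.append(f"HTTP {status}: the validator has no credentials")
    elif status >= 400 and status != 404:
        res.problems.append(f"HTTP {status} on the challenge path")
    return res


def probe(host: str, timeout: float = 5.0) -> ProbeResult:
    """Live probe of port 80. Run it from outside the home network (phone
    hotspot) so the router's forwarding rules are actually exercised."""
    path = ACME_PREFIX + secrets.token_urlsafe(16)
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), path)
    except (OSError, http.client.HTTPException) as exc:
        return ProbeResult(0, "", "", [f"port 80 unreachable: {exc}"])


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP reachability, for checking 80 and 443 from an external
    network before worrying about the certificate at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed from the curl output quoted in the thread, for an offline run.
CAPTURED = {
    "status": 301,
    "headers": {"Location": "https://talentedvoice.net:443/",
                "Server": "lighttpd/1.4.55"},
}


def judge_captured() -> ProbeResult:
    """Judge the captured response exactly as the live probe would."""
    return classify(CAPTURED["status"], CAPTURED["headers"],
                    ACME_PREFIX + "test-file-1234")


if __name__ == "__main__":
    r = judge_captured()
    print(f"status={r.status} server={r.server!r} ok={r.ok}")
    for p in r.problems:
        print(" -", p)
    # Live run (assumed hostname): probe("talentedvoice.net") and
    # tcp_open("talentedvoice.net", 443) from an external connection.
```

The Server header is reported but not judged: what it should say depends on what actually sits on port 80, and comparing it with what you expect (DSM or something else on the router) is exactly the argument the thread is having.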

The redirect isn't relevant, if port 80 is blocked via that

Server: lighttpd/1.4.55

(now, 10 hours later, the same problem).

DSM must be able to use port 80 externally.

To check your configuration, use online tools or curl.

Letsencrypt checks your port 80 without login credentials. So something that requires credentials isn't relevant.

2 Likes

Great info! Thanks so much, Shawn.

I have made a great deal of progress - there were settings in the DSM with respect to DNS that I was not aware of; some bizarre numbers for DNS server - no idea how they got in there.

I set a static DNS server (Google), ran the Setup Router function in DSM and it came back with DNS relay all good.

Went to put in a certificate and now it's trying to connect to Let's Encrypt. It comes back with "Couldn't connect to Let's Encrypt, invalid domain name."

The domain name is valid and I am able to connect to FTP using it (off the home network as you suggested here) on both ports 21 and 22, so all my router settings are working, as well as the A Record for the domain over at namecheap.

To change DSM ports to 80 for HTTP and 443 for HTTPS, go to Control Panel > General and in the DSM Ports section change 5000 and 5001 accordingly to 80 & 443.

I'm assuming you mean Control Panel>Network>DSM Settings

DSM does not allow me to put in port 80 and 443 respectively - the text fields are highlighted in red and there is no way to save the settings. I think the aforementioned quote is misinformation; these ports are used for DSM management (LAN/WAN access to DSM Login Portal).

Regarding the domain. I should mention that I have entered a single A Record in Advanced DNS at Namecheap which points to my static IP: 174.90.99.74

It should also be mentioned that I am pointing (now) two domains to this IP for FTP server purposes, so I'm not sure if that's creating a conflict with Let's Encrypt.

I'm still unsure as to what info to put in for the Let's Encrypt certificate. As I am only forwarding the domain to the IP for FTP purposes, there is no valid e-mail address for this domain, per se.

So, I'm putting in this:

talentedvoice.net (the domain pointed to my static IP above)
gus@talentedvoice.com (a VALID e-mail address)
mail.talentedvoice.net (I'm guessing this is correct...?)

Your thoughts.

2 Likes

I believe this is what you are asking about:

Enter the following information:

  • Domain name : Enter the domain you have registered from the domain provider.

  • Email : Enter the email address used for certificate registration. A notification will be sent to this email address once the certificate is about to expire.

  • Subject Alternative Name : To allow one certificate to cover multiple domains, enter the other domain names here. For instance, if the entered Domain name is "example.com" and you wish to share the same certificate with another domain of your NAS device, "mail.example.com", please enter "mail.example.com" in the Subject Alternative Name field.

Note: The domains entered in the Domain name and Subject Alternative Name fields should have the same external IP address.

This is part of creating the certificate signing request (CSR) that's sent to Let's Encrypt.

The domain name, also known as the common name (CN), is the domain name that will appear at the top of your certificate.

The email address is used by Let's Encrypt to send you status information about your certificate, such as expiration notices.

The subject alternative names (SANs) allow you to add multiple domain names to the same certificate. For your NAS, this might matter if you actually had subdomains defined (e.g. www.talentedvoice.net or mail.talentedvoice.net), which you currently don't. Technically the common name (talentedvoice.net) should be the first SAN listed. I know it seems like duplication, but that's just the standard. If you want to be really technical, the common name field is archaic anyhow and actually not needed at all. :slightly_smiling_face:

2 Likes

Thank you, Griffin!

So, here's what I'm going to put in:

talentedvoice.net
gus@talentedvoice.com (for e-mail verification)
talentedvoice.net;toddschick.net (the other URL pointing to my static WAN IP).

Would this be correct?

Update: Used these settings and still getting "Could not connect to Let's Encrypt. Please make sure domain name is valid."

3 Likes

I believe that you need to separate the SANs with commas and not semicolons.

1 Like
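Griffin's explanation of how the DSM fields map onto the certificate request (common name first in the SAN list, extra names after it, all of them resolving to the same external IP) and the remark above about separating SANs with commas can be made concrete. The script below is an added example for this thread, not Synology's or Let's Encrypt's own code; it uses only the Python standard library and calls the real `openssl req` CLI only in `build_csr`. It normalizes a SAN field (commas as the separator, semicolons and whitespace tolerated rather than silently becoming part of a name), puts the common name first, rejects anything that is not a DNS hostname, and emits an OpenSSL config that produces the same CSR. The email from the DSM form is deliberately left out of the CSR: it is the ACME account contact, not part of the request. The domain names used are the ones from the thread; the file paths are assumptions.

```python
"""
Map the DSM form fields (Domain name, Subject Alternative Name) onto a CSR
and emit the OpenSSL config that builds it. Added example; stdlib only.
"""
import re
import socket
import subprocess
import tempfile

# RFC 1123 host labels: letters, digits, hyphens; no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_san_field(common_name: str, san_field: str) -> list:
    """Return the SAN list in CSR order: common name first, then every extra
    name, deduplicated and lower-cased. Raises on anything that is not a
    plain DNS name (a wildcard like *.example.com is rejected too, since it
    cannot be issued through the HTTP validation this thread is about)."""
    def norm(n: str) -> str:
        return n.strip().lower().rstrip(".")

    ordered = [norm(common_name)]
    for raw in re.split(r"[,;\s]+", san_field):
        n = norm(raw)
        if n and n not in ordered:
            ordered.append(n)
    bad = [n for n in ordered if not HOSTNAME_RE.match(n)]
    if bad:
        raise ValueError(f"not usable as a DNS SAN: {bad}")
    return ordered


def openssl_req_config(common_name: str, san_field: str) -> str:
    """Config for `openssl req -config`. CN is the first SAN; the ACME
    account email belongs to the client configuration, not to the CSR."""
    sans = parse_san_field(common_name, san_field)
    alt_names = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(sans, 1))
    return (
        "[req]\nprompt = no\ndistinguished_name = dn\n"
        "req_extensions = v3_req\n\n"
        f"[dn]\nCN = {sans[0]}\n\n"
        "[v3_req]\nsubjectAltName = @alt_names\n\n"
        f"[alt_names]\n{alt_names}\n"
    )


def resolve_all(names: list) -> dict:
    """Every name on one certificate must point at the same external IP
    (the DSM note quoted in the thread); returns {name: set of A records}."""
    out = {}
    for n in names:
        try:
            infos = socket.getaddrinfo(n, 80, socket.AF_INET)
            out[n] = {ai[4][0] for ai in infos}
        except socket.gaierror:
            out[n] = set()
    return out


def build_csr(config_text: str, key_path: str, csr_path: str) -> None:
    """Generate a new 2048-bit RSA key and the CSR with the real OpenSSL CLI."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as f:
        f.write(config_text)
        cfg = f.name
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key_path, "-out", csr_path, "-config", cfg],
                   check=True)


if __name__ == "__main__":
    # The values the poster said he entered; note the ';' separator.
    cfg = openssl_req_config("talentedvoice.net",
                             "talentedvoice.net;toddschick.net")
    print(cfg)
    # Assumed paths: build_csr(cfg, "nas.key", "nas.csr"), then inspect with
    #   openssl req -in nas.csr -noout -text
    # and confirm both names appear under X509v3 Subject Alternative Name.
```

`resolve_all` is the check behind the "same external IP" note: if the sets it returns differ between names, one of them will fail validation no matter what the form says. Since HTTP-01 validates each SAN separately, every name in the list also needs the port-80 path reachable, not just the common name.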

Does your NAS have access to the public internet (outgoing port 80) to be able to reach the Let's Encrypt server?

1 Like