Basic certificate Synology NAS fails

I agree with @JuergenAuer that this:

and this:

are quite different.

The latter is a basic access authentication prompt while the former is a Synology login page. Something is clearly amiss here.

1 Like

That's

wrong.

The redirect isn't the problem.

The server running there,

Server: lighttpd/1.4.55

is the problem, so DSM can't use port 80 externally.

  • To test, use only one domain name
  • You have to stop that other instance, so DSM can use port 80
4 Likes

Fair enough Juergen. I can see that if the lighttpd instance were completely taken out of the way on port 80 so that the nginx instance of Synology were operating on port 80 then the redirect coming from lighttpd would be irrelevant.

FYI:
In English, beginning a response with "that's wrong" (even if it's the truth) will be taken by many as being rude. You're probably just being objective here though, so I won't hold it against you. I often feel that the way you present information seriously detracts from the value of the information.

When I first joined this community, I just thought you were always really angry about something. As time passed, I began to realize that your words are almost constantly being misunderstood and/or misinterpreted. Having read many hundreds of your posts and the replies to them (including the replies from the OP of this very topic), I know for a fact that I'm not wrong about this.

You are without any doubt in my mind amongst the very best of us technologically. If the wording of your responses were as polished as your tech skills, your whole world in this community (and possibly beyond) would be profoundly brighter.

I know how difficult it can be to maintain patience with those around you not being at your level (and their often appearing to be lazy in getting there). I've tutored entire classes of grad students in software simulation who initially could not put two lines of code together if their lives depended on it. Distinguishing lazy from inexperienced can be an art. Know that I'm trying (and I really do believe that I'm getting better), but I'm just not there yet (but I sure want to be).

3 Likes

Hey Griffin,

For what it's worth, I concur. Juergen's first post was enough to make me want to give up on the spot. And yes, I felt he was being somewhat rude with his compositions. Like...

"Don't be an idiot. Can't you see what's wrong? Read this. Everybody knows this..."

I knew he was 100% correct in his observation, but not having his technical skills, he might as well have been talking to me in Chinese.

Indeed, many people come to this forum because they don't have technical skills.

I've been running an FTP server since 2001, way back to the days of Serv-U. I know the basics, for sure....but I am having a problem with this certificate issue and need help.....you know, "layman" help.

3 Likes

If you knew exactly how to do it already, you wouldn't have ever been here and I wouldn't be writing this now. Funny old world! :grin:

We're here to help everyone (who doesn't have evil things in mind).

2 Likes

In regards to the help, my advice (for what it's worth) would be to check which ports are forwarding to where, both in your device and possibly in your router. The answer almost certainly lies there somewhere. You could also use DNS validation and skip the HTTP validation entirely.

2 Likes

OK guys...I figured this out....at least, I know what the issue is.

I run a Dual WAN Cisco router, so I'm using Policy Binding for traffic shaping. I wanted to use my fast internet connection for the file server (WAN 2).

So, using Policy Binding, I directed ports 22 and 21 to use WAN 2.

The server and the rest of the machines on the LAN are configured to use WAN1 for HTTP/HTTPS which is not the IP the URL is pointed to.

Juergen, you were 100% correct, but I didn't understand your answer.

Now...I have to figure out how to run this server off WAN 2. And no, I can't assign a LAN IP to use WAN 2 (or 1); I can only use PBR marking.

Hmmmm....VLAN maybe? Or perhaps a physical switch and split WAN 2 - the other feed going to another router on a different gateway and configure that to run the server?

Ugh....this question is not for you guys!

Thanks for your help everyone!

4 Likes

Funny world indeed......overall, you guys seem all very nice here :slight_smile:

3 Likes

THAT is what we like to hear. :slightly_smiling_face:

2 Likes

Glad you found a path though. Once you create and can see the following file from outside, you're in business:
http://talentedvoice.net/.well-known/acme-challenge/test

2 Likes
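The check suggested in the post above, as an added example that is not part of the original thread: it requests the test file on port 80 without following redirects and reports which server answered and whether the expected content came back. The expected file content (`precheck-ok`), the default `expected_server="nginx"` (taken from the thread's mention of Synology's nginx instance) and the sample responses are assumptions constructed for illustration.

```python
"""Check what answers an ACME HTTP-01 test URL on port 80 (added example)."""
import http.client

def classify(status, headers, body, expected_body, expected_server="nginx"):
    """Return a list of tags describing one HTTP response to the test URL."""
    hdrs = {k.lower(): v for k, v in headers}
    tags = []
    server = hdrs.get("server", "")
    # A different Server header means another web server owns port 80.
    if server and expected_server not in server.lower():
        tags.append("unexpected-server:" + server)
    if status == 401 and "www-authenticate" in hdrs:
        tags.append("basic-auth-prompt")      # auth prompt instead of the file
    elif 300 <= status < 400:
        tags.append("redirect:" + hdrs.get("location", "?"))
    elif status != 200:
        tags.append("status:%d" % status)
    elif body.strip() != expected_body:
        tags.append("wrong-body")             # e.g. a login page was served
    return tags or ["ok"]

def fetch(host, path, timeout=10):
    """GET http://host/path on port 80 without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "acme-precheck"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return resp.status, resp.getheaders(), body
    finally:
        conn.close()

# Constructed sample responses (not captured from the thread's host).
SAMPLE_LIGHTTPD = (401, [("Server", "lighttpd/1.4.55"),
                         ("WWW-Authenticate", 'Basic realm="device"')], "")
SAMPLE_NGINX_OK = (200, [("Server", "nginx")], "precheck-ok\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: precheck.py <host> <expected file content>
        result = fetch(sys.argv[1], "/.well-known/acme-challenge/test")
        print(classify(*result, sys.argv[2]))
    else:                    # offline demo on the constructed samples
        for name, sample in (("lighttpd", SAMPLE_LIGHTTPD),
                             ("nginx", SAMPLE_NGINX_OK)):
            print(name, classify(*sample, "precheck-ok"))
```

Run it from a network outside the LAN, since the validation request arrives on the public IP the domain name points to.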

Thanks...I will do that.

Not sure if you guys are located in Canada but...

Happy Thanksgiving! :slight_smile:

3 Likes

I'm out of likes again.

I'm in Denver, Colorado myself. Happy Thanksgiving, regardless!

2 Likes

Denver!

I have piles of clients in Denver I've still yet to meet......if I could just get past that pesky border...LOL.

3 Likes

You're Canadian, right? What border? :grin:

2 Likes

Sadly, the one that's closed :expressionless:

But that of course, is merely a boundary.....a line if you will. It's not like you could build a wall between the US and Canada.....lol

3 Likes

A wall of cheese, perhaps? :cheese: :grinning:

If the wolves don't care about the line, who are we? :wolf:

2 Likes

LOL.

I’ve worked with a number of amazing and technically proficient people from all over the world. I love the directness of the Dutch, Germans and Danes.

As an American, I too was first put off by the direct, to the point communications when in face to face, written, and virtual meetings.

Over time, I’ve come to appreciate this type of communication, and actually prefer it over the way that we Americans typically talk about things. Especially technical discussions. I’ve also learned the hard way that different communication styles are needed, depending on the context of the meeting.

Once, in a sales/support call, I used this direct approach, and I was asked never to talk to the client again, even though I had correctly identified and resolved the issue for them.

So, now, I make sure to read the room, and if I’m still unsure, I’ll ask them if they want the direct answer, or the socially acceptable one. My loose calculations peg the responses as 40/60 % in favor of socially acceptable responses here in the US.

Personally, I don’t mind the directness at all. I understand that it’s cultural for the most part, and knowing that allows me to see things in a different perspective.

2 Likes

Happy Canadian Thanksgiving, Todd! My wife is from Winnipeg, and we live in Boise.

2 Likes

I'm not sure if this is too late or I'm missing some points, but I think you are not restricted to using the DSM web UI to issue Let's Encrypt certificates (although it's definitely the easiest way).
Since you are using Namecheap DNS hosting, you can use acme.sh with DNS authentication and try to use a hook to upload / update the certificate using the command line.

Warning: Read the code before proceeding; I just found this online.

If this method works (I'm hesitant to test it on my Synology), you can also use this to get a Let's Encrypt wildcard certificate if you wanted to, which definitely wasn't possible with the DSM interface.

P.S. Looks like the hook is merged into the acme.sh codebase, and probably tested by other Synology users as well.

4 Likes
