Can't renew certificate

Hi, I can't renew the certificate. Until now the certificate renewed automatically. I use a Synology DS114 with DSM 6.1.
I use the AVM Fritzbox DynDNS service. If I run the report, this is the result. I covered my original domain for security.

Startzeit: Tue, 13 Jun 2017 15:47:29 GMT
Stoppzeit: Tue, 13 Jun 2017 15:47:30 GMT
Aktueller Status: 0
Standardausgabe/Fehler:
DEBUG: Issuer name of certificate. [Let’s Encrypt]->[/usr/syno/etc/certificate/_archive/eQmDlw/cert.pem]
DEBUG: start to renew [/usr/syno/etc/certificate/_archive/eQmDlw].
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: szUserAgent: [synology_armada370_114 DSM6.1-15101 Update 4 (DDNS)]
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Curl Reply: [200] Header: [HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: 1i229oHQ5DT7BIoh9nFFPnN8hlyDh8WjLPAyhDSfK0g
Replay-Nonce: asjaQGfBGLkzHZD7BDjiNUeGg77fTRYI4TI9MHKNRy8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 13 Jun 2017 13:47:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 13 Jun 2017 13:47:30 GMT
Connection: keep-alive

] Body: [{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}]
DEBUG: strat to do new-authz for blabla.myfritz.net
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post JWS value: {
"identifier" : {
"type" : "dns",
"value" : "blabla.myfritz.net"
},
"resource" : "new-authz"
}

DEBUG: szUserAgent: [synology_armada370_114 DSM6.1-15101 Update 4 (DDNS)]
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post value: {
"header" : {
"alg" : "RS256",
"jwk" : {
"e" : "AQAB",
"kty" : "RSA",
"n" : "yE_EXElfkyPe8QV5ewRlHyEgR-nqQwqt7WR12SHPgO-wTO0lKZ3RsSAQ_hUSWmfHCX9vUkjwGVNqsx1cXbNDtOL4QFm4NjCPs8Y59XzvhmYe3kG6Eo_ZHsUZEbBtkiVSe7KfCCFoxCKM-dcqGufXErk6hnrcocWyv44mQfVaGpwU52wIrFkkyi1ceK-6fiU0qmb-Xyn67DQRNOKwVEg9zvpAHRg4LjhF6x-HcJTV1YPqsB0W0xRVQ2LoT9Kg8QqknICAGVaz2Q7lDDVZaHrB3Th8wx7MBCJestDFVCbyMzUImqZ8uWXWqJLrsyo7AfJnSleZ4-O_QdafOOqxF22Rzw"
}
},
"payload" : "eyJpZGVudGlmaWVyIjp7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6Ink4ZTkxa3l0eTNybHVuZmEubXlmcml0ei5uZXQifSwicmVzb3VyY2UiOiJuZXctYXV0aHoifQo",
"protected" : "eyJub25jZSI6ImFzamFRR2ZCR0xrekhaRDdCRGppTlVlR2c3N2ZUUllJNFRJOU1IS05SeTgifQo",
"signature" : "UIpBYRxSKZirSD0J4qVjXpGbCS4B96-oDiFS_WSRHZ7t-T5UF9N7BS5S3Y4Jen_AqXyweeKMjFVn7eWnFa9u0yUythSHz92QdY1YawcM1AffekXKoAxQYxRa7ADPbijWZCzOUwdEGn2TUq1TUc3jc-76pQ1_-kcM_ywre6K8rDMYWt7fAp5N4mgVbvI-Drz5xNfVKwdCMxCDmuZRPMYP_4f8v6RuCMotSv03ILyw9h4AXk4dY9p3han7YuQQOgRR_nXE2szEwbo96Lpicd1NgWjP5U-WgfbXoIwG9Uhd5HlHytYNj7fCvNp_Vj8fUqwRyz0A7EMe12GSxsDQUJw6SQ"
}

DEBUG: Curl Reply: [429] Header: [HTTP/1.1 429 Unknown
Server: nginx
Content-Type: application/problem+json
Content-Length: 144
Boulder-Request-Id: m3WN-7eweqOnaw5wKz8j7qXWH4roAajZ_bT9ysoxI7o
Boulder-Requester: 2772864
Replay-Nonce: bvdRCq94ZEmOBBMKIx29Sk5p_AQ_pnAJMfEU_i6LgK0
Expires: Tue, 13 Jun 2017 13:47:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 13 Jun 2017 13:47:30 GMT
Connection: close

] Body: [{
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new authz :: Too many invalid authorizations recently.",
"status": 429
}]
DEBUG: Not synology DDNS.
DEBUG: DNS challenge failed, reason: {"error":108,"file":"challenge.cpp","msg":"Not synology DDNS."}

DEBUG: Normal challenge failed, reason: {"error":200,"file":"client.cpp","msg":"new_authz: unexpect httpcode."}

Hi @rici,

This is not the useful error message about why this is failing because this error message simply says that you’ve been trying too often with a broken configuration.

Could you wait a bit and try again, and then show us the more specific error? Or do you have older logs that will show the underlying reason?

Does your Fritzbox have an IPv6 address, by any chance?

Hi,
today I tried it again and got the following message:

] Body: [{
"type": "urn:acme:error:unauthorized",
"detail": "Error creating new cert :: authorizations for these names not found or expired: xxx.myfritz.net",
"status": 403
}]

I’m still wondering if your Fritzbox has an IPv6 address.

Are all of these errors coming from your Synology client? You might end up needing to ask Synology for help with that if there isn’t something straightforward to fix in the Fritzbox.

Yes, my Fritzbox has an IPv6 address. This was the problem, but why?

A few weeks ago Let’s Encrypt switched to prefer IPv6 to IPv4 for validation purposes when both are offered. This has exposed a lot of incompatibilities and bugs because a lot of people advertise an IPv6 address yet can’t properly receive incoming connections on it.

It’s likely that there’s a bug either in the Fritzbox or in the Synology client that means that it can’t support Let’s Encrypt validations over IPv6. I don’t know exactly what that bug would be, but it’s been very typical of other people’s experiences with validations over IPv6, unfortunately. It would be great to let them know about this in the hope that they can fix it for everyone.

It looks like you have to set up port forwarding for IPv6 separately from IPv4 on many fritzbox models.

If you Google fritzbox <model #> IPv6 port forwarding you’ll find instructions on how to set that up. (It seems to vary by model or I would just link one.) Just forward the same ports to your Synology box as you do over IPv4 and things should start working again.
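A diagnostic for the IPv6 point above, added here as an example and not taken from the thread, the Synology client or AVM: it resolves a hostname, attempts a TCP connect to the first AAAA address (and, for comparison, the first A address) and reports whether the validator's IPv6-first choice would succeed. It assumes the no-fallback behaviour the thread describes (Let's Encrypt's fallback rules have changed since 2017) and is only meaningful when run from outside the LAN; the `resolve` and `probe` parameters are hypothetical hooks so the logic can also be exercised with constructed data.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Hypothetical hooks (not part of any real ACME client) so the decision logic
# can run against a real resolver/network or against constructed data.
Resolver = Callable[[str], Dict[str, List[str]]]  # host -> {"A": [...], "AAAA": [...]}
Prober = Callable[[str, int], bool]               # (ip, port) -> TCP connect succeeded?

def dns_lookup(host: str) -> Dict[str, List[str]]:
    """Collect the A and AAAA addresses a validator would see for host."""
    out: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(host, None, family, socket.SOCK_STREAM):
                if info[4][0] not in out[key]:
                    out[key].append(info[4][0])
        except socket.gaierror:
            pass  # no records of this family
    return out

def tcp_probe(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Can an outside host complete a TCP handshake to ip:port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(host: str, port: int = 80, resolve: Resolver = dns_lookup,
             probe: Prober = tcp_probe) -> Tuple[str, str]:
    """Model the behaviour described in the thread: if the name advertises an
    AAAA record the validation connection goes to IPv6 first, so an IPv6
    address that drops inbound connections fails the authorization even when
    the same port is forwarded correctly over IPv4. Returns (verdict, why)."""
    rec = resolve(host)
    if rec["AAAA"]:
        ip6 = rec["AAAA"][0]
        if probe(ip6, port):
            return "ok-ipv6", f"validation uses [{ip6}]:{port}, which answers"
        v4 = rec["A"][0] if rec["A"] else None
        hint = " (IPv4 works, so only the IPv6 forward is missing)" if v4 and probe(v4, port) else ""
        return "ipv6-unreachable", (f"AAAA {ip6} is advertised but port {port} is closed over IPv6"
                                    f"{hint}; forward the port for IPv6 on the router as well")
    if rec["A"]:
        ip4 = rec["A"][0]
        if probe(ip4, port):
            return "ok-ipv4", f"no AAAA record; validation uses {ip4}:{port}, which answers"
        return "ipv4-unreachable", f"no AAAA record and port {port} is closed on {ip4}"
    return "no-address", f"{host} resolves to neither A nor AAAA"

if __name__ == "__main__":
    # Constructed data: dual-stack name whose IPv6 side drops connections.
    fake = lambda h: {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]}
    print(diagnose("box.example", 80, fake, lambda ip, port: ":" not in ip))
```

Run it against the real hostname with the default hooks (`diagnose("your.host", 80)`) from an external vantage point; ports 80 and 443 are the ones the HTTP and TLS-based validations reach.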

