I have been using an LE cert for years on my domain without issues. It is due for renewal this month so I have tried to renew, and create a new one (replacing the expiring one)... both methods fail with error "Invalid Domain".
I know only a little about DNS so I cannot figure out what is going on. I have run tests using the below sites, but interpreting the results is beyond my skills/knowledge level.
I ran this command:
New Certificate using Synology DSM's built-in app
It produced this output:
"Invalid Domain"
My web server is (include version): n/a
The operating system my web server runs on is (include version): n/a
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): n/a
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Synology's DSM built-in app
The SAN list you show is old, from the existing/prior cert... both JD and pihole do not exist anymore and I removed them from my Google NS yesterday and replaced them with two new ones. All the tests I've done show those old ones are gone and the new ones have replicated.
Then I guess I'm out of suggestions...
[I'm not a DSM expert]
Well...
You could try removing those two new names from the SAN and see if it renews.
At least, then we could be more certain about where the problem exists [or doesn't].
Pretty sure the issue is not with DSM... there is something LE doesn't like in the DNS for the domain. This only started happening after I moved my NS back to Google from HE.NET (yes, all items were deleted at HE.NET yesterday).
I'm trying to understand how best to secure internal apps/sites that need 'non-local' access using web and mobile apps (the apps use API or user/pw auth -- they all work right now, just not using certs). VPN is not an option.
BTW, that DSM site requires 2FA so even if you have my user/pw you won't be able to log in without my phone and my fingerprint... but the other apps need access from family members' mobile apps.
I think (LMK)...
-- request / install the LE cert on proxy server (Synology DSM)
-- in DSM's Reverse Proxy settings, enable port 443 on all external / incoming connections to all apps/sites
-- import the LE cert to the client (since it's already on the server).
Also, you were correct, the SANs have an issue... a new cert request this morning worked when I removed all the SANs. I do not understand why, as all resolve and are accessible; it's odd.
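As an added example (not code from this thread, from Synology or from Let's Encrypt), the following Python script runs two offline checks a practitioner would do before blaming DNS: first, whether each name requested as a SAN is a syntactically valid DNS hostname (underscores in a label, an IP literal, a trailing dot, or an over-long label are the common reasons a CA rejects a name outright), and second, whether the SAN entries on the certificate the reverse proxy actually serves cover the names clients will use. The requested names and the certificate's SAN list are constructed sample data; the hostname rules are the general letters-digits-hyphen rules and are an approximation, not a reproduction of Let's Encrypt's exact validation.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): names the reverse proxy is
# expected to answer for, and the SAN list read off the certificate it serves.
REQUESTED_NAMES = [
    "nas.example.net",
    "photos.example.net",
    "my_app.example.net",   # underscore: not allowed in a DNS hostname label
    "old.example.net.",     # trailing dot: fully-qualified form, not a SAN value
    "192.0.2.10",           # IP literal: an address, not a DNS name
]
CERT_SANS = ["nas.example.net", "*.example.net"]

# One hostname label: 1-63 chars of a-z, 0-9 and '-', not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def hostname_problems(name: str) -> list:
    """Return the reasons a name is not a well-formed DNS hostname (empty list = OK)."""
    problems = []
    if name.endswith("."):
        problems.append("trailing dot")
        name = name[:-1]
    try:
        ipaddress.ip_address(name)
        problems.append("IP address literal, not a hostname")
        return problems  # an address has no labels worth checking
    except ValueError:
        pass
    if len(name) > 253:
        problems.append("longer than 253 characters")
    labels = name.lower().split(".")
    if len(labels) < 2:
        problems.append("single label, no registrable domain")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(
                f"bad label {label!r} (only a-z, 0-9 and '-' allowed, no leading/trailing '-')"
            )
    return problems


def san_matches(name: str, san: str) -> bool:
    """RFC 6125-style match: exact name, or a single leading wildcard label
    that covers exactly one label (so *.example.net does not cover a.b.example.net
    or example.net itself)."""
    name = name.lower().rstrip(".")
    san = san.lower()
    if san.startswith("*."):
        suffix = san[1:]  # ".example.net"
        return name.endswith(suffix) and "." not in name[: -len(suffix)]
    return name == san


def covered_by_cert(name: str, sans: list) -> bool:
    """True if any SAN on the served certificate covers the name."""
    return any(san_matches(name, san) for san in sans)


def audit(requested: list, sans: list) -> dict:
    """For each requested name: its syntactic problems and whether the cert covers it."""
    return {
        name: {"problems": hostname_problems(name), "covered": covered_by_cert(name, sans)}
        for name in requested
    }


if __name__ == "__main__":
    for name, result in audit(REQUESTED_NAMES, CERT_SANS).items():
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"{name:22} valid: {status:60} covered by cert: {result['covered']}")
```

Reading the report: a name that shows problems is the one to remove from the SAN list before retrying the order, and a name that is well-formed but not covered by the served certificate is the one for which a browser will refuse to negotiate HTTPS with the proxy even though DNS resolves it correctly.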
I wouldn't be worried about the ones that play by the rules.
I would be more worried about the ones that don't...
Sign says "Don't walk on grass"
[but that is just a sign - it stops no one]
Traffic lights "control traffic": When the light turns "red" all cars must stop.
[that's just a light bulb - it doesn't actually stop any cars from continuing through]
Your login page says: "Enter Username, Password, and 2FA"
[but it doesn't do anything about those that can "take the hinges off that door" and enter anyway]
No matter what, I need to get a secure method of access working. Right now the SANs are working but not via HTTPS -- the browsers connect but only using HTTP.