Cannot Issue Cert - Site Looks Good Though

Hi,

Specifics are below, but here is the background info on my problem:

  • I just got a WordPress site set up on my Synology NAS and verified that it works.
  • I connected my domain to it by using a CNAME entry that points to my DDNS on my NAS since I have a dynamic IP.
  • From there, I waited for propagation. I verified on https://www.whatsmydns.net/
  • Next, I pinged my site, which is successful and returns the correct public IP address of my NAS.
  • Next, I ran letsdebug.net, which shows a status of All OK.
  • I went into my Synology NAS to issue my certificate, but every time it returns an error that says, "Invalid Domain. Please make sure this domain can be resolved into a public IP address."

I have kind of lost my mind trying to think of what else to try. The error makes no sense to me, as the domain does resolve to a public IP just fine. I have not had issues getting a certificate on my NAS before.

My domain is: www.northwesttechservices.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Synology NAS Web Station

The operating system my web server runs on is (include version): Synology DSM 7.2+

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): ? Not sure what this means

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ?

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ?

1 Like

Ok, I just had a thought here. When I pinged my site, I pinged www.northwesttechservices.com, which is good. BUT, if I ping northwesttechservices.com, the ping does not go through. I realize that www is technically a subdomain of the address without the www, but I think the issue is that if I try to ping or even go to northwesttechservices.com, it is not good, so the cert cannot be issued.

If this is true, what else do I need to do to make northwesttechservices.com reach my web server? Is this just another domain entry? I thought a CNAME was all I needed...

1 Like

Both names resolve to the same IP:

Address:  172.92.96.190
Aliases:  www.northwesttechservices.com

Name:    northwesttechservices.com
Address:  172.92.96.190

PING doesn't use names in the request/reply...
So, both pings are doing the same thing [pinging the same IP].

4 Likes

Got it. So, I guess back to the original question. Why am I not able to issue a cert?

1 Like

That's an error issued by your Synology. Could you have done the same as this thread?

If not, can you find more detailed log errors in Synology to know which domain name it is complaining about? You haven't gotten to the point of sending a cert request to the Let's Encrypt ACME Server. So something must be wrong on your local system.

4 Likes

Thanks. I'm not entirely sure what that other poster was referring to.

In my domain DNS settings, I was tinkering around with different setups and subdomains, just like the other poster said, but I have deleted everything in my domain DNS settings except for my one CNAME record, which does the following:

Host Name is: WWW
Type is: CNAME
Data is: pointed to my DDNS address for my NAS

That's it.

2 Likes

I think they were talking about a Synology domain name config - not the DNS itself.

Somewhere you probably specify the domain names that you want to get a cert for. I am not an expert at Synology so can't say much more. A synology forum might be best. Or, wait for someone here with personal experience on Synology.

Your system is checking its own config before submitting a cert request to Let's Encrypt. Something with that is failing and so it is not yet trying to contact LE. The LE messages are very different. Although Synology sometimes modifies the actual LE messages, I am pretty sure that is not the case here.

3 Likes

Got it. Thanks. I'll tinker in the Synology settings, but maybe someone with more experience in this area can give me a tip as to what I am doing wrong. Thanks again.

3 Likes

Maybe so. But, the Synology forum has many such people :slight_smile:

3 Likes

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

A certificate covering these domain names:

  • fortress.myds.me
  • *.fortress.myds.me

is being served for these domain names:

  • northwesttechservices.com
  • www.northwesttechservices.com

That won't work.

This situation is not surprising since:

;QUESTION
www.northwesttechservices.com. IN A
;ANSWER
www.northwesttechservices.com. 14400 IN CNAME fortress.myds.me.
fortress.myds.me. 240 IN A 172.92.96.190

However...

;QUESTION
northwesttechservices.com. IN A
;ANSWER
northwesttechservices.com. 240 IN A 172.92.96.190

This tells me that the server at 172.92.96.190 either does not have a certificate covering northwesttechservices.com or www.northwesttechservices.com OR is not configured to serve said certificate.

4 Likes
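The mismatch griffin describes (a certificate for fortress.myds.me and *.fortress.myds.me being served for the northwesttechservices.com names) is what a browser's hostname check rejects. The following added example, which is not part of the thread and not Synology or Let's Encrypt code, reproduces that check offline: it resolves a name through a constructed DNS table (CNAME chain as shown in the dig output above) and then tests the requested hostname, not the CNAME target, against the certificate's Subject Alternative Names using the usual single-label wildcard rule. The `diagnose` function and the DNS table are my own constructions.

```python
"""Does the served certificate cover the name the client actually asked for?

Added example for the thread above; not code from the original posts.
The DNS table below is constructed from the dig output quoted in the thread.
"""
from typing import Dict, List, Tuple

# Constructed zone data: name -> (record type, value)
DNS: Dict[str, Tuple[str, str]] = {
    "www.northwesttechservices.com": ("CNAME", "fortress.myds.me"),
    "fortress.myds.me": ("A", "172.92.96.190"),
    "northwesttechservices.com": ("A", "172.92.96.190"),
}

# SANs of the certificate the NAS was serving, as reported in the thread
SERVED_SANS: List[str] = ["fortress.myds.me", "*.fortress.myds.me"]


def resolve(name: str, dns: Dict[str, Tuple[str, str]], max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs until an A record is reached.

    Returns (ip_address, list_of_names_visited). Raises if the chain is broken
    or loops past max_hops.
    """
    visited = [name]
    for _ in range(max_hops):
        rtype, value = dns[name]          # KeyError if the name has no record
        if rtype == "A":
            return value, visited
        name = value                      # CNAME: keep chasing
        visited.append(name)
    raise RuntimeError(f"CNAME chain too long starting at {visited[0]}")


def name_matches(san: str, hostname: str) -> bool:
    """Hostname matching as TLS clients do it (RFC 6125 style):
    exact match ignoring case, or a wildcard that replaces exactly one
    leftmost label. '*.example.com' matches 'a.example.com' but neither
    'example.com' nor 'a.b.example.com'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                  # ".fortress.myds.me"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return san == hostname


def cert_covers(sans: List[str], hostname: str) -> bool:
    return any(name_matches(s, hostname) for s in sans)


def diagnose(hostname: str, sans: List[str], dns: Dict[str, Tuple[str, str]]) -> Dict[str, object]:
    """Explain why a connection to `hostname` would fail the certificate check.

    The client validates the name it was asked for; the CNAME target it
    resolved through is irrelevant to that decision.
    """
    ip, chain = resolve(hostname, dns)
    return {
        "requested": hostname,
        "resolves_to": ip,
        "cname_target": chain[-1] if len(chain) > 1 else None,
        "cert_covers_requested": cert_covers(sans, hostname),
        "cert_covers_cname_target": cert_covers(sans, chain[-1]) if len(chain) > 1 else None,
    }


if __name__ == "__main__":
    for host in ("www.northwesttechservices.com", "northwesttechservices.com"):
        print(diagnose(host, SERVED_SANS, DNS))
```

Running it shows both names resolving to 172.92.96.190 while `cert_covers_requested` is False for each; for the www name the CNAME target fortress.myds.me is covered, which is exactly why the CNAME does not help with the browser's check. Adding the two northwesttechservices.com names to the NAS's certificate (or to the reverse-proxy entry that issues it) is what makes `cert_covers_requested` come out True.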

Ok, just figured it out. I had to reverse proxy the site in. Then the cert issued immediately.

Thanks!

4 Likes

This works now:

www.northwesttechservices.com

This doesn't:

northwesttechservices.com

5 Likes

The CNAME for www.northwesttechservices.com is doing nothing regarding certificate issuance or service.

I think your NAS has only one domain name associated with it (the www version).

Given this, I would recommend:

  • Replacing the CNAME for www.northwesttechservices.com with an A record so that northwesttechservices.com matches northwesttechservices.com AND
  • Adding northwesttechservices.com to your NAS OR removing the A record for northwesttechservices.com

3 Likes

You need to reverse proxy northwesttechservices.com as well.

4 Likes

@griffin Thank you very much for the tips. I resolved this problem just a little differently. Since I got the main site with the www working, I went into my DNS settings and created a simple forwarding rule 301 to permanently redirect traffic that hits the url without www to go to www. This way, people will always have to use a secure channel.

I can't do an A record because my IP is dynamic.

Again, thanks for the help and information. I really appreciate it.

2 Likes

A couple of notes.

  • Your current certificate for northwesttechservices.com will expire in less than two weeks:
  • Your redirect chain isn't secure. It is subject to SSL stripping.

It is this:

http://northwesttechservices.com
301 Moved Permanently
http://www.northwesttechservices.com/
301 Moved Permanently
https://www.northwesttechservices.com/
200 OK

when it should be this:

http://northwesttechservices.com
301 Moved Permanently
https://northwesttechservices.com/
301 Moved Permanently
https://www.northwesttechservices.com/
200 OK

3 Likes

Interesting. How do I go about getting http://www.northwesttechservices.com moved permanently?

When I configured the redirect, there was an option that asked if the forward should go over SSL. I chose this option, which indicates that SSL forwarding is on and that my forward will work for both http and https requests but may take up to 72 hours to apply.

Is it safe to say that I have done what needs to be done and I am waiting for effects to kick in? Or is there something else that I am missing that I need to do?

Edit:
And to your first point, I find this interesting as well, as I don't know where the data is coming from for less than 2 weeks for my certificate, as I issued one cert and it is 2 months...

1 Like

I don't know if this will help... so be it.

Please enter a domain: northwesttechservices.com
A records for northwesttechservices.com: ['198.49.23.145', '198.185.159.144', '198.185.159.145', '198.49.23.144']
AAAA records for northwesttechservices.com: No record found
MX records for northwesttechservices.com: No record found
NS records for northwesttechservices.com: ['dns3.p05.nsone.net.', 'dns4.p05.nsone.net.', 'ns01.squarespacedns.com.', 'ns02.squarespacedns.com.', 'ns03.squarespacedns.com.', 'ns04.squarespacedns.com.', 'dns1.p05.nsone.net.', 'dns2.p05.nsone.net.']
CNAME records for northwesttechservices.com: No record found
TXT records for northwesttechservices.com: No record found
SOA records for northwesttechservices.com: ['dns1.p01.nsone.net. hostmaster.nsone.net. 1710609129 43200 7200 1209600 3600']
Please enter a domain: www.northwesttechservices.com
A records for www.northwesttechservices.com: ['172.92.96.190']
AAAA records for www.northwesttechservices.com: No record found
MX records for www.northwesttechservices.com: No record found
NS records for www.northwesttechservices.com: No record found
CNAME records for www.northwesttechservices.com: ['fortress.myds.me.']
TXT records for www.northwesttechservices.com: No record found
SOA records for www.northwesttechservices.com: No record found

I am not a DNS expert, but I know one.

3 Likes

The issue with your redirects is that you should be redirecting HTTP for the non-www domain name to HTTPS for the non-www domain name THEN redirecting to HTTPS for the www domain name. Always immediately redirect from HTTP to HTTPS of the submitted ("typed") domain name (non-www in your case) then never return to HTTP.

Whatever server at 198.49.23.145, 198.185.159.144, 198.185.159.145, or 198.49.23.144 that is serving the certificate for your non-www domain name (and the redirect to your www domain name) is serving a Let's Encrypt certificate that expires in 13 days that only covers your non-www domain name.

For your non-www domain name:

3 Likes
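The rule griffin gives (upgrade HTTP to HTTPS on the typed hostname first, then never return to HTTP) can be checked mechanically. This added example, which is not from the thread and not a Synology or Let's Encrypt tool, parses redirect chains written in the same URL/status layout griffin used above and reports any hop that stays on or returns to plaintext HTTP, the exposure an SSL-stripping attacker relies on. The two chains are the ones quoted in the thread; the third is a constructed downgrade case. The function names are my own.

```python
"""Audit an HTTP redirect chain for plaintext hops.

Added example for the thread above; not code from the original posts.
Chains are given in the URL / status-line layout used in the thread.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Chains quoted in the thread (bad and corrected) plus one constructed downgrade case
BAD_CHAIN = """
http://northwesttechservices.com
301 Moved Permanently
http://www.northwesttechservices.com/
301 Moved Permanently
https://www.northwesttechservices.com/
200 OK
"""

GOOD_CHAIN = """
http://northwesttechservices.com
301 Moved Permanently
https://northwesttechservices.com/
301 Moved Permanently
https://www.northwesttechservices.com/
200 OK
"""

DOWNGRADE_CHAIN = """
https://northwesttechservices.com/
302 Found
http://www.northwesttechservices.com/
200 OK
"""


def parse_chain(text: str) -> List[Tuple[str, int]]:
    """Turn alternating URL / status lines into [(url, status_code), ...]."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("chain must alternate URL and status lines")
    return [(lines[i], int(lines[i + 1].split()[0])) for i in range(0, len(lines), 2)]


def audit_chain(hops: List[Tuple[str, int]]) -> List[str]:
    """Return a list of findings; an empty list means the chain is clean.

    Checks: every plaintext hop must go straight to HTTPS on the same host,
    no hop may move from HTTPS back to HTTP, and the chain must end with a
    200 over HTTPS.
    """
    findings: List[str] = []
    for i in range(len(hops) - 1):
        (src, status), (dst, _) = hops[i], hops[i + 1]
        if status not in REDIRECT_CODES:
            findings.append(f"hop {i + 1}: {src} answered {status}, not a redirect, yet more hops follow")
            continue
        s, d = urlsplit(src), urlsplit(dst)
        if s.scheme == "http" and d.scheme == "http":
            findings.append(
                f"hop {i + 1}: {src} -> {dst} stays on plaintext HTTP (SSL stripping exposure); "
                f"redirect to https://{s.hostname}{s.path or '/'} first"
            )
        elif s.scheme == "https" and d.scheme == "http":
            findings.append(f"hop {i + 1}: {src} -> {dst} downgrades from HTTPS to HTTP")
        elif s.scheme == "http" and d.scheme == "https" and s.hostname != d.hostname:
            findings.append(
                f"hop {i + 1}: scheme upgrade and host change in one hop; "
                f"upgrade on {s.hostname} before changing host"
            )
    last_url, last_status = hops[-1]
    if urlsplit(last_url).scheme != "https":
        findings.append(f"final: {last_url} is served over plaintext HTTP")
    if last_status != 200:
        findings.append(f"final: {last_url} answered {last_status}, expected 200")
    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN), ("downgrade", DOWNGRADE_CHAIN)):
        print(label, audit_chain(parse_chain(text)) or "clean")
```

The thread's first chain produces one finding, on its first hop, because the non-www HTTP request is sent to another HTTP URL instead of to https://northwesttechservices.com/; the corrected chain produces none. Because a registrar-side "forwarding" rule typically sits on the registrar's own IPs (the 198.x addresses above), the first hop is also the one whose certificate and redirect behaviour you do not control, which is why serving the non-www name from the NAS reverse proxy, as suggested in the thread, is the cleaner fix.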

Got it. Ok, I see what is going on. The redirect channels through my domain's A record IP, so it's their cert.

And, I also think I see what you mean. I went into my reverse proxy and the source is http, which kicks it to https now. I think I get it.

Thank you very much for taking the time for a detailed response. Much appreciated.

2 Likes