Cannot issue SSL Certs, Nginx proxy manager on Synology NAS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: home.pittfanatic.com

I ran this command: Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-4" --agree-tos --authenticator webroot --email "letsencrypt@pittgrad.com" --preferred-challenges "dns,http" --domains "home.pittfanatic.com"

It produced this output:

My web server is (include version): NGINX Proxy Manager 2.9.13, NGINX 1.20.1

The operating system my web server runs on is (include version): 4.4.180+ from a Synology NAS

My hosting provider, if applicable, is: self hosting

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NGINX Proxy Manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Whatever is packaged with Synology DSM 7.0 and using NGINX Proxy Manager

Problem:

I had my subdomain set up and working with Cloudflare set up to point to my IP; DDNS is set up and working. Ports 80 and 443 are open and forwarded in my router. For purposes of issuing the SSL cert from Let's Encrypt, I have the DNS proxy function disabled on the A record in question.

I've been able to successfully ping the acme-v02.api.letsencrypt.org url from the nas.

I cannot issue any SSL certs either from within the DSM OS or from within NGINX Proxy Manager. The error I get is a timeout error.

See below.

[1/2/2022] [3:57:24 PM] [Express ] › :warning: warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-3" --agree-tos --authenticator webroot --email "letsencrypt@pittgrad.com" --preferred-challenges "dns,http" --domains "home.pittfanatic.com"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f9700857e80>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I have tried everything from reinstalling NGINX Proxy Manager, re-setting up my DNS records on Cloudflare, re-setting up port forwarding, etc.

Thanks for your help.

1 Like

Hi @dpbloom and welcome to the LE community forum 🙂

Cloudflare will usually be set to redirect HTTP to HTTPS.
This may throw off the ACME client - if it expects the challenge request as HTTP.

As shown by:

curl -Ii http://home.pittfanatic.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Date: Sun, 02 Jan 2022 19:36:20 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 02 Jan 2022 20:36:20 GMT
Location: https://home.pittfanatic.com/.well-known/acme-challenge/Test_File-1234
2 Likes

I changed the setting on cloudflare to not force HTTPS and still got the same error.

[1/2/2022] [7:49:32 PM] [Express ] › :warning: warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-6" --agree-tos --authenticator webroot --email "nginxproxymanager@pittgrad.com" --preferred-challenges "dns,http" --domains "home.pittfanatic.com"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7ff772ee1160>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Can you show the output of this command from where you run certbot:

curl -I https://acme-v02.api.letsencrypt.org/directory
2 Likes

Here's the output:

curl -I https://acme-v02.api.letsencrypt.org/directory

HTTP/2 200
server: nginx
date: Sun, 02 Jan 2022 20:45:15 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0101M_Guld_9gmQ4TWucqsnh0SI-9nmjwFc2N565oz7nwU0
x-frame-options: DENY
strict-transport-security: max-age=604800

1 Like

You have been able to get certs recently. Do you know what you did to get these?
https://crt.sh/?Identity=+home.pittfanatic.com&deduplicate=Y

These were probably issued by Cloudflare. But, just want to confirm.

Right now your site is not responding properly. Note I get a 403 Forbidden and the Server header says Cloudflare (not your server). Previously CF redirected these. If I try the same URL but with https I get a 520 error.

curl -I http://home.pittfanatic.com/.well-known/acme-challenge/Test-123

HTTP/1.1 403 Forbidden
Date: Sun, 02 Jan 2022 21:35:55 GMT
Content-Type: text/html
Connection: keep-alive
vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y8a6DBE6Hk7FhqGmdt237abPAoWzj2mdpJO67GLHFuuPrlBG50fAiah0Ndrt98iIEZLNO%2B8G47%2Fx9F6j81s16BcxbuRqF0N8nIDAfKVJO2PF4Fa%2FN4Igg7y1Gg3%2FCXCB4oPtSaNs6qltPuNrpb1qKyZokw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6c771eb54eb67f72-IAD
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2 Likes
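The three checks used in this thread (the HEAD request to the ACME directory, and the HEAD request to the plain-HTTP challenge path that came back first as a 301 to HTTPS and then as a 403 from Cloudflare) can be interpreted mechanically. The following is an added example, not part of the thread or of Certbot or NGINX Proxy Manager. It parses pasted `curl -I` output and the certbot error text offline, so it needs no network access; the sample inputs are abridged copies of the outputs shown above, and the category names are this example's own.

```python
"""Offline classifier for the HTTP-01 pre-flight probes discussed in the thread.
Added example (not Certbot/NPM code): paste `curl -I` output or the certbot
error text and get a short diagnosis of what it implies."""
import re
from dataclasses import dataclass, field

ACME_DIRECTORY_HOST = "acme-v02.api.letsencrypt.org"


@dataclass
class HeadResponse:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_curl_head(raw: str) -> HeadResponse:
    """Parse the status line and headers printed by `curl -I` (HTTP/1.1 or HTTP/2)."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    # A pasted command line ("curl -I https://...") may precede the status line.
    while lines and not lines[0].startswith("HTTP/"):
        lines.pop(0)
    if not lines:
        raise ValueError("no HTTP status line found")
    m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"unparseable status line: {lines[0]!r}")
    resp = HeadResponse(int(m.group(1)))
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            resp.headers[name.strip().lower()] = value.strip()
    return resp


def classify_challenge_probe(raw: str) -> str:
    """Interpret a HEAD to http://<domain>/.well-known/acme-challenge/<dummy-token>."""
    r = parse_curl_head(raw)
    server = r.headers.get("server", "").lower()
    location = r.headers.get("location", "")
    if r.status in (301, 302, 307, 308) and location.startswith("https://"):
        # An edge rule such as Cloudflare "Always Use HTTPS" rewrites the plain-HTTP
        # challenge URL before the origin ever sees it.
        return "redirected-to-https"
    if r.status == 403 and server == "cloudflare":
        # The 403 is answered with a Cloudflare Server header, i.e. the edge replied,
        # not the origin web server behind it.
        return "forbidden-at-cloudflare"
    if r.status == 404:
        # A 404 for a made-up token is the healthy answer: the request reached a web
        # server that serves the challenge path and will return 200 for a real token.
        return "challenge-path-reachable"
    return f"unexpected-status-{r.status}"


def classify_directory_probe(raw: str) -> str:
    """Interpret a HEAD to https://acme-v02.api.letsencrypt.org/directory."""
    r = parse_curl_head(raw)
    is_json = r.headers.get("content-type", "").startswith("application/json")
    if r.status == 200 and is_json and "replay-nonce" in r.headers:
        return "acme-api-reachable"
    return f"acme-api-unexpected-{r.status}"


def classify_certbot_failure(log: str) -> str:
    """Map the certbot error text quoted in the thread to what it implies."""
    if "ConnectTimeout" in log and ACME_DIRECTORY_HOST in log:
        # Certbot never got a TCP/TLS connection to the ACME directory. A working
        # curl elsewhere on the NAS does not prove anything about the environment
        # certbot itself runs in, so the directory probe must be repeated there.
        return "acme-directory-unreachable-from-certbot"
    return "unclassified"


# Constructed samples, abridged from the outputs pasted in the thread.
REDIRECT_SAMPLE = r"""curl -Ii http://home.pittfanatic.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Date: Sun, 02 Jan 2022 19:36:20 GMT
Location: https://home.pittfanatic.com/.well-known/acme-challenge/Test_File-1234
"""
FORBIDDEN_SAMPLE = r"""curl -I http://home.pittfanatic.com/.well-known/acme-challenge/Test-123
HTTP/1.1 403 Forbidden
Content-Type: text/html
CF-Cache-Status: DYNAMIC
Server: cloudflare
"""
DIRECTORY_SAMPLE = r"""HTTP/2 200
server: nginx
content-type: application/json
replay-nonce: 0101M_Guld_9gmQ4TWucqsnh0SI-9nmjwFc2N565oz7nwU0
"""
CERTBOT_SAMPLE = ("requests.exceptions.ConnectTimeout: HTTPSConnectionPool("
                  "host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded")

if __name__ == "__main__":
    print("challenge (Jan 2, 19:36):", classify_challenge_probe(REDIRECT_SAMPLE))
    print("challenge (Jan 2, 21:35):", classify_challenge_probe(FORBIDDEN_SAMPLE))
    print("directory:", classify_directory_probe(DIRECTORY_SAMPLE))
    print("certbot:", classify_certbot_failure(CERTBOT_SAMPLE))
```

Run the two curl commands from the same environment certbot executes in (for NGINX Proxy Manager that is wherever NPM itself runs, not just a shell on the NAS) and paste their output into the classifier; a "challenge-path-reachable" answer plus "acme-api-reachable" from that environment is the baseline an HTTP-01 issuance needs.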

Further to my prior post ... have you considered using a Cloudflare Origin CA cert?

You get the Origin cert from Cloudflare to use https between your server and Cloudflare. The default is for it to expire in 15 years. Cloudflare takes care of updating its cert for https between it and browsers. You would not need to use certbot.

See:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

2 Likes

I also cannot generate a new cert from within Synology DSM either. I've even tried doing so for another, separate domain and it gave me an error. It's just baffling that this used to work and now I can't get any certs generated regardless of the tool from that NAS, but connectivity seems to be there, at least from the NAS to Letsencrypt.

Did you always use Cloudflare?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.