Can't add LE cert from Synology NAS (Max reached)

Please fill out the fields below so we can help you. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (for example, crt.sh | example.com). Withholding your domain name here therefore does not help keep it secret, but it does make it harder for us to help you.

I can read answers in English: Yes

My domain is: fb.nmdm.fr

I ran this command: No command executed. Just used Synology DSM GUI

It produced this output: The maximum number of certificate requests has been reached for this domain name.

My web server is (include version): 4.2.1-0492 of Web Station package in Synology DSM

The operating system my web server runs on is (include version): DSM 7.2-64570 Update 1 (latest)

My hosting provider, if applicable, is: Myself. The certificate is to be associated to my NAS.

I can log in to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi,

Here is some information to complete:

I renewed all my certificates from my NAS on 2023.06.01 (June, 1st). I always used the same mail address.

I unfortunately deleted my fb.nmdm.fr certificate, and I haven't been able to recreate it for more than a week.
But if I read correctly, I'm far away from the limit of 50 certificates per week, no?

Sometimes Synology NAS issues this error by mistake. But in your case, you have gotten too many certs in the past week. You are allowed 5 certs per week using the same domain name. (see link here)

You should learn why you are getting so many certs. You should only need to get one every 60 days or so. Maybe this article will help (link here)

Here is a list of your recent certs

4 Likes
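The distinction made in the reply above (5 per week for the same name versus 50 per week for the whole registered domain) can be checked against an issuance history, such as one exported from a Certificate Transparency search. This is an added example, not part of any post in this thread; the rolling 7-day window, the two-label registered-domain shortcut, the helper names and the sample data are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Limits as quoted in the thread; the rolling 7-day window is an assumption.
DUPLICATE_LIMIT = 5     # certificates for the same exact set of names
PER_DOMAIN_LIMIT = 50   # certificates under one registered domain
WINDOW = timedelta(days=7)

def registered_domain(name):
    # Assumption: last two labels. Correct for nmdm.fr; real code needs the PSL.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def name_set(names):
    return frozenset(n.lower().rstrip(".") for n in names)

def usage(issuances, now):
    """Count certs in the window per exact name set and per registered domain."""
    dup, per_domain = Counter(), Counter()
    for issued_at, names in issuances:
        if now - WINDOW < issued_at <= now:
            dup[name_set(names)] += 1
            for rd in {registered_domain(n) for n in names}:
                per_domain[rd] += 1   # one cert counts once per domain
    return dup, per_domain

def blocked(issuances, names, now):
    """Return which limits would reject a new order for `names` at `now`."""
    dup, per_domain = usage(issuances, now)
    hits = []
    if dup[name_set(names)] >= DUPLICATE_LIMIT:
        hits.append("duplicate")
    if any(per_domain[registered_domain(n)] >= PER_DOMAIN_LIMIT for n in names):
        hits.append("per-domain")
    return hits

def next_slot(issuances, names, now):
    """Earliest time the duplicate limit allows another order for `names`."""
    key = name_set(names)
    times = sorted(t for t, ns in issuances
                   if name_set(ns) == key and now - WINDOW < t <= now)
    if len(times) < DUPLICATE_LIMIT:
        return now
    return times[-DUPLICATE_LIMIT] + WINDOW  # when the 5th-newest ages out

# Constructed sample data (not the poster's real issuance history).
UTC = timezone.utc
NOW = datetime(2023, 6, 20, 12, 0, tzinfo=UTC)
SAMPLE = [(datetime(2023, 6, 1, 9, 0, tzinfo=UTC), ["fb.nmdm.fr"])]
SAMPLE += [(datetime(2023, 6, d, 10, 0, tzinfo=UTC), ["fb.nmdm.fr"]) for d in range(14, 19)]
SAMPLE += [(datetime(2023, 6, 15, 8, 0, tzinfo=UTC), ["other.nmdm.fr"])]
```

With this sample, the registered domain has used only 6 of its 50, yet fb.nmdm.fr is blocked by the duplicate limit until the oldest of its five in-window certificates ages out.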

Clearly, I was over the limit. I'll do my best in the future.

But I've got so many certs to have something clean: coupled with a reverse proxy, it allows me to address each service with a simple [service].nmdm.fr.

I know that another solution is:

Did I make the wrong choice?

I don't see any problem using a different cert for several different domain names.

The problem is you are replacing perfectly good certs too often.

4 Likes

You could use one wildcard certificate to handle this.

3 Likes

One thing to note is that Synology NAS only supports wildcards when using subdomains of its ddns domain in the PSL. In this case it is a custom domain name.

Perhaps using a different ACME client could work but I don't know Synology well enough to say. Thought it worth pointing out anyway.

Look for the section that includes this:

  • Wildcard certificates are only supported for Synology DDNS.

4 Likes

Nice catch!

4 Likes

Then that is another good reason to put the NAS behind a reverse proxy.

3 Likes

I'm still waiting 2 or 3 days before attempting to add my certificate...

I don't know why you would have to wait any longer. You have gotten 2 certs in the past week so are not rate limited by Let's Encrypt.

You might have to ask Synology about the reason for this error. As I noted earlier, sometimes they issue this error for reasons not related to Let's Encrypt.

4 Likes

You got a cert just a few hours ago. At least that much looks good now.

3 Likes

Hi Mike,
Indeed, I did a test around noon and it logically succeeded, because of the few attempts.
Anyway, hats off to the follow-up :+1: :smiley:
Thanks for all.

2 Likes
