Can't create certificate for 1 domain on Synology, others do work on same NAS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=welzijnsmasseur.nl), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: welzijnsmasseur.nl

I ran this command: Get a certificate via GUI from Synology NAS

It produced this output: Failed to connecto to Let’s Encrypt. Please make sure the domain name is valid.

My web server is (include version): Synology Webstation

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: mijndomein.nl

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know

On the same Synology NAS I am running 2 different websites with a certificate from Let’s Encrypt without any problem. The only difference is that those domains are hosted by a different hosting company.

Hi @baspeels

there is a check of your domain ( https://check-your-website.server-daten.de/?q=welzijnsmasseur.nl ):

There you see the problem.

You have ipv4- and ipv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| welzijnsmasseur.nl | A | 81.204.230.39 (Rhenen/Provincie Utrecht/NL) | yes | 1 | 0 |
| | AAAA | 2a00:4e40:1:1::2:20b (Lelystad/Flevoland/NL) | yes | | |
| www.welzijnsmasseur.nl | A | 81.204.230.39 (Rhenen/Provincie Utrecht/NL) | yes | 1 | 0 |
| | AAAA | 2a00:4e40:1:1::2:20b (Lelystad/Flevoland/NL) | yes | | |

But your http + /.well-known/acme-challenge has different answers:

Domainname Http-Status redirect Sec. G
• http://welzijnsmasseur.nl/
81.204.230.39 301 https://welzijnsmasseur.nl/ 0.047 A
• http://welzijnsmasseur.nl/
2a00:4e40:1:1::2:20b 200 0.047 H
• http://www.welzijnsmasseur.nl/
81.204.230.39 200 0.063 H
• http://www.welzijnsmasseur.nl/
2a00:4e40:1:1::2:20b 200 0.030 H
• https://welzijnsmasseur.nl/
81.204.230.39 200 0.843 N
Certificate error: RemoteCertificateNameMismatch
• https://welzijnsmasseur.nl/
2a00:4e40:1:1::2:20b -14 10.014 T
Timeout - The operation has timed out
• https://www.welzijnsmasseur.nl/
81.204.230.39 200 0.563 N
Certificate error: RemoteCertificateNameMismatch
• https://www.welzijnsmasseur.nl/
2a00:4e40:1:1::2:20b -14 10.016 T
Timeout - The operation has timed out
• http://welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
81.204.230.39 301 https://welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.047 A
Visible Content: 301 Moved Permanently nginx
• http://welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2a00:4e40:1:1::2:20b 200 0.030
Visible Content:
• http://www.welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
81.204.230.39 404 0.127 A
Not Found
Visible Content: © 2019 Synology Inc.
• http://www.welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2a00:4e40:1:1::2:20b 200 0.046
Visible Content:
• https://welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.017 T
Timeout - The operation has timed out
Visible Content:

http + ipv4 is redirected to https, http + ipv6 not. And ipv6 answers with a http status 200, not the expected status 404 - Not Found.

So

  • remove your ipv6, then create a certificate, then fix your ipv6 (or)
  • fix your ipv6

But Letsencrypt prefers ipv6, so that's critical.
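
The comparison described in the reply above, as an added example (not part of the thread or of any poster's tooling): it requests a nonexistent ACME challenge path over IPv4 and IPv6 separately and reports where the two disagree. The function names, the token path and the `example.com` placeholder are assumptions; `PAGE_V4` and `PAGE_V6` are constructed from the check output quoted above.

```python
import http.client
import socket

# A token that does not exist on the server, so a healthy site answers 404 (assumed name).
PATH = "/.well-known/acme-challenge/added-example-nonexistent-token"

def probe(host, family, path=PATH, timeout=10):
    """GET http://host/path over one address family; returns [(ip, status, location)]."""
    out = []
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return out  # no A / AAAA record for this family
    for ip in sorted({info[4][0] for info in infos}):
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})  # connect by IP, keep vhost
            resp = conn.getresponse()
            out.append((ip, resp.status, resp.getheader("Location")))
        except (OSError, http.client.HTTPException) as exc:
            out.append((ip, None, str(exc)))
        finally:
            conn.close()
    return out

def diagnose(v4, v6):
    """Compare per-family results and list what would confuse HTTP-01 validation."""
    findings = []
    if v4 and v6 and {s for _, s, _ in v4} != {s for _, s, _ in v6}:
        findings.append("IPv4 and IPv6 return different statuses: "
                        "check that A and AAAA point at the same server")
    for label, rows in (("IPv4", v4), ("IPv6", v6)):
        for ip, status, _ in rows:
            if status == 200:
                findings.append(f"{label} {ip}: 200 for a nonexistent token, expected 404")
            elif status is None:
                findings.append(f"{label} {ip}: no HTTP answer")
    return findings

# Constructed from the check output quoted above for welzijnsmasseur.nl.
PAGE_V4 = [("81.204.230.39", 301, "https://welzijnsmasseur.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de")]
PAGE_V6 = [("2a00:4e40:1:1::2:20b", 200, None)]

if __name__ == "__main__":
    host = "example.com"  # placeholder: replace with your own domain
    for line in diagnose(probe(host, socket.AF_INET), probe(host, socket.AF_INET6)):
        print(line)
```

A redirect to https on one family is not flagged on its own; the differing status sets and the 200 on a token that should not exist are what the check reports.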

Thanks for pointing me in the right direction. I removed the ipv6 settings at the domain registrar under DNS settings, recreated the certificate, and that worked. I will test it for some days and renew it in a few days. Then I will try to fix the ipv6 settings; I tried to find my ipv6 address but can’t find it. I used whatsmyip.com

whatsmyip shows you the ip address of your local computer.

So if you don't have a configured ipv6, that can't work.

And that service looks wrong.

Your Public IPv4: 162.158.114.98
IPv6: 2a01:238:301b::1229

The ipv6 is correct, the ipv4 is completely wrong.

I get the same thing.

The website’s using Cloudflare, and the IPv4 IPs are Cloudflare IPs. It appears they’re failing to use the X-Forwarded-For header or whatever and reporting Cloudflare’s proxy server IP as “your” IP.

Yep - 162.158.114.98 is Cloudflare Berlin. :wink:

But I’m not Cloudflare and I don’t use it.
