Can't get a cert on Synology NAS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wwolfden.cppexpert.net

I ran this command: Pressed a button in Synology DSM (Get a Certificate from Let’s Encrypt)

It produced this output: Failed to connect to Let’s Encrypt. Please make sure the domain name is valid.

My web server is (include version): nginx/1.16.1, but it is Synology, so who knows

The operating system my web server runs on is (include version): DSM 6…2.3-25426 Update 2

My hosting provider, if applicable, is: me? (Verizon FIOS for connection)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no per se, but DSM is kind of a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): nothing starting with cert on the path. find from root down finds nothing starting with certbot.

Ensure the NAS has outbound access to https://acme-v02.api.letsencrypt.org/
[and access to global DNS]

Ping works, wget works.

root@wolfden:~# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=60 time=4.22 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=60 time=4.70 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=60 time=4.39 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.222/4.441/4.705/0.213 ms
root@wolfden:~# wget ping acme-v02.api.letsencrypt.org
--2020-08-10 02:32:38--  http://ping/
Resolving ping... failed: No address associated with hostname.
wget: unable to resolve host address 'ping'
--2020-08-10 02:32:38--  http://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://acme-v02.api.letsencrypt.org/ [following]
--2020-08-10 02:32:38--  https://acme-v02.api.letsencrypt.org/
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2174 (2.1K) [text/html]
Saving to: 'index.html'

index.html                            100%[=======================================================================>]   2.12K  --.-KB/s    in 0s

2020-08-10 02:32:39 (240 MB/s) - 'index.html' saved [2174/2174]

FINISHED --2020-08-10 02:32:39--
Total wall clock time: 0.6s
Downloaded: 1 files, 2.1K in 0s (240 MB/s)

Is that from the NAS itself?

Yes, the NAS. ssh and sudo -i.

Try it with TLS:
curl -Iki https://acme-v02.api.letsencrypt.org/
or
wget https://acme-v02.api.letsencrypt.org/

That works too.

root@wolfden:~# wget https://acme-v02.api.letsencrypt.org/
--2020-08-10 02:37:32--  https://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2174 (2.1K) [text/html]
Saving to: 'index.html'

index.html                            100%[=======================================================================>]   2.12K  --.-KB/s    in 0s

2020-08-10 02:37:33 (200 MB/s) - 'index.html' saved [2174/2174]

hmm…

Does the NAS have IPv4 and IPv6?

I have no IPv6 configured as the “world leader” ISP Verizon (FIOS) has no IPv6. It still shows some link local stuff I think:

root@wolfden:~# ifconfig | grep inet6
          inet6 addr: fe80::42:a3ff:feff:7/64 Scope:Link
          inet6 addr: fe80::306f:f1ff:fe4b:476a/64 Scope:Link
          inet6 addr: fe80::cf:71ff:feae:de1c/64 Scope:Link
          inet6 addr: fe80::f45c:b4ff:febd:10d3/64 Scope:Link
          inet6 addr: fe80::211:32ff:fe5e:4565/64 Scope:Link
          inet6 addr: ::1/128 Scope:Host

Try it with TLS and IPv6:
curl -6Iki https://acme-v02.api.letsencrypt.org/
or
wget -6 https://acme-v02.api.letsencrypt.org/

Should not work as there is no IPv6. Aaaand it does not work. Are we guessing or is there a point?

root@wolfden:~# wget -6 https://acme-v02.api.letsencrypt.org/
--2020-08-10 02:46:21--  https://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org... 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org|2606:4700:60:0:f53d:5624:85c7:3a2c|:443... failed: Network is unreachable.

My point is:
If the program “thinks” your system has IPv6, it might want to connect via IPv6.
And you have shown clearly that it won’t be able to use IPv6 to do so.

Perhaps there is an LE log file in there somewhere we can look at as well (for more clues).

https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/connection_network_lan
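To turn the reasoning above (link-local addresses only, so any IPv6 attempt is doomed) into a repeatable check, here is an added diagnostic script; it is not from the thread or from Synology. It classifies the `inet6` lines of `ifconfig`/`ip -6 addr` output by scope, counts how many addresses are actually global, and, when run with `--live`, probes the Let's Encrypt ACME directory once per IP family with `curl`, mirroring the `-4`/`-6` checks suggested above. The sample `ifconfig` text embedded in it is constructed for the example; the `2001:db8::` address is documentation space, not a real host.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Synology DSM.
# Decides whether a host has usable IPv6 before blaming an ACME client for
# trying it, then optionally probes the ACME directory per IP family.

ACME_URL="https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample 1: what `ifconfig | grep inet6` showed in the thread
# (link-local and loopback only, so no IPv6 reachability to the Internet).
SAMPLE_LINK_LOCAL_ONLY='          inet6 addr: fe80::42:a3ff:feff:7/64 Scope:Link
          inet6 addr: fe80::306f:f1ff:fe4b:476a/64 Scope:Link
          inet6 addr: ::1/128 Scope:Host'

# Constructed sample 2: the same host with one (documentation-range) global address.
SAMPLE_WITH_GLOBAL='          inet6 addr: fe80::42:a3ff:feff:7/64 Scope:Link
          inet6 addr: 2001:db8::10/64 Scope:Global
          inet6 addr: ::1/128 Scope:Host'

# v6_scope ADDR[/PREFIX] -> loopback | link-local | unique-local | global
# Classifies by address prefix rather than trusting the "Scope:" column, so it
# also works on `ip -6 addr` output, which prints scope differently.
v6_scope() {
  addr=$(printf '%s' "$1" | cut -d/ -f1 | tr 'A-F' 'a-f')
  case "$addr" in
    ::1)                              echo loopback ;;
    fe8?:*|fe9?:*|fea?:*|feb?:*)      echo link-local ;;   # fe80::/10
    fc??:*|fd??:*)                    echo unique-local ;; # fc00::/7, not routed on the Internet
    *)                                echo global ;;
  esac
}

# count_global_v6 TEXT -> number of global-scope IPv6 addresses in TEXT.
# Accepts both net-tools formats: "inet6 addr: ADDR/64" and "inet6 ADDR/64".
count_global_v6() {
  n=0
  for a in $(printf '%s\n' "$1" | awk '/inet6/ { print ($2 == "addr:") ? $3 : $2 }'); do
    [ "$(v6_scope "$a")" = global ] && n=$((n + 1))
  done
  echo "$n"
}

# probe_acme FAMILY -> prints the HTTP status (000 on connect failure) for the
# ACME directory over IPv4 (4) or IPv6 (6); exit status is curl's.
probe_acme() {
  curl -"$1" -sS -o /dev/null -m 10 -w '%{http_code}\n' "$ACME_URL"
}

# Stand-alone run: report on the constructed sample, or on the real host with --live.
if [ "${1:-}" = "--live" ]; then
  live=$(ifconfig 2>/dev/null || ip -6 addr 2>/dev/null)
  printf 'global IPv6 addresses on this host: %s\n' "$(count_global_v6 "$live")"
  printf 'ACME over IPv4: %s\n' "$(probe_acme 4 || true)"
  printf 'ACME over IPv6: %s\n' "$(probe_acme 6 || true)"
else
  printf 'sample (link-local only): %s global IPv6 addresses\n' "$(count_global_v6 "$SAMPLE_LINK_LOCAL_ONLY")"
  printf 'sample (with global):     %s global IPv6 addresses\n' "$(count_global_v6 "$SAMPLE_WITH_GLOBAL")"
fi
```

Run it with `--live` on the NAS over SSH: a count of 0 together with a failing IPv6 probe and a succeeding IPv4 probe is exactly the "the system thinks it has IPv6 but cannot use it" situation, and the fix is in the DSM network settings rather than in the certificate request.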

I put the thing to off. I have no clue when it went back to auto. Probably with some DSM update. :frowning:

Aaaaah…
You’re welcome?
Apology accepted?
Oh wait!
You were NEVER wrong.
Just… anxious

Anywho… did it resolve the problem?
Are you able to get a cert?

??? You need to chill. Nowhere did I say I was not wrong. If I knew what the hell I was doing I would not be begging for help here. IPv6 is off. Same error.

Unfortunately, it still does not work with IPv6 off. Exact same error message. I will reboot the thing as ifconfig reports the same lines after turning it off.

You need to realize I don’t get paid to help.
So be nice or find your own answers.

FYI I am very chill

despite my perceived arrogance and short fuse - I am trying to help [for free]

And, so far, the best lead is the IPv6 “problem”.


So does it do what you ask?
“NO IPV6”

Show the full ifconfig output.

OK. I am not exactly sure where I demanded that you help or how I am supposed to know if you get paid or not. I am not exactly sure what triggered your morose bit on, but if you don’t want to help, just don’t. I mean I only do what you do (with no payment) since 1988, so I know that one can get unappreciated. Sometimes for the right reasons, sometimes for the wrong ones. I remember 4 times getting upset when people demanded stuff for free. Like weeks of work. The 4 times was 2 guys. 2-2. And they were absolutely livid and had no clue what they were doing wrong.