Can't get a cert on Synology NAS

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wwolfden.cppexpert.net

I ran this command: Pressed a button in Synology DSM (Get a Certificate from Let’s Encrypt)

It produced this output: Failed to connect to Let’s Encrypt. Please make sure the domain name is valid.

My web server is (include version): nginx/1.16.1, but it is Synology, so who knows

The operating system my web server runs on is (include version): DSM 6…2.3-25426 Update 2

My hosting provider, if applicable, is: me? (Verizon FIOS for connection)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no per se, but DSM is kind of a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): nothing starting with cert on the path. find from root down finds nothing starting with certbot.

2

Ensure the NAS has outbound access to https://acme-v02.api.letsencrypt.org/
[and access to global DNS]

3

Ping works, wget works.

root@wolfden:~# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=60 time=4.22 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=60 time=4.70 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=60 time=4.39 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.222/4.441/4.705/0.213 ms
root@wolfden:~# wget ping acme-v02.api.letsencrypt.org
--2020-08-10 02:32:38--  http://ping/
Resolving ping... failed: No address associated with hostname.
wget: unable to resolve host address 'ping'
--2020-08-10 02:32:38--  http://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://acme-v02.api.letsencrypt.org/ [following]
--2020-08-10 02:32:38--  https://acme-v02.api.letsencrypt.org/
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2174 (2.1K) [text/html]
Saving to: 'index.html'

index.html                            100%[=======================================================================>]   2.12K  --.-KB/s    in 0s

2020-08-10 02:32:39 (240 MB/s) - 'index.html' saved [2174/2174]

FINISHED --2020-08-10 02:32:39--
Total wall clock time: 0.6s
Downloaded: 1 files, 2.1K in 0s (240 MB/s)
4

Is that from the NAS itself?

5

Yes, the NAS. ssh and sudo -i.

6

Try it with TLS:
curl -Iki https://acme-v02.api.letsencrypt.org/
or
wget https://acme-v02.api.letsencrypt.org/

7

That works too.

root@wolfden:~# wget https://acme-v02.api.letsencrypt.org/
--2020-08-10 02:37:32--  https://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2174 (2.1K) [text/html]
Saving to: 'index.html'

index.html                            100%[=======================================================================>]   2.12K  --.-KB/s    in 0s

2020-08-10 02:37:33 (200 MB/s) - 'index.html' saved [2174/2174]
8

hmm…

Does the NAS have IPv4 and IPv6?

9

I have no IPv6 configures as the “world leader” ISP Verizon (FIOS) has no IPv6. It still shows some link local stuff I think:

root@wolfden:~# ifconfig | grep inet6
          inet6 addr: fe80::42:a3ff:feff:7/64 Scope:Link
          inet6 addr: fe80::306f:f1ff:fe4b:476a/64 Scope:Link
          inet6 addr: fe80::cf:71ff:feae:de1c/64 Scope:Link
          inet6 addr: fe80::f45c:b4ff:febd:10d3/64 Scope:Link
          inet6 addr: fe80::211:32ff:fe5e:4565/64 Scope:Link
          inet6 addr: ::1/128 Scope:Host
10

Try it with TLS and IPv6:
curl -6Iki https://acme-v02.api.letsencrypt.org/
or
wget -6 https://acme-v02.api.letsencrypt.org/

11

Should not work as there is no IPv6. Aaaand it does not work. Are we guessing or there is a point?

root@wolfden:~# wget -6 https://acme-v02.api.letsencrypt.org/
--2020-08-10 02:46:21--  https://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org... 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org|2606:4700:60:0:f53d:5624:85c7:3a2c|:443... failed: Network is unreachable.
12

My point is:
If the program “thinks” your system has IPv6, it might want to connect via IPv6.
Which you have shown clearly that it won’t be able to use IPv6 to do so.

Perhaps there is an LE log file in there somewhere we can look at as well (for more clues).

13

https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/connection_network_lan

image
image977×391 32.7 KB

14

I put the thing to off. I have no clue when it went back to auto. Probably with some DSM update. :frowning:

15

Aaaaah…
Your welcome?
Apology accepted?
Oh wait!
You were NEVER wrong.
Just… anxious

Anywho… did it resolve the problem?
Are you able to get a cert?

16

??? You need to chill. Nowhere did I say I was not wrong. If I knew what the hell I was doing I would not be begging for help here. IPv6 is off. Same error.

Unfortunately, it still does not work with IPv6 off. Exact same error message. I will reboot the thing as ifconfig reports the same lines after turning it off.

17

You need to realize I don’t get paid to help.
So be nice or find your own answers.

FYI I am very chill

18

despite my perceived arrogance and short fuse - I am trying to help [for free]

And, so far, the best lead is the IPv6 “problem”.

1 Like
19

So does it do what you ask?
“NO IPV6”

Show the full IFCONFIG output,

20

OK. I am not exactly sure where did I demanded that you help or how am I supposed to know if you get paid or not. I am not exactly sure what triggered your morose bit on, but if you don’t want to help, just don’t. I mean I only do what you do (with no payment) since 1988, so I know that one can get unappreciated. Sometimes for the right reasons, sometimes for the wrong one. I remember 4 times getting upset when people demanded stuff for free. Like weeks of work. The 4 times was 2 guys. 2-2. And they were absolutely livid and had no clue what they were doing wrong.