Can't get certificate for one of my domains

For several domains I got certificates with my Synology NAS (DSM 7) from Let's Encrypt, except my domain architektur.weide.biz. It seems to be blocked.
I had a certificate but it ran out. I tried to renew it first, then I deleted it and wanted to create a new one, but I failed.
What can I do?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


After you answer the questions above...

It seems like the HTTP site redirects to a non-existent site:

curl -Ii architektur.weide.biz/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 31 Dec 2021 15:18:29 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Keep-Alive: timeout=20
Location: https://architektur.weide.biz/.well-known/acme-challenge/Test_File-1234
Strict-Transport-Security: max-age=15768000

curl -Ii https://architektur.weide.biz/.well-known/acme-challenge/Test_File-1234
curl: (60) SSL certificate problem: unable to get local issuer certificate

So, it might be that there is no such site at all.
You need to review the vhost configs and ensure the name "architektur.weide.biz" is being served.

As shown by:

echo | openssl s_client -connect architektur.weide.biz:443 -servername architektur.weide.biz | head
depth=0 C = TW, L = Taipel, O = Synology Inc., CN = synology
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = TW, L = Taipel, O = Synology Inc., CN = synology
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000005)
---
Certificate chain
 0 s:C = TW, L = Taipel, O = Synology Inc., CN = synology
   i:C = TW, L = Taipel, O = Synology Inc., CN = Synology Inc. CA
---

Yet all points to that name:

curl -Ii http://weide.biz/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 31 Dec 2021 15:25:25 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Keep-Alive: timeout=20
Location: https://weide.biz/
Strict-Transport-Security: max-age=15768000

curl -Ii https://weide.biz/
HTTP/2 302
server: nginx
date: Fri, 31 Dec 2021 15:25:31 GMT
content-type: text/html; charset=UTF-8
location: https://architektur.weide.biz
link: <https://architektur.weide.biz/wp-json/>; rel="https://api.w.org/"
strict-transport-security: max-age=15768000

[to a site that doesn't exist]

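The two checks from the reply above (a plain-HTTP request to the challenge path without following the redirect, then the certificate served for the name via SNI) combined into one script. This is an added example, not part of the thread; the function names and the finding codes are this example's own labels.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urljoin, urlsplit

CHALLENGE = "/.well-known/acme-challenge/Test_File-1234"  # test path used in the thread

def probe_http(host, path=CHALLENGE):
    """HEAD the challenge path on port 80 without following redirects (like curl -I)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def probe_tls(host):
    """Return None if the certificate served for `host` via SNI verifies, else the reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

def diagnose(host, status, location, tls_error):
    """Map probe results to (code, detail) findings; codes are this example's own labels."""
    findings = []
    if status in (301, 302, 307, 308) and location:
        url = urlsplit(urljoin(f"http://{host}/", location))  # resolves relative Location
        findings.append(("redirect", f"{status} to {url.scheme}://{url.hostname}"))
        if url.hostname != host.lower():
            findings.append(("other-host", f"redirect leaves {host}"))
        elif url.scheme == "https" and tls_error:
            # The thread's reading: a certificate that is not valid for this name
            # suggests the name is not served by its own vhost on 443.
            findings.append(("vhost-suspect", tls_error))
    elif status in (200, 404):
        # 404 is the normal answer for a test file that does not exist.
        findings.append(("served-directly", f"HTTP {status}, no redirect"))
    else:
        findings.append(("unexpected-status", f"HTTP {status}"))
    return findings

if __name__ == "__main__" and len(sys.argv) == 2:
    code, loc = probe_http(sys.argv[1])
    tls = probe_tls(sys.argv[1]) if (loc or "").startswith("https://") else None
    for finding in diagnose(sys.argv[1], code, loc, tls):
        print(*finding, sep=": ")
```

Run it with the host name as the only argument; a `vhost-suspect` finding corresponds to the situation shown in the curl and openssl output above.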

The site does exist and it's reachable, but actually with an incorrect certificate for architektur2.weide.biz. I think I reached a rate limit by Let's Encrypt because of too many tries to renew or to create a new one.

The questions above I cannot reply to completely.
I didn't run any command on a command line. I chose to renew and then to create a new certificate within the System Control of Synology Disk Station Manager (DSM, v7.0.1) > Security > Certificates.
The failure output was something like "server didn't answer".
I've got my own web server on this NAS. If it's really necessary I can log in to a root shell on my NAS.

I solved it! :)
Meanwhile I got the certificate again and the site runs properly.

There was a conf-file for nginx in the folder "sites-enabled" because of URL routing with WordPress. It caused an issue with the renewing of the certificate. I had to delete this conf-file. I put the settings for WordPress in the vhost.conf-file. Hopefully they are not removed by the Synology system itself.

