Certificate for domain forwarding to DDNS

My domain is: zeeto.me & zeeto.synology.me

I ran this command: N/A

It produced this output: Failed to connect to Let’s Encrypt. Please make sure the domain name is valid.

My web server is (include version): Apache HTTP Server 2.2

The operating system my web server runs on is (include version): Linux?

My hosting provider, if applicable, is: GoDaddy & Synology DDNS

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hello,

I successfully managed to register a certificate for my domain name zeeto_me, which is hosted with GoDaddy and is set to forward (301) with masking to my DDNS zeeto_synology_me.
However, some time ago it failed to renew and I’m trying to register the certificate from scratch.

To register the certificate I use Synology DSM, which has a GUI, and registering the certificate is as simple as providing:
Domain name: zeeto.me
Email: my email address
Subject Alternative Name: where I tried: www.zeeto.me;zeeto.synology.me;test.zeeto.me;
as well as without www.zeeto.me;

The domain name zeeto_me, apart from being forwarded to zeeto_synology_me (I can’t use an A record as I don’t have a static IP, thus I’m using synology.me DDNS), has the CNAME record ‘test’ with the value of ‘zeeto.synology.me’.

The Synology Support guys advised that there is something wrong with the setup of the domain zeeto_me, as registering the domain name zeeto_synology_me on its own went through without any problems.

They sent me this from the log:
2017-08-16T04:18:07+01:00 nas synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[26506]: certificate.cpp:1359 Failed to create Let’sEncrypt certificate. [200][new_authz: unexpect httpcode.]
2017-08-16T04:20:01+01:00 nas synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[27423]: certificate.cpp:957 syno-letsencrypt failed. 102 [Invalid response from http://zeeto.me/.well-known/acme-challenge/EgdcqE-

I tried looking up this forum and came across a suggestion to create a Hello World html file in the /.well-known/acme-challenge/test folder to see if it is accessible from the internet.
Here comes the weird part: I can’t access the empty html file here:
http://zeeto.me/.well-known/acme-challenge/test
but when I created a folder on my server replacing one random character of the bit ‘/acme-challenge’, I can access it no problem, so for example http://zeeto.me/.well-known/acme-challenga/test is accessible.

Another suggestion from Synology Tech Support was that when they ping the domain name zeeto_me it shows a different IP than zeeto_synology_me…
I checked and the IP of zeeto_me is GoDaddy’s server IP, but the domain name is forwarded to my synology.me DDNS.

As mentioned before, originally I managed to create a certificate, but for some reason I can’t now - I don’t think I changed anything within my configuration since I successfully registered the certificate.

Port 80 is accessible on my Synology.

Sorry for the long post, I tried to put in all the information I think may be vital.

Thanks

Hi @zeeto,

You are not really forwarding zeeto.me to zeeto.synology.me; what you are doing is creating a web page on the GoDaddy side with an ugly iframe which is pointing to zeeto.synology.me.

$ curl -ikL http://zeeto.me/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 15 Sep 2017 23:55:53 GMT
Content-Length: 385
Age: 1
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
  <title>zeeto.me</title>

</head>
<frameset rows="100%,*" border="0">
  <frame src="http://zeeto.synology.me/.well-known/acme-challenge/test" frameborder="0" />
  <frame frameborder="0" noresize />
</frameset>

<!-- pageok -->
<!-- 07 -->
<!-- -->
</html>

Let's Encrypt won't follow this "redirection", so you should create a real redirection, or maybe it will be easier for you to create a CNAME record for your domain/subdomains pointing to zeeto.synology.me. That way, asking for the IP of your domain zeeto.me, you will get the IP of zeeto.synology.me, and Let's Encrypt could reach your server to validate the domain.

Example output of dig if you create a CNAME for zeeto.me pointing to zeeto.synology.me:

$ dig zeeto.me

; <<>> DiG 9.11.1 <<>> zeeto.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35521
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zeeto.me.             IN      A

;; ANSWER SECTION:
zeeto.me.            300     IN      CNAME   zeeto.synology.me.
zeeto.synology.me.   1800    IN      A       86.156.21.163

;; Query time: 30 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 16 02:06:28 CEST 2017
;; MSG SIZE  rcvd: 72

You already have a CNAME record for www.zeeto.me pointing to zeeto.me, so it shouldn't be hard to add a new CNAME for zeeto.me :)

Cheers,
sahsanu
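
A pre-flight check for the situation diagnosed in the answer above, as an added example (not code from the original posts, Synology or Let's Encrypt): it takes one raw response as printed by `curl -i` for a challenge URL and tells a real HTTP redirect apart from a frameset/iframe "mask" and from directly served content. The sample responses are constructed (the masked one is trimmed from the quoted curl output), and the names `classify` and `FrameFinder` are hypothetical.

```python
from html.parser import HTMLParser

# Constructed samples; MASKED is trimmed from the curl output quoted above.
TARGET = "http://zeeto.synology.me/.well-known/acme-challenge/test"
MASKED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    '<html><frameset rows="100%,*" border="0">\n'
    '  <frame src="' + TARGET + '" frameborder="0" />\n'
    '  <frame frameborder="0" noresize />\n'
    "</frameset></html>\n"
)
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: " + TARGET + "\r\n\r\n"
DIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nexample-token.example-thumbprint\n"


class FrameFinder(HTMLParser):
    """Collects the src attribute of every <frame> or <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("frame", "iframe") and src:
            self.sources.append(src)


def classify(raw):
    """Return (verdict, detail) for a single raw HTTP response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    if 300 <= status < 400 and "location" in headers:
        return "http-redirect", headers["location"]  # a real redirection
    if status != 200:
        return "error", str(status)
    finder = FrameFinder()
    finder.feed(body)
    if finder.sources:
        # 200 OK whose body only frames another host: a browser shows the
        # target, but an HTTP client receives this HTML, not the challenge file.
        return "framed-mask", finder.sources[0]
    return "direct", body.strip()


if __name__ == "__main__":
    for name, raw in (("masked", MASKED), ("redirect", REDIRECT), ("direct", DIRECT)):
        print(name, classify(raw))
```
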
