Certificate renewal Synology NAS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gjknas.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): WebDav on Synology DSM 7.0

The operating system my web server runs on is (include version): WebDav Synology DSM 7.0

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): i don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Synology Control Panel/Certificate DSM 7.0
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): The client runs on Win 10 64 bit Pro

2 Likes

1st time here, please bear with me.
The LAN on my network resides behind a Peplink Max Transit CAT-18 cellular router/modem. I've already encountered issues with carrier-grade NAT & suspect that to be the issue here.
I recently upgraded Synology's DSM on my NAS to 7.0. Prior to the upgrade, all was well. Either as a result of the upgrade or coincidentally, my gjknas.com certificate shows as expired. When I try to renew it, I get the message about forwarding ports & correct configuration etc., etc. How do I enable Let's Encrypt to get past the carrier-grade NAT issue with cellular providers to renew my certificate? I realize this is probably a Synology application issue, but more & more users are going to be using cellular & there must be a workaround.
Thanks in advance for any help.

2 Likes

Welcome to the community @lemondrop9344

It would help just to clarify some things and cover background.

Your gjknas.com site is sending a self-signed cert that expired in Oct 2018
See here

I see no history of you ever having a Let's Encrypt cert
And no history of an LE cert for any other names shown in your self-signed cert
See here and here

I do not understand your concern with Carrier NAT. The IP for gjknas.com is readily accessible to the public. Can you explain your concerns?

I also do not understand your concerns about port forwarding and the like. I get normal responses from requests to gjknas.com from Apache

Going forward:

If your self-signed cert was satisfactory perhaps you just need to make a new one

You could also start using certs from Let's Encrypt. You cannot "renew" your self-signed cert with one from LE - you start fresh. Below is a recent page from Synology about doing that. If you have more specific questions about LE let us know.

3 Likes

Welcome to the Let's Encrypt Community 🙂

You might find this useful:

3 Likes

Thank you for your response & help.

I’m confident I did not explain my issue correctly & I apologize for that.

Let me go at this again.

I live & travel full time in an RV. In order to have reliable/dependable internet connectivity I use cellular data plans provided by AT&T & Verizon. I use a Peplink Max Transit CAT-18 cellular modem/router as the backbone of the LAN in the RV. Both AT&T & Verizon utilize CGNAT.

GJKNAS.com is a domain name I own through GoDaddy. If I ping this domain it returns an IP address of 160.153.96.97 (assuming I typed that in correctly). I do not have a website; that is just a domain I own & I used it when I initially installed the Synology NAS some time ago. There is no deliberate internet linkage of any kind between the GoDaddy domain & the LAN in my RV.

From the PC I am sitting at in the RV, I utilize ‘what is my IP’ & it returns an IP of 174.247.7.142. A ‘whois’ of this IP will reveal the domain is Verizon.com. When I ping this IP, I get the following results:

Synology’s Disk Management System (as outlined in your referenced reading material) provided a method with their DSM prior to 7.0 to somehow attain a new SSL from Let’s Encrypt. With DSM 7.0, Let’s Encrypt can’t get to my public IP address (174.247.7.142) to obtain a new SSL certificate. On the surface, I suspect Synology did not consider users with cellular providers using CGNAT. It’s only an issue with an expired SSL or requesting a new SSL from Let’s Encrypt. I’m in a Catch-22 situation right now: I don’t have a valid SSL certificate & I can’t get one from Let’s Encrypt because of CGNAT.

I have tried to get a new SSL as outlined in the Synology attachment; it times out due to the CGNAT issue.

Again, I apologize if I have not explained this with the precise technical terminology.

George K

2 Likes

Griffin,

Thank you for your response. I am providing some information I sent to another respondent (my reply above) which, hopefully, better explains my issue.

George K

2 Likes

OK, that explanation helps.

So, what domain name are you trying to get a certificate for?

2 Likes

Mike,

As an FYI…

I have also been working with Synology tech support. They seem to agree the issue is with CGNAT if I try to obtain the certificate via the Synology process.

The existing configuration on the NAS is looking for a certificate for gjknas.com. I used that only because I have that domain name thru GoDaddy.

I have tried using gjkjrnas.direct.quickconnect.to which is reflected in the screen capture below. It did not work.

George K

1 Like

So, I understand you are now trying to get a cert for domain name gjkjrnas.direct.quickconnect.to

You must have a working HTTP site (port 80) to obtain a cert using the HTTP challenge. That domain cannot be reached via http. See:

The Let's Encrypt server must see that you control the domain name you are requesting a cert for. It does this through the public DNS and internet.

Typically, failures like this are caused by a firewall block, incorrect port forwarding or in some cases the ISP may block access using that port (eg some do not allow hosting http sites with their service). There may be other causes.

In any event, if you do an HTTP challenge the LE server will chase the DNS IP for that domain name to a server and expect a specific response. No response, no cert.

2 Likes

Mike,

I appreciate you trying to help. Somehow I am not able to effectively communicate that the issue is associated with CGNAT (Carrier-Grade Network Address Translation) & I’m looking for a way to get around it. If that is not possible with Let's Encrypt, I need to look at other possible solutions. I’ve attached a high-level description from Wikipedia that addresses CGNAT.

I’ve made some notes in red on your reply in an attempt to clarify the issue.

Carrier-grade NAT

From Wikipedia, the free encyclopedia


Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of Network address translation (NAT) for use in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end sites. This shifts the NAT function and configuration thereof from the customer premises to the Internet service provider network (though "conventional" NAT on the customer premises will often be used additionally).

Carrier-grade NAT is often used for mitigating IPv4 address exhaustion.[1]

1 Like

The simplest way to overcome CGNAT is to avoid HTTP-01 authentication; use DNS-01 authentication.
That requires the use of an ACME client that has a DNS plugin that can update the DNS zone.
That requires that the DNS Service Provider (DSP) supports updates via API.

This, of course, will only get you a cert.
If you plan on using that cert to serve content to anyone on the Internet...
You will have to get much more creative, as there is no way for the Internet to reach your IP (behind the CGNAT).

4 Likes
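To make concrete why Mike's HTTP-01 description above fails behind CGNAT while Rudy's DNS-01 suggestion does not, here is an added example (not code from this thread, from Synology, or from Let's Encrypt) that derives both challenge responses from the same ACME token and account key, following RFC 8555 sections 8.1, 8.3 and 8.4 and RFC 7638 for the key thumbprint. The JWK, the token and the TXT record set are constructed placeholders; a real ACME server issues the token and the client holds the real account key. The only difference that matters for this thread is where the CA looks: HTTP-01 makes the CA open an inbound TCP connection to the address behind the name, which CGNAT never delivers, whereas DNS-01 makes the CA query a TXT record that the client publishes outbound through the DNS provider's API.

```python
"""ACME HTTP-01 versus DNS-01 challenge material (RFC 8555 sections 8.1, 8.3, 8.4).

Added example, not code from the forum thread, Synology or Let's Encrypt.
The account key, token and DNS answers below are constructed placeholders.
"""
import base64
import hashlib
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 4648 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace.

    Extra members such as "kid" or "use" are deliberately ignored.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint(account key)  (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(domain: str, token: str, jwk: dict) -> dict:
    """What the CA fetches for HTTP-01.

    The CA resolves the name and connects inbound on port 80; behind CGNAT the
    carrier drops that connection, so the challenge times out.
    """
    return {
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_challenge(domain: str, token: str, jwk: dict) -> dict:
    """What the CA queries for DNS-01: one TXT record at _acme-challenge.<name>.

    The value is base64url(SHA-256(key authorization)); the client publishes it
    outbound via the DNS provider's API, so no inbound path to the NAS is needed.
    """
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"name": f"_acme-challenge.{domain}", "type": "TXT", "value": b64url(digest)}


def dns01_satisfied(txt_records: Iterable[str], expected: str) -> bool:
    """CA-side check: the expected value must be one of the TXT RRs; others may coexist."""
    return any(record == expected for record in txt_records)


# Constructed sample values (placeholders, not a real account key or server token).
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DOMAIN = "gjknas.com"

if __name__ == "__main__":
    http01 = http01_challenge(DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    dns01 = dns01_challenge(DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: CA must reach", http01["url"], "and read", http01["body"])
    print("DNS-01: CA must find TXT", dns01["name"], "=", dns01["value"])
    # Constructed DNS answer, as if the provider API had published the record.
    published = ["v=spf1 -all", dns01["value"]]
    print("DNS-01 would validate:", dns01_satisfied(published, dns01["value"]))
```

Running it prints the URL and body the CA would fetch for HTTP-01 and the record name and value it would query for DNS-01. Two practical points the thread's advice implies: the TXT value changes with every order because the token does, so the DNS update must be automated (hence the "DNS plugin" requirement), and the CA checks only the authoritative DNS, so the NAS's own reachability never enters the DNS-01 path. The certificate obtained this way still does nothing to make the NAS reachable from outside the carrier NAT.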

I don't see any red notes. Not important.

I heartily agree with Rudy's latest comment.

Do you have a fixed IPv6 address? Can it be addressed from the public internet? The Let's Encrypt server will prefer the IPv6 address if an AAAA record is in the DNS (update: for an HTTP challenge).

Of course, any other clients will need to prefer IPv6 too if you want them to reach you that way. And, this assumes your ISP allows http inbound to your device.

2 Likes

Rudy,

You have pretty much confirmed what I’ve already discovered through trial & error. I would not say there is ‘no way’ for the Internet to get to my LAN behind the CGNAT (maybe semantics), but it certainly appears it’s not going to happen with the utility provided by Synology within their DSM.

I will explore other alternatives to get the NAS working.

Thanks to all for your help.

2 Likes