Certificate request keeps failing on Synology NAS

My domain is:
www.lumiballs.be
I ran this command:
No commands, I am using the Synology control panel/security/certificate/"create a certificate" function

It produced this output:
Let's Encrypt is unable to validate this domain name. Please make sure your DiskStation and router have port 80 open to Let's Encrypt domain validation from the Internet. All the other communications with Let's Encrypt go over HTTPS to keep your DiskStation secure.

My web server is (include version): Synology DS418

The operating system my web server runs on is (include version): DSM 7.2.2-72806 Update 3

My hosting provider, if applicable, is: Combell

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

It states that the port is not open, but if I use canyouseeme.org, both ports 80 and 443 are open.
Last Sunday or Monday I did manage to get a certificate according to the Synology control panel, but when I visited the website, it still showed the "unsafe connection" prompt.

I have tried many things but nothing seems to work. Any help or advice?

Thanks in advance
Sven

Go to https://letsdebug.net/

Type your domain, and choose HTTP-01 and run

And then try again at DSM

2 Likes

I see you have gotten several certs for your www subdomain recently. Looks like 4 separate successful requests. The most recent requests get an RSA and ECDSA cert each time you request a cert. Which is fine but can lead to reaching rate limits more quickly.

But, requests to that domain use a self-signed Synology cert. This is some sort of default and not any of the certs you recently got.

You are better off asking about this on the Synology forum. There is clearly something wrong with its configuration.

Your recent certs:

See details of the failed HTTPS response: SSL Checker

3 Likes

Thank you for pointing me to this website. It seems that the Telenet ISP modem has a built-in firewall that blocks the traffic; if I disable both, I get the ALL OK message on the debugger.
The certificate works now.

So I applied an IPv6 filter on ports 80 and 443 to enable the firewalls again, but it does not work.

I guess I will turn off the firewall each time I have to renew the certificate.

Thanks a lot for the help.

1 Like

Just curious ... how did you get the earlier certs for your www subdomain if the Telenet modem firewall was blocking access?

1 Like

I have no clue, to be honest. I requested the cert multiple times using lumiballs.be, and then I entered www.lumiballs.be.

My networking knowledge is also not sufficient to know what exactly I am doing. I would also assume that if ports 80 and 443 are being blocked, I also can't access the website, which I could and can.

I have the ports open on IPv4 and on IPv6, but the cert keeps failing if I don't uncheck both firewalls...

I also managed to get the website signed externally by choosing the Let's Encrypt cert on all Synology services: FTPS, Synology Drive Server, Synology Storage Console Server and System Default. It now shows up as a "safe" website.

1 Like

Do you know why your DNS has different IP addresses for your two domain names?

Your registered domain name has just an A record (no IPv6 AAAA record)

dig +noall +answer A lumiballs.be
lumiballs.be.           300     IN      A       217.19.237.54

But, www has both using a CNAME to a synology domain name. And, the IPv4 A address is not the same as lumiballs.be.

dig +noall +answer A www.lumiballs.be
www.lumiballs.be.       300     IN      CNAME   lumiballs.synology.me.
lumiballs.synology.me.  240     IN      A       78.20.57.72

dig +noall +answer AAAA www.lumiballs.be
www.lumiballs.be.       235     IN      CNAME   lumiballs.synology.me.
lumiballs.synology.me.  240     IN      AAAA    2a02:1812:1c1e:300:9209:d0ff:fe16:a9e7

Mixing IP addresses like that is not technically wrong. It is just unusual, and even more so to then combine the two domain names on the same cert. And, given what I see below, I think there are still problems with your network config, possibly related to this mix of DNS addresses.

Here are the possible connection types. Only 1 of 3 works.

# IPv4 HTTPS to lumiballs fails
curl -i4 -m5 https://lumiballs.be
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

# IPv4 HTTPS to www works
curl -i4 -m5 https://www.lumiballs.be
HTTP/2 200
server: nginx
content-length: 765

# IPv6 HTTPS to www fails
curl -i6 -m5 https://www.lumiballs.be
curl: (28) Failed to connect to www.lumiballs.be port 443 after 2502 ms: Connection timed out

2 Likes
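The diagnosis in the post above (which address families the name publishes, which of them actually accept connections from outside, and how the apex and www addresses differ) can be scripted. The following is an added example, not code from the thread, from Synology or from Let's Encrypt; the host names and addresses in it are constructed placeholders, and the `live_resolver`/`live_probe` pair is only used when you call the checks with their defaults from a machine outside your LAN. It relies on one documented Let's Encrypt behaviour: when an AAAA record exists, the validator tries IPv6 first.

```python
"""Check HTTP-01 reachability per address family for a hostname.

Added example (not from the thread, Synology or Let's Encrypt).
Runs offline against constructed DNS/reachability data; pass the
live_* defaults to run it for real from outside your network.
"""
import socket
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]                     # (rtype, address)
Resolver = Callable[[str], List[Record]]
Probe = Callable[[str, int], bool]

# Constructed sample data: placeholder names and documentation addresses, not
# live hosts. Shape mirrors the thread's dig answers: www publishes A + AAAA,
# the apex publishes A only, and the two A addresses differ.
CONSTRUCTED_DNS: Dict[str, List[Record]] = {
    "www.example.test": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "example.test":     [("A", "192.0.2.20")],
}
# Constructed "view from the Internet": only the IPv4 addresses accept TCP/80,
# the IPv6 address is filtered (as the thread's curl -6 timeout shows).
CONSTRUCTED_REACHABLE = {("192.0.2.10", 80), ("192.0.2.20", 80)}


def constructed_resolver(host: str) -> List[Record]:
    return CONSTRUCTED_DNS.get(host, [])


def constructed_probe(ip: str, port: int) -> bool:
    return (ip, port) in CONSTRUCTED_REACHABLE


def live_resolver(host: str) -> List[Record]:
    """Resolve through the system resolver; CNAME chains are followed for us."""
    records = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        records.add((rtype, sockaddr[0]))
    return sorted(records)


def live_probe(ip: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_validation_paths(host: str, port: int = 80,
                           resolver: Resolver = live_resolver,
                           probe: Probe = live_probe) -> Dict[str, List[Tuple[str, bool]]]:
    """Map each address family to [(address, reachable_on_port), ...]."""
    results: Dict[str, List[Tuple[str, bool]]] = {"A": [], "AAAA": []}
    for rtype, ip in resolver(host):
        results[rtype].append((ip, probe(ip, port)))
    return results


def diagnose(results: Dict[str, List[Tuple[str, bool]]], port: int = 80) -> List[str]:
    """Turn per-family results into tagged findings a NAS owner can act on."""
    findings: List[str] = []
    v4, v6 = results["A"], results["AAAA"]
    v4_ok = any(ok for _, ok in v4)
    v6_ok = any(ok for _, ok in v6)
    if not v4 and not v6:
        findings.append("NO_RECORDS: name resolves to nothing; validation cannot start")
    if v6 and not v6_ok:
        findings.append(f"IPV6_UNREACHABLE: AAAA record published but no IPv6 address accepts "
                        f"TCP/{port}; Let's Encrypt tries IPv6 first when an AAAA exists, so "
                        f"open the port on IPv6 in the router/modem firewall or drop the AAAA")
    if v4 and not v4_ok:
        findings.append(f"IPV4_UNREACHABLE: A record published but no IPv4 address accepts "
                        f"TCP/{port}; check port forwarding and the modem firewall")
    if (v4 or v6) and not findings:
        findings.append("OK: every published address family accepts connections")
    return findings


def compare_addresses(host_a: str, host_b: str,
                      resolver: Resolver = live_resolver) -> List[Record]:
    """Records present for one host but not the other (the apex/www mismatch)."""
    return sorted(set(resolver(host_a)) ^ set(resolver(host_b)))


if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        res = check_validation_paths(name, 80, constructed_resolver, constructed_probe)
        print(name, res)
        for line in diagnose(res):
            print("  ", line)
    print("apex/www differences:",
          compare_addresses("www.example.test", "example.test", constructed_resolver))
```

Run it as-is to see the constructed case; for your own name, call `check_validation_paths("www.yourdomain.example")` with the defaults from a host outside your network, because a probe from inside the LAN goes through the router's hairpin path rather than the modem firewall the validator hits.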

This is the current DNS setting on the domain name provider:

I suspect it is because the A record is actually a web forward, as I cannot enter the DDNS name in the A record since it only accepts numbers, I think. It gives me an "invalid IP address" error if I type the synology.me link.

Here are more screens from the config:

Maybe I have to add lumiballs.be to the CNAME record too?

The AAAA record (IPv6) is empty.

DNS rules do not allow CNAME for the registered name.

At lumiballs.be it is empty, but since your www domain CNAMEs to the Synology domain name, there is an AAAA record there.

Yes, you may want to switch the web forward off and instead use the same IP address as the CNAME synology does. I don't know how you'd keep that up to date with your DDNS though.

The web forward does not work well anyway. HTTPS requests to your registered name fail as I showed above. Maybe just quit using that domain name and use www always. You still need to fix the AAAA record for that though.

2 Likes

Possibly not what you're looking for but Synology devices have HTTPS enabled when the QuickConnect service is enabled.

Would that work for you if you're simply looking to secure your access or could it even be interfering with your setup?