Certificate request with Synology with subdomains

My domain is:

edtric.synology.me (Synology DDNS to my NAS drive behind a router/firewall)
rhobotika.com (Domain is registered with GoDaddy but hosted on Bigcommerce)
gitlab.rhobotika.com (Subdomain with GoDaddy A Record forwarding to edtric.synology.me)
nas.rhobotika.com (Subdomain with GoDaddy A Record forwarding to edtric.synology.me)

I ran this command:
I used the Synology Security Center and the Let's Encrypt certificate UI to request a certificate for
edtric.synology.me (DDNS) (Certificate granted and able to connect securely)

Repeated for rhobotika.com domains but got:
“Failed to Connect to Let’s Encrypt. Please make sure the domain name is valid.”

It produced this output using:

I ran this command to view/log the /var/log/messages file
more /var/log/messages |grep encrypt > ~/letsencrypt.msg:

I have a log I can share but forum would not let me paste (log has many URLs repeated so it exceeded 20 links) or upload attachment as a new user but basically I cannot get certificates for rhobotika.com and corresponding subdomains.

My web server is (include version):

I think Synology uses NGINX as the web server. This is the output from the shell for nginx -v

nginx version: nginx/1.12.1

The operating system my web server runs on is (include version):
DSM 6.1.4-15217 Update 5

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Disk Station web UI

Hi @edtriccorp,

I'm not sure this forwarding is doing what you expect.

$ host gitlab.rhobotika.com
gitlab.rhobotika.com has address 184.168.221.14
$ host edtric.synology.me
edtric.synology.me has address 23.242.8.204
edtric.synology.me has IPv6 address 2605:e000:849d:800::1

These are different servers with different IP addresses. If you mean for them to be the same server, the DNS isn't set up properly. If you mean for the 184.168.221.14 server to be doing HTTP forwarding to the other server, that HTTP forwarding apparently isn't set up.

Hi @schoen,

My intention is to eventually have each of the subdomains point to my NAS drive. Then probably use a reverse proxy on the NAS to forward to services on the NAS. I am unsure if it is relevant but I am forwarding with masking i.e. the user will never see edtric.synology.me in the URL bar.

For example: gitlab.rhobotika.com will forward to edtric.synology.me which will then forward to a GitLab docker container running on the NAS behind NGINX with load balancing.

I have control of the DNS. Let me review your findings and run some more tests. I really appreciate the fast response. That is awesome!

I just spoke with GoDaddy. They suggested waiting a full 48 hours for full DNS propagation/resolution to take place. The subdomains were just added today. If they do not resolve to the same IP in 48 hours they will investigate on their end. I will revisit this topic after my findings.

OK. I got this partially resolved. Basically the GoDaddy Web UI mistakenly creates an A record instead of a CNAME which is what I needed because I do not control the DDNS IP address. I still cannot create a certificate however. I suspect I know what the problem is but I am unsure what is the best way to approach the solution. My main domain is registered with GoDaddy but the site is hosted on Bigcommerce yet I am attempting to request/create a security certificate for my NAS i.e. the main domain IP would resolve inconsistently with the subdomains and DDNS IPs. Advice on the most efficient approach would be highly appreciated.

Hi @schoen ,

ping -4 edtric.synology.me
PING edtric.synology.me (23.242.8.204) 56(84) bytes of data.

ping -4 nas.rhobotika.com
PING edtric.synology.me (23.242.8.204) 56(84) bytes of data.

ping -4 gitlab.rhobotika.com
PING edtric.synology.me (23.242.8.204) 56(84) bytes of data.

Above is the ping output showing that all the domains now resolve to the same IP. Here is a screen shot from the NAS UI:

Port 80 is open on my router until I get the certificate approved.

Unsure where to go from here?

Thanks,

Wess

Well, I agree that you’ve cleaned up the DNS records in terms of making them point at the same place.

The immediate problem now is that your IPv6 connectivity doesn’t work. There could be many reasons for this, but your device is not reachable over IPv6. You still need to diagnose this and get IPv6 working, or else remove the DNS AAAA record.

@schoen … interesting… I obtained a Let's Encrypt certificate for edtric.synology.me not too long ago.

Here is a screen shot:

Also I do not have AAAA records in DNS. I am using a CNAME to point each of nas.rhobotika.com and gitlab.rhobotika.com to edtric.synology.me.

Hmmm, I guess something was working then that's not working now (or the client you were using might be using the DNS-01 method instead of the HTTP-01 method—are you using the same software and interface to try to obtain the current certificates that you used to obtain the previous one?).

Sure, but edtric.synology.me itself does have an AAAA record, and the CNAME is interpreted as pointing to that record as well and so that IPv6 address will be used in trying to validate control over the rhobotika names.
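The point made above, that a name which is a CNAME also picks up the target's AAAA record, can be checked before requesting a certificate. The following is an added example, not part of the original thread: `ZONE` is constructed sample data using the names and addresses quoted in the posts, and `resolve`, `preflight` and the `reachable` set are hypothetical helpers. It assumes a validator may connect to any address a name resolves to.

```python
# Added example: offline pre-flight check for HTTP-01 names that are CNAMEs.
# ZONE is constructed sample data; names and addresses are those quoted in this thread.
ZONE = {
    "edtric.synology.me": {"A": ["23.242.8.204"],
                           "AAAA": ["2605:e000:849d:800::1"]},
    "nas.rhobotika.com": {"CNAME": "edtric.synology.me"},
    "gitlab.rhobotika.com": {"CNAME": "edtric.synology.me"},
}

def resolve(name, zone, max_hops=8):
    """Follow CNAMEs; return (CNAME chain, A addresses, AAAA addresses)."""
    chain = [name]
    for _ in range(max_hops):
        records = zone.get(chain[-1], {})
        target = records.get("CNAME")
        if target is None:
            return chain, records.get("A", []), records.get("AAAA", [])
        if target in chain:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
    raise ValueError(f"CNAME chain longer than {max_hops} hops")

def preflight(names, zone, reachable):
    """Map each name to the published addresses that are not in `reachable`.

    Assumption: a validator may connect to any address the name resolves to,
    so every A and AAAA address has to answer on port 80.
    `reachable` is the set of addresses confirmed from outside the network.
    """
    findings = {}
    for name in names:
        chain, a, aaaa = resolve(name, zone)
        bad = [ip for ip in a + aaaa if ip not in reachable]
        if bad:
            findings[name] = {"via": chain[-1], "unreachable": bad}
    return findings

if __name__ == "__main__":
    names = ["nas.rhobotika.com", "gitlab.rhobotika.com"]
    for name, f in preflight(names, ZONE, {"23.242.8.204"}).items():
        print(f"{name}: {f['unreachable']} inherited from {f['via']}")
```

With real data, the zone dictionary would be filled from `host` or `dig` output, and the reachable set from a port 80 test run from outside the network.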

I am using (working from) the Synology Disk Station Manager (DSM) web UI for my NAS. It is the only one I have so I believe the answer is "Yes".

I do not have control of the Synology assigned DDNS. Would it make sense for me to change my CNAMES to AAAA records for the gitlab and nas subdomains?

@schoen : I just realized that AAAA record is not an option. I do not have or control the IP address of the DDNS provided by Synology. AAAA requires a specific IP address to point to.

If you have IPv6 connectivity, a firewall is probably blocking the ports inbound to the Synology device.

With IPv4, each device on your network shares an IPv4 address, and a port forward is required to connect a port of that IP address to a particular host on your network. Setting a port forward on your router automatically opens the port in the router’s IPv4 firewall.

But with IPv6, each device on your network has its own IPv6 address. There is no need to forward ports to make them accessible externally. However, to protect the devices on your network, your router still firewalls off inbound IPv6 connections for all the IPv6 hosts on your network.

So instead of port forwarding like with IPv4, for IPv6 you just need to open the port in your router’s firewall.

Your router may have an “IPv6 Firewall” configuration screen, or it may have a single “Firewall” configuration screen that supports both IPv4 and IPv6. Either way, you should be able to use it to open ports 80 and 443 for your Synology device’s IPv6 address.

If you’re not sure how to do this, please share the brand and model of router you are using. Some have poor or confusing IPv6 capabilities…

OK. Thanks to all the hints and help you guys provided I got this resolved. It is a bit tricky so I will do my best to share what had to be done.

The Synology LAN interfaces have IPV4 and IPV6 options. I was using LAN1 (NIC) interface and it had IPV6 enabled to “Auto”. I needed to disable this from the Network settings within the control panel.

To add insult to injury even after disabling the IPV6 option from the LAN1 interface the IPV6 address stays bound to the DDNS via Synology service. You would think you can just delete the IPV6 address but you will just get an “invalid setting” error. You must reboot or restart the services if you are a command line guru. It is just easier to reboot.

After rebooting the NAS drive the IPV6 address is released. I could then get my certificate!

You can verify if DDNS is bound to your NAS by visiting your online Synology account.

Now the question is can I go back and support IPV6? Or is the certificate agnostic of this?

That sounds like a pretty subtle problem! If you have any kind of channel to Synology, maybe you could somehow suggest that they could make this a little clearer.

Thanks for sharing your solution here… it may be helpful to other Synology users!

Could not have done it without you guys. You gave me the bread crumb trails! I will submit to Synology via support. Hopefully, I can cross link to here to make life easy.

Thanks again guys!

This is KEY information that belongs in some expert system. Thanks edtriccorp!
