Certificate Revoked Error

My domain is: johnlush.net

I’m running a Synology Diskstation and have been using a Let’s Encrypt certificate without issue for the past year or more. This morning my email client refused to connect to the MailPlus Server package on the Synology, stating that the certificate was revoked. Similarly, accessing the web portal on the same machine via a browser results in an error “This organization’s certificate has been revoked”. Looking at the certificate control panel on the Synology showed that the expiration date was within 60 days and did not show an issue with the certificate. For good measure I ran the renewal process, which was successful and now shows the certificate valid thru 2019-12-30, but devices accessing it still report that it’s revoked. Any thoughts or guidance would be greatly appreciated. -John

Hi @Johnlush

that's a known problem.

Check your Diskstation, there should be an update. That fixes the problem.


That was my suspicion as well. But I’m running the current DSM Version: 6.2.2-24922-3 released 2019-08-21 and all of the other packages are up to date. Is what you are referring to a patch to the current DSM? I looked at the release notes and the only new feature was:

“Updated the protocol of Let’s Encrypt to ACME V2 to enhance the stability of the registration process.”

I will look at the Synology forums as well to see what I can find.

Thank you,

John


That's the older topic.

A user with the same problem, then he found a solution.

Thanks. The solution that worked for him was to delete the certificate and create a new one. When I do this I now get the message “Maximal certificate requests reached for this domain name”.

Do I assume this error is due to having recently renewed, deleted and attempted to create a new certificate? Will this reset itself after some period of time or do I need to do something, if so, what would that be?

“Maximal certificate requests reached for this domain name”.

That's not the official error message.

Check

You have only two new certificates - https://check-your-website.server-daten.de/?q=johnlush.net#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-10-01 | 2019-12-30 | mail.fubaranch.com, mail.johnlush.net - 2 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-10-01 | 2019-12-30 | mail.fubaranch.com, mail.johnlush.net - 2 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-07-29 | 2019-10-27 | mail.fubaranch.com, mail.johnlush.net - 2 entries | | |
| Let's Encrypt Authority X3 | 2019-05-20 | 2019-08-18 | mail.fubaranch.com, mail.johnlush.net - 2 entries | | |

So it's the failed validation limit, not the 5 identical certificates limit. One hour later, it's gone.

Juergen,

That was very helpful - thank you! As it turns out I was formatting my request incorrectly. Once that was corrected I was able to create my certificate successfully. Once again, thank you for your kind help.

John

Hi. Same problem here. Could you please describe how you solved your problem from “formatting my request incorrectly”? Thanks.

Maybe I’m answering my own question, but in Synology DSM I was creating my Let’s Encrypt certs like this:

What I did before (certificate revoked):

Get a Certificate from Let’s Encrypt
Domain name: home.mydomain.dom
Email: myname@mydomain.dom
Subject Alternative Name: home.mydomain.dom <-- I repeated the Domain name field above

What I did now (created new Let’s Encrypt Certificate):

Get a Certificate from Let’s Encrypt
Domain name: home.mydomain.dom
Email: myname@mydomain.dom
Subject Alternative Name: (leave blank)

This seems to have worked so far.

Hi Scott,

I think you’re on the right track. My mistake was I used <mydomain.net> in the domain name field and my FQDN <sub.mydomain.net> as the subject alternate domain. Once I set my FQDN as domain name and did not repeat that as a SAN then it worked fine. Not sure if this process changed in the DSM or I had just forgotten the process from when I had originally set it up.

@Johnlush

I know this may be a bit late for your issue, but hopefully it can help others.

I had the same issue you are describing with revoked Let's Encrypt certificates on both of my Synology systems. I turned off OCSP queries in Firefox and was ignoring the issue, but was hoping to find an actual fix instead of a workaround. Renewing the certificate did not resolve the issue, but after reading this thread I went in search of the software update @JuergenAuer mentioned and found a 6.2.2 Patch 4 that has resolved the issue for me. It is not showing up in the Update & Restore on the NAS. I had to download the PAT file from Synology and apply it manually. It’s only been out for a little over a week. I’m assuming it will eventually appear in the NAS interface, but manually applying it and then renewing my certificate resolved my issue and prevented needing to delete and recreate the certificate.

For those who have not done an update manually before, here are the steps to find the patch:

  • Go to Synology website and choose Download Center from under the Support menu.
  • Choose NAS on the left and search for your NAS model. Click on it when it comes up in the list.
  • Make sure Operating System is selected at the top, then find DSM 6.2.2 and choose All Downloads on the right.
  • On the page that comes up, choose criticalupdate -> update_pack -> 24922-4
  • Find the file that ends in .pat and has the correct model number for your NAS. The .md5 file can be used to validate your download, but is optional.
  • Once you have the .pat file downloaded you can use the Manual DSM Update process through the Update & Restore module in Control Panel. Just choose that option and select the .pat file you downloaded.
  • This will require a NAS reboot during the update process.

After updating the NAS to Patch 4, the certificate revoked issue will still exist, but renewing the certificate again through the Security module fixed the issue for me on both systems.

One thing to note: when you renew the certificate, the NAS will go through the process and then say “Restarting the web server.” This step hung for me for a long time, I’m assuming because the certificate changed. Reloading the page corrected the issue and now everything is working.

Hope this helps.

