Certificate suddenly not auto-renewing on Synology NAS


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: krang.myds.me

I ran this command: /usr/syno/sbin/syno-letsencrypt renew-all

It produced this output: Nothing

My web server is (include version): Not sure

The operating system my web server runs on is (include version): DSM 6.2-23739 Update 2

My hosting provider, if applicable, is: Synology (I assume)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I hope the above is correct.

I’m running a Synology DS116 single bay NAS drive and for probably the past year, or more, I’ve had a task set up on the 1st of each month to auto-renew my certificate.

This has worked for as far back as I can remember. I think I had one problem months ago but I manually ran the above command to renew the certificate and it worked fine so I just left it and forgot about it.

Tried to log in to my control panel today only for Chrome to tell me the site was ‘not secure’, but I went and logged in anyway to find out that the certificate hadn’t renewed and had expired.

“Ok” I thought, and I went and I clicked on the script in the task scheduler to just manually run it but it didn’t do anything - the site was still saying it was ‘not secure’.

Used PuTTY to log in directly and manually run the script on the command line - it ran with no errors but it still hadn’t renewed the certificate. I even rebooted the NAS and cleared the cookies and cache for the last 24 hours through Chrome but still nothing.

Is there something I’m missing? Thanks.


#2

Hi,

Can you please try to run the command /usr/syno/sbin/syno-letsencrypt renew-all and share the output with us?
Now the “secure” version of your site is not loading for me… (error : ERR_SSL_PROTOCOL_ERROR Invalid Response)

Thank you


#3

Hi,

I’ve run the command manually via PuTTY and there is no output to speak of - I just assumed it renews the certificate and that was that.

#edit

OK, I’ve just passed the -vv debug argument to the command and got this …

DEBUG: Issuer name of certificate. [Let’s Encrypt]->[/usr/syno/etc/certificate/_archive/sP0YM1/cert.pem]


#4

Hi @ClemFandango

Isn’t there a better log?

You have a lot of certificates

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:a3JhbmcubXlkcy5tZTp0cnVlOmZhbHNlOjpFQUU9&cert_search=include_expired:true;include_subdomains:false;domain:krang.myds.me&lu=cert_search_cert

First from 08.10.2016, but the last … expired.

https://krang.myds.me:5001/

Perhaps you have an older syno-letsencrypt version which needs an update.


#5

Would those entries not correspond to the times I’ve run the auto renew script though?

I’ve checked for an update to the DSM software and it’s currently up to date at the moment so I would also assume that that means the syno-letsencrypt script is also up to date.

The “-vv” option is the only option you can pass to it for any kind of debugging output I’m afraid - I appreciate this probably doesn’t help much. I’ve searched around and some people seem to suggest that if the certificate has expired, the only solution is to re-create a whole new one.

There


#6

Isn’t it possible to create a new certificate?

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate

looks good.


#7

Yes, I will try this at some point today and hopefully the auto-renew script will work on the new one.

#edit

Just done this - created the new certificate and set it as default. I’ve removed the expired one as well.

Imported the cert.pem file into Chrome, restarted and it’s now correctly coming up as ‘secure’ with the https URL for the domain so it all looks good for now.

If I could bother you with one final question, what’s the best way to handle the renewal?

I’ve got port 80 open on my router as required, so would that be enough? Or should I still look to run the auto-renewal script on a regular basis?

Thank you for all your help so far.


#8

Yep, happy to see, now

https://krang.myds.me:5001/

works. :wink:

That should be enough. From the link:

Certificates issued by Let’s Encrypt are valid for 90 days. Before the certificates expire, DSM will automatically renew such certificates after successful domain validation. Please make sure your Synology NAS and router have port 80 open for certificate renewal.

If such an integrated solution exists, it’s the better choice.
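
Added example, not part of the original thread or of Synology's tooling: because the renew command in this thread printed nothing even though the certificate had expired, a scheduled expiry check gives an independent signal that renewal has stopped working. It assumes the `openssl` command is available and that certificates sit at `<id>/cert.pem` under the archive directory shown in the debug line of post #3; the function names and the 30-day threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: flag certificates that are expired or close to expiry.
# Assumption: layout <root>/<id>/cert.pem, taken from the debug line in the thread.
CERT_ROOT="${CERT_ROOT:-/usr/syno/etc/certificate/_archive}"
WARN_DAYS="${WARN_DAYS:-30}"   # assumed threshold, adjust to taste

# cert_status FILE DAYS -> prints unreadable | expired | expiring | ok
cert_status() {
    file=$1
    days=$2
    # Not parseable as an X.509 certificate at all
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 0
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$file" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "ok"
    fi
}

# check_all ROOT DAYS -> one line per certificate; returns 1 if any is not "ok"
check_all() {
    root=$1
    days=$2
    rc=0
    for pem in "$root"/*/cert.pem; do
        [ -f "$pem" ] || continue
        status=$(cert_status "$pem" "$days")
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) \
            || end="notAfter=unknown"
        echo "$status $pem ${end#notAfter=}"
        [ "$status" = "ok" ] || rc=1
    done
    return $rc
}

# Typical scheduled use: check_all "$CERT_ROOT" "$WARN_DAYS" || <send an alert>
```

With a 90-day certificate lifetime, a 30-day threshold leaves time to investigate a failed renewal before browsers start rejecting the certificate.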


#9

That’s great to know, thank you.

I’ll remove the task from the scheduler then for automatic renewal so hopefully we’ll be ok after Santa visits :smile:


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.