Could not renew certificate in Synology NAS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ccs.crs.cuhk.edu.hk

I ran this command: curl -v https://acme-v02.api.letsencrypt.org/directory

It produced this output:

* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/2 200
< server: nginx
< date: Fri, 22 Apr 2022 06:55:07 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "MOre7lco3CA": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

My web server is (include version): apache 2.4.43

The operating system my web server runs on is (include version): DSM 6.2.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Hi @jingle, and welcome to the LE community forum :)

I would try updating the DSM version first:


Thanks. The Synology NAS is on DSM 6.2.4-25556 Update 5, which is the most up-to-date one in version 6.2.4. I could not upgrade to DSM 7.0 for some reasons.


When I run Let's Debug, the error is connection reset by peer.
However, the website could be viewed under http and https.


If there is a firewall, please review the firewall logs.


I could find the outgoing traffic from my Synology NAS to the 172.65.32.248 server.
However, I could not find the incoming traffic from 172.65.32.248 to my NAS for renewing the certificate.
What is the IP address of the Let's Encrypt service that reaches the NAS for certificate renewal? Please advise. Thanks.


The incoming (verification) would NOT be from the same IP.


I have already opened ports 80 and 443 for my NAS; my website can be reached from the internet.
If the incoming IP address is not the same as the one for outgoing, how could I check this case? Thanks.


Check the web server logs.


Checked the Apache log; it has autoindex errors and proxy_fcgi errors, not sure which one is related to certificate renewal. Thanks.

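The two replies above ("the verification would not be from the same IP" and "check the web server logs") point at the right check: instead of looking for one source address, look in the Apache access log for requests under /.well-known/acme-challenge/, which is the only path a Let's Encrypt validator ever fetches. The script below is an added example, not code from the thread or from Let's Encrypt; the log lines embedded in it are constructed, and the validator User-Agent string is shown as it appears in practice but is not required for the match. If the log shows no such requests at all while renewal fails, the validators never reached Apache (something in front of it, such as a firewall, dropped or reset them); if they appear with 404, Apache was reached but is not serving the challenge file.

```python
"""Find ACME HTTP-01 validation attempts in an Apache access log.

Added example (not from the original thread). Let's Encrypt validates
from several vantage points, so the requests do not come from the IP the
NAS talks to for the ACME API; match on the request path instead.
The sample log below is constructed, not real traffic.
"""
import re
from collections import Counter

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: two validator fetches of one token (one served, one 404),
# an unrelated page view, and a manual curl of the challenge directory.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2022:03:41:58 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [25/Apr/2022:03:41:59 +0000] "GET /.well-known/acme-challenge/AbC123 HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [25/Apr/2022:03:42:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "curl/7.54.0"
192.0.2.44 - - [25/Apr/2022:03:42:05 +0000] "GET /.well-known/acme-challenge/ HTTP/1.1" 403 199 "-" "curl/7.54.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def acme_requests(log_text):
    """Return parsed entries whose path is under the ACME challenge directory."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["path"].startswith(CHALLENGE_PREFIX):
            e["token"] = e["path"][len(CHALLENGE_PREFIX):]
            out.append(e)
    return out


def summarize(log_text):
    """Per token: the set of source IPs that fetched it and a Counter of statuses."""
    summary = {}
    for e in acme_requests(log_text):
        s = summary.setdefault(e["token"], {"ips": set(), "status": Counter()})
        s["ips"].add(e["ip"])
        s["status"][int(e["status"])] += 1
    return summary


if __name__ == "__main__":
    for token, s in summarize(SAMPLE_LOG).items():
        print(f"token={token or '(directory)'!r} from={sorted(s['ips'])} status={dict(s['status'])}")
```

Run it against the real file with `summarize(open("/var/log/httpd/access_log").read())` (path varies by DSM package); the point is that the absence of any challenge-path entries at the moment of a failed renewal is itself the finding.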

Do you have a Palo Alto brand router / firewall? These products recently added a block of Let's Encrypt cert validations. The symptom is these "reset by peer" errors when trying the acme challenge URL. If so, see this description

Trying your server. See the differences?

curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/ChallengeToken
curl: (56) Recv failure: Connection reset by peer

curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
curl: (56) Recv failure: Connection reset by peer

curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 25 Apr 2022 03:42:01 GMT
Content-Type: text/html
Content-Length: 162
Location: http://ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
Connection: keep-alive
Keep-Alive: timeout=20
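
The curl differences above are the diagnostic: a request for anything under /.well-known/acme-challenge/ gets a TCP reset, while the same host answers normally one path level up, so the reset is selective and not a down server. The script below is an added example, not code from the thread, that performs that probe the way an ACME validator would and classifies the outcome (HTTP status, wrong challenge body, reset, refused, timeout). The two local servers in it are constructed stand-ins so it can be exercised offline: an honest web server that serves one token, and a firewall look-alike that sends RST only for challenge-path requests; the token and thumbprint values are made up. Against the real host you would call probe("ccs.crs.cuhk.edu.hk", token) with the token from the failing order.

```python
"""Probe an HTTP-01 challenge URL like an ACME validator and classify the result.

Added example, not from the thread. Local servers below are constructed
stand-ins (SO_LINGER trick assumes a Linux-style struct linger of two ints).
"""
import http.client
import socket
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "ChallengeToken"                  # constructed sample token
THUMB = "constructed-account-thumbprint"  # stand-in for the account key thumbprint


def fetch(host, port, path, timeout=5):
    """GET path. Returns ('http', status, body) or ('reset'|'refused'|'timeout', None, None)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "acme-probe/0 (added example)"})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace")
        conn.close()
        return ("http", resp.status, body)
    except ConnectionResetError:       # curl's "(56) Recv failure: Connection reset by peer";
        return ("reset", None, None)   # http.client.RemoteDisconnected is a subclass of this
    except ConnectionRefusedError:
        return ("refused", None, None)
    except socket.timeout:
        return ("timeout", None, None)


def probe(host, token, port=80, timeout=5):
    """Classify an HTTP-01 fetch: 'ok', 'wrong-body', 'http-<status>', 'reset', 'refused', 'timeout'."""
    kind, status, body = fetch(host, port, CHALLENGE_PREFIX + token, timeout)
    if kind != "http":
        return kind
    if status != 200:
        return f"http-{status}"
    # The key authorization is "<token>.<thumbprint>"; only the token half is checked here.
    return "ok" if body.strip().startswith(token + ".") else "wrong-body"


class _Honest(BaseHTTPRequestHandler):
    """Web server that serves the challenge file for TOKEN and 404s everything else."""
    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + TOKEN:
            status, body = 200, f"{TOKEN}.{THUMB}".encode()
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_honest():
    srv = HTTPServer(("127.0.0.1", 0), _Honest)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def start_resetting_firewall():
    """Stand-in for a middlebox that RSTs connections asking for ACME challenge paths
    and lets everything else through (here it simply answers 200 itself)."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", 0))
    ls.listen(5)

    def loop():
        while True:
            c, _ = ls.accept()
            req = c.recv(4096).decode("latin-1", "replace")
            path = req.split(" ", 2)[1] if req.count(" ") >= 2 else ""
            if path.startswith(CHALLENGE_PREFIX):
                # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
                c.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                c.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            c.close()

    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]


if __name__ == "__main__":
    honest, firewall = start_honest(), start_resetting_firewall()
    print("honest server, right token :", probe("127.0.0.1", TOKEN, honest))
    print("honest server, wrong token :", probe("127.0.0.1", "nope", honest))
    print("behind resetting firewall  :", probe("127.0.0.1", TOKEN, firewall))
    print("firewall, non-ACME path    :", fetch("127.0.0.1", firewall, "/")[:2])
```

A "reset" from outside combined with no matching line in the Apache access log is the signature of an inline device answering for the server; an "http-404" means the request reached Apache and the fault is in how the challenge file is published.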

Thanks, we do have Palo Alto firewall to protect the Synology NAS. Let me check with firewall team.


Thanks, MikeMcQ and rg305. The problem is solved by allowing acme-protocol in the Palo Alto firewall policy.
