Could not renew certificate in Synology NAS

jingle · April 22, 2022, 7:19am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ccs.crs.cuhk.edu.hk

I ran this command: curl -v https://acme-v02.api.letsencrypt.org/directory

It produced this output:

TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS change cipher, Client hello (1):
TLSv1.2 (IN), TLS handshake, Finished (20):

GET /directory HTTP/2
Host: acme-v02.api.letsencrypt.org
User-Agent: curl/7.54.0
Accept: /

< HTTP/2 200
< server: nginx
< date: Fri, 22 Apr 2022 06:55:07 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
"MOre7lco3CA": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

My web server is (include version): apache 2.4.43

The operating system my web server runs on is (include version): DSM 6.2.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

rg305 · April 22, 2022, 12:58pm

Hi @jingle, and welcome to the LE community forum

I would try updating the DSM version first:

jingle · April 22, 2022, 1:19pm

Thanks. The Synology NAS is DSM 6.2.4-25556 Update 5 which is the most update one in ver 6.2.4. I could not upgrade to DSM 7.0 due to some reasons.

jingle · April 22, 2022, 1:22pm

When I run Let's Debug, the error is connection reset by peer.
However, the website could be viewed under http and https.

rg305 · April 22, 2022, 1:28pm

If there is a firewall, please review the firewall logs.

jingle · April 25, 2022, 2:07am

I could find the outgoing traffic from my Synology NAS to 172.65.32.248 server.
However, I could not find the incoming traffic from 172.65.32.248 to my NAS for renewal the certificate.
What is the IP address of Let's encrypt service to reach the NAS for certificate renewal? Please advise. Thanks.

rg305 · April 25, 2022, 2:28am

The incoming (verification) would NOT be from the same IP.

jingle · April 25, 2022, 2:32am

I have already open port 80 and 443 for my NAS, my website could be reached from the internet.
If the incoming IP Address is not the same as the one for outgoing, how could I check this case? Thanks.

rg305 · April 25, 2022, 2:42am

Check the web server logs.

jingle · April 25, 2022, 3:03am

Checked from apache log, it has autoindex error and proxy_fcgi error, not sure which one is related to certificate renewal. Thanks.

MikeMcQ · April 25, 2022, 3:45am

Do you have a Palo Alto brand router / firewall? These products recently added a block of Let's Encrypt cert validations. The symptom is these "reset by peer" errors when trying the acme challenge URL. If so, see this description

Trying your server. See the differences?

curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/ChallengeToken
curl: (56) Recv failure: Connection reset by peer

curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
curl: (56) Recv failure: Connection reset by peer

curl -I ccs.crs.cuhk.edu.hk/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 25 Apr 2022 03:42:01 GMT
Content-Type: text/html
Content-Length: 162
Location: http://ccs.crs.cuhk.edu.hk/.well-known/acme-challenge/
Connection: keep-alive
Keep-Alive: timeout=20

jingle · April 25, 2022, 4:24am

Thanks, we do have Palo Alto firewall to protect the Synology NAS. Let me check with firewall team.

jingle · April 25, 2022, 5:09am

Thanks, MikeMcQ and rg305. Problem is solved by allowing acme-protocol in Palo Alto firewall policy.

system · May 25, 2022, 5:09am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.