Creation of SSL cert on synology issue

kotkotcodec · March 28, 2022, 7:23am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | maison.francois.cc), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: maison.francois.cc

I ran this command: Create new cert from synology interface

It produced this output: Cannot validate this domain name

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Free; fixed IP

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Synology 7.0.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thanks a lot

9peppe · March 28, 2022, 7:40am

Your IPv4 and your IPv6 point to different machines (or your server is listening differently on them.) (~~No, not really, nmap isn't telling that, but you should still check it~~. Ok, I'm changing my mind again, nmap tells me that, if I scan the standard ports instead of port 80 alone.)

IPv4 needs port forwarding but each device on your network has their own public IPv6 address. You need to use the right one, the IPv4 for the router but the IPv6 for the actual device.

% nmap -6 -A -Pn -p80  maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:37 CEST
Nmap scan report for maison.francois.cc (2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96)
Host is up (0.00044s latency).
Other addresses for maison.francois.cc (not scanned): 82.64.71.225

PORT   STATE    SERVICE VERSION
80/tcp filtered http

Host script results:                                                        | address-info:
|   IPv6 EUI-64:
|     MAC address:                                                          |       address: a0:ce:c8:e8:8e:96
|_      manuf: CE Link Limited

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds

% nmap -4 -A -Pn -p80  maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:37 CEST
Nmap scan report for maison.francois.cc (82.64.71.225)
Host is up.
Other addresses for maison.francois.cc (not scanned): 2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96
rDNS record for 82.64.71.225: 82-64-71-225.subs.proxad.net

PORT   STATE    SERVICE VERSION
80/tcp filtered http

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.89 seconds

% nmap -4 -A -Pn   maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:45 CEST
Nmap scan report for maison.francois.cc (82.64.71.225)
Host is up (0.096s latency).
Other addresses for maison.francois.cc (not scanned): 2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96
rDNS record for 82.64.71.225: 82-64-71-225.subs.proxad.net
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
5000/tcp open  http     nginx
|_http-title: Site doesn't have a title.
| http-robots.txt: 1 disallowed entry
|_/
5001/tcp open  ssl/http nginx
| ssl-cert: Subject: commonName=francois.familyds.net
| Subject Alternative Name: DNS:*.francois.familyds.net, DNS:francois.familyds.net
| Not valid before: 2022-02-16T04:23:28                                     |_Not valid after:  2022-05-17T04:23:27
|_ssl-date: TLS randomness does not represent time                          | http-robots.txt: 1 disallowed entry
|_/
|_http-title: ELMHOME_DATA&nbsp;-&nbsp;Synology&nbsp;DiskStation

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.23 seconds
% nmap -6 -A -Pn   maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:47 CEST
Nmap scan report for maison.francois.cc (2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96)
Host is up (0.00026s latency).
Other addresses for maison.francois.cc (not scanned): 82.64.71.225
All 1000 scanned ports on maison.francois.cc (2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96) are in ignored states.
Not shown: 1000 filtered tcp ports (net-unreach)

Host script results:
| address-info:
|   IPv6 EUI-64:
|     MAC address:
|       address: a0:ce:c8:e8:8e:96
|_      manuf: CE Link Limited

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
%

9peppe · March 28, 2022, 8:25am

If you ask "why does this matter"...

The Let's Encrypt validation robots try and connect over IPv6 if you have an AAAA record. If you don't answer, they complain. Loudly.

kotkotcodec · March 28, 2022, 8:36am

Thanks a lot for your reply
I've solve my issue

I've descativate the Syno Firewall for the certificate creation
No everything is working fine

Thanks for support

9peppe · March 28, 2022, 8:39am

Good, because I wasn't even too sure I have IPv6 connectivity where I am now. All those commands could've meant nothing.

system · April 27, 2022, 8:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't create certificate for 1 domain on Synology others do work on same NAS Help	7	843	July 16, 2019
Certificate request keeps failing on Synology NAS Help	13	901	August 4, 2025
Error getting Let's Encrypt certificate with IPV4 Help	5	1481	April 28, 2020
Certificate request with Synology with subdomains Help	18	10354	March 25, 2018
Can't get a cert on Synology NAS Help	54	5551	September 9, 2020

Creation of SSL cert on synology issue

Related topics