Creation of SSL cert on synology issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | maison.francois.cc), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: maison.francois.cc

I ran this command: Create new cert from synology interface

It produced this output: Cannot validate this domain name

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Free; fixed IP

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Synology 7.0.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thanks a lot


Your IPv4 and your IPv6 point to different machines (or your server is listening differently on them.) (No, not really, nmap isn't telling that, but you should still check it. Ok, I'm changing my mind again, nmap tells me that, if I scan the standard ports instead of port 80 alone.)

IPv4 needs port forwarding, but each device on your network has its own public IPv6 address. You need to use the right one: the IPv4 for the router but the IPv6 for the actual device.

% nmap -6 -A -Pn -p80  maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:37 CEST
Nmap scan report for maison.francois.cc (2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96)
Host is up (0.00044s latency).
Other addresses for maison.francois.cc (not scanned): 82.64.71.225

PORT   STATE    SERVICE VERSION
80/tcp filtered http

Host script results:
| address-info:
|   IPv6 EUI-64:
|     MAC address:
|       address: a0:ce:c8:e8:8e:96
|_      manuf: CE Link Limited

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
% nmap -4 -A -Pn -p80  maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:37 CEST
Nmap scan report for maison.francois.cc (82.64.71.225)
Host is up.
Other addresses for maison.francois.cc (not scanned): 2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96
rDNS record for 82.64.71.225: 82-64-71-225.subs.proxad.net

PORT   STATE    SERVICE VERSION
80/tcp filtered http

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.89 seconds
% nmap -4 -A -Pn   maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:45 CEST
Nmap scan report for maison.francois.cc (82.64.71.225)
Host is up (0.096s latency).
Other addresses for maison.francois.cc (not scanned): 2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96
rDNS record for 82.64.71.225: 82-64-71-225.subs.proxad.net
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
5000/tcp open  http     nginx
|_http-title: Site doesn't have a title.
| http-robots.txt: 1 disallowed entry
|_/
5001/tcp open  ssl/http nginx
| ssl-cert: Subject: commonName=francois.familyds.net
| Subject Alternative Name: DNS:*.francois.familyds.net, DNS:francois.familyds.net
| Not valid before: 2022-02-16T04:23:28
|_Not valid after:  2022-05-17T04:23:27
|_ssl-date: TLS randomness does not represent time
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: ELMHOME_DATA - Synology DiskStation

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.23 seconds
% nmap -6 -A -Pn   maison.francois.cc
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 09:47 CEST
Nmap scan report for maison.francois.cc (2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96)
Host is up (0.00026s latency).
Other addresses for maison.francois.cc (not scanned): 82.64.71.225
All 1000 scanned ports on maison.francois.cc (2a01:e0a:834:5780:a2ce:c8ff:fee8:8e96) are in ignored states.
Not shown: 1000 filtered tcp ports (net-unreach)

Host script results:
| address-info:
|   IPv6 EUI-64:
|     MAC address:
|       address: a0:ce:c8:e8:8e:96
|_      manuf: CE Link Limited

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
%

If you ask "why does this matter"...

The Let's Encrypt validation robots try and connect over IPv6 if you have an AAAA record. If you don't answer, they complain. Loudly.

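The dual-stack check behind this answer, as an added example that is not part of the original thread: it resolves every A and AAAA record for a name and tests TCP port 80 on each address, since the validation robots connect over IPv6 when an AAAA record exists. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket
import sys

def resolve(host, port=80):
    """Return sorted (family, address) pairs for every A and AAAA record."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0])
                   for fam, _, _, _, sa in infos
                   if fam in (socket.AF_INET, socket.AF_INET6)})

def probe(address, port=80, timeout=5.0):
    """Classify a TCP connect as open, closed (refused) or filtered (dropped)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or unreachable: a firewall or missing route
        return "filtered"

def preflight(host, port=80, resolver=resolve, prober=probe):
    """Probe every published address and list the ones that do not answer."""
    results = [(fam, addr, prober(addr, port))
               for fam, addr in resolver(host, port)]
    problems = [f"{fam} {addr}: port {port} is {state}"
                for fam, addr, state in results if state != "open"]
    return results, problems

# Constructed sample data: IPv4 is forwarded by the router, while the
# device's own IPv6 address is blocked by a host firewall.
def sample_resolver(host, port):
    return [("IPv4", "192.0.2.10"), ("IPv6", "2001:db8::10")]

def sample_prober(address, port):
    return "open" if address == "192.0.2.10" else "filtered"

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real check against the name given on the command line
        results, problems = preflight(sys.argv[1])
    else:                   # offline demonstration with the constructed sample
        results, problems = preflight("example.test", resolver=sample_resolver,
                                      prober=sample_prober)
    for fam, addr, state in results:
        print(f"{fam:4} {addr:40} 80/tcp {state}")
    for line in problems:
        print("FIX BEFORE REQUESTING A CERTIFICATE:", line)
```

Run it from a machine outside the network being tested, because a probe from inside the LAN does not pass through the router's port forwarding or the same firewall path.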

Thanks a lot for your reply
I've solved my issue :slight_smile:

I've deactivated the Syno Firewall for the certificate creation :slight_smile:
Now everything is working fine :slight_smile:

Thanks for support


Good, because I wasn't even too sure I have IPv6 connectivity where I am now. All those commands could've meant nothing.

