I bought my domain name and I'm hosting one simple website on my NAS (DS418) with http connection.
Browsing this website is fine, so dyndns works. There is no submain.
As I'd like to have secure connection instead, I tried to get one cert from DSM let's encrypt embedded feature (to be installed on the NAS).
However, "doman non valid" is displayed as error message.
https://check-your-website.server-daten.de/?q=guill2v.fr looks file (green)
Thx for the support.
My domain is: guill2v.fr
I ran this command: I have entered in dialog box :
- domain name = guill2v.fr
- my e-mail address
- no other object name
It produces this output: "domain non valid.please check that this domain can be translated into public IP address"
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): DSM 7.0.1-42218
My hosting provider, if applicable, is: domain host is ovh.com
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):yes
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): N/A
The message seems pretty clear--you don't have any IP address(es) for your domain. You'll need to set up the appropriate DNS records to fix that.
Thanks Dan for my post check.
However, due to dydns, there is one A entry associated to my private ISP address behind (otherwise browsing my domain wouldn't work).
What do I miss more ?
LE can't validate such an IP.
[and no one on the Internet can reach it either]
Got it ! My ISP recently changed my connection to IPv4 CGNAT, so my external IP makes no sense as shared between several people.
Let me try to skip this and find the right IP address.
(and I forgot that 10.x.x.x IPs aren't routable )
For IPv4 CGNAT, that's not possible. Incoming connections to that ISP routers which has the "public" IPv4 configured wouldn't know where to send it. To you? Your neighbour?
AFAIK there is no such thing as CGNAT portmapping.
For IPv6 it's a different story. CGNAT isn't required for IPv6. And luckily Let's Encrypt prefers IPv6 over IPv4.
I made some progress:
- I have totally disabled the dynhost link from my ISP (server) and from my Synology NAS + my ISP router (clients) since ipv4 CGNAT is not supported
- I added DNS AAAAA entry with my NAS IPv6 adress
Now, I can reach default apache web page (port 80) of my NAS from outside.
On cert side, however I'm told that port 80 is not opened on NAS and on router :
If I try it from my end (which will of course ultimately fail), I'm getting an "incorrect challenge" error (as expected as my client here of course cannot add such a challenge file to your NAS) and not an incorrect domain error. Perhaps the DNS change didn't propogate yet? Could you try again?
Maybe your client checks for an A record? Or only supports IPv4 for some reason? You now have only the AAAA record. I also can reach your site just fine (with IPv6).
Can you be certain it is the right site?
What do you mean? It is the site indicated by the AAAA record at least. The home page says it is a new Synology Web Station. Seems likely to be right.
The only odd thing is the headers say it was nginx but first post says it is Apache 2.4.
Looks better and better. After retried the cert request from the NAS, I could get one 90-day cert as expected !
Thanks all for your support.
As summary, I'd say that removing dyndns (that doesn't support IPv4 CGNAT) and adding one redirection to my IP v6 NAS address in DNS were the trick.
As far as I know, dyndns is just a DNS service for dynamic DNS. It's your internet service provider which does the CGNAT on IPv4.
You got one but your NAS is still not sending it out. I see the Synology self-signed cert still. Also see the check-your-website tests or SSL Labs to see this. Maybe you need to restart your NAS?
No need to restart the NAS, I had to use this new cert (instead of default Synology one) on the web server.
Now, my domain is all green. I really appreciate your support guys.
Confirmed by the locker icon of any browser :
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.