[DSM 6.2.2-24922] Cannot renew subdomain

HpNoTiQ56 · May 17, 2019, 9:10am

Hi,
I’m contacting you because I’m not able to renew my subdomain cert in DSM 6.2.2-24922 through interface. I’m using a 216 play.
My domain is: hpnotiq.synology.me

I’ve checked port 80 and 443 which are opened. I can create and renew my domain hpnotiq.synology.me but not my subdomains.

Here are logs from /var/log/messages :

2019-05-17T10:56:22+02:00 NAS synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[8815]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from https://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/uQtcvEAI0pu1L07AKdGBUOwZcmx2NPz3LpjXoG4OGic [WW.XX.XX.XXX]: “\n\n \n <script type=“text/javascript”>\n <!–\n location.href = location.protocol + ‘//’ + location.ho”]
2019-05-17T10:56:22+02:00 NASsynoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[8815]: certificate.cpp:1458 Failed to renew Let’sEncrypt certificate. [102][Invalid response from https://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/uQtcvEAI0pu1L07AKdGBUOwZcmx2NPz3LpjXoG4OGic [WW.XX.XX.XXX]: “\n\n \n <script type=“text/javascript”>\n <!–\n location.href = location.protocol + ‘//’ + location.ho”]
2019-05-17T10:51:10+02:00 NAS
synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[6504]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from https://plex.hpnotiq.synology.me/.well-known/acme-challenge/8FGEEWFwvQL4PzSj1Qm3ytMyV9SRdLdy6JC9VAOhfyU [WW.XX.XX.XXX]: 401]
2019-05-17T10:51:10+02:00 NAS
synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[6504]: certificate.cpp:1458 Failed to renew Let’sEncrypt certificate. [102][Invalid response from https://plex.hpnotiq.synology.me/.well-known/acme-challenge/8FGEEWFwvQL4PzSj1Qm3ytMyV9SRdLdy6JC9VAOhfyU [WW.XX.XX.XXX]: 401]

I can login to a root shell on my machine.

JuergenAuer · May 17, 2019, 9:33am

Hi @HpNoTiQ56

there is no answer ( https://check-your-website.server-daten.de/?q=sabnzbd.hpnotiq.synology.me ):

Domainname	Http-Status	Sec.	G
• http://sabnzbd.hpnotiq.synology.me/
82.64.82.212	-2	4.650	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80

• http://www.sabnzbd.hpnotiq.synology.me/
82.64.82.212	-2	1.170	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80

• https://sabnzbd.hpnotiq.synology.me/
82.64.82.212	-2	1.157	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:443

• https://www.sabnzbd.hpnotiq.synology.me/
82.64.82.212	-2	1.160	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:443

• http://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
82.64.82.212	-2	1.174	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80
Visible Content:

• http://www.sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
82.64.82.212	-2	1.163	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80
Visible Content:

Looks like a blocking firewall.

Your error

looks like there is a script that answers. Not the content Letsencrypt need to validate your domain.

HpNoTiQ56 · May 17, 2019, 11:44am

Was blocking port 80 to all except france and US (Lets encrypt servers used to be in US.).

Now, same problem with opened FW.

JuergenAuer · May 17, 2019, 1:54pm

Now it looks ok ( https://check-your-website.server-daten.de/?q=sabnzbd.hpnotiq.synology.me ):

Domainname	Http-Status	redirect	Sec.	G
• http://sabnzbd.hpnotiq.synology.me/
82.64.82.212	200		0.466	H

• http://www.sabnzbd.hpnotiq.synology.me/
82.64.82.212	200		0.110	H

• https://sabnzbd.hpnotiq.synology.me/
82.64.82.212	303	https://sabnzbd.hpnotiq.synology.me/login/	0.974	B

• https://www.sabnzbd.hpnotiq.synology.me/
82.64.82.212	200		0.870	N
Certificate error: RemoteCertificateNameMismatch

• https://sabnzbd.hpnotiq.synology.me/login/	200		3.000	B

• http://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
82.64.82.212	404		0.253	A
Not Found
Visible Content: © 2019 Synology Inc.

• http://www.sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
82.64.82.212	404		0.116	A
Not Found
Visible Content: © 2019 Synology Inc.

Port 80 is open, no wrong redirect, the expected answer http status 404 - Not Found. So try to find the root parameter of your port 80 vHost and use it:

certbot run -a webroot -i nginx -w yourRoot -d sabnzbd.hpnotiq.synology.me

HpNoTiQ56 · May 19, 2019, 9:15pm

Here is the solution, I’ve redirected everything in https port.
I needed to add letsencrypt library to port 80 :
I’ve posted it in the Synology forum.

Thanks for help btw!

system · June 18, 2019, 9:15pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.