[DSM 6.2.2-24922] Cannot renew subdomain

#1

Hi,
I’m contacting you because I’m not able to renew my subdomain cert in DSM 6.2.2-24922 through the interface. I’m using a 216 play.
My domain is: hpnotiq.synology.me

I’ve checked ports 80 and 443, which are open. I can create and renew my domain hpnotiq.synology.me but not my subdomains.

Here are logs from /var/log/messages :

2019-05-17T10:56:22+02:00 NAS synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[8815]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from https://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/uQtcvEAI0pu1L07AKdGBUOwZcmx2NPz3LpjXoG4OGic [WW.XX.XX.XXX]: “\n\n \n <script type=“text/javascript”>\n <!–\n location.href = location.protocol + ‘//’ + location.ho”]
2019-05-17T10:56:22+02:00 NAS synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[8815]: certificate.cpp:1458 Failed to renew Let’sEncrypt certificate. [102][Invalid response from https://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/uQtcvEAI0pu1L07AKdGBUOwZcmx2NPz3LpjXoG4OGic [WW.XX.XX.XXX]: “\n\n \n <script type=“text/javascript”>\n <!–\n location.href = location.protocol + ‘//’ + location.ho”]
2019-05-17T10:51:10+02:00 NAS synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[6504]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from https://plex.hpnotiq.synology.me/.well-known/acme-challenge/8FGEEWFwvQL4PzSj1Qm3ytMyV9SRdLdy6JC9VAOhfyU [WW.XX.XX.XXX]: 401]
2019-05-17T10:51:10+02:00 NAS synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[6504]: certificate.cpp:1458 Failed to renew Let’sEncrypt certificate. [102][Invalid response from https://plex.hpnotiq.synology.me/.well-known/acme-challenge/8FGEEWFwvQL4PzSj1Qm3ytMyV9SRdLdy6JC9VAOhfyU [WW.XX.XX.XXX]: 401]

I can login to a root shell on my machine.

#2

Hi @HpNoTiQ56

there is no answer ( https://check-your-website.server-daten.de/?q=sabnzbd.hpnotiq.synology.me ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | -2 | | 4.650 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80 | | | | |
| http://www.sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | -2 | | 1.170 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80 | | | | |
| https://sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | -2 | | 1.157 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:443 | | | | |
| https://www.sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | -2 | | 1.160 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:443 | | | | |
| http://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 82.64.82.212 | -2 | | 1.174 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80 | | | | |
| Visible Content: | | | | |
| http://www.sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 82.64.82.212 | -2 | | 1.163 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 82.64.82.212:80 | | | | |
| Visible Content: | | | | |

Looks like a blocking firewall.

Your error

looks like there is a script that answers. Not the content Letsencrypt needs to validate your domain.

#3

I was blocking port 80 to all except France and the US (Let's Encrypt servers used to be in the US).

Now, same problem with opened FW.

#4

Now it looks ok ( https://check-your-website.server-daten.de/?q=sabnzbd.hpnotiq.synology.me ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | 200 | | 0.466 | H |
| http://www.sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | 200 | | 0.110 | H |
| https://sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | 303 | https://sabnzbd.hpnotiq.synology.me/login/ | 0.974 | B |
| https://www.sabnzbd.hpnotiq.synology.me/ 82.64.82.212 | 200 | | 0.870 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://sabnzbd.hpnotiq.synology.me/login/ | 200 | | 3.000 | B |
| http://sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 82.64.82.212 | 404 | | 0.253 | A |
| Not Found | | | | |
| Visible Content: © 2019 Synology Inc. | | | | |
| http://www.sabnzbd.hpnotiq.synology.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 82.64.82.212 | 404 | | 0.116 | A |
| Not Found | | | | |
| Visible Content: © 2019 Synology Inc. | | | | |

Port 80 is open, no wrong redirect, the expected answer http status 404 - Not Found. So try to find the root parameter of your port 80 vHost and use it:

certbot run -a webroot -i nginx -w yourRoot -d sabnzbd.hpnotiq.synology.me
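
The probe results discussed in posts #2 and #4 each point to a different cause. As an added example (not code from any poster, from Synology or from certbot), this classifies one HTTP-01 probe of `/.well-known/acme-challenge/<token>` along those lines. The function name, verdict labels and sample responses are constructed for illustration.

```python
import re
from typing import Optional

# Markup that indicates an application page answered, not a challenge file.
HTML_HINT = re.compile(r"<\s*(script|html|!doctype|body)\b|location\.href", re.I)


def classify_probe(status: Optional[int], body: str = "",
                   expected: Optional[str] = None) -> str:
    """Verdict for one GET of http://<host>/.well-known/acme-challenge/<token>.

    status   -- HTTP status code, or None when the connection was refused
    body     -- response body (the first bytes are enough)
    expected -- key authorization the ACME client published, if known
    """
    if status is None:
        return "blocked: nothing accepted the connection (firewall or closed port)"
    if status in (401, 403):
        return "auth: access control sits in front of the challenge path"
    if 300 <= status < 400:
        return "redirect: confirm the target still serves the challenge path"
    if status == 404:
        return "reachable: web server answers the path, no file for this token"
    if status == 200:
        if expected is not None and body.strip() == expected:
            return "ok: challenge file served"
        if HTML_HINT.search(body):
            return "app-page: an application answered instead of the challenge file"
        return "mismatch: body is not the expected key authorization"
    return f"unexpected: HTTP {status}"


# Constructed sample results modelled on the situations in this thread.
SAMPLES = {
    "refused": (None, "", None),
    "plex": (401, "", None),
    "sabnzbd": (200, '<script type="text/javascript">location.href = "/login/"</script>', None),
    "test-token": (404, "Not Found", None),
    "served": (200, "sample-token.sample-thumbprint\n", "sample-token.sample-thumbprint"),
}


def classify_samples() -> dict:
    """Run classify_probe over the constructed samples above."""
    return {name: classify_probe(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:11s} {verdict}")
```

A 404 for a made-up token is the healthy result: it shows the port 80 web server itself handles the challenge path, so a real token file placed in its webroot would be served.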

#5

Here is the solution: I’ve redirected everything to the https port.
I needed to add the letsencrypt library to port 80:
I’ve posted it in the Synology forum.


Thanks for the help btw!
