duckDNS/Letsencrypt certificate seemingly OK, but digicert check says it is not trusted


#1

My domain is: banha.duckdns.org

I ran this command: https://banha.duckdns.org:8123

It produced this output: See screenshot:

My web server is (include version): Synology

The operating system my web server runs on is (include version): DSM 6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): DK

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): DK

I have set this up to have https access to Home Assistant, and I can log on to the server, but the certificate is deemed not trusted and thus some integrations won’t work.


#2

Hi @bjornand1

there is a self signed certificate ( https://check-your-website.server-daten.de/?q=banha.duckdns.org ):

CN=synology.com, O=Synology Inc., L=Taipei, C=TW
	23.03.2019
	08.12.2038
expires in 7198 days	

not one of Letsencrypt. But your port 8123 has the LE-certificate ( https://check-your-website.server-daten.de/?q=banha.duckdns.org%3A8123 ):

CN=banha.duckdns.org
	18.03.2019
	16.06.2019
expires in 83 days	banha.duckdns.org - 1 entry

With one problem - the chain is incomplete:

Chain - incomplete	
	1	CN=banha.duckdns.org

So add the intermediate certificate.

PS: Perhaps use fullchain instead of cert


#3

Thanks for helping out! I have been working for days to get this work, and one tip I got was to point to cert instead of chain. When I tried to change it back, the connection no longer work.

In the SSL folder, I have three files; cert, chain, and privkey (all pem files).

In the config.yaml file, I have the following:
http:
base_url: https://hbandersen.synology.me:8123 (if I try with https://banha.duckdns.org:8123, nothing works, only using http)
ssl_certificate: /config/SSL/cert.pem

ssl_certificate: /config/SSL/chain.pem

ssl_key: /config/SSL/privkey.pem

I realize this is probably obvious to someone who knows this stuff, but I clearly don’t!


#4

If you have these three files, then chain may not include the cert.

Open chain in an editor. There should be two blocks

-----BEGIN CERTIFICATE-----



-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

If there is only one block, that’s the problem.

Then merge both files (cert + chain) in one file, first cert, then chain, then use that (fullchain).

Then recheck the domain to see if that works.


Let's Encrypt Renewed But HTTPS Not working
#5

What do you know, that worked!!!

I am truly grateful, I have worked on this issue for so long!


#6

Having become aware of the certificate issues, I now realize that I also have issues with the default Synology certificate for “the rest of” the DMS setup. Is there any way to figure out what is wrong here:

That would be helpful as I now get warnings accessing my own home page…


#7

Hi @bjornand1,

I believe you had the same issue I had. This is not related to your Let’s Encrypt certificate, but to the default certificate that’s installed on your Synology NAS. As you can see in the screenshot, if you connect, the Synology uses its default certificate instead of the one you generated via Let’s Encrypt.

I’m assuming that you have imported / uploaded your certificate from Let’s Encrypt on the Synology already. If you go to Control Panel -> Security -> Certificate in DSM, and click Configure, you can select which certificate the NAS will use for which service, using the dropdown boxes.

You might also have to explicitly tell the Synology that its hostname is now hbandersen.synology.me (what it appears to be in the screenshot) - you can do that under Control Panel -> Network -> DSM Settings -> Domain (to set a custom domain name) and Control Panel -> Network -> General to set the server name. If you don’t do this, then the server name and the certificate won’t match. I’m not sure but that could cause trouble.

I also recommend turning on the firewall on the Synology to restrict access where possible.

Hope this helps!


#8

Thanks, @pietervanw, that is probably the reason. I configured the certificate settings to use the Letsencrypt certificate for all services, but that gave another issue:

I did change the domain name, but the server name is too long for the name field (it is now called Synology DS713


#9

Hi @bjornand1,

Hmm… what you show now in the screenshot is a different error: you’ve requested a certificate for banha.duckdns.org, but you probably put hbandersen.synology.me in your browser’s address bar. If banha.duckdns.org also routes to your Synology, you should put that in the browser address bar instead of the synology.me hostname.


#10

Yes, I see what you mean. The thing is, the Synology domain I set up long before starting to play around with DuckDNS certificates is the address hbandersen.synology.me and that is used as the address of our personal home page, an address that to some extent is known among a number of people. I would hate to have to change that, but would also like to stop seeing the “unsecure” warning for that page. There is a certificate from Synology and I was hoping to get that to work properly.


#11

The hostname that you request a certificate for with LE and the hostname of the server have to match 100%, otherwise the browser will not accept the certificate. In that case you cannot use a *.duckdns.org certificate with your NAS, you’ll have to get a certificate for hbandersen.synology.me. I’m not familiar with the synology.me domain, is that a service from Synology similar to QuickConnect? You might be able to use the HTTP-01 challenge, read more about it here:

I don’t think that challenge is natively supported by DSM though, so you’ll have to start a webserver on the DSM and put the required file in the right spot manually while running the ACME client (for example certbot) on either the synology directly (requires SSH access probably), or on your own laptop / computer.

Which ACME client did you use to create the duckdns.org certificate?


#12

Synologies come with an ACME client that supports HTTP-01, and supports DNS-01 when using the synology.me domain itself, I think. I don’t know much about using it, though.


#13

Thanks to both of you, that seems it could solve my issue. I must look into this!