Error connection new cert Synology

Hello! First of all thank you very much for the support. Sorry to create another thread on the same topic, but after reading some time in the community I have not found a solution to my problem.

Before detailing my setup, I would like to explain it: I have a NAS unit mounted behind two routers, the one from the internet company in bridge mode (Innbox G64) and a TP-Link Archer C1200 working as a router. The case is that the WAN has a dynamic IP and I have created a subdomain with a CNAME that points to a DDNS service (DuckDNS). Previously I tried it with the TP-Link DDNS service, until thanks to another community thread I read that they offer a nefarious service that cannot be used, so I decided to change to the DuckDNS service, having read success stories with this DDNS provider.

But I can't do it on the NAS; I always get a Let's Encrypt connection error with the domain. I can assure you that I have the ports open and forwarded, that I can access it from the outside without problems, and that I have tried the solutions offered in other community threads, but I can't get it to finish correctly.

I have even come to understand a little how the https://check-your-website.server-daten.de tool works, seeing in my case that it creates the certificates, but on the unit it always gives me that error until the request limit is reached.

Well, without going on any longer, here is my setup:

My domains are:
My main domain is: rodriguezcaroabogados.com
But as I have detailed previously for this process I have created a subdomain (CNAME) that points towards a ddns service (duckdns) which would be the important ones for the case:
My main subdomain is: intranet.rodriguezcaroabogados.com
My ddns service domain is: rcaintranet.duckdns.org

I ran this command:

Create a new certificate NAS: Security / Certificates panel.
I am asked to fill in the following details.
Domain Name: intranet.rodriguezcaroabogados.com
Email: servidor@rodriguezcaroabogados.com
Subject Alternative Name: rcaintranet.duckdns.org

It produced this output:

The error I get when I click on Next is

"Failed to connect to Let's Encrypt. Please make sure the domain name is valid"

The operating system my web server runs on is (include version): Nas Synology DSM 6.2.3-25426 Update 3

I would like to receive help to avoid having to continue wasting the resource of being able to create certificates that end in an error and not being able to use them.

Checks

Letsdebug ok: https://letsdebug.net/intranet.rodriguezcaroabogados.com/404067
Verified access from outside
Ports opened and redirected correctly to nas ports, tested on https://www.yougetsignal.com/tools/open-ports/ (80 open, 443 open)

I notice some errors in the https://check-your-website.server-daten.de/?q=intranet.rodriguezcaroabogados.com tool, but I can't understand them; if someone can help me, I would appreciate it.

Happy New Year :heart:

3 Likes

Hi @Maguila

you have created two certificates (see the CT-log part):

One is a cPanel certificate with your 50.87 IP, the other is a Let's Encrypt certificate with two domain names.

But the small certificate isn't used; instead, a Synology standard certificate is used.

That

Host: intranet.rodriguezcaroabogados.com
  CNAME  rcaintranet.duckdns.org  (is auth.: yes, ∑ Queries: 1, ∑ Timeout: 0)
  A      185.67.107.194 - Arcos de la Frontera/Andalusia/Spain (ES) - Onlycable Comunicaciones S.L., Hostname: 194-107-67-185-red-servicios.onlycable.es  (is auth.: yes)
Host: www.intranet.rodriguezcaroabogados.com
  A      50.87.176.241 - Provo/Utah/United States (US) - UNIFIEDLAYER-AS-1, Hostname: box2318.bluehost.com  (is auth.: yes, ∑ Queries: 1, ∑ Timeout: 0)
  AAAA   (is auth.: yes)

may be part of the problem.

Your non-www and www have different ip addresses.

First step: Remove the www A record and create a CNAME www -> non-www. Or remove the www DNS entry completely.

Looks like you have created the correct certificate, but the Synology client can't install it because the www version has another ip address.

So it's not a certificate creation problem, it's a certificate installation problem.

3 Likes
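To make the diagnosis above concrete, here is an added example (not from the thread or from Synology) that chases a CNAME chain in a small offline zone and flags the www / non-www address mismatch. The zone dictionaries are constructed from the records quoted in this reply; `ZONE_AFTER` shows the suggested fix (www as a CNAME to the non-www name), and the helper names are my own.

```python
"""Follow CNAME chains in a small offline zone and flag a www / non-www
address mismatch.  Added example; the zones below are constructed from the
records quoted in the thread, nothing is fetched live."""

from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]    # owner name (trailing dot) -> records

# Constructed zone mirroring the check-your-website output in the thread.
ZONE_BEFORE: Zone = {
    "intranet.rodriguezcaroabogados.com.": [("CNAME", "rcaintranet.duckdns.org.")],
    "rcaintranet.duckdns.org.": [("A", "185.67.107.194")],
    "www.intranet.rodriguezcaroabogados.com.": [("A", "50.87.176.241")],
}

# Constructed: the suggested fix, www becomes a CNAME to the non-www name.
ZONE_AFTER: Zone = {
    "intranet.rodriguezcaroabogados.com.": [("CNAME", "rcaintranet.duckdns.org.")],
    "rcaintranet.duckdns.org.": [("A", "185.67.107.194")],
    "www.intranet.rodriguezcaroabogados.com.": [("CNAME", "intranet.rodriguezcaroabogados.com.")],
}

MAX_CNAME_HOPS = 8  # resolvers cap CNAME chasing; a loop must not hang us


def resolve_a(name: str, zone: Zone) -> Set[str]:
    """Return the IPv4 addresses `name` ultimately resolves to, chasing CNAMEs.
    An empty set means no such name / no A record.  Raises on a CNAME loop."""
    current = name if name.endswith(".") else name + "."
    seen: List[str] = []
    for _ in range(MAX_CNAME_HOPS):
        if current in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [current]))
        seen.append(current)
        records = zone.get(current, [])
        cnames = [rdata for rrtype, rdata in records if rrtype == "CNAME"]
        if cnames:
            # A CNAME owner carries no other data, so follow the alias.
            current = cnames[0]
            continue
        return {rdata for rrtype, rdata in records if rrtype == "A"}
    raise ValueError(f"CNAME chain longer than {MAX_CNAME_HOPS} hops for {name}")


def check_www_consistency(name: str, zone: Zone) -> Tuple[bool, str]:
    """(ok, message): ok when www.<name> either does not exist or lands on
    the same addresses as <name>.  A mismatch is the failure mode above."""
    base = resolve_a(name, zone)
    www = resolve_a("www." + name, zone)
    if not www:
        return True, "no www record (acceptable)"
    if www == base:
        return True, f"www and non-www agree: {sorted(base)}"
    return False, f"mismatch: {name} -> {sorted(base)}, www -> {sorted(www)}"


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, check_www_consistency("intranet.rodriguezcaroabogados.com", zone))
```

Removing the www entry altogether (the poster's eventual choice) is the "no www record" branch; pointing www at the non-www name is the "agree" branch, and both pass the check.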

You should be able to follow this online guide:

[just be sure to use the domain name: intranet.rodriguezcaroabogados.com]

3 Likes

Hello! Thank you very much for the support. @JuergenAuer @rg305

Sorry for the wait, but I have to request the changes from a third person.

I have opted for the option of removing the www DNS entry completely. Having already made the changes, I keep getting the error...

"Failed to connect to Let's Encrypt. Please make sure the domain name is valid"

@rg305 That was one of the guides I used to use my own subdomain and see how it was configured, but I still can't get it to finish correctly.

It ends up giving me the same error. I have tried to change the connection method to start the process, using the lan ip or doing it through the subdomain, but it also ends up failing.

I have also tried without filling in the subject alternative name (rcaintranet.duckdns.org), it also ends up failing with the same error.

Do you have any other ideas?

https://check-your-website.server-daten.de/?q=intranet.rodriguezcaroabogados.com

2 Likes

Are you using the name:

OR

What name do you put into the NAS?

2 Likes

A few thoughts...

  • You've clearly managed to generate some certificates (some or all of which appear to be for cPanel)
  • I see this:
intranet.rodriguezcaroabogados.com. 14399 IN CNAME rcaintranet.duckdns.org.
rcaintranet.duckdns.org. 59 IN A 185.67.107.194

Is your website content at the address pointed to by duckdns? Normally such a CNAME would be used for dns-01 challenges for delegating TXT records, not for http-01 challenges delegating A records (and thus entire websites)

2 Likes

Thanks for the help, but I don't quite understand your message

The WAN has a dynamic IP and I have created a subdomain with a CNAME that points to a DDNS service (DuckDNS); the DDNS service runs on the NAS.

intranet.rodriguezcaroabogados.com > rcaintranet.duckdns.org > 185.67.107.194

intranet.rodriguezcaroabogados.com has a DNS CNAME record pointing to rcaintranet.duckdns.org

2 Likes

My domains are:
My main domain is: rodriguezcaroabogados.com
But as I have detailed previously for this process I have created a subdomain (CNAME) that points towards a ddns service (duckdns) which would be the important ones for the case:
My main subdomain is: intranet.rodriguezcaroabogados.com
My ddns service domain is: rcaintranet.duckdns.org

Create a new certificate NAS: Security / Certificates panel.
I am asked to fill in the following details.
Domain Name: intranet.rodriguezcaroabogados.com
Email: servidor@rodriguezcaroabogados.com
Subject Alternative Name: rcaintranet.duckdns.org

It produced this output:

The error I get when I click on Next is

"Failed to connect to Let's Encrypt. Please make sure the domain name is valid"

Domain Name: intranet.rodriguezcaroabogados.com
Email: servidor@rodriguezcaroabogados.com
Subject Alternative Name:

The error I get when I click on Next is

"Failed to connect to Let's Encrypt. Please make sure the domain name is valid"

I'm using: intranet.rodriguezcaroabogados.com

1 Like

The point is...

why this:

intranet.rodriguezcaroabogados.com. 14399 IN CNAME rcaintranet.duckdns.org.
rcaintranet.duckdns.org. 59 IN A 185.67.107.194
rcaintranet.duckdns.org. 599 IN MX 50 rcaintranet.duckdns.org

instead of this:

intranet.rodriguezcaroabogados.com. 59 IN A 185.67.107.194
intranet.rodriguezcaroabogados.com. 599 IN MX intranet.rodriguezcaroabogados.com

Do you really have an intranet email server (for @intranet.rodriguezcaroabogados.com addresses)?

2 Likes

No, I don't have a mail server

1 Like

The burning question is then: why use duckdns instead of the dns for rodriguezcaroabogados.com? If you are using the duckdns API to dynamically modify DNS records I can understand that. Is that the case?

2 Likes

For the dynamic ip of the ISP

The WAN has a dynamic IP and I have created a subdomain with a CNAME that points to a DDNS service (DuckDNS); the DDNS service runs on the NAS.

I'm not using it for that, just for the issue of dynamic ip as I have mentioned before

I am very sorry if I am not understanding what you are saying and it is beyond my knowledge. Maybe it's obvious and I don't realize where the trick of what you want to tell me is.

2 Likes

Fair enough. :slightly_smiling_face:

Given that:

rcaintranet.duckdns.org. 59 IN A {current WAN IP}

Am I correct in stating that your NAS:

  1. listens on port 80 at that IP.
  2. can communicate outbound.

2 Likes

1. Yes
2. Yes

I have 80 and 443 open and forwarded on the router to the NAS ports.

You can check that.

For intranet.rodriguezcaroabogados.com and rcaintranet.duckdns.org, the NAS login page appears.

1 Like

I'm seeing the following:

http://rcaintranet.duckdns.org (implied port 80)
302 Moved temporarily
https://rcaintranet.duckdns.org:5001/
200 OK
https://rcaintranet.duckdns.org (implied port 443)
200 OK

Is that correct?

2 Likes

The nas has an option activated to redirect http to https

I have tried to do the certificate process in the two available ways (on/off), but it gives the same result, error.

1 Like

Let's Encrypt always uses port 80 as the entry for connection. Redirection to port 443 is allowed. Redirection to port 5001 is not.

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

2 Likes
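The redirect rules quoted above, and the 302-to-port-5001 chain observed a few posts earlier, can be checked offline. The following is an added example (my own code, not Let's Encrypt's validator) that applies those rules to a constructed map of HTTP responses: at most 10 redirects, only http: or https:, only ports 80 or 443, and no redirects to IP addresses. The `EXAMPLE_TOKEN` path, the response maps and the function names are assumptions for illustration; no TLS is performed, which matches the quoted note that certificates are not validated during this challenge.

```python
"""Decide whether an HTTP-01 validation would accept a redirect chain under
the rules quoted above.  Added example, not Let's Encrypt's code; the
response maps are constructed from the responses reported in the thread."""

from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

MAX_REDIRECTS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

HOST = "rcaintranet.duckdns.org"
CHALLENGE_PATH = "/.well-known/acme-challenge/EXAMPLE_TOKEN"  # constructed token
START_URL = f"http://{HOST}{CHALLENGE_PATH}"                  # validation always starts on port 80

# (status, Location) per URL.  Constructed from the thread's observations.
# DSM "redirect HTTP to HTTPS" on: port 80 answers 302 to port 5001.
RESPONSES_REDIRECT_TO_5001: Dict[str, Tuple[int, Optional[str]]] = {
    START_URL: (302, f"https://{HOST}:5001{CHALLENGE_PATH}"),
    f"https://{HOST}:5001{CHALLENGE_PATH}": (200, None),
}
# An acceptable alternative: redirect to https on the implied port 443.
RESPONSES_REDIRECT_TO_443: Dict[str, Tuple[int, Optional[str]]] = {
    START_URL: (301, f"https://{HOST}{CHALLENGE_PATH}"),
    f"https://{HOST}{CHALLENGE_PATH}": (200, None),
}
# Redirect option off: the token is served directly over port 80.
RESPONSES_DIRECT: Dict[str, Tuple[int, Optional[str]]] = {START_URL: (200, None)}


def redirect_target_allowed(url: str) -> Optional[str]:
    """Return None if a redirect target is acceptable, else the reason it is not."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not http/https"
    host = parts.hostname or ""
    try:
        ip_address(host)
        return f"redirect to IP address {host}"   # IP-literal hosts are refused
    except ValueError:
        pass                                       # a hostname, fine
    port = parts.port or (80 if parts.scheme == "http" else 443)
    if port not in (80, 443):
        return f"port {port} is not 80/443"
    return None


def simulate_http01(start: str, responses: Dict[str, Tuple[int, Optional[str]]]) -> Tuple[bool, List[str]]:
    """Walk the response map from `start`.  Returns (accepted, trace)."""
    trace = [start]
    url = start
    redirects = 0
    while True:
        status, location = responses.get(url, (None, None))
        if status is None:
            return False, trace + ["no response (connection failure)"]
        if status == 200:
            return True, trace + ["200 OK: token fetched"]
        if status in REDIRECT_STATUSES and location:
            if redirects == MAX_REDIRECTS:
                return False, trace + [f"more than {MAX_REDIRECTS} redirects"]
            reason = redirect_target_allowed(location)
            if reason:
                return False, trace + [f"redirect to {location} rejected: {reason}"]
            redirects += 1
            trace.append(location)
            url = location
            continue
        return False, trace + [f"unexpected status {status}"]


if __name__ == "__main__":
    for label, responses in (("5001", RESPONSES_REDIRECT_TO_5001),
                             ("443", RESPONSES_REDIRECT_TO_443),
                             ("direct", RESPONSES_DIRECT)):
        ok, trace = simulate_http01(START_URL, responses)
        print(label, "ACCEPTED" if ok else "REJECTED", "|", " -> ".join(trace))
```

The first map reproduces the poster's situation: the 302 to `:5001` is rejected before anything on port 5001 is ever fetched, which is why toggling settings on the NAS side of that redirect changes nothing. The second and third maps are the two configurations the rules permit.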

I have disabled the redirection option; can you check? Is it 200 OK on 80 now?

1 Like

Much better. :slightly_smiling_face:

The question still remains: why redirect externally to port 5001 rather than to port 443?

2 Likes

Because the NAS rules are designed in such a way that it does not let you use port 80 or 443; they are, so to speak, reserved for the NAS system.

1 Like