My domain is: flodus.synology.me
My web server is : SYNOLOGY DSM6
I can login to a root shell on my machine : yes
Hello,
I have my domain flodus.synology.me active, I created my sub-domains in reverse-proxy (https wan >> http lan) that I indicated during my certificate creation, I deleted the default synology certificate, and I checked modern compatibility for SSL / TLS.
During my certificate creation I have no error message, and an OK validity date.
But I still have the same problem: all the browsers give me an SSL version error. On Chrome it gives: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and on Firefox: Advanced information: SSL_ERROR_UNSUPPORTED_VERSION
Is it possible that I made too many certificate requests?
Would someone have an explanation?
I had already completely reset my NAS and redid a certificate but it still did not work, so I reset it again without thinking about backing up the certificates (as they did not work). But since I do not know where the error comes from, I do not dare to redo a certificate, because I have already passed the quota and I do not want to push back the date at which I can redo a Let's Encrypt certificate.
I would say the behavior here is possibly symptomatic of a protocol other than HTTPS on port 443. However, I’m not immediately sure what protocol.
This could be caused by your ISP blocking or intercepting inbound connections on port 443, or forwarding them to something other than port 443 of your NAS device, or by a firewall or router on your end doing one of these things. Do any of those seem like possibilities to you?
I don’t think there is anything particular about my configuration …
My router redirects ports 80 and 443 to ports 80 and 443 of the Synology,
Let’s Encrypt creates the certificate, and I disabled the Synology firewall for testing.
I will wait 1 week before redoing a certificate, we will see and I will give the result …
Thank you very much for taking the time
@stevenzhu, you'll notice in your OpenSSL command you received the output:
The SSL/TLS protocol defines a set of "alerts" that the server can send the client, or vice versa. In this case, the server is sending the client an alert about "handshake failure." This is commonly caused by a client failing to set the ServerNameIndication (SNI) extension in its ClientHello. And in fact, openssl s_client will not set the SNI extension by default. You need to add the -servername flag:
It's got an ancient, 512 bit, untrusted RSA certificate for a completely different domain name. @flodus, this suggests to me that your domain name may be pointing at the wrong IP address. For instance, maybe you had one IP address when you set up the domain, but your IP address has changed since then? You should double check your current IP address matches the output of host hassbian.flodus.synology.me.
EDIT: Problem solved, it took more than 8 days to redo the certificates, the Let’s Encrypt limit was exceeded, but Synology does not indicate it. (checking the number of certificates on https://crt.sh/)