Error let's encrypt synology


#1

My domain is: flodus.synology.me
My web server is: SYNOLOGY DSM6
I can login to a root shell on my machine: yes

Hello,

I have my domain flodus.synology.me active, I created my sub-domains in the reverse proxy (HTTPS WAN >> HTTP LAN) that I indicated during my certificate creation, I deleted the default Synology certificate, and I checked modern compatibility for SSL/TLS.

During my certificate creation I have no error message, and an OK validity date.

But I still have the same problem: all the browsers give me an SSL version error. On Chrome it gives: ERR_SSL_VERSION_OR_CIPHER_MISMATCH and on Firefox: Advanced information: SSL_ERROR_UNSUPPORTED_VERSION

Is it possible that I made too many certificate requests?
Would someone have an explanation?

Thank you in advance.


#2

Hi,

UPDATE:
The error is SSL alert number 40, which is an SNI problem.


Please refer to this: openssl s_client -showcerts -connect hassbian.flodus.synology.me:443

> openssl s_client -showcerts -connect hassbian.flodus.synology.me:443
> CONNECTED(00000154)
> 2596:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1407:SSL alert number 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 176 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1526300572
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---

Thank you


#3

thank you for the answer

I had already completely reset my NAS and redone a certificate, but it still did not work, so I reset it again without thinking about backing up the certificates (as they did not work). But since I do not know where the error comes from, I do not dare to redo a certificate, because I have already exceeded the quota and I do not want to push back the date at which I can redo a Let's Encrypt certificate.

What can I do?

from crt.sh


#4

I would say the behavior here is possibly symptomatic of a protocol other than HTTPS on port 443. However, I’m not immediately sure what protocol.

This could be caused by your ISP blocking or intercepting inbound connections on port 443, or forwarding them to something other than port 443 of your NAS device, or by a firewall or router on your end doing one of these things. Do any of those seem like possibilities to you?


#5

I don’t think there is anything particular about my configuration …
My router redirects ports 80 and 443 to ports 80 and 443 of the Synology,
Let's Encrypt creates the certificate, and I disabled the Synology firewall for testing.
I will wait 1 week before redoing a certificate; we will see, and I will give the result …
Thank you very much for taking the time.


#6

@stevenzhu, you’ll notice in your OpenSSL command you received the output:

The SSL/TLS protocol defines a set of “alerts” that the server can send the client, or vice versa. In this case, the server is sending the client an alert about “handshake failure.” This is commonly caused by a client failing to set the ServerNameIndication (SNI) extension in its ClientHello. And in fact, openssl s_client will not set the SNI extension by default. You need to add the -servername flag:

openssl s_client -showcerts -connect hassbian.flodus.synology.me:443 -servername hassbian.flodus.synology.me

Note that when I test these now, both with and without SNI, I get a different message, “unsupported protocol.”

Checking this domain name with Qualys’ SSL Server test shows that it’s badly broken in a number of ways: https://www.ssllabs.com/ssltest/analyze.html?d=hassbian.flodus.synology.me

It’s got an ancient, 512-bit, untrusted RSA certificate for a completely different domain name. @flodus, this suggests to me that your domain name may be pointing at the wrong IP address. For instance, maybe you had one IP address when you set up the domain, but your IP address has changed since then? You should double check that your current IP address matches the output of host hassbian.flodus.synology.me.
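The reasoning in this reply (alert 40 without SNI means "retry with -servername"; a failure even with SNI or an "unsupported protocol" error points at something other than the NAS answering on 443) can be turned into a small triage script. This is an added example, not code from the thread or from Synology; the transcript it parses is a constructed copy of the s_client output quoted in post #2, and the alert names come from the TLS alert registry.

```python
import re

# Constructed sample, copied in shape from the openssl s_client transcript
# quoted in post #2 (run without -servername, so no SNI was sent).
SAMPLE_NO_SNI = """\
CONNECTED(00000154)
2596:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\\record\\rec_layer_s3.c:1407:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

ALERT_RE = re.compile(r"SSL alert number (\d+)")
# TLS alert descriptions that matter for this thread (RFC 5246 / RFC 6066).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}


def diagnose(transcript: str, sent_sni: bool) -> dict:
    """Classify an openssl s_client transcript following the reasoning above.

    Note that "Verification: OK" in such output is meaningless: no certificate
    was received, so there was nothing to verify.
    """
    m = ALERT_RE.search(transcript)
    alert = int(m.group(1)) if m else None
    got_cert = "no peer certificate available" not in transcript
    handshake_done = "Cipher is (NONE)" not in transcript
    info = {"alert": alert, "alert_name": ALERT_NAMES.get(alert),
            "peer_cert": got_cert, "handshake_done": handshake_done}
    if alert == 40 and not sent_sni:
        info["hint"] = "retry with -servername <host>; s_client sends no SNI by default"
    elif alert == 40:
        info["hint"] = "fails even with SNI: verify port 443 reaches the NAS and DNS points at your current IP"
    elif alert == 70 or "unsupported protocol" in transcript:
        info["hint"] = "protocol version mismatch (browser ERR_SSL_VERSION_OR_CIPHER_MISMATCH): likely not DSM answering on 443"
    elif got_cert and handshake_done:
        info["hint"] = "handshake completed; compare the certificate's names with the hostname you expect"
    else:
        info["hint"] = "unrecognised failure; re-run with -servername and -msg"
    return info


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_NO_SNI, sent_sni=False).items():
        print(f"{key:15} {value}")
```

Feed it the output of your own s_client run (piped through a file) and pass sent_sni according to whether -servername was on the command line.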


#7

True…

Apologies for the mistake, @flodus

Thank you @jsha


#8

EDIT: Problem solved. It took more than 8 days to redo the certificates; the Let’s Encrypt limit was exceeded, but Synology does not indicate it (checked by counting the certificates on https://crt.sh/).


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.