Error Renewing Let's Encrypt Certificate


I got an email from Let’s Encrypt saying that my certificate is going to be expire in 20 days, then I got another one saying it will expire in 10 days, and now it’s saying it will expire in 1 day which will be on the Monday the 19th of August, 2019. Since I got those emails, I’ve tried to renew the certificate via DSM and have both ports open on my Linksys Velop Router, port 80 and 443. Every time I go to try to renew is says it cannot connect to Let’s Encrypt. How do I fix this before it expires on Monday?

I look forward to hearing from you as soon as possible!


1 Like

Hi @TheSimsHouse

please share your domain name.

It’s currently

There is already a check of your domain - yesterday evening - - now an own check:

Host T IP-Address is auth. ∑ Queries ∑ Timeout Name Error yes 1 0 Name Error yes 1 0

You don't have ip addresses defined. Read the output:

Info: Creating a Letsencrypt certificate with that domain name isn't possible. To create a certificate you need a registered, worldwide unique domain name. The domain name ends with a public suffix, that's good (no Grade Z). But the domain isn't registered. If you want a certificate with that domain name, you have to proof that you are the domain owner.

An A- or AAAA record (ipv4 or ipv6) is required : Your domain name -> ipv4 or / and ipv6

Yes, I checked it yesterday evening, because I was trying to solve this. So, in order to “renew” the certificate, I have to purchase “my” domain listed above?

That's correct if you want to use an own domain.

But you have a subdomain of

I don't use synology products. But there are a lot of other users with such subdomains. So it's possible to use such subdomains with a Letsencrypt certificate.

Check the synology documentation how to register such a subdomain and how to create a public visible A record.


must find an ip address.

Checking the help of Synology:

Ok, so why did I get an email saying to renew this certificate for? What was it for? I never used the domain in the first place, I just used Synology’s QuickConnect feature to access my NAS remotely. If I do this will it create another certificate with Let’s Encrypt and then will I eventually have to renew it? Is it free as well? Also, what’s going to happen with my current certificate if I can’t renew it? Will anything change / not function? I have no option to remove it or delete from DSM.

Most of your questions may be better answered by a Synology forum.

The Let’s Encrypt staff might be able to determine part of what’s going on from the server-side logs.

Without access to any information from your ACME client, the community can only guess at what might be happening.

If anyone here has a detailed understanding of how Synologies work, that would help, but I’m not sure how many of us do.

You certainly have a certificate.

It’s odd that has no DNS records, but Synologies can obtain certificates using DNS validation, so A and AAAA records aren’t actually required.

I have no idea about anything beyond that, though.

That may have created the certificate.

But what's the problem? If you are the only user of your NAS, create an exception in your browser. Then you don't need a public trusted Letsencrypt certificate.

Or do it again. Maybe there is a missing step, so your setup is incomplete.

PS: First you should read some basics:

@mnordhoff - Thanks for your input, I have contacted Synology about this topic.

@JuergenAuer - I was thinking the QuickConnect feature created that certificate as well. I have more than one user for the NAS, so I don’t think the web browser exception would work. Should I just try doing the DDNS setting or set up QuickConnect again?

I appreciate all your help so far.

Then you should use that again.

Such tools are "closed worlds". But you don't have an ip address - - so the DSM may have used dns-validation.

Can your DSM talk with Letsencrypt? Perhaps you have changed your router settings.

Or you use another domain name.

Perhaps share a screenshot of your login screen (with the browser url).

After doing much digging around, and help from you, @JuergenAuer, I found that I did not have my DDNS on my Synology NAS setup despite having the certificate from LetsEncrypt.

I now remember that I had the DDNS setup when I got my NAS, and then after for some reason I deleted the DDNS, and didn’t realize that was causing the issue. After I added the DDNS back on my Synology, I went back to renew the certificate with port 80 and 443 open on my Linksys Velop Router and it worked!

The only issues I have now is when I go to my NAS with its local IP address on the network, it says it’s not a secure connection on both Safari and Chrome after I say to proceed to the site, but Safari saves the information so I don’t have to keep telling it to proceed each time, and it shows an encrypted connection unlike Chrome, which does not do that. My question is, how do I fix this?

Also, when I go to the QuickConnect site to access my NAS I get a “not-secure” badging when loading that page until it reaches my NAS, in which that case it turns to an encrypted connection on Safari, but not Chrome. Do you know how I could fix this too or is it something on Synology’s end?

Finally, when I change some of the open ports and HTTP to HTTPS connections on the web link I go to access my NAS, like port 5000 or 5001, I get a server not found or a 404 Error page depending on how I mix those variables up. Do you know how I could fix this or should I ask Synology?

Anyways, I appreciate your help and information, and will be contacting Synology about those questions I asked you above as well.

That's normal, you can't fix that.

So you must use the domain name to connect your NAS. The ip can't work.

Rechecking your domain I see the problem ( ):

Domainname Http-Status redirect Sec. G 301 0.270 A 302 0.270 D -14 10.030 T
Timeout - The operation has timed out 302 2.867 N
Certificate error: RemoteCertificateNameMismatch 200 3.313 I

Your certificate has one domain name:
expires in 89 days - 1 entry

So it doesn't work with your www version. Use only the non-www version without a port 5000 / 5001.

What's the url of the "QuickConnect site"? Perhaps there is a link to the ip address -> same problem, always wrong.

Port 5001 doesn't answer. But works, so you don't need that port.

Ok. I can still connect using the IP Address, but I will just get that error, so is it “safer” to use the domain name? I think Synology has a way of fixing that (How do I obtain a certificate from Let's Encrypt on my Synology NAS? - Synology Knowledge Center) but I can’t figure how to do it even though I tried.

I was able to connect to my domain with the port 5000 redirecting to 5001 when I put those ports on my router in the port forwarding settings, but then I decided to use the HSTS setting on the Network section in the subsection of DSM Settings (DSM Settings | DSM - Synology Knowledge Center) which removes the 5000 and 5001 ports when typing in the domain and removing from my router port forwarding settings too. Is this safer?

Should I be able to connect to all those domains if they worked? Or does each domain have conflicts with each other?

The URL to Synology’s QuickConnect is which shows “not secure” when navigating to that page, but if I change the it to it shows “secure”. Once I put in my specified QuickConnect ID, that redirects to my IP Address on my local network (which shows it’s “not secure” then goes to “secure” on Safari as said earlier above) but externally it goes right to the domain name with a “secure” badge.

Ok, so I should just disregard all of those other domains and just stick to “” despite them being active?

If you use the domain name, the certificate is valid.

This isn't "safer", it's - simple - easier. Port 5000/5001 are used if the standard ports are blocked. But if you have an own subdomain, you can use the standard ports.

You don't need a www version. It's not a public website, it's only a subdomain with a login. So the non-www version is enough.

http is always "not secure". That's not a problem, use the https version.

Yes. You don't need more.

Alright, thanks for your help @JuergenAuer. It is much appreciated! Synology just got back to me and they said similar things to what you said. Take care.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.