Failed to connect to Let's Encrypt. Please make sure the domain name is valid

I have a synology DS212j NAS which I am trying to setup so I can log into it from outside my lan using HTTPS. I am pretty new to this, but having read up on it and watched various videos on Youtube, it looked fairly straightforward, even as a complete novice.

I have a (second level) domain name, teamangwin.com to which I have added a subdomain - nas.teamangwin.com. As far as I can tell, this is setup and working correctly, in so far as if I try to access it from my mobile using mobile data (appending the relevant port number), it takes me to the login page for my NAS, but with warning that it is not a secure connection - which it wouldn’t be since I’ve so far been unable to setup my Let’s Encrypt certificate.

I am running Windows 10 with Norton Security Suite and have opened ports 80 and 443 (confirmed by testing at yougetsignal.com. I have also setup my router to forward incoming requests to the port used for HTTPS to my NAS.

Despite my best attempts to set everything up correctly, I can only assume that the issue is down to some error in my setup, therefore if anyone has any pointers to give me it would be much appreciated.

Many thanks.

Patch

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nas.teamangwin.com

I ran this command: I used the built-in features of Synology DSM 6.2

It produced this output: Failed to connect to Let’s Encrypt. Please make sure the domain name is valid.

My web server is (include version): Sorry, not sure how to answer this or whether it applies to my query… if you need this please explain what this means as though I were a five year old :wink:

The operating system my web server runs on is (include version): As above

My hosting provider, if applicable, is: Not sure this is relevant in my case, since I am trying to install a certificate on my NAS, not on a hosted website, but just in case it is: 1&1 Ionos. I do have a website hosted by them (with a different domain name altogether), but that is protected with a certificate which they have issued

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I’m not trying to access my site - I’m trying to log into my Synology NAS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Sorry, I don’t understand this.

Hi @ShogunPatch

your subdomain has ipv4- and ipv6 - addresses ( https://check-your-website.server-daten.de/?q=nas.teamangwin.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
nas.teamangwin.com A 87.75.103.34 Notting Hill Gate/England/United Kingdom (GB) - Cable & Wireless Access Limited Hostname: static-87-75-103-34.vodafonexdsl.co.uk yes 1 0
AAAA 2001:8d8:100f:f000::252 Karlsruhe/Baden-Württemberg/Germany (DE) - DE-SCHLUND yes
www.nas.teamangwin.com A 87.75.103.34 Notting Hill Gate/England/United Kingdom (GB) - Cable & Wireless Access Limited Hostname: static-87-75-103-34.vodafonexdsl.co.uk yes 1 0
AAAA 2001:8d8:100f:f000::252 Karlsruhe/Baden-Württemberg/Germany (DE) - DE-SCHLUND yes

But checking files in /.well-known/acme-challenge there are different answers ipv4 / ipv6.

K http://nas.teamangwin.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 87.75.103.34, Status 404
http://nas.teamangwin.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2001:8d8:100f:f000::252, Status 204
configuration problem - different ip addresses with different status
K http://www.nas.teamangwin.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 87.75.103.34, Status 404
http://www.nas.teamangwin.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2001:8d8:100f:f000::252, Status 204
configuration problem - different ip addresses with different status

Ipv4 answers with the (correct) http status 404 - Not Found.

Ipv6 has a http status 204.

Result:

http://nas.teamangwin.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2001:8d8:100f:f000::252, Status 204
	
	http://nas.teamangwin.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 87.75.103.34, Status 404

	Fatal: Check of /.well-known/acme-challenge/random-filename has different answers 
checking ipv6 / ipv4. Ipv6 doesn't have the expected result http status 404 - Not Found. 
Creating a Letsencrypt certificate via http-01 validation may not work. Checking 
the validation file in /.well-known/acme-challenge Letsencrypt prefers ipv6. 
Two options: Remove your ipv6 / AAAA DNS entry or (better) fix your ipv6, 
so your webserver handles ipv6 correct. Perhaps add "Listen [::]:80". 
Don't use <VirtualHost ip-address:80>, switch to <VirtualHost *:80>. 
If you use IIS, check your bindings. Don't select a single ip address. 
Use this tool to check your raw ipv6 address. Add your domain name 
in the "Hostname" - field.

So

  • remove your ipv6 address (or)
  • fix your ipv6 configuration

Hi Juergen
Many thanks for taking the trouble to consider my query and respond.
Most of what you’ve explained is incomprehensible to me (my fault, not yours), but the last two lines seem to make sense. However, I am again hamstrung by my lack of technical nous… where do I do this: on my NAS, my router or my domain provider?

Also, since posting I’ve realised that, once properly setup I should be able (I think) to simply enter “nas.teamangwin.com” into a browser (and just that) and it should sort itself out, is that right? I ask because having said in my original post that

I’ve realised that I not only need to append the port number, but also manually prefix with “https:\”
Is there anything else I need to setup so that I can enter just the domain name on its own?

Many thanks.

Patch

Your domain provider is the correct place to change that.

There you have A (ipv4) and AAAA (ipv6) records.

But if ipv6 isn’t configured, that’s critical, because Letsencrypt prefers ipv6. Not working ipv6 -> Letsencrypt can’t check your domain.

Great, thanks for clarifying.
I’ve logged into the admin portal and had a look, but whilst the A record is understandable (just my static IP address), the current AAAA record, with a long string of seemingly random (though I’m sure they’re not) letters and numbers, seems unintelligible to me. I’m awaiting a support call from the helpdesk, so hopefully they will be able to guide me as to what to put.
Will update if and when I make progress.

That’s

2001:8d8:100f:f000::252

your ipv6 address. It’s hex coded - 0-9 A - F. Not “.”, instead “:”.

And it’s the future :wink:

See

Just one point of clarification—this discrepancy could be because your IPv6 address advertised in DNS is wrong, but it could also be because the router is forwarding ports differently in IPv4 and IPv6. Some routers make the port-forwarding process or configuration different depending on the Internet protocol version. It would be good to figure out which of these explanations is applicable here.

The A record is used to advertise an IPv4 address via DNS, while the AAAA record is used to advertise an IPv6 address (the name is a humorous reference to the fact that IPv6 addresses are four times as long, numerically, as IPv4 addresses—128 bits instead of 32 bits).

1 Like

Thank you for your input, also, Schoen.
In fact, when I went in to my router to check, it didn’t seemt to offer any option to setup separate port forwarding for IPv6 and upon discussion with my internet provider, Vodafone UK, it seems they have not adopted IPv6 yet and have no current plans to do so. I therefore went back to my domain provider and asked them to remove IPv6 per Juergen’s suggestion and - hey presto - my certificate request was processed without any further hiccup and it seems I can now get a secure connection straight to my nas.
Thank you both for your help on this, I have manage to sort my problem and learn something new in the process!

Yep. If you have “only” an ipv4 address and if that address works, then you can create a certificate.

Looks like some dns providers add ipv6 AAAA entries.

If it is a website, that may work. But if the ipv4 is changed (to a home server), ipv6 is wrong -> Letsencrypt can’t validate the domain.

I’ve wondered where they get these AAAA records that don’t work. Why would they think that the records should be added if they don’t correspond to an address that the customer can use‽

1 Like

I don’t know.

It’s curious: A lot of configurations with working ipv4, but not working ipv6.

As you will have gathered from my earlier comments, this is all a bit above my pay grade! If I understood what the help desk chap at my 1and1 said, they auto configure it with a dynamic IP address. Might that make sense?

I don’t know. Check your Domain management. If you have only an included domain, then it may not work. But if your ipv4 is your home server, you can change the ipv4. So you should be able to remove your ipv6.

Perhaps share a screenshot of your dns menu.

Sorry, I wasn’t clear. My issue is sorted: my ISP doesn’t offer IPv6, only IPv4. I set my dns to route IPv4 request to my static IPv4 IP address then, based on your input, spoke to my domain name provider and asked them to remove the IPv6 details which their system had put in by default, following which my Lets Encrypt certificate authenticated just fine.
I was merely commenting on yours and Schoen’s final comments, explaining that - if I understood the support guy at 1and1 correctly - they automatically put int some dynamic IPv6 details in. TBH it is all gibberish to me, I just didn’t know whether that might make sense to either of you.
Once again, thank you both for all your help.