Failed to renew cert -- possible port confusion

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: icanhome.e2snail.com
My web server is (include version): I have a Synology NAS DS415+ version DSM 7.0.1-42218 Update 2
I am trying to renew the certificate that is already installed. I have followed the process step by step.

The IP address of the NAS is 192.168.1.170. I have placed port forwarding for ports 443, 8443, and 80 from my external router to the NAS device. See image below. This is for both UDP and TCP.

I do the following.
step1: under Security, I edit the shown certificate.

step2: I select to get a new certificate.

step3: I inserted the domain details and selected next.

After waiting about 4 mins I keep getting the below error and I cannot figure out why. I do have access to the NAS from the internet without hassles.


Don't know if this is even relevant, but these domains are allocated to specific ports, for this domain I use port 5000.
Do you have any advice?
Lawrence

This address times out for me on port 80.

Are you sure your port forwarding is working and your ISP is not getting in the way?


Sorry, I don't understand. This is not being served on port 80. It is not a web site, it is a Synology NAS. I could open port 80 for the cert and then close it down again.

Will keep you informed, thanks

I have just checked and the firewall on the Synology NAS is not configured.


I have also checked the network settings, and HTTPS and HTTP are both set to respond.


I would assume that with the firewall not enabled and the HTTP response set to reply, and I have the ports open on my unifi portforwarding set to allow traffic on port 80 and 443 and 8443, there should be no issue.

Did a little more searching and found the following.
I tailed the /var/log/messages file and saw the following.

# # # # # # # # #

2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.256065] Module [xt_recent] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.280658] Module [xt_iprange] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.297753] Module [xt_limit] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.314332] Module [xt_state] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.342591] Module [xt_multiport] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.382599] Module [xt_LOG] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.408560] Module [nf_conntrack_ipv4] is removed.
2022-02-04T15:50:32+01:00 ICANHOME kernel: [1200745.515483] Module [nf_defrag_ipv4] is removed.
2022-02-04T15:50:32+01:00 ICANHOME syno-letsencrypt[4436]: client_v2.cpp:468 Failed to open port
2022-02-04T15:50:45+01:00 ICANHOME syno-letsencrypt[4436]: client_v2.cpp:808 Failed to do new authorization, may retry with another type. [{"error":101,"file":"client_v2.cpp","msg":"Fetching http://nas.e2snail.com/.well-known/acme-challenge/Dp3R6XaSp9ytNNLUPYCkVgTmMaWi6wc10I4YWU0zLuw: Timeout during connect (likely firewall problem)"}
]

Then I checked the ports open on my NAS.
As you can see, port 80 is open.

Now I have checked port 80 on the NAS and also port 80 on my unifi firewall. Both are opened.

Now I have no idea.
Lawrence

You should accept port 80 and NAT/PortForward it directly to 5000.

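An added example, not part of any post in this thread: a small Python triage of the `syno-letsencrypt` lines quoted above, showing which host and port the validation request actually targeted. The function name `triage` and the field names are assumptions made for this sketch; the two log lines are copied from the post, with the wrapped JSON array joined onto one line.

```python
import json
import re
from urllib.parse import urlsplit

# Copied from the /var/log/messages excerpt in the thread; the trailing "]"
# that the post shows on its own line is joined back onto the JSON array.
SAMPLE_LOG = '''\
2022-02-04T15:50:32+01:00 ICANHOME syno-letsencrypt[4436]: client_v2.cpp:468 Failed to open port
2022-02-04T15:50:45+01:00 ICANHOME syno-letsencrypt[4436]: client_v2.cpp:808 Failed to do new authorization, may retry with another type. [{"error":101,"file":"client_v2.cpp","msg":"Fetching http://nas.e2snail.com/.well-known/acme-challenge/Dp3R6XaSp9ytNNLUPYCkVgTmMaWi6wc10I4YWU0zLuw: Timeout during connect (likely firewall problem)"}]
'''

LINE_RE = re.compile(r'^(\S+) (\S+) syno-letsencrypt\[\d+\]: \S+ (.*)$')
FETCH_RE = re.compile(r'^Fetching (\S+): (.*)$')
CHALLENGE_PREFIX = '/.well-known/acme-challenge/'

def triage(log_text, expected_host):
    """Return one finding per failed challenge fetch found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a syno-letsencrypt line
        timestamp, _host, message = m.groups()
        start = message.find('[{')        # JSON error array, if present
        if start == -1:
            continue
        try:
            errors = json.loads(message[start:])
        except json.JSONDecodeError:
            continue                      # wrapped or truncated line
        for err in errors:
            f = FETCH_RE.match(err.get('msg', ''))
            if not f:
                continue
            url = urlsplit(f.group(1))
            # No explicit port in the URL means the scheme default applies.
            port = url.port or (443 if url.scheme == 'https' else 80)
            findings.append({
                'timestamp': timestamp,
                'host': url.hostname,
                'port': port,
                'is_http01_path': url.path.startswith(CHALLENGE_PREFIX),
                'host_matches': url.hostname == expected_host.lower(),
                'detail': f.group(2),
            })
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG, 'icanhome.e2snail.com'):
        print(finding)
```

The finding shows the fetch went to port 80 of the host named in the log, so that is the external name and port whose forwarding needs to reach the NAS, independent of the port used for normal access.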
