Failing to request certificate after expiration


#1

Hey all, I’ll start off by noting that I’m far from a networking expert, so I apologize if I’m not explaining the situation properly. I have a Synology DiskStation DS216j NAS device set up on my home network and I’ve set up DDNS config on my router as usg.alllday.biz via Google Domains. I usually access my NAS remotely via VPN configuration on my router, but whenever I want to allow temporary access for a friend I would like to simply forward the necessary port on my router to allow the friend to access the NAS via a secure connection. I had obtained an SSL certificate from Let’s Encrypt several months back, but I accidentally let it expire so I am trying to renew the certificate. I made several requests for the certificate yesterday while tinkering with my router configuration after each failed attempt, and there were a few times when I’d received a different error message than what’s shown below, but now my requests are being denied and I believe it’s because I made too many requests (none successful, as far as I’m aware).

I have confirmed that my NAS is set up for external access and that my router is configured to allow connections, and I’ve successfully tested this from outside my LAN. Any help would be greatly appreciated!

My domain is: usg.alllday.biz

I ran this command: N/A. I’m not familiar with the specific commands; I am requesting the certificate via the control panel of my Synology DS216j (DSM Version 6.1.7-15284).

It produced this output: Failed to connect to Let’s Encrypt. Please make sure the domain name is valid.

My web server is (include version): Don’t know

The operating system my web server runs on is (include version): Don’t know

My hosting provider, if applicable, is: Verizon FiOS

I can login to a root shell on my machine (yes or no, or I don’t know): I’m sure I can since I am the network owner, but I’m not familiar with this process.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes. Synology DiskStation device, model DS216j. The control panel is built into DiskStation Manager Version 6.1.7-15284.


#2

Hi @deadringer21

Your domain is online; HTTP / port 80 works.

checking

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:usg.alllday.biz&lu=cert_search

You have 3 certificates created 2018-07-18, not yesterday. So you’ve hit the

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

which isn’t a problem today.

This is good. Use the integrated solution.

But checking your configuration there is an error:

D:\temp>download http://usg.alllday.biz/ -h
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: base-uri 'self'; connect-src ws: wss: ; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/; font-src 'self' data:; form-action 'self'; frame-ancestors 'self' https://gofile.me http://gofile.me; frame-src 'self' data: blob: https://*.synology.com https://www.synology.cn/; img-src 'self' data: blob:; media-src 'self' data: about:; report-uri webman/csp_report.cgi; script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/; style-src 'self' 'unsafe-inline';
Cache-Control: no-store
Content-Type: text/html; charset="UTF-8"
Date: Wed, 31 Oct 2018 15:49:06 GMT
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

Status: 200 OK

819,90 milliseconds
0,82 seconds

Your root answers with a 200 status. But /.well-known/acme-challenge/1234 (a non-existent file):

D:\temp>download http://usg.alllday.biz/.well-known/acme-challenge/1234 -h
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
ProtocolError
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Content-Length: 11939
Content-Type: text/html
Date: Wed, 31 Oct 2018 15:49:19 GMT
ETag: "5aff8559-2ea3"

Status: 403 Forbidden
403

364,83 milliseconds
0,36 seconds

This is wrong. Looks like you don’t allow access to this directory. Your server should send a 404 status (not found).

So create a file in this directory and check (via browser) whether you can load this file.
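An added example, not from this thread and not Synology's code: a scripted version of the check JuergenAuer did by hand. A Let's Encrypt HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP, so the path must be served (a missing token gives 404), not forbidden (403). The script writes a random token file into a webroot, fetches it, and classifies the status for a non-existent token. To run offline it serves a temporary webroot from a local Python HTTP server on 127.0.0.1 as an assumed stand-in for the NAS; against a real host you would point `http01_dry_run` at the real webroot and the public hostname.

```python
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def classify(status: int) -> str:
    """Interpret the status a server returns for a non-existent challenge token."""
    if status == 404:
        return "ok"        # path is served normally; only the token file is missing
    if status == 403:
        return "blocked"   # the server forbids the challenge directory itself
    return "unexpected"

def fetch(url: str) -> tuple:
    """GET url and return (status, body); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def http01_dry_run(webroot: Path, base_url: str) -> dict:
    """Write a random token into the webroot and check it is reachable over plain HTTP."""
    token = secrets.token_urlsafe(16)
    target = webroot / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(token)
    status, body = fetch(f"{base_url}/{CHALLENGE_DIR}/{token}")
    missing_status, _ = fetch(f"{base_url}/{CHALLENGE_DIR}/no-such-token")
    return {"token_served": status == 200 and body.decode() == token,
            "missing_token": classify(missing_status)}

def serve_temp_webroot():
    """Start a throwaway local HTTP server (assumed stand-in for the NAS) on a free port."""
    webroot = Path(tempfile.mkdtemp())
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(webroot))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}", webroot

if __name__ == "__main__":
    server, base, root = serve_temp_webroot()
    print(http01_dry_run(root, base))   # expect {'token_served': True, 'missing_token': 'ok'}
    server.shutdown()
```

A result of `"missing_token": "blocked"` reproduces the 403 seen above and means the web server, not the certificate request, is what needs fixing.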


#3

Thank you, @JuergenAuer, this is a very helpful reply, but I’m not sure how to go about creating a file in the /.well-known/acme-challenge/1234 directory. Can you provide any additional information on this, or any advice on how I might achieve this? When I access my device via browser, the URL remains constant since the UI is a single page emulating a desktop similar to a Windows OS. I do not believe I’ve made any configuration changes since I was first able to successfully request the certificate in July.

Again, I really appreciate your feedback, and I’m sorry I can’t do more with it -_-


#4

I don’t use Synology. Perhaps my idea is wrong and Synology manages the folder access.

Checking

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/connection_certificate

it should work. But if such an integrated solution doesn’t work, it’s nearly impossible to find a direct solution.


#5

Okay, thanks for the follow-up. I’ll do some research on the Synology end and see if I can find any help there.