First certificate for Synology NAS

Hello guys,

This is the first time I am trying to get a Let's Encrypt certificate. I have already been struggling for quite some time. When I check immanuelcloud.nl - Make your website better - DNS, redirects, mixed content, certificates it reports something wrong for ACME, but I can't figure out what. I have opened port 80 on my router to port 80 on the Synology, but that does not seem to work. Can anybody shed some light on it? Hugely appreciated!

My domain is: immanuelcloud.nl

I ran this command: Request for certificate with Synology DSM 6.2.4

It produced this output: Fetchinh http://immanuelcloud.nl/.well_known/acme-challange/....: Timeout during connect (likely firewall problem)

My web server is (include version): Synology DSM 6.2.4

The operating system my web server runs on is (include version): Synology DSM 6.2.4

My hosting provider, if applicable, is: ISP is KPN (Netherlands), domain via Strato using DynDNS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, just Synology DSM

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @Immanuel

You can, you already have the answer:

Exactly, that's the problem. Your port 80 doesn't answer, so you can't create a certificate via HTTP validation.

Why? I don't know. Wrong router config, your ISP blocks, a firewall kills the connection silently ...

Hi @JurgenAuer,

That is weird. If I try to go to immanuelcloud.nl:80 I do get to my Synology login screen (forwarded via port 5001).

Welcome to the Let's Encrypt Community :slightly_smiling_face:

This might help:

For http://immanuelcloud.nl, which Let's Encrypt uses for an http-01 challenge, port 80 is unresponsive/closed. I eventually received a 504 Gateway Timeout response.

You can check this with:
https://www.yougetsignal.com/tools/open-ports/

For https://immanuelcloud.nl, which Let's Encrypt would use for an http-01 challenge if there were a proper http to https redirect in place, port 443 has a 302 Moved Temporarily forward to port 5001, which Let's Encrypt will not use for an http-01 challenge.

You can check this with:
https://www.redirect-checker.org/

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

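As an added illustration (not part of any post in this thread, nor Let's Encrypt's own validator code), the redirect rules quoted above can be checked offline against a redirect chain before requesting a certificate. The script below encodes the stated rules (http/https only, ports 80 or 443 only, no IP-address hosts, at most 10 redirects) and applies them to a constructed chain modelled on this thread's 302 forward to port 5001; the hostnames and token are placeholders.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                      # limit quoted from the Let's Encrypt docs
DEFAULT_PORT = {"http": 80, "https": 443}


def _is_ip_literal(host):
    """True if the host part is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_hop(url):
    """Return None if this URL is acceptable to the HTTP-01 validator, else a reason."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return f"scheme {parts.scheme!r} is not http or https"
    host = parts.hostname
    if not host:
        return "missing host"
    if _is_ip_literal(host):
        return f"redirect to IP address {host} is not accepted"
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORT[parts.scheme]
    except ValueError:
        return "invalid port in URL"
    if port not in (80, 443):
        return f"port {port} is not 80 or 443"
    return None


def check_redirect_chain(chain):
    """chain: URLs in fetch order, starting with the http:// challenge URL.
    Returns None when the whole chain would be accepted, else the first failure."""
    redirects = len(chain) - 1
    if redirects > MAX_REDIRECTS:
        return f"{redirects} redirects exceed the limit of {MAX_REDIRECTS}"
    for i, url in enumerate(chain):
        reason = check_hop(url)
        if reason:
            return f"hop {i} ({url}): {reason}"
    return None


# Constructed chain mirroring this thread: port 80 -> 443 -> 302 to port 5001.
THREAD_CHAIN = [
    "http://nas.example.test/.well-known/acme-challenge/TOKEN",
    "https://nas.example.test/.well-known/acme-challenge/TOKEN",
    "https://nas.example.test:5001/.well-known/acme-challenge/TOKEN",
]

if __name__ == "__main__":
    print(check_redirect_chain(THREAD_CHAIN) or "chain accepted")
```

Port 80 still has to answer at all for the first hop to happen; this only tells you whether the redirects that follow would be honoured.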
