Having trouble certifying a domain

My domain is: androla.nl

I ran this command: NA

It produced this output: NA

My web server is (include version): none

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: Dynu.com

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): NA

I am having trouble getting the domain certified.
I have a Synology NAS running and I can access it via the domain.
So, I do not see why I get the message:
"ongeldig domein. zorg dat dit domein in een openbaar ip-adres kan worden geconverteerd" Which translates to: "invalid domain. make sure this domain can be converted into a public ip address". Really frustrating.

So I tried a couple of days, and now I get the message that I have made too many attempts to get certification.

If anyone has suggestions, I hope you will share them with me, because I am clueless.

Hello @Driesum, welcome to the Let's Encrypt community. :slightly_smiling_face:

When I try connecting to http://androla.nl with Firefox 107.0.1 (64-bit) on Windows I see nothing;
and then after several seconds (maybe 20 seconds) it seems to redirect to here http://androla.nl:5000/
and get "The connection has timed out".

Some investigative results

> androla.nl
Server:         ns1.dynu.com.
Address:        162.216.242.2#53

Name:   androla.nl
Address: 87.208.78.114
>
$ nmap androla.nl
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-09 07:55 PST
Nmap scan report for androla.nl (87.208.78.114)
Host is up (0.16s latency).
rDNS record for 87.208.78.114: 114-78-208-87.ftth.glasoperator.nl
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
5001/tcp open  commplex-link

Nmap done: 1 IP address (1 host up) scanned in 11.15 seconds

$ curl -I http://androla.nl
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 09 Dec 2022 15:56:50 GMT
Content-Type: text/html
Content-Length: 543
Last-Modified: Fri, 09 Dec 2022 12:28:28 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

e6430-i5$ curl -I http://androla.nl/.well-known/acme-challenge/testfile
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 09 Dec 2022 15:57:33 GMT
Content-Type: text/html
Content-Length: 11939
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
ETag: "62a83cc4-2ea3"

Using this online tool Rex Swain's HTTP Viewer with http://androla.nl as the input I see these results, which do not indicate to me that I am connecting to the Synology NAS

http://www.rexswain.com/httpview.html
Code last updated 21 March 2020
Request:

GET http://androla.nl HTTP/1.1
Host: androla.nl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Referer: http://www.rexswain.com/httpview.html
Connection: Close

Response Header:

HTTP/1.1 200 OK
Connection: close
Date: Fri, 09 Dec 2022 15:59:08 GMT
Accept-Ranges: bytes
Server: nginx
Content-Length: 543
Content-Type: text/html
Last-Modified: Fri, 09 Dec 2022 12:28:28 GMT

Content (Length = 543):
<!DOCTYPE·html>(LF)
<html>(LF)
····<body>(LF)
········<input·type="hidden"·id="http"·name="http"·value="5000">(LF)
········<input·type="hidden"·id="https"·name="https"·value="5001">(LF)
········<input·type="hidden"·id="prefer_https"·name="prefer_https"·value="false">(LF)
····</body>(LF)
····<script·type="text/javascript">(LF)
········var·protocol=location.protocol;(LF)
········var·port=location.protocol·===·"https:"·?·5001·:·5000;(LF)
········var·URL=protocol+"//"+location.hostname+":"+port+location.pathname+location.search;(LF)
········location.replace(URL);(LF)
····</script>(LF)
</html>
Done
Total elapsed time: 1 seconds
1 Like
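The investigation above shows the core of the problem: port 80 answers with a 200 page whose only "redirect" is JavaScript, and the challenge path returns 404. An ACME validator follows HTTP 3xx redirects but never executes JavaScript, so the token is never found. The following checker is an added example (not code from the thread or from Synology); it reproduces that diagnosis. The landing page is a constructed sample modelled on the 543-byte body shown above, `fetch`/`probe` are hypothetical helper names, and the token `testfile` is the same placeholder used in the curl test.

```python
import re
import urllib.request
import urllib.error

# Constructed sample: the landing page nginx on port 80 served for "/" in the thread
# (the HTTP viewer's "(LF)" and "·" rendering marks removed, script slightly shortened).
SAMPLE_ROOT_BODY = """<!DOCTYPE html>
<html>
  <body>
    <input type="hidden" id="http" name="http" value="5000">
    <input type="hidden" id="https" name="https" value="5001">
    <input type="hidden" id="prefer_https" name="prefer_https" value="false">
  </body>
  <script type="text/javascript">
    var port=location.protocol === "https:" ? 5001 : 5000;
    location.replace(location.protocol+"//"+location.hostname+":"+port+location.pathname);
  </script>
</html>"""

def parse_port_hints(body):
    # Hidden <input name=... value=...> fields carry the DSM ports the page jumps to.
    return dict(re.findall(r'<input[^>]*name="([^"]+)"[^>]*value="([^"]+)"', body))

def diagnose(root_status, root_body, challenge_status):
    # Explain what an ACME validator sees: it follows HTTP 3xx, but never runs JavaScript.
    if challenge_status == 200:
        return "challenge path reachable on port 80"
    hints = parse_port_hints(root_body) if root_status == 200 else {}
    if "location.replace" in root_body and "http" in hints:
        return ("port 80 serves a JavaScript-only redirect to port %s; the validator "
                "does not run it, so the token is never found" % hints["http"])
    return "challenge path returned HTTP %d on port 80" % challenge_status

def fetch(url):
    # Returns (status, body); urllib follows 3xx like the validator, 4xx/5xx raise HTTPError.
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def probe(domain, token="testfile"):
    # Mirror the two curl requests from the thread and turn them into one explanation.
    root_status, root_body = fetch("http://%s/" % domain)
    chal_status, _ = fetch("http://%s/.well-known/acme-challenge/%s" % (domain, token))
    return diagnose(root_status, root_body, chal_status)
```

Run `probe("example.com")` against a host you control to see the verdict; for an HTTP-01 challenge to pass, the challenge path on port 80 must answer 200 directly, or via a plain HTTP redirect.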

See Rate Limits - Let's Encrypt, searching for request on that page will help you find which limit you are running up against and how long you will have to wait before attempting again.

Also testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

2 Likes

Hi Bruce,

Thank you for your help.
Androla.nl is a Zyxel T54 router.
On this router ports 5000 and 5001 are forwarded to the Synology. An alias.androla.nl leads to the NAS.
Port 80 has been forwarded as well, since Let's Encrypt requires it to be open to be able to certify the domain.
I hope this explains the ports.

I used telnet to check if port 80 is open, and it is. I do not see why this message is being shown, and why certification is not successful.

I hope someone can figure this out.
I can reach the NAS, but the FQDN domain is not certified.

2 Likes

Not 100%; here are the Challenge Types - Let's Encrypt.
If you look at the DNS-01 challenge, then it is not a requirement.

1 Like

I did check https://androla.nl and it does redirect and connect to https://androla.nl:5001/ and is serving a Synology Self-signed certificate - Wikipedia.
Given that, the TLS-ALPN-01 Challenge Type is also available.

1 Like

I am confused. What domain name is a cert being requested for? The apex or alias.androla.nl ?

I don't see a redirect for an HTTP Challenge to the apex domain. I get an expected 404 since Test123 won't exist.

Was there any other info shown in the error message?

curl -i http://androla.nl/.well-known/acme-challenge/Test123

HTTP/1.1 404 Not Found
Server: nginx
3 Likes

Using this online tool https://www.ssllabs.com/ssltest/index.html the results for the domain name are here SSL Server Test: androla.nl (Powered by Qualys SSL Labs) showing the Alternative names synology MISMATCH which I expected.

1 Like

Here are community forums for Synology that may be of assistance as well:

  1. https://community.synology.com/enu
  2. https://www.synoforum.com/
  3. https://synocommunity.com/
3 Likes

Yes, that shows the result for HTTPS. But, an HTTP Challenge starts with HTTP

I am not surprised HTTPS will fail until they get a new Let's Encrypt cert

They also mentioned another domain name though (alias) which would help to know more about

3 Likes

Yeah, that is why I had mentioned Challenges of DNS-01 and TLS-ALPN-01 as alternatives to work around that; but at least I am no expert.

1 Like

Just zinging @Bruce5051 here; nothing like stating the obvious.

5 Likes

Hi Mike,

Thanks for joining in. I see a lot of comments, however I am not an expert in this field. These tests and challenges are all abracadabra for me.

The Synology software allows aliases to be certified together with the domain.
First it prompts you to choose an action: in my case Add a new Certificate
second it prompts you to choose an action:
1 import a certificate
2 Get a certificate from Let's Encrypt (which is my choice)
Then this pops up:

Does this explain why the main domain and the alias are being certified in one go?

Hope you can help.

1 Like

Hi all,
I tried again leaving the [Subject Alternative Name] empty and managed to get it certified. I certified the alias separately.
Apparently it is not convenient to include the aliases in this field.

Thanks for your assistance.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.