Help getting let's encrypt to validate domain registered with namecheap on Synology

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blittbase.com

I ran this command:
I’m trying to use Synology Router to issue a Let’s Encrypt certificate for this domain, which will point to an example.synology.me DDNS
It produced this output:
“Failed to connect to Let’s Encrypt. Please make sure the domain name is valid”.
Namecheap.com CS says: “Unfortunately, we do not provide support with the Let’s Encrypt validation.”

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi,

You have DNSSEC enabled at the registry level, but don’t have the corresponding DNSSEC-signed records.
This would prevent record resolution. (Which means you can’t see the website)

Please contact Namecheap to resolve “DNSSEC signature” issue.
https://dnsviz.net/d/blittbase.com/dnssec/

Thank you


After a long chat session with Namecheap CS, they didn’t see any problems on their end and suggested activating DNSSEC from their DNS domain management webpage. I did activate this, but don’t see any changes on the site you linked… Also, still getting the “Failed to connect” error from Synology when trying to connect to LE.


Just did a recheck and your DNSSEC is enabled now.
What exactly are you trying to do?

You’ve mentioned a CNAME to a Synology domain, did you do it? (Checking your DNS records, there’s no IP address or CNAME found for either your root domain or www domain.)


I’m trying to secure a LE certificate using Synology Router.
LE works for a certificate for the Synology DDNS, but I want one for the FQDN blittbase.com, so I can use that site as well. This site will eventually link back to my router, server, and whatever else follows.
So Namecheap says all I need is type: CNAME Record, host: router, and value: example.synology.me. I set this up, went back to the RT2600 router and tried to get LE to issue a certificate w/ Domain: blittbase.com, SAN: router.blittbase.com.
But I keep getting the same error. Again, tested it fine with DDNS, so the ports are open, and LE is issuing, just not to this domain name!
thanks so much!


Try to only issue a certificate with router.blittbase.com.

If that succeeds, add your IP / the IP in your CNAME record to your root domain; you can’t get a certificate for your root domain unless there are A/AAAA records for that domain.


I put router.blittbase.com in the domain name and the SAN. No luck. Still fails to connect.
I don’t have an IP in the CNAME record or root domain with Namecheap. The only record I have for the domain is the one pointing from router.blittbase.com to the Synology DDNS. No A/AAAA records because I don’t think I have a static IP address for the router…

what he’s telling you is that you cannot have a cname on domain.tld, only on sub.domain.tld.

on domain.tld you can have an a/aaaa and other records, but no cname.


This is all I have. Namecheap said it should work. It’s a CNAME on a subdomain (router.blittbase.com). But I don’t have any A/AAAA attached to the domain.tld.


it’s ok, a/aaaa are attached to planetmoonofendor.synology.me. I see no problem with your dns records.

% dig router.blittbase.com

; <<>> DiG 9.16.0-Ubuntu <<>> router.blittbase.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;router.blittbase.com.		IN	A

;; ANSWER SECTION:
router.blittbase.com.	59	IN	CNAME	planetmoonofendor.synology.me.
planetmoonofendor.synology.me. 238 IN	A	75.76.29.188

;; Query time: 131 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: lun mar 16 22:54:55 CET 2020
;; MSG SIZE  rcvd: 108

There are some pretty strange redirects, though: https://check-your-website.server-daten.de/?q=router.blittbase.com#url-checks

% curl -IL router.blittbase.com
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 16 Mar 2020 22:02:07 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Keep-Alive: timeout=20
Location: http://router.blittbase.com:5000/

HTTP/1.1 302 Moved temporarily
Server: nginx
Date: Mon, 16 Mar 2020 22:02:08 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
Location: https://router.blittbase.com:5001/

[timeout]
1 Like
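
An added example, not part of any post in this thread: Let's Encrypt's HTTP-01 validation starts on port 80 and follows redirects only to http or https URLs on ports 80 or 443, at most 10 deep, so the hops in the curl output above can be checked against those rules. The function names are illustrative, and the sample input is the `Location` chain from that curl output with the other headers trimmed.

```python
from urllib.parse import urlsplit

# Response headers copied (trimmed) from the curl -IL output in the thread.
CURL_OUTPUT = """\
HTTP/1.1 302 Moved Temporarily
Location: http://router.blittbase.com:5000/

HTTP/1.1 302 Moved temporarily
Location: https://router.blittbase.com:5001/
"""

DEFAULT_PORT = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443}  # only ports an HTTP-01 redirect may target
MAX_REDIRECTS = 10         # redirect depth the validator will follow

def parse_hops(header_dump):
    """Return [(status_code, location_or_None), ...], one per response."""
    hops = []
    for line in header_dump.splitlines():
        line = line.strip()
        if line.upper().startswith("HTTP/"):
            hops.append([int(line.split()[1]), None])
        elif hops and line.lower().startswith("location:"):
            hops[-1][1] = line.split(":", 1)[1].strip()
    return [tuple(hop) for hop in hops]

def redirect_problem(location):
    """Return why HTTP-01 validation would refuse this redirect, or None."""
    url = urlsplit(location)
    if not url.scheme and not url.netloc:
        return None  # relative redirect keeps the current scheme and port
    scheme = url.scheme or "http"  # "//host/path" inherits the scheme
    if scheme not in DEFAULT_PORT:
        return f"scheme {scheme} is not http or https"
    port = url.port or DEFAULT_PORT[scheme]
    if port not in ALLOWED_PORTS:
        return f"port {port} is not 80 or 443"
    return None

def audit(header_dump):
    """List (location, problem) for every redirect that would fail."""
    hops = parse_hops(header_dump)
    redirects = [loc for status, loc in hops if 300 <= status < 400 and loc]
    findings = [(loc, why) for loc in redirects if (why := redirect_problem(loc))]
    if len(redirects) > MAX_REDIRECTS:
        findings.append((None, "more than 10 redirects"))
    return findings

if __name__ == "__main__":
    print(*audit(CURL_OUTPUT), sep="\n")
```

Both hops in the thread's output are flagged, the first for port 5000 and the second for port 5001.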

(sorry - I am totally daft about this stuff) — so the DNS stuff on namecheap is OK? That’s good. but I’m still not able to get LE to create the certificate or OK the domain…which is the original problem…

You should tell your control panel that you want a cert for domain router.blittbase.com using http-01 as validation type (if it asks).

this is what I have from synology router… and I’ve tried w/ domain router.blittbase.com and just domain blittbase.com with router.blittbase.com as SAN

does it complain? how?

This message isn’t telling me very much

try router.blittbase.com as both.

I wish it said more, but that’s the error…tried again as u suggested and …

Hi,

First of all, can you please check if your DSM is up to date?
Can you also enable port forwarding on your router, for port 5001?
(Port 80, 5000 and 5001 should all be open and forward to your DSM)

Thank you


The LE certificate request is for my RT2600 router. …
But SRM and DSM are up to date. I spoke with Synology tech earlier, and they said ports are all good, esp since I was able to reach LE for certificate for the Synology DDNS. Basically, I am falling between the cracks — Synology and Namecheap are pointing fingers at the other…

