How to restart automatic renewals for a Synology certificate

My domain is: editholivier.synology.me

I ran this command: [Sorry - no idea what you mean. I got emails from you saying that my auto-renew was no longer working but no guidance as to how to restart.]

It produced this output: n/a

My web server is (include version):

The operating system my web server runs on is (include version): I guess that means Synology?

My hosting provider, if applicable, is: no idea

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I can access the Synology control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No idea

Sorry - I'm just a user of a Synology device and I've started getting emails from you. I'd be grateful for a simple means of renewing the CERTIFICATE

You need to fill out a lot more of that template in order to get the help you are requesting.

You should be able to identify the domain names from the email you have received.

You, or someone acting on your behalf, had to obtain the certificate that you want to renew. You typically obtain a new certificate the same way as you obtained its predecessor.

You are certainly welcome to offer more information in the hope that someone here can help. You may also find members of the Synology forum more familiar with that platform.

The certificates usually renew automatically. It doesn't get much simpler than that. For the volunteers here to figure out what has changed will require, at a minimum, the domain name on your certificate.

Thank you for helping us to help you help yourself.

4 Likes

Just adding to linkp's good comment ... I don't see any reason you would have started to get emails from Let's Encrypt for that domain name. A cert with that name has been renewed regularly for a long time. And, the latest does not expire for 40 more days.

Let's Encrypt does not send warning emails until 20 days before expiry (and again at 7 days before).

Can you show part of the email you received?

4 Likes

yeah - thanks for your rather unsympathetic responses. I should be grateful if you would bear in mind that I am simply an end user and I know nothing about this subject. Whatever you might claim, the first I heard about your service was when I started receiving emails saying that my certificate was running out. I never applied for one - I'm guessing that it is a deal you guys must have with Synology. But I now find that I can't remotely access my Synology.

If I don't fill in your form it's because I am not an IT specialist, just an historian faced with an issue I don't understand. Two IT companies I have approached with this issue both declined to get involved because they couldn't understand it. One of them was the one that set up the Synology in the first place. So something is not self-evident, even for IT specialists.

Here's the text of the email I get.

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 2023-06-17). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

editholivier.synology.me

For details about when we send these emails, please visit: Expiration Emails - Let's Encrypt In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

To learn more about the latest technical and organizational updates from Let's Encrypt, sign up for our newsletter: Join our Newsletter Community

If you are receiving this email in error, unsubscribe at: <snip>
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

Regards,
The Let's Encrypt Team

The certificate was actually renewed on June 2nd. The old cert referenced by the email is crt.sh | 8950339274 and a new one was issued some time after the email was sent (which was sent on [approx] May 28th): crt.sh | 9568104064

The one thing that stands out is that your Synology isn't reachable using port 80 nor port 443, which could hinder the renewal process, unless a DNS challenge was used. But I think Synology usually simply uses the http-01 challenge, which requires an open port 80 (and 443 if an HTTP to HTTPS redirect is being used).

3 Likes

Thanks - that's very helpful.

I'm afraid I don't understand 'the one thing that stands out is that your Synology isn't reachable using port 80 nor port 443, which could hinder the renewal process, unless a DNS challenge was used. But I think Synology usually simply uses the http-01 challenge, which requires an open port 80 (and 443 if an HTTP to HTTPS redirect is being used).'

But maybe if I pass it to an IT company they can sort it out.

Looks like my lack of access to the Synology must have some origin other than lack of a certificate.

1 Like

I thought they used a DNS Challenge for subdomains of synology.me but would use HTTP Challenge for custom names.

4 Likes

Ah, I didn't recognise the nameservers, but it would make sense indeed.

3 Likes

I just realized your most recent cert was renewed with only 15 days remaining on the prior cert. Ideally, the renewal is done 30 days ahead.

I don't know how you set the renewal schedule for Synology but that's why you got an email.

Your Synology should have a good cert to work with but we can't reach it to check because of the problems Osiris pointed out and it appears you now realize too.

4 Likes
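The timing argument in the posts above (90-day certificates, renew with 30 days left, reminder emails at 20 and 7 days before expiry) worked through as an added example that is not part of the thread or of any Let's Encrypt or Synology code; the thresholds are the figures quoted in the thread, and the dates in the test are the ones the posters give for this certificate:

```python
from datetime import date, timedelta
from typing import Optional

# Figures quoted in the thread: 90-day certificates, renew when a third of the
# lifetime (30 days) is left, reminder emails sent 20 and 7 days before expiry.
CERT_LIFETIME_DAYS = 90
RENEW_BEFORE_DAYS = 30
REMINDER_DAYS = (20, 7)


def renewal_schedule(not_after: date) -> dict:
    """Key dates for one certificate, derived from its expiry (notAfter) date."""
    return {
        "not_before": not_after - timedelta(days=CERT_LIFETIME_DAYS),
        "renew_by": not_after - timedelta(days=RENEW_BEFORE_DAYS),
        "reminders": tuple(not_after - timedelta(days=d) for d in REMINDER_DAYS),
        "not_after": not_after,
    }


def classify_renewal(not_after: date, renewed_on: Optional[date], today: date) -> str:
    """Plain-language verdict on a renewal relative to the guidance above."""
    sched = renewal_schedule(not_after)
    first_reminder, second_reminder = sched["reminders"]
    if renewed_on is None:
        # No replacement certificate yet: how far along the warning ladder are we?
        days_left = (not_after - today).days
        if days_left < 0:
            return "expired: no replacement certificate was issued"
        if today >= second_reminder:
            return f"urgent: {days_left} days left, both reminder emails already sent"
        if today >= first_reminder:
            return f"late: {days_left} days left, first reminder email already sent"
        if today >= sched["renew_by"]:
            return f"due: {days_left} days left, past the recommended renewal point"
        return f"fine: {days_left} days left, renewal not yet due"
    # A replacement was issued: was it early enough to avoid a reminder email?
    days_left = (not_after - renewed_on).days
    if days_left >= RENEW_BEFORE_DAYS:
        return f"on time: renewed with {days_left} days left"
    if renewed_on < first_reminder:
        return f"late but quiet: renewed with {days_left} days left, before any reminder"
    return (f"late: renewed with {days_left} days left, after the 20-day reminder; "
            f"an expiry email about the old certificate was expected")
```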

Sorry if it came across as unsympathetic, but there really isn't much that people in this community can really do about an issue with getting a certificate. The people who hang out here tend to do what they can to help diagnose problems.

And the core issue you're running into is that Let's Encrypt really isn't designed for end users at all. It's designed for exactly the use case you're seeing, where some software (such as Synology) uses it to automatically acquire certificates. So in the ideal use case, you wouldn't have been directed here at all, since your software should just be handling everything for you. (In practice, a lot of software doesn't do a great job of helping its users understand what's needed and what might be causing any problem with the software's integration with Let's Encrypt.)

There are a lot of challenges with having the automated expiration emails actually be useful to people, and I sometimes wonder if things would be better if they were simply stopped altogether (or maybe more explicitly opt-in-only or the like).

I'm not familiar with how Synology works myself, but in general yes. And in fact, it's much more likely to be the other way around, that the Synology not working means that it can't get a certificate.

6 Likes

First look for any firewall settings in the Synology and/or your router. Maybe even try power cycling your router.

Some residential ISPs block ports 80 and 443. Hopefully they haven't changed their policy about this but you may need to check with them if you can't find a reason you can't reach your Synology. Perhaps they have started using CGNAT which would prevent inbound requests to your Synology.

I see all ports to your domain name "filtered" which usually points to a firewall (or the ISP).

4 Likes

Thanks all. A lot to get someone - not me, but who knows about this kind of stuff - to look into.

Perhaps I can suggest that, if Let's Encrypt is going to send emails out, they need to have a link to somewhere where you can simply apply for a new certificate - not just links to IT-graduate-only explanations about why you might not be getting one.

Clearly Synology is only really an appropriate system in situations with IT back-up, not to the general public. I must make that point to the guys who sold it to me.

That's not how Let's Encrypt works. Let's Encrypt only offers an API, not an interface usable by humans.

It's the job of the developers of whichever system using this API to provide adequate software and adequate documentation on how to deal with problems for their users.

3 Likes

Ok - in which case, please send out emails that make it clear what action can be taken.

It does: it recommends to renew.

But there are like perhaps a hundred different ACME clients (the API is called "ACME") out there and Let's Encrypt can only send out a generic expiry warning. It cannot provide detailed "how to renew" emails, because that's different for every ACME client. You're using Synology, someone else is using Certbot, another user is on Windows using something else entirely et cetera et cetera.

3 Likes

OK - but your email is clear that I'm using Synology. Ergo, no problem giving instructions how to renew. Or where to go to find instructions (even if it's one in a hundred different scenarios) about how to renew. All you need is an end-user set of explanations and instructions about what the issue is and where to go. You guys have been able to explain a good deal of the issue to me now. No difficulty in putting all that in a simple page that any end-user can access, with links to the various different ways forward. Just requires someone who can translate from tech-speak to ordinary language so that end-users understand what can and can't be done.

Not really. You happen to use a shared domain name ending in synology.me. But, you can use custom names with Synology and they have a large number of root domains that could be used (see below).

We see problems with Synology NAS more often than any other vendor NAS. And, it isn't always the same underlying failure. A laundry list of actions should be provided by Synology. Let's Encrypt can't possibly know the best actions for each Synology product and software version. Sadly, Synology main documentation is so poor we reuse a stock answer when someone was obviously misled by it. If they had a good list we would have linked to it immediately.

Frankly, I think your complaints are misdirected. The email got you here which got you prompt answers from very experienced people for free. The email you showed was sent almost 2 months ago.

And, to top it off, all year you had valid certs without any gaps in expiration. The only failure is Synology (or you) not following Let's Encrypt guidelines to renew with 30 days before expiration.

From the Public Suffix List which can change at any time:

// Synology, Inc. : https://www.synology.com/
// Submitted by Rony Weng <(redacted)@synology.com>
dscloud.biz
direct.quickconnect.cn
dsmynas.com
familyds.com
diskstation.me
dscloud.me
i234.me
myds.me
synology.me
dscloud.mobi
dsmynas.net
familyds.net
dsmynas.org
familyds.org
vpnplus.to
direct.quickconnect.to

4 Likes

And as I was trying to say, it's really as much on the interface that has someone put an email address in a box to sign up as a Let's Encrypt subscriber, without making it clear who exactly should be the one getting that email. It sounds like the person getting the email really shouldn't be you (if there isn't anything you can be doing about certificates expiring), but your email address got used anyway.

That may be the case (like I said, I'm not really familiar with Synology). I think the way to think of it is that Let's Encrypt is your vendor's vendor, and not really something you should be needing to interact with directly.

5 Likes

Well, in the case of Synology, who else would it have to be? support@synology.tld? There's not much in between the NAS vendor and the end user.

By the way, Synology has a knowledge base article about problems with renewing:

It advises to open port 80, even though they also apparently support a wildcard certificate using their DDNS service. But perhaps the http-01 challenge is being used when no wildcard cert is requested.

2 Likes

'The only failure is Synology (or you) not following Let's Encrypt guidelines to renew within 30 days before expiration.'

Sure thing, Mike. But since Let's Encrypt have not enabled me - even now - to find a path to renew within 30 days, it's not a useful or helpful caution to issue. And since it is plainly obvious that I have no means of knowing whether or not I have a certificate (and note that nobody has thought to show me how to find out) your acerbic 'to top it off' comment is, it appears to me, a breach of your own forum guidelines.

The point here is that you guys are very keen to point out all the issues there are with Synology now that I - a totally innocent member of the public, drawn into this by Let's Encrypt's own email - have tangled with your forum. All this could and should have been made clear right at the beginning.

Let me reiterate my point: I am an end user caught up in this because of an email that came from you guys out of the blue. If that email was not clear about the issues involved, that's your problem not mine. If my inquiries are met with demands for information I am not qualified to give, that's your problem, not mine. If a reference to issues with Synology was what was required all along, that's your problem not mine. If you are not set up to deal with non-IT members of the public, that's your problem not mine. If you don't have a FAQ page that is intelligible to non-specialists, that's your problem not mine. If you can't explain in layman's terms in a single response what's going on, that's your problem not mine. If you can't - despite everything you've read about where I'm coming from - resist sending me jargon-laden paragraphs about ports and challenges, that's your problem not mine. If you can't, in short, take responsibility for dealing with a non-IT query about something that has arisen, then that is something on which you need to reflect. This is simply a member of the public trying to sort what you guys can do to help. If you offer a service, then making that viable, accessible and helpful is very much your problem, not mine. I don't have to pass a test to be allowed to use this forum. Working around what I know and what expertise and information is available to me is, perhaps I may be permitted to repeat, your problem, not mine. I suggest you may need to reflect on the tone in which these exchanges have been conducted.