How to restart automatic renewals for a Synology certificate

Thanks for this. A reference to that Synology article looks like the best way forward.

How? I'm sure Let's Encrypt wants to improve if they can.

Please note that most of the people here on this Community are just volunteers from around the world, not employed by Let's Encrypt whatsoever.

How can the email be more clear? Keeping in mind the limitations on the Let's Encrypt side.

What kind of FAQ did you have in mind? Note that Let's Encrypt cannot make a FAQ 4293 pages long for every possible implementation.

Well, in the end Let's Encrypt issues more than 3 million (!!!) certificates per day. I'm pretty sure your single failure to get a certificate, however rude it may sound, is actually your problem and not one of this Community. We're happy to try to help, but in the end you're the one with the problem. I personally won't sleep any less over it, sorry.

4 Likes

Yep - well I think that's QED. You guys are simply unable to explain the issue in plain terms so that an end user, faced with an email that lacks any useful links for forward action, has any useful pointers as to action that can be taken. And when asked for plain instructions the user is presented with a trail of technical disagreements and ultimately with a deal of finger wagging, suggesting that it's all a bit complicated and he should have known better all along.

I think we can all agree that this matter has exposed some pretty unsatisfactory communication, not least by Synology. Thanks for your attempts to help. Those who choose to use a forum such as this to say they are 'not going to lose any sleep' over a member of the general public's problems require, I suggest, a period of reflection about what exactly they imagine they are doing on a forum such as this.

You would prefer no email at all?
If so, just click the link to remove yourself from any such future emails.

There is little that can be done about that from outside of your systems.
The most anyone can do is to point you to the public logs.

Why do you make it sound like a crime has been, or is being, committed?
That email was from 2 months ago [when your cert life was below 30 days left].
Why/how is this a problem now?

Not true.
Again, if you don't want any such future emails, you can just opt out of them.

The email is clear to most.
But as with everything ever written - there is a bit of subject to interpretation involved.
And it seems that your interpretation is not what was intended.

At this point, your NAS should have a valid cert.
So, I'm not even certain why this conversation continues.

You repeat "your problem, not mine" like anyone here [mostly unpaid volunteers] can do anything about it OR would somehow be persuaded to take your view.
I don't take any of this personally.
I do try to help those that I can.
But sometimes there are those that can't, or won't, be helped by this system.
I can only help within the system, I can't change it - even if I would somehow see/take your view.

The goal is to automate the entire certificate process.
But that is not within any single set of hands.
It will require vendors [like Synology] to take steps, and continue taking steps, in that direction as well as many others.
Until then, we can only do our best to endure and help each other through this.

If this is all too "technical" for you, then you may need to reconsider your role in this and/or your choice of NAS vendor in this process.

5 Likes

I try to help anyone presenting with a constructive attitude, which immediately mentioning "rather unsympathetic responses" is not, IMO. But even then, I try to help you, for better or for worse. But in the end, no, I will not lose any sleep over a thread on this Community, sorry to disappoint.

2 Likes

The only thing I'll add to this is that, as NAS vendors go, Synology is generally considered to be very (perhaps overly) end-user-friendly. There's always a balance between flexibility and ease of use; some other systems (e.g., TrueNAS, with which I'm most familiar) are more flexible and powerful at the expense of ease of use. Synology, if anything, goes too far in the other direction.

Are you seriously suggesting that we who provide support here should be so invested in the problems of people we don't know that we'd lose sleep over them? Because that's frankly a nonsensical suggestion, even when the users in question aren't combative off the bat as you've been.

4 Likes

I do think we could do better about that.

Lots of people get their issues solved on this forum every day. They are usually people who are in some kind of technical role, who were intentionally setting up a Let's Encrypt certificate somewhere and got an error. The forum volunteers then helped them identify what was causing that error, and they changed it, and it then worked.

The Let's Encrypt service is completely, 100% automated, which is what allows it to issue 3 million certificates per day while being run by a not-for-profit organization and not charging anyone money for certificates. On the flip side, that prevents Let's Encrypt from having paid support - the "official" support is volunteer support! - and requires that most of the responsibility for making certificate issuance and renewal work be taken on by organizations that are relatively expert. It also means that there is nobody who can step in and fix or work around the problem from Let's Encrypt's end; the systems are literally designed to prevent Let's Encrypt's own staff from manually intervening in an individual case.

The only way that Let's Encrypt will be able to issue a new certificate to you is if the software that you use is able to meet its criteria for proving that it's entitled to get a certificate for your particular domain name, which will probably require some kind of technical change on your side - in the Synology software, in your home router settings, or in your Internet service provider's configuration, depending on where the problem turns out to be. Since nobody is able to override Let's Encrypt's policies or make a special exemption, that change (whatever it is) has to be identified and made by someone.

It's not obvious who that "someone" should be, on various levels.

There are technical things that have to be checked by someone who understands them well enough to check them. Then they may have to be changed by someone who has the ability to change them. This should probably be Synology, since you're paying them, but there doesn't seem to be a perfect answer.

Let's emphasize again that Let's Encrypt is a free service that's "used" by machines, not by people. It offers a so-called API, which is a means for other computers to communicate with it; it doesn't have any kind of web site for people to log into and use its services through. So all guidance on fixing a problem involving it will relate to "how can we get the machines to talk to each other happily again?".

People here are mainly unpaid volunteers with various levels of expertise in figuring out the details of why the machines aren't happily talking to one another.

I can see the issue with the renewal reminder e-mails. Those were originally written for the prototypical "end user" of Let's Encrypt, who is a professional computer administrator who runs a public web site. That user will have a professional responsibility, and typically the knowledge and ability, to investigate and fix the problem. They're usually extremely helpful to people in that situation. In other cases, where people's connection to the issue is more remote, they're potentially much less helpful, although they're still an attempt to point out a real problem to someone who could hopefully do something about it. The landscape of people who may end up getting these e-mails is very broad by now.

One possibility is that we should write a new web page which describes these roles and relationships in some way, and then link to that in the beginning of the renewal reminder messages, so that people who get these messages without knowing why can potentially get some guidance about who's who, so to speak.

Your Synology device is programmed to request certificates from Let's Encrypt. Those certificates are only valid for 90 days, so a new one has to be requested frequently. This process is supposed to be completely automated, and is carried out by software running on the Synology device itself. Unfortunately, this process now seems to be failing in some way, because the Synology software could not communicate with Let's Encrypt, or could not successfully prove to Let's Encrypt that it was entitled to a certificate for your domain name.

Fixing this will probably require identifying where the breakdown in communications between the Synology device and Let's Encrypt has occurred and making some kind of change to fix that problem. This could turn out to be in your home router settings, your Internet service provider's configuration, or maybe elsewhere. Ideally, we would want to see more technical details from the Synology device that explain what kind of problem it's having with Let's Encrypt. We are unfortunately not able to look up information from Let's Encrypt's end that would indicate this, although the Synology device itself should in principle have access to more details about what's going wrong.

The participants in the Synology forums have more expertise in how to debug problems related to these devices.

https://www.synoforum.com/

Even if they can't solve the problem, they might be able to explain how to get more technical details about what the problem is, which would be helpful in helping us advise you what might fix it.

4 Likes
