I am no longer able to create a certificate from my Synology NAS for my domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: boushi.fr

I ran this command: Using graphic interface from the NAS

It produced this output: "Please check that your IP address, reverse proxy rules, and firewall settings are configured correctly and try again."

The operating system my web server runs on is (include version): DSM (SYNOLOGY)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DSM 7

From my point of view, port 443 and 80 are open and redirected to the NAS.
Able to connect from outside using these ports.

Let's Debug produces an error using http-01 (not for DNS), but I don't really understand the meaning.

Welcome @grego

Your apex domain name boushi.fr has an IP address in your DNS that is different from the IP you have for all your subdomains.

Specifically, your apex domain IP is for a Hostinger page but the others use a CNAME to a boushi.synology.me

To get a certificate with all those names they should all use the same IP

Since Dec 27 did you change your DNS for your apex domain? Because that was the last successful certificate you got: crt.sh | 15903073265

4 Likes
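The mismatch described in the reply above can be checked mechanically before requesting a certificate. This is an added example, not code from the thread or from Synology: it takes a snapshot of DNS records, follows CNAME (or registrar ALIAS) chains to the final A record for each name that will go on the certificate, and reports any name that ends up at a different IP than the others. The zone data and the RFC 5737 documentation IPs are constructed for illustration.

```python
# Added example: detect SANs that resolve to a different host than the rest.
# The zone snapshot below is constructed; the IPs are documentation addresses.
from __future__ import annotations
from collections import Counter

# Constructed zone snapshot: name -> ("A", ip) or ("CNAME", target).
# An ALIAS record at the apex behaves like a CNAME for this purpose.
ZONE: dict[str, tuple[str, str]] = {
    "boushi.fr": ("A", "192.0.2.10"),               # apex points at a web host
    "nas.boushi.fr": ("CNAME", "boushi.synology.me"),
    "photos.boushi.fr": ("CNAME", "boushi.synology.me"),
    "boushi.synology.me": ("A", "198.51.100.20"),   # the NAS DDNS name
}


def resolve_a(name: str, zone: dict[str, tuple[str, str]], max_hops: int = 8) -> str | None:
    """Follow CNAMEs until an A record is reached.

    Returns None when the name is unknown, the alias dangles, or the
    chain loops / exceeds max_hops (each of these also fails http-01).
    """
    seen: list[str] = []
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        if name in seen:
            return None  # CNAME loop
        seen.append(name)
        name = value
    return None


def find_mismatches(names: list[str], zone: dict[str, tuple[str, str]]) -> dict[str, str | None]:
    """Return {name: ip} for every requested name whose final IP differs
    from the IP shared by most of the names (or that cannot be resolved).

    Every SAN on one certificate must reach the same HTTP-01 responder,
    so any entry in the result explains a failed http-01 validation.
    """
    ips = {n: resolve_a(n, zone) for n in names}
    counts = Counter(ip for ip in ips.values() if ip is not None)
    if not counts:
        return ips
    expected = counts.most_common(1)[0][0]
    return {n: ip for n, ip in ips.items() if ip != expected}
```

Replacing the apex A record with an ALIAS to the same target as the subdomains, as done later in the thread, makes `find_mismatches` return an empty result.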

Hello @MikeMcQ and thank you for the welcome.

Yes I have changed to hostinger recently.

I have checked the previous configuration and my apex domain name was in the same configuration as today. It was a misconfiguration.

Nevertheless, I removed the A record for the apex domain and added an ALIAS record for it, with the same IP as the subdomains.

Thank you for this, I'm waiting for the propagation and will make another test.

Come back to you then.

1 Like

You are ready for another test now. Let's Encrypt checks your authoritative DNS servers directly. It is not affected by TTL propagation.

See: https://unboundtest.com/m/A/boushi.fr/JLIHJGHX

3 Likes

You're a master!

It was the issue, renewal is ok now!

Thank you for the help :waving_hand:

3 Likes