Impossible to get a certificat for my NAS


#1

Hello,
I hold a domain scadalliance.net registered at OVH.
I have 2 NAS Synology, each located at a different site. I want to get certificate for both, but I fail.
Both sites have dynamic public IP, so I have created two DynHOST, one named serv1.scadalliance.net, the other serv2.scadalliance.net. They are both included in the DDNS of the NAS. Connection is OK.
I have also created some subdomains like file.serv1.scadalliance.net and file.serv2.scadalliance.net
The URL https://file.serv1.scadalliance.net bring me correctly to the file station of the NAS, thus meaning that the address is ok.
Port 80 and 443 are directed to the NAS and I use the Reverse Proxy to resolve the addresses locally.
Despite all that, I cannot get a certificat for serv1.scadalliance.net and its subdomains.
The process abort and I get a message saying that operation fail, reconnect to dsm and retry.
I have not yet tried with serv2 domain. I’ll do it once serv1 will work.
Any idea of what prevent me to get a proper certificat ?


#2

Hi,

I’m not sure what prevent you from getting a certificate.
(Might be dyn’s problem) (others might know what’s going in)

However, you can try use DNS validation which you’ll need to create a TXT record for validation.

Thank you.


#3

You mean a txt like this ?
serv1.scadalliance.net IN TXT “serv1.scadalliance.net


#4

The TXT record is for _acme-challenge.serv1.scadalliance.net IN TXT and the value is a random string specified by the certificate authority at the time you attempt to obtain or renew the certificate.


#5

Thanks schoen for the information.
I have checked the log and there is no such random strings.
It seems that something block the process. Here are the messages :
2018-02-27T11:40:13-05:00 xxxxxxxx synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[11479]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-cert: Unexpect httpcode. (new-cert)]
2018-02-27T11:40:13-05:00 xxxxxxxx synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[11479]: certificate.cpp:1359 Failed to create Let’sEncrypt certificate. [200][new-cert: Unexpect httpcode. (new-cert)]

What could be this unexpected httpcode ?


#6

Port 80 (HTTP) is not forwarded or else it is blocked by your ISP. Port 443 (HTTPS) works fine on both domains. Please double-check your port forwarding and firewalls!

If it is blocked by your ISP, your only choice is DNS authentication as mentioned earlier. The Synology client only does DNS authentication with their dynamic DNS service. If you use a third-party DNS provider, you can use acme.sh on a Synology device, but the setup is a bit more involved.


#7

Thanks Patches, you have pinpoint the problem. The ISP is Videotron and I come to discover that they block some ports on their residential access to avoid people to settle ther own server.
80 is one of them.
What a stupid idea.
It seems that I have no option but to go for the acme.sh stuff.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.