Impossible to renew certificate for synology NAS

My domain is: backup.mydomain.dk

I ran this command: /usr/syno/sbin/syno-letsencrypt renew-all

It produced this output: nothing

My operating system is (include version): DSM 6.0.2-8451 Update 9

My web server is (include version): None/webstation?

Problem:

I used the easy setup on my Synology NAS to get a letsencrypt SSL certificate. It was easy, and has worked flawlessly until now. Because now it will not renew. Even though I kept port 80 forwarded and open, have webstation running… 2 weeks to go, and it has not updated yet, and I’m starting to get warnings both from synology and letsencrypt.

I have seen many forums where people run this command from the SSH: /usr/syno/sbin/syno-letsencrypt renew-all with great success, but nothing happens for me.

I wonder why it doesn't work, since I have changed no settings, and it was so easy to get working from the start.

Please help, and thanks in advance.

Hello @Franky13,

You should provide your real domain, there is no reason to hide it since your domain is being logged on Certificate Transparency and would help to give you accurate responses.

Anyway, did you restart your webserver/Synology NAS? Certificates should be reloaded once they have been modified, it should be done by the syno-letsencrypt script, so if you already restarted it, try to launch the syno-letsencrypt script in verbose mode to see what is going on:

/usr/syno/sbin/syno-letsencrypt renew-all -vv

Also, you can check if you have already renewed your certs searching for them on https://crt.sh there you will see all the certs already issued to your domain. Maybe they are being issued but something in your NAS is not working properly…

Cheers,
sahsanu


Hi Sahsanu

Thanks a lot for your time to try to help me. I have to be honest and say that I know very little about this topic.

The domain name is backup.fms-data.dk

I did try to restart the server, and it did not help.

I don’t know what verbose mode is, but I tried entering the line you wrote in the SSH client, and really nothing happened. No errors, just a line change.

I tried entering the domain name on https://crt.sh, but sadly all the data does not make sense to me. So any help there will be very appreciated.

As of now, the certificate is still unrenewed :frowning:

Thanks again.

I just found out that I can’t ping my NAS domain or IP from the outside. I can access it fine in my browser on its IP address:80.

I seem to remember that I could ping it when I set up the SSL certificate 3 months ago. Could this have an effect on the renewal process?

It must be my ISP that has changed something, I guess.

Without your real domain name it’s difficult to check.

Blocked ping shouldn’t create a problem. If there is a firewall blocking port 80 then that would create a problem (your IP may be whitelisted, for example, so you can access it but Let’s Encrypt can’t).

Hi ServerCo

My real domain name is backup.fms-data.dk

Thanks a lot for replying. I’m getting desperate :slight_smile:

We have a few days (until 12 Feb) to resolve this before your current certificate expires, so no need to panic yet :slight_smile:

From a quick look it seems to be more related to permissions on your device (I get a 403 - permission denied) trying to get a response from the .well-known folder.

can you paste the results of

ls -i /usr/syno/sbin/syno-letsencrypt

so I can see that the file exists, and what its permissions etc. are. And when you ran "/usr/syno/sbin/syno-letsencrypt renew-all -vv" it simply returned you to the prompt? With no errors, or any other messages?


Thank you so much.

Strange that it should be a permission issue. I will paste the results as soon as I get back to the office in a few hours.

Yes, it simply returned me to the prompt. No errors or any other message. I tried several times with same results.

Hi ServerCo

Here are the results from the command you requested:

20543 /usr/syno/sbin/syno-letsencrypt

Does it make sense?

Hi @Franky13,

Sorry for the delay but I've been (and I am) a bit busy :frowning:

Yesterday I checked your domain and I saw that it was served by a web server named "web station" or something like that and you were redirecting it to yourdomain:5050. Today it is served by nginx and it does not redirect to any other port, so I don't know whether this nginx server is a proxy server redirecting requests to another machine or it is a web server running in your Synology NAS. Also, I don't know what is the default web server used by your NAS nor if syno-letsencrypt can work with it...

Anyway, I don't use Synology so I've no idea how it works but, the first thing you should check is that the challenge needed by Let's Encrypt is reachable from the internet. So, you should check what is the document root used by your domain (you can check it in your nginx conf); you should see a root directive in the nginx file, something like this:

server {
    listen       80;
    server_name  backup.fms-data.dk;
    root   /usr/share/nginx/html;
[...]
}

In this case the document root is /usr/share/nginx/html so you should create the following directories .well-known/acme-challenge/ inside your document root.

mkdir -p /usr/share/nginx/html/.well-known/acme-challenge/

Once you have created the dirs (keep in mind that /usr/share/nginx/html/ is just an example and you should change it for the right path) you should create a test file with whatever text.

echo "This is a test" > /usr/share/nginx/html/.well-known/acme-challenge/test

Now you should check that you can get the file with your browser: http://backup.fms-data.dk/.well-known/acme-challenge/test

If you get This is a test then this part is working fine and we should focus on how syno-letsencrypt works but if you don't, you should review your web server conf.

@serverco requested it to see the perms of syno-letsencrypt but there was a typo in the command he wrote so you are viewing the inode number used by syno-letsencrypt instead of the perms. It should be ls -l /usr/syno/sbin/syno-letsencrypt instead of ls -i /usr/syno/sbin/syno-letsencrypt

Again, sorry for the delay but I don't have too much time to answer these days.

Cheers,
sahsanu

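As an added example (not part of this thread or of Synology's tooling), here is a small POSIX shell self-check that automates the steps sahsanu describes above and also surfaces the 403/whitelisting case ServerCo mentioned: it drops a constructed test file into .well-known/acme-challenge under the document root and fetches it over plain HTTP the way the CA would. It assumes the docroot from the nginx root directive, the domain from the thread, and that curl is installed.

```shell
#!/bin/sh
# Added example: HTTP-01 challenge path reachability self-check.
# Assumptions: DOCROOT is the nginx "root" directive path, DOMAIN is the
# hostname to be validated, curl is available. Not Synology's own code.
set -u

ACME_DIR=".well-known/acme-challenge"

# Create the challenge directory and a test file holding a constructed token.
# Prints the token so the caller can compare it with what the server serves.
acme_probe_prepare() {
    docroot="$1"
    token="probe-$(date +%s)-$$"             # constructed, not a real ACME token
    mkdir -p "$docroot/$ACME_DIR" || return 1
    printf '%s\n' "$token" > "$docroot/$ACME_DIR/$token" || return 1
    chmod 644 "$docroot/$ACME_DIR/$token"   # a 403 here usually means bad perms
    printf '%s\n' "$token"
}

# Report the raw HTTP status on port 80 without following redirects, so an
# HTTP->HTTPS redirect, a 403 or a 404 is visible as such.
acme_probe_status() {
    domain="$1"; token="$2"
    curl -s -o /dev/null -w '%{http_code}' "http://$domain/$ACME_DIR/$token"
}

# Follow redirects like the CA does and compare the body with the token:
# returns 0 when the path is reachable and serves the right content.
acme_probe_verify() {
    domain="$1"; token="$2"
    body=$(curl -s -L --max-redirs 3 "http://$domain/$ACME_DIR/$token") || return 1
    [ "$body" = "$token" ]
}

# Remove the test file so stale probes do not accumulate in the docroot.
acme_probe_cleanup() {
    rm -f "$1/$ACME_DIR/$2"
}

if [ "${1:-}" = "run" ]; then
    DOCROOT="${2:-/usr/share/nginx/html}"   # replace with your real docroot
    DOMAIN="${3:-backup.fms-data.dk}"
    TOKEN=$(acme_probe_prepare "$DOCROOT") || { echo "cannot write to $DOCROOT"; exit 1; }
    echo "HTTP status (no redirects): $(acme_probe_status "$DOMAIN" "$TOKEN")"
    if acme_probe_verify "$DOMAIN" "$TOKEN"; then echo "challenge path reachable"
    else echo "NOT reachable: check port 80 forwarding, firewall, docroot, perms"; fi
    acme_probe_cleanup "$DOCROOT" "$TOKEN"
fi
```

Run it as `sh check.sh run /path/to/docroot backup.fms-data.dk` from a host outside the LAN as well as on the NAS, since a whitelisted source IP can make the check pass locally while Let's Encrypt still gets a 403.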

Hi Sahsanu

Yesterday I changed my synology settings, so that traffic on port 80 would not be redirected to https:443. Just to try to do something. Now I switched back, and I assume that is the cause for your different results for when you checked the domain?

I have no idea what nginx is, so I don’t know where to find the nginx file?

I will try to do the ls command later today, and post the results here.

Many thanks again for your time!!

Web station is the right one!..

Hi

When i type ls -1 /usr/syno/sbin/syno-letsencrypt it just returns the path?

/usr/syno/sbin/syno-letsencrypt

Nothing else. Is that right?

it’s a lower case letter L, rather than a number 1 (or even i as I had it before by mistake :wink: )

haha.

Many attempts later it seems to be right now :slight_smile: it returns this data:

-rwxr-xr-x 1 root root 190331 Aug 17 00:23 /usr/syno/sbin/syno-letsencrypt

Makes sense?

Once again, many many thanks for your time to help me!


Yes, that makes sense - thanks :slight_smile:

Can you run

sudo grep letsencrypt /var/log/message

for me please

It asks for a password… typed my admin password, and it returned:

grep: /var/log/message: No such file or directory

Hmm, OK (yes, your admin password was correct). Can you check what files there are in /var/log? I thought the Synology NAS used /var/log/messages

Can you tell me how to?

If I just enter

/var/log/messages

it returns:

-sh: /var/log/messages: Permission denied

ls -l /var/log

where that is a lower case L (as before) ... "ls" lists files in a location, and "-l" does it in a "long" format with more info