Impossible to renew certificate for synology NAS

Help
24

Hello @Franky13,

Again, sorry for the delay. I see @serverco is here fighting with you to solve the problem (thanks Andy) ;).

Just a comment, Let’s Encrypt follows redirects but as far as I know, it doesn’t follow them if they point to a non web standard port (80 and 443).

I mean, your web server is redirecting http://backup.fms-data.dk to https://backup.fms-data.dk:5050 and that won’t work. Let’s encrypt doesn’t like it, your redirect should go to 443 instead of 5050.

$ curl -IkL  http://backup.fms-data.dk
HTTP/1.1 302 Moved temporarily
Server: nginx
Date: Thu, 02 Feb 2017 00:25:41 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
Location: https://backup.fms-data.dk:5050/    <-- here is the redirect

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Feb 2017 00:25:42 GMT
Content-Type: text/html; charset="UTF-8"
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Security-Policy: base-uri 'self';  connect-src *; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com; font-src 'self' data:; form-action 'self'; frame-ancestors 'self' https://gofile.me http://gofile.me; frame-src 'self' data: blob: https://*.synology.com http://*.synology.com http://*.synology.cn; img-src 'self' data: blob:; media-src 'self' data: about:;  report-uri webman/csp_report.cgi; script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com; style-src 'self' 'unsafe-inline';
Strict-Transport-Security: max-age=15768000; includeSubdomains; preload

I’ve just tested it on my own server and I’m not able to issue a certificate if my domain redirects to https://domain:5050, if i use 443 instead of 5050 it works as expected. Don’t know if you are starting your service on port 5050 for any reason but if you want a Let’s Encrypt cert you should think about move it to 443 instead of 5050 or try to use the DNS challenge, but that is another story.

Also, as @serverco reminded you, you need to be sure that your web server process this request correctly http://backup.fms-data.dk/.well-known/acme-challenge/test (remember to create the dirs and the test file as I commented on previous posts).

Cheers,
sahsanu