Impossible to renew certificate for synology NAS

The mistake was: messages with an s, not message.

sudo grep letsencrypt /var/log/message

Returns:

2016-11-14T10:01:57+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[32525]: certificate.cpp:957 syno-letsencrypt failed. 1 [syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://fms-data.dk/.well-known/acme-challenge/pdmhOfBhfCRcupia3DzN0HjaX4Nq7ccc6otKPfoFJ_8: "<!doctype html>
2016-11-14T10:01:57+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[32525]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [1][syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://fms-data.dk/.well-known/acme-challenge/pdmhOfBhfCRcupia3DzN0HjaX4Nq7ccc6otKPfoFJ_8: "<!doctype html>
2016-11-14T11:05:25+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[4393]: certificate.cpp:957 syno-letsencrypt failed. 1 [syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/b2UGx73k5xmOlw93b_KcfnD7u8vL8OaAG1D5Vlk3_3A: "
2016-11-14T11:05:25+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[4393]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [1][syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/b2UGx73k5xmOlw93b_KcfnD7u8vL8OaAG1D5Vlk3_3A: "
2016-11-14T11:07:32+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[4696]: certificate.cpp:957 syno-letsencrypt failed. 1 [syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/lE35L9fH4DuLQxv3RWv-OJaB3Q5aH7s_3hxMd0CZjKc: "
2016-11-14T11:07:32+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[4696]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [1][syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/lE35L9fH4DuLQxv3RWv-OJaB3Q5aH7s_3hxMd0CZjKc: "
2016-11-14T11:20:02+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[8541]: certificate.cpp:957 syno-letsencrypt failed. 101 [failed to open port 80.]
2017-01-19T08:28:09+01:00 Backup builtin-syno-letsencrypt-syno-letsencrypt: autorenew: syno-letsencrypt.cpp:288 Failed to renew /usr/syno/etc/certificate/_archive/ZJyyML/. { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/s7jX2D7--sWJKheLCmHuHRuOiuj-iN_oGlpyOvq6Yx0: "
2017-01-26T04:08:11+01:00 Backup builtin-syno-letsencrypt-syno-letsencrypt: autorenew: syno-letsencrypt.cpp:288 Failed to renew /usr/syno/etc/certificate/_archive/ZJyyML/. { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/Dn8cAHXbYNXOx6VdYjZRNQatIS1K31VdTpvVHtX-nvw: "

ls -l /var/log

returns:

total 3716
-rw-rw---- 1 system log 9561 Jan 30 12:46 apparmor.log
-rw-r----- 1 root log 177208 Feb 1 17:13 auth.log
-rw-rw---- 1 system log 4955 Feb 1 17:11 bash_err.log
-rw-rw---- 1 system log 2048 Feb 1 17:15 bash_history.log
drwxr-xr-x 2 root root 4096 Aug 2 2016 cluster
drwxr-xr-x 2 root root 4096 Dec 1 11:23 cstn
-rw-r--r-- 1 root root 0 Nov 10 14:04 disk_log.xml
-rw-r--r-- 1 root root 916 Feb 1 00:00 disk_overview.xml
-rw-r--r-- 1 root root 622172 Jan 30 12:46 dmesg
-rw-r--r-- 1 root root 0 Nov 10 14:10 dms.log
-rw-r--r-- 1 root root 52752 Jan 30 12:46 dpkg.log
-rw-r--r-- 1 root root 33995 Jan 30 12:46 dpkg_upgrade.log
-rw-rw---- 1 system log 19828 Jan 30 12:46 esynoscheduler.log
drwxr-xr-x 2 root root 4096 Jan 7 12:53 httpd
-rw-rw---- 1 system log 2655 Jan 30 12:46 iscsi.log
-rw-rw---- 1 system log 285054 Feb 1 16:31 kern.log
-rw-rw---- 1 system log 609423 Feb 1 16:31 messages
drwxr-x--- 2 http root 4096 Nov 10 14:04 nginx
drwxr-xr-x 2 root root 4096 Aug 2 2016 openvswitch
-rw-rw---- 1 system log 242440 Jan 30 12:46 php56-fpm.log
-rw-rw---- 1 system log 17532 Jan 30 12:46 postgresql.log
-rw-rw---- 1 system log 258759 Feb 1 10:17 router.log
-rw-rw---- 1 system log 72572 Jan 19 14:17 router.log.1.xz
-rw-rw---- 1 system log 21908 Nov 11 23:17 router.log.2.xz
drwxr-xr-x 2 root root 4096 Nov 10 14:04 samba
-rw-rw---- 1 system log 65598 Feb 1 17:09 scemd.log
drwxr-x--- 2 root root 4096 Jan 30 12:46 selfcheck
-rw-r--r-- 1 root root 124 Jan 10 00:00 smart_quick_log
-rw-rw-rw- 1 root root 2899 Jan 30 12:46 space_operation_error.log
-rw-r--r-- 1 root root 2333 Jan 30 12:46 synocmsclient.log
-rw-r--r-- 1 root root 32744 Jan 30 12:44 synocrond-execute.log
-rw-rw---- 1 system log 7774 Jan 30 12:46 synocrond.log
-rw-rw---- 1 system log 21092 Jan 30 12:44 synofeasibilitycheck.log
-rw-r--r-- 1 root root 8141 Jan 12 08:37 synoinfo.conf.bad
drwxr-x--- 2 system log 4096 Feb 1 17:11 synolog
-rw-r--r-- 1 root root 439759 Jan 30 12:44 synopkg.log
-rw-rw---- 1 system log 4604 Jan 30 12:44 synopoweroff.log
-rw------- 1 root root 28855 Jan 30 12:46 synorelayd.log
-rw-r----- 1 root root 752 Nov 10 14:06 synoscheduler.log
-rw-rw---- 1 system log 562653 Feb 1 16:31 synoservice.log
-rw-r--r-- 1 root root 2433 Jan 30 12:46 synoupdate.log
-rw-rw---- 1 system log 19779 Jan 30 12:46 syslog.log
drwxr-xr-x 2 root root 4096 Jan 30 12:30 upstart
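The grep above returns two different failure codes from syno-letsencrypt (102 "Invalid response from .../.well-known/acme-challenge/..." and 101 "failed to open port 80"), and each failed run logs the same error twice. The following is an added example, not something posted in the thread, that classifies those lines so the two causes are counted separately. The sample log lines are constructed after the format shown above (same hostname, placeholder tokens TOKEN1/TOKEN2 and archive id XXXXXX); DSM writes the JSON with straight quotes, which is what the patterns match.

```shell
#!/bin/sh
# Added example: triage DSM syno-letsencrypt log lines from /var/log/messages.
# Constructed sample modelled on the thread's output (tokens and archive id are placeholders).
SAMPLE_LOG='2016-11-14T10:01:57+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[32525]: certificate.cpp:957 syno-letsencrypt failed. 1 [syno-letsencrypt output is not a json: { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/TOKEN1: "<!doctype html>
2016-11-14T11:20:02+01:00 Backup synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[8541]: certificate.cpp:957 syno-letsencrypt failed. 101 [failed to open port 80.]
2017-01-19T08:28:09+01:00 Backup builtin-syno-letsencrypt-syno-letsencrypt: autorenew: syno-letsencrypt.cpp:288 Failed to renew /usr/syno/etc/certificate/_archive/XXXXXX/. { "error": 102, "msg": "Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/TOKEN2: "
2017-01-30T12:46:00+01:00 Backup kernel: unrelated line'

# classify_line LINE
# Prints one of:
#   challenge-unreachable <challenge URL>   (error 102: validator could not fetch the token)
#   port80-bind-failed                      (error 101: something else already holds port 80)
#   other-letsencrypt                       (a letsencrypt line we do not recognise)
# and nothing at all for lines that do not mention letsencrypt.
classify_line() {
    line=$1
    case $line in
        *letsencrypt*|*LetsEncrypt*) ;;
        *) return 0 ;;
    esac
    case $line in
        *'"error": 102'*)
            # Pull the exact URL Let's Encrypt tried, so you can curl it yourself.
            url=$(printf '%s\n' "$line" | sed -n 's|.*Invalid response from \(http[s]*://[^ ]*/\.well-known/acme-challenge/[^: ]*\).*|\1|p')
            printf 'challenge-unreachable %s\n' "$url" ;;
        *'failed to open port 80'*)
            printf 'port80-bind-failed\n' ;;
        *)
            printf 'other-letsencrypt\n' ;;
    esac
}

# summarize_log: reads log lines on stdin, prints a one-line count per cause.
summarize_log() {
    unreachable=0; port80=0; other=0
    while IFS= read -r l; do
        case $(classify_line "$l") in
            challenge-unreachable*) unreachable=$((unreachable + 1)) ;;
            port80-bind-failed)     port80=$((port80 + 1)) ;;
            other-letsencrypt)      other=$((other + 1)) ;;
        esac
    done
    printf 'challenge-unreachable=%d port80-bind-failed=%d other=%d\n' "$unreachable" "$port80" "$other"
}

# On the NAS, after `. ./triage.sh` over SSH:
#   sudo grep -i letsencrypt /var/log/messages | summarize_log
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

If the summary shows only error 102, port 80 is reaching the NAS but the challenge path is not being served; if it shows 101, the renewal client could not bind port 80 at all, which is a different problem to chase.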

great, thanks - the "sudo grep letsencrypt /var/log/message" is the useful stuff :slight_smile:

The key thing is ...

"Invalid response from http://backup.fms-data.dk/.well-known/acme-challenge/Dn8cAHXbYNXOx6VdYjZRNQatIS1K31VdTpvVHtX-nvw: "

To validate your domain (and hence obtain a certificate), your system needs to display a given token (in this case backup.fms-data.dk/.well-known/acme-challenge/Dn8cAHXbYNXOx6VdYjZRNQatIS1K31VdTpvVHtX-nvw) which Let's Encrypt needs to connect to - and can't (hence the error message, and no certificate).

This is what @sahsanu was referring to

and

Hello @Franky13,

Again, sorry for the delay. I see @serverco is here fighting with you to solve the problem (thanks Andy) ;).

Just a comment: Let's Encrypt follows redirects, but as far as I know it doesn't follow them if they point to a non-standard web port (i.e. not 80 or 443).

I mean, your web server is redirecting http://backup.fms-data.dk to https://backup.fms-data.dk:5050 and that won't work. Let's Encrypt doesn't like it; your redirect should go to 443 instead of 5050.

$ curl -IkL  http://backup.fms-data.dk
HTTP/1.1 302 Moved temporarily
Server: nginx
Date: Thu, 02 Feb 2017 00:25:41 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
Location: https://backup.fms-data.dk:5050/    <-- here is the redirect

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Feb 2017 00:25:42 GMT
Content-Type: text/html; charset="UTF-8"
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Security-Policy: base-uri 'self';  connect-src *; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com; font-src 'self' data:; form-action 'self'; frame-ancestors 'self' https://gofile.me http://gofile.me; frame-src 'self' data: blob: https://*.synology.com http://*.synology.com http://*.synology.cn; img-src 'self' data: blob:; media-src 'self' data: about:;  report-uri webman/csp_report.cgi; script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com; style-src 'self' 'unsafe-inline';
Strict-Transport-Security: max-age=15768000; includeSubdomains; preload

I've just tested it on my own server and I'm not able to issue a certificate if my domain redirects to https://domain:5050; if I use 443 instead of 5050 it works as expected. I don't know if you are starting your service on port 5050 for any reason, but if you want a Let's Encrypt cert you should think about moving it to 443 instead of 5050, or try to use the DNS challenge, but that is another story.

Also, as @serverco reminded you, you need to be sure that your web server processes this request correctly: http://backup.fms-data.dk/.well-known/acme-challenge/test (remember to create the dirs and the test file as I commented in previous posts).

Cheers,
sahsanu
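The two checks sahsanu asks for (a test file under /.well-known/acme-challenge/ that is reachable from outside, and a redirect chain that never leaves ports 80/443) can be scripted. This is an added example, not code from the thread or from Synology: it assumes the DSM web root is /usr/share/nginx/html (the path used later in this thread; pass another directory as the first argument if yours differs), and the "broken" header transcript is trimmed from the curl output above while the "fixed" one is constructed to show what a passing chain looks like.

```shell
#!/bin/sh
# Added example: sanity-check an HTTP-01 setup on a Synology NAS.

# location_port_ok URL -> "ok" if the redirect target stays on 80/443, else "bad-port <n>".
# A Location without an explicit port implies 80 for http:// and 443 for https://.
# (IPv6 literals without a port are not handled.)
location_port_ok() {
    url=$1
    hostport=${url#*://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   case $url in https://*) port=443 ;; *) port=80 ;; esac ;;
    esac
    case $port in
        80|443) printf 'ok\n' ;;
        *)      printf 'bad-port %s\n' "$port" ;;
    esac
}

# check_redirect_chain: reads raw `curl -sIL http://host` headers on stdin and
# reports the first Location: hop that leaves the standard ports (exit 1), or "chain ok".
check_redirect_chain() {
    hdrs=$(tr -d '\r')
    status="chain ok"
    while IFS= read -r loc; do
        [ -n "$loc" ] || continue
        r=$(location_port_ok "$loc")
        case $r in
            ok) ;;
            *)  status="redirect to $loc: $r"; break ;;
        esac
    done <<EOF
$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p')
EOF
    printf '%s\n' "$status"
    [ "$status" = "chain ok" ]
}

# make_test_token [WEBROOT]: creates the challenge directory and a throwaway file,
# prints the file path. Then from outside the LAN:
#   curl -i http://backup.fms-data.dk/.well-known/acme-challenge/test
# must return 200 and the text below, not a DSM login page or a redirect to :5050.
make_test_token() {
    webroot=${1:-/usr/share/nginx/html}   # assumption: DSM Web Station root
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'This is a test\n' > "$dir/test"
    printf '%s\n' "$dir/test"
}

# Trimmed from the thread's curl -IkL transcript: the redirect that breaks validation.
BROKEN_HEADERS=$(cat <<'EOF'
HTTP/1.1 302 Moved temporarily
Server: nginx
Location: https://backup.fms-data.dk:5050/

HTTP/1.1 200 OK
Server: nginx
EOF
)

# Constructed: the same chain after the redirect is pointed at 443.
FIXED_HEADERS=$(cat <<'EOF'
HTTP/1.1 302 Moved temporarily
Server: nginx
Location: https://backup.fms-data.dk/

HTTP/1.1 200 OK
Server: nginx
EOF
)

# Usage on the NAS after `. ./acme-check.sh` over SSH:
#   make_test_token
#   curl -sIL http://backup.fms-data.dk | check_redirect_chain
printf '%s\n' "$BROKEN_HEADERS" | check_redirect_chain || echo "fix the redirect before retrying"
printf '%s\n' "$FIXED_HEADERS" | check_redirect_chain
```

Run the curl from a host outside your LAN (or a mobile connection): the validator connects from the internet, and a NAT loopback that works from inside tells you nothing about the port forward.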

Hi Guys!

The Synology OS will not allow me to redirect to any port under 1000, as it tells me it is insecure or too common. Somehow it worked for me in the setup phase with the :5050… I don't know how to get around this, but I have contacted Synology as well, who are looking at the log files right now.

I feel silly to ask this, but although I'm pretty confident with DOS and the like, I know zero about using the SSH client.

I had to search for how to make dirs over SSH. But what is the right path, and how do I create the test file?

Is it this way?

echo "This is a test" > /usr/share/nginx/html/.well-known/acme-challenge/test

Many thanks again!

This is my router setup.

Synology is set to: HTTP :5500 HTTPS :5050

It will not allow me to use 80 or 443 :confused:

Guys?

Synology support told me that I should just make sure that my server could be reached on port 80 from outside. So I forwarded port 80 directly, and now it just shows the blank "Web Station" logo when you type backup.fms-data.dk. So the path is straight as an arrow, but it's been almost 48 hours, and my certificate will still not update.

I can't believe I've hit a brick wall on this. I just followed the simple 3-step wizard guide when I set it up, and it all worked, and I haven't changed a setting since then, and now I'm in such deep trouble that no one seems to be able to help me? :confused:

Please tell me how to create the folder you recommend, and how to create the files. When I type help in SSH it lists commands, but none for dirs and files, it seems. And what is the right folder path? I don't want to screw anything up in the system.

I'm sorry if I am a moron… but my SSH experience is limited to finding a link in a forum and installing the client. I've had no reason to gain experience, since it all just worked out of the box…

Thank you in advance, and for your time.

Why not just use the DNS challenge with an online client such as ZeroSSL?

Also, a rough network map might help out,

e.g. Internet -> Router -> Web Server?
or Internet -> Router/Firewall -> Synology

Andrei

Thanks guys. It's working now. Did as follows:

Restarted the router and the NAS (which allowed ports 80 and 443 to work correctly).
Changed my port forwards on the router so they were straight 80 and 443 afterwards.

Had to gain root access in order to make the renewal command work.

Thanks for a lot of advice. I would never have made it without your inputs!


My certificate is not automatically renewed.
So I checked if 443 is open and, to be sure, I also opened 80 and ICMP.
My certificate fails to renew itself automatically and I cannot even obtain a new one, for the same error.
I also stopped all services installed on the NAS…

Are you also using a Synology NAS? If so, what DSM version?

Yes, DSM version is 6.0.2-8451…

Okay.

Has it auto-updated before?

Never. Ports 80 and 443 are open properly. I've scanned it…

How long until it expires?

It only tries to auto-renew once a week, and if you run this command from an SSH client you will see on which dates it tried:

sudo grep letsencrypt /var/log/messages

It has been expired for 10 days.
The log reports that port 80 is closed!
