Install Certificate Synology NAS Errors

My domain is: asteroid.trilliumbrewing.com

I ran this command: Creating cert using Synology DSM 6

It produced this output:

2019-01-07T13:13:20-05:00 asteroid synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[26559]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/UUC3nzUu4xHzkauY-WcftepSG7zRpGmA9SBoU1uV788: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>300 Multiple Choices</title>\n</head><body>\n<h1>Multiple C"]

2019-01-07T13:13:20-05:00 asteroid synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[26559]: certificate.cpp:1392 Failed to create Let'sEncrypt certificate. [102][Invalid response from http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/UUC3nzUu4xHzkauY-WcftepSG7zRpGmA9SBoU1uV788: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>300 Multiple Choices</title>\n</head><body>\n<h1>Multiple C"]

My web server is (include version): Synology DSM 6.2.1-23824 Update 2

The operating system my web server runs on is (include version): DSM 6.2.1-23824 Update 2

My hosting provider, if applicable, is: 1&1 IONOS

I can login to a root shell on my machine (yes or no, or I don’t know): Into the Synology, yes. The TLD, no.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ? The host is 1&1, the A record of the TLD points to a Squarespace page.

Can someone help me decrypt the error message? Thank you!

Hi @cfraser

In your test you had a 300 Multiple Choices, so the server doesn't know which file should be sent.

Now you have a different error:


| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://asteroid.trilliumbrewing.com/ | 96.70.222.42 | 400 Bad Request | | 0.270 | M |
| https://asteroid.trilliumbrewing.com/ | 96.70.222.42 | 200 (Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors) | | 6.884 | N |
| http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 96.70.222.42 | 400 Bad Request | | 0.277 | M |

Bad request - 400. My browser says:

The plain HTTP request was sent to HTTPS port

So you have configured your http port 80 as an https port:

https://asteroid.trilliumbrewing.com:80/.well-known/acme-challenge/1234

answers with an http status 404.

So first fix your configuration so that port 80 is used to send http traffic. This is required to use http-01 validation.

--
PS: And you have an ipv4 and an ipv6 address.

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| asteroid.trilliumbrewing.com | A | 96.70.222.42 | yes | 1 | 0 |
| | AAAA | 2607:F1C0:1000:4067:5C6F:6F0A:B5ED:2017 | yes | | |
| www.asteroid.trilliumbrewing.com | A | | yes | 11 | 0 |
| | AAAA | 2607:F1C0:1000:4067:5C6F:6F0A:B5ED:2017 | yes | | |

So your ipv6 address may send the 300 Multiple Choices.

Thanks for that information. I deleted the AAAA records and am still experiencing the issue, so there’s some configuration error somewhere, but I’m not sure where.

In my firewall, I have created a destination NAT rule that looks at HTTP+S traffic and forwards to the Synology’s port 5001, the HTTPS port. Could this potentially be the problem? Or could it be something in the Synology’s or web services configuration itself?

I made the change so that HTTP redirects to the correct HTTP port on the Synology and no longer am receiving the error 400 myself! So progress is being made. Thank you for pushing me towards that, @JuergenAuer …

However, I am still receiving the failed to connect error in the DSM. In the logs, I receive the following error:

2019-01-07T14:13:56-05:00 asteroid synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[31204]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/u3VMbVGtid14P5UIhUhF2CSLFSeWqs67bgBCatpW6a0: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"]
2019-01-07T14:13:56-05:00 asteroid synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[31204]: certificate.cpp:1392 Failed to create Let'sEncrypt certificate. [102][Invalid response from http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/u3VMbVGtid14P5UIhUhF2CSLFSeWqs67bgBCatpW6a0: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"]

Yep, your ipv6 is gone.

This was the problem. Your firewall sends http + https traffic to the same port; that can't work. Your firewall must send different traffic to different ports.

Now you have a new error (checked via https://check-your-website.server-daten.de/?q=asteroid.trilliumbrewing.com ):


| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://asteroid.trilliumbrewing.com/ | 96.70.222.42 | 200 | | 0.506 | H |
| https://asteroid.trilliumbrewing.com/ | 96.70.222.42 | 200 (Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors) | | 6.533 | N |
| http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 96.70.222.42 | 403 Forbidden | | 0.266 | M |

There is a forbidden status 403. So Let's Encrypt can't check a file in this directory.

The online tool should find a 404 Not Found status if the file is unknown.
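The two replies above walk through the same check the online tool performs: fetch the challenge path over plain HTTP on port 80 from every address the name resolves to, and read the status and body. This added example (not from the thread or from Synology) does that preflight for http-01 and maps each response to the failure modes seen here; the probe path and expected body are constructed placeholders, not real ACME tokens.

```python
import socket
import http.client

# Constructed probe path; the tokens in the thread are real ACME tokens, this one is a placeholder.
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"

def diagnose(status, body, location=None, expected=None):
    """Map a port-80 response for the challenge path to the failure modes seen in this thread."""
    text = body.lower()
    if status == 400 and "plain http request was sent to https port" in text:
        return "port 80 is answered by a TLS listener (forwarded to the HTTPS port?)"
    if status == 300:
        return "300 Multiple Choices; check whether a second address (AAAA) answers differently"
    if status == 403:
        return "403 Forbidden; the web root denies /.well-known/acme-challenge"
    if status == 404:
        return "404 Not Found; a web server answers, but not the one holding the challenge directory"
    if status in (301, 302, 307, 308):
        return "redirect to %s; fine only if that target serves the challenge" % (location or "?")
    if status == 200 and expected is not None and body.strip() != expected:
        return "200 but wrong body; another application (e.g. a login page) answers on port 80"
    if status == 200:
        return "ok; plain HTTP on port 80 reaches the challenge directory"
    return "unexpected status %d" % status

def probe(host, path=PROBE_PATH, expected=None, timeout=5):
    """GET path over plain HTTP on port 80 from every A and AAAA address, as the online checker does."""
    findings = {}
    for _family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        addr = sockaddr[0]
        if addr in findings:
            continue
        try:
            conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
            # Connect to the literal address but send the real name, so the right vhost answers.
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read(4096).decode("utf-8", "replace")
            findings[addr] = diagnose(resp.status, body, resp.getheader("Location"), expected)
            conn.close()
        except OSError as exc:
            findings[addr] = "connection failed: %s" % exc
    return findings

if __name__ == "__main__":
    for addr, verdict in probe("asteroid.trilliumbrewing.com").items():
        print(addr, verdict)
```

Place a file at the probe path on the web root first and pass its content as `expected`; a 200 with an HTML body instead of that content is the "port 80 forwarded to the DSM login" case from later in this thread.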

I have no idea how to proceed from here in that case. Any suggestions?

I don’t use a Disk Station.

But this

https://www.synology.com/en-us/knowledgebase/DSM/help/DSM/AdminCenter/file_share_privilege

suggests that you have a menu to manage the directory properties.

So you must allow access to /.well-known/acme-challenge

I changed the permissions to /www/.well-known/acme-challenge so that it can be accessed by everyone and created a “text.txt” file in that directory to see if I could navigate to it over the web but get the “not found” error when I try to navigate to: http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/text.txt …

I can easily navigate to /volume2/www/.well-known/acme-challenge through the terminal and am not prompted for authentication to view the contents of these directories.

I’m not sure the web server is configured correctly – I installed the Web Station package and it looks like it’s running on Nginx … could there be some configuration error in the nginx.conf?

I’m at a loss right now… I’m guessing the /.well-known/acme-challenge directory is not in the correct place and that’s why it can’t be accessed… I just don’t know where it’s supposed to go.

It's curious. Checking this with an offline tool, I get the http status 403 Forbidden.

D:\temp>download http://asteroid.trilliumbrewing.com/.well-known/acme-challenge/text.txt -h
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (403) Unzulässig.
ProtocolError
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Content-Length: 11939
Content-Type: text/html
Date: Tue, 08 Jan 2019 18:59:42 GMT
ETag: "5b923df6-2ea3"
Server: nginx

Status: 403 Forbidden
403

380,32 milliseconds
0,38 seconds

Yes, it's nginx. But checking it with a browser it says: "Not found". So the "not found" error looks like a masquerade of the "Forbidden" status.

Perhaps check the https://forum.synology.com/enu/

Thanks @JuergenAuer for helping me through this, I’ve got it figured out.

The problem was in the port forwarding in my firewall. From the internet, I was forwarding HTTP port 80 to Local NAS port 5000 – so it was directing traffic to the DSM login … when I switched forwarding from external port 80 to Local port 80, I was able to successfully get the LE cert installed.

Thank you, again.

