"Invalid Domain" Renewing or Creating New? Synology

I've searched the web, read many posts/guides, and tested a ton.. so hoping someone here has a real solution, not a guess... I've read all the guesses I think! :wink:

Tried renewing the not-yet expired cert. The deleted that cert and tried creating new -- same problem both ways.

"Invalid domain. Make sure the domain name can resolve to public IP."


  • Synology 'Web Server' service on and off
  • my DDNS IP is resolved properly using multiple test sites
  • ports 80/443 test good withcanyouseeme.org and letsdebug.net
  • TCP & UDP 80/443 all forwarded from firewall to Synology (no other open ports)


  • Synology on latest DSM with all updates
  • Reverse Proxy running on Synology
  • Synology Firewall is Off
  • PiHole running on Synology, in Docker

I don't think you've provided enough information for anyone to even take a normal guess.
At this point, it would be a wild guess on my part.

If you could please provide more details.
Starting with: Answering the questions that are provided to all "Help" topics.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

And in addition... Since you showed the error message "`Invalid domain`", the FQDN shown in that error message. Since you mentioned "proxy", the proxy settings [as they relate to the FQDN involved]. Since you mentioned ports being forwarded, those firewall NAT settings as well.

This domain name does not seem to exist

Using the online tool https://unboundtest.com/ and using a Query type: of CAA yields

Query results for CAA withcanyouseeme.org

;; opcode: QUERY, status: NXDOMAIN, id: 60388
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;withcanyouseeme.org.	IN	 CAA

org.	0	IN	SOA	a0.org.afilias-nst.info. hostmaster.donuts.email. 1683481029 7200 900 1209600 3600

----- Unbound logs -----
May 07 17:49:07 unbound[219643:0] notice: init module 0: validator
May 07 17:49:07 unbound[219643:0] notice: init module 1: iterator
May 07 17:49:07 unbound[219643:0] info: start of service (unbound 1.16.3).
May 07 17:49:08 unbound[219643:0] info: withcanyouseeme.org. CAA IN
May 07 17:49:08 unbound[219643:0] info: resolving withcanyouseeme.org. CAA IN
May 07 17:49:08 unbound[219643:0] info: priming . IN NS
May 07 17:49:08 unbound[219643:0] info: response for . NS IN
May 07 17:49:08 unbound[219643:0] info: reply from <.>
May 07 17:49:08 unbound[219643:0] info: query response was ANSWER
May 07 17:49:08 unbound[219643:0] info: priming successful for . NS IN
May 07 17:49:08 unbound[219643:0] info: response for withcanyouseeme.org. CAA IN
May 07 17:49:08 unbound[219643:0] info: reply from <.>
May 07 17:49:08 unbound[219643:0] info: query response was REFERRAL

I think they meant "with canyouseeme.org". Looks like a connectivity testing site


Thanks @MikeMcQ! :slight_smile:


The Redirect is incorrect

$ curl -Ii http://canyouseeme.org/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Sun, 07 May 2023 18:12:31 GMT
Server: Apache/2.4.7 (Ubuntu)
Location: https://canyouseeme.org.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

This URL http://canyouseeme.org/.well-known/acme-challenge/sometestfile redirects to https://canyouseeme.org.well-known/acme-challenge/sometestfile

Please note the canyouseeme.org.well-known appears to be missing a forward slash.
I believe the redirected URL should look like https://canyouseeme.org/well-known/acme-challenge/sometestfile

$ curl -Ii https://canyouseeme.org/well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Sun, 07 May 2023 18:15:05 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Also using the online tool Let's Debug yields these results https://letsdebug.net/canyouseeme.org/1471495

Sending an ACME HTTP validation request to canyouseeme.org results in an unacceptable redirect. This is most likely a misconfiguration of your web server or your web application.
It appears that a redirect was generated by your web server that is missing a trailing slash after your domain name: https://canyouseeme.org.well-known/acme-challenge/letsdebug-test. Check your web server configuration and .htaccess for Redirect/RedirectMatch/RewriteRule.

@0ms: Making a request to http://canyouseeme.org/.well-known/acme-challenge/letsdebug-test (using initial IP
@0ms: Dialing
@14ms: Server response: HTTP 302 Found
@14ms: Received redirect to https://canyouseeme.org.well-known/acme-challenge/letsdebug-test 
A test authorization for canyouseeme.org to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued. Fetching https://canyouseeme.org.well-known/acme-challenge/OLLFrrd9-QZAq1u2dNwJMGYG6kzwm0LXVX-DnFeqv64: Invalid host in redirect target "canyouseeme.org.well-known". Check webserver config for missing '/' in redirect target. 

I am pretty sure they do not own the canyouseeme.org domain. They were using that web site as a tool to check connectivity to their own site.

Was just a typo missing a space between 'with' and 'canyou' in first post


Thanks again @MikeMcQ. :slight_smile:

And therefor back to @rg305's post "Invalid Domain" Renewing or Creating New? Synology - #2 by rg305


Its working now... as a whim, I removed the "www" from the list provided to 'Subject Alternative Name' and it worked! I assumed I needed the A NAME, but looks like I only needed the CNAMEs?