I do have a Synology Diskstation with the latest DSM installed and I was trying to request certs for multiple domain names I own (which are banthon[dot]de, banthon[dot]com, banxx[dot]net (all via DD24 as registrar) and banthon[dot]net (via ChangeIP).
All of those domains are updated as a www subdomain with my actual IP address daily via DDNS, and I'm able to connect to the home page of all of those domains via port 80 and 443, which are actually hosted on an Apache on my Synology.
I was successfully able to generate the certs for the first three domains via the DSM assistant, while it fails for the www.banthon[dot]net domain. The error message reported by the DSM assistant is
"failed to connect to let's encrypt. please make your diskstation and router have port 80 open to Lets Encrypt domain validation
from the internet...."
I SSH'd in to my Synology and performed a ping to those domain names and the LE servers too, and was able to successfully resolve/reach every domain. I also checked the domain config via https://intodns.com and they just seem to be fine and identical. Since the request of all domains except that one .net domain was successful, the error message appears to be wrong by indicating there is a connection issue.
I'd appreciate it if you could share your ideas on what troubleshooting steps I can take to investigate further.
Does anyone know where on the Synology the logs are stored which may provide further details about the cert request to LE?
Additional info:
I used to have a StartCom cert for www.banthon[dot]net which, according to crt.sh, is still valid and also has a SAN entry for www.banthon[dot]net. Also, there is still an LE cert valid for banthon[dot]net until April 30th. Could this affect the cert request attempt to LE for www.banthon[dot]net?
2 DS RR in the parent zone found
1 RRSIG RR to validate DS RR found
Algorithm: 8, 2 Labels, original TTL: 86400 sec,
Signature-expiration: 28.03.2019, 05:53:40, Signature-Inception: 21.03.2019, 04:43:40, KeyTag 51638, Signer-Name: net
• Status: Good - Algorithmus 8 and DNSKEY with KeyTag 51638
used to validate the DS RRSet in the parent zone
0 DNSKEY RR found
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 50965,
DigestType 1, Digest O3pPif4D6kevzPIoQAr/3hDW8jI=), but the
destination DNSKEY doesn't exist or doesn't validate the DNSKEY
RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 50965,
DigestType 2, Digest C8kvpkbNNx3H4kBSTPkLFrIyp9ep5KKlNSrNPvVIKdY=), but the
destination DNSKEY doesn't exist or doesn't validate the DNSKEY
RR set. No chain of trust created.
So your DNS is broken and Let's Encrypt can't find your domain.
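The checker output above says the .net parent zone publishes two DS records for banthon.net (key tag 50965, algorithm 7), but the zone itself serves no DNSKEY. A DNSSEC-validating resolver, which is what Let's Encrypt uses for domain validation, therefore cannot build a chain of trust and treats the name as bogus, while a plain ping from the Synology goes through a non-validating resolver and succeeds. The Python script below is an added example, not part of this thread or of any tool used in it: it reconstructs the DS-to-DNSKEY linkage from RFC 4034 (key tag, and digest over the canonical owner name plus DNSKEY RDATA), using the two DS digests quoted above and a constructed DNSKEY as a stand-in for the missing key, so it shows both the mismatch and what a matching DS/DNSKEY pair looks like. For a live zone the DNSKEY would come from the zone's own nameservers; that lookup is not included here.

```python
"""Added example: check whether DS records in a parent zone match the DNSKEY
records published by the child zone (RFC 4034 section 5.1.4 and Appendix B).

The two DS records below are the ones the checker output on this page reports
for banthon.net in the .net parent zone.  The child-side DNSKEY is CONSTRUCTED
for this example (the page shows "0 DNSKEY RR found"), so the real DS records
do not match it, which is exactly the "No chain of trust created" condition."""
import base64
import hashlib
import struct

# DS records quoted from the checker output on this page (parent zone: net).
PAGE_DS_RECORDS = [
    {"key_tag": 50965, "algorithm": 7, "digest_type": 1,
     "digest": base64.b64decode("O3pPif4D6kevzPIoQAr/3hDW8jI=")},
    {"key_tag": 50965, "algorithm": 7, "digest_type": 2,
     "digest": base64.b64decode("C8kvpkbNNx3H4kBSTPkLFrIyp9ep5KKlNSrNPvVIKdY=")},
]

# Constructed stand-in for a zone's KSK: flags 257 (SEP bit set), algorithm 7
# (RSASHA1-NSEC3-SHA1).  The key bytes are arbitrary, not a real RSA key.
CONSTRUCTED_DNSKEY = {"flags": 257, "algorithm": 7, "pubkey": bytes(range(1, 65))}

DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", key["flags"], 3, key["algorithm"]) + key["pubkey"]


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except legacy RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, key: dict, digest_type: int) -> dict:
    """Derive the DS record a parent zone would publish for this DNSKEY."""
    rdata = dnskey_rdata(key)
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches(owner: str, ds: dict, key: dict) -> bool:
    """A DS points at a DNSKEY only if tag, algorithm and digest all agree."""
    rdata = dnskey_rdata(key)
    return (ds["algorithm"] == key["algorithm"]
            and ds["key_tag"] == key_tag(rdata)
            and ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"])


def chain_of_trust(owner: str, ds_records: list, dnskeys: list) -> bool:
    """Validating resolvers need at least one DS to match a published DNSKEY;
    with no match (or no DNSKEYs at all) the zone is treated as bogus."""
    return any(ds_matches(owner, ds, key) for ds in ds_records for key in dnskeys)


if __name__ == "__main__":
    zone = "banthon.net"
    # Case from the page: parent has DS, child publishes no DNSKEY at all.
    print("no DNSKEY published :", chain_of_trust(zone, PAGE_DS_RECORDS, []))
    # Child publishes a key that is not the one the parent's DS refers to.
    print("wrong DNSKEY        :", chain_of_trust(zone, PAGE_DS_RECORDS, [CONSTRUCTED_DNSKEY]))
    # Healthy case: parent's DS derived from the child's actual KSK.
    good_ds = [make_ds(zone, CONSTRUCTED_DNSKEY, 1), make_ds(zone, CONSTRUCTED_DNSKEY, 2)]
    print("matching DS/DNSKEY  :", chain_of_trust(zone, good_ds, [CONSTRUCTED_DNSKEY]))
```

The practical point for this thread: the fix is either to publish the DNSKEY that the parent's DS records refer to (and keep the zone signed), or, if the zone is not meant to be signed, to have the registrar remove the DS records from the .net parent; leaving a DS that points at a nonexistent key breaks resolution for every validating client, not just Let's Encrypt.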
Dear @JuergenAuer
Thank you very much for pointing that out. My assumption was also that there was a DNS issue, but I'm not familiar with how to set up DNSSEC at ChangeIP. With the other domains at DD24 there is simply a switch in their control panel to enable DNSSEC.
I'm going to contact ChangeIP support and ask for info there.