Let's Encrypt cert request fails for a specific domain on Synology

Hey everyone.

I have a Synology DiskStation with the latest DSM installed and I was trying to request certs for multiple domain names I own (banthon[dot]de, banthon[dot]com and banxx[dot]net, all via DD24 as registrar, and banthon[dot]net via ChangeIP).

All of those domains have their www subdomain updated daily with my actual IP address via DDNS, and I'm able to connect to the home page of all of those domains via port 80 and 443, which are hosted on an Apache on my Synology.

I was successfully able to generate the certs for the first three domains via the DSM assistant, while it fails for the www.banthon[dot]net domain. The error message reported by the DSM assistant is:

    "failed to connect to let's encrypt. please make your diskstation and router have port 80 open to Lets Encrypt domain validation from the internet...."

I SSH'd into my Synology and pinged those domain names and the LE servers too, and was able to successfully resolve/reach every domain. I also checked the domain config via https://intodns.com and they just seem to be fine and identical. Since the request for all domains except that one .net domain was successful, the error message appears to be wrong in indicating there is a connection issue.

I'd appreciate it if you could share your ideas on what troubleshooting steps I can take to investigate further.
Does anyone know where on the Synology the logs are stored which may provide further details about the cert request to LE?

Additional info:
I used to have a StartCom cert for www.banthon[dot]net which, according to crt.sh, is still valid and also has a SAN entry for www.banthon[dot]net. Also, there is still an LE cert valid for banthon[dot]net until April 30th. Could this affect the cert request attempt to LE for www.banthon[dot]net?

Hi @Buzztee

that's a DNSSEC problem (checked via https://check-your-website.server-daten.de/?q=banthon.net ):

The parent zone has a valid DS record. But

    2 DS RR in the parent zone found
    1 RRSIG RR to validate DS RR found
        Algorithm: 8, 2 Labels, original TTL: 86400 sec, Signature-expiration: 28.03.2019, 05:53:40, Signature-Inception: 21.03.2019, 04:43:40, KeyTag 51638, Signer-Name: net
        Status: Good - Algorithm 8 and DNSKEY with KeyTag 51638 used to validate the DS RRSet in the parent zone
    0 DNSKEY RR found

    Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 50965, DigestType 1, Digest O3pPif4D6kevzPIoQAr/3hDW8jI=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

    Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 50965, DigestType 2, Digest C8kvpkbNNx3H4kBSTPkLFrIyp9ep5KKlNSrNPvVIKdY=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

So your DNS is broken and Letsencrypt can't find your domain.

PS: Looks like the error message isn't good.

PPS: Checked your .de domain ( https://check-your-website.server-daten.de/?q=banthon.de ): There is a wrong DNSKEY, but the parent zone has no DS RR. So that's not good, but not critical.

If a parent zone has a valid DS Record, then the zone must have a DNSKEY that matches with the DS RR. If not, it's fatal.

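The failure JuergenAuer describes (a signed DS in the parent, but no DNSKEY in the child that hashes to it) can be reproduced offline. The following Python is an added example, not code from the original thread or from the check-your-website tool: it implements the key-tag and DS-digest computation from RFC 4034 and runs three constructed scenarios at a delegation point. All keys and digests are placeholders, not banthon.net's real records; only the owner name is taken from the thread.

```python
"""Why "parent has a DS, child has no matching DNSKEY" is fatal for DNSSEC.

Added example (not from the thread or check-your-website). It recomputes
what a validating resolver does at a delegation: hash the child's DNSKEY
(RFC 4034 section 5.1.4) and compare with the DS set in the parent zone.
All key material below is constructed and arbitrary.
"""
import hashlib
import struct
from dataclasses import dataclass

DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256, ...
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, then the raw key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B). Only a hint for
    picking candidate keys; the digest comparison is what validates."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name such as 'banthon.net.'."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """The DS record a parent zone should publish for this child DNSKEY."""
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True if this DS was derived from this DNSKEY (tag, algorithm and digest agree)."""
    if ds.algorithm != key.algorithm or ds.digest_type not in DIGEST_ALGORITHMS:
        return False
    return make_ds(owner, key, ds.digest_type) == ds


def check_delegation(owner: str, parent_ds: list, child_keys: list) -> tuple:
    """Mimic the validator's decision at a delegation.

    Returns (chain_of_trust_ok, messages). One DS matching one DNSKEY is
    enough; if none matches, the zone is bogus and a validating resolver
    (such as the one Let's Encrypt uses) returns SERVFAIL for every name in it."""
    messages, ok = [], False
    for ds in parent_ds:
        if any(ds_matches(owner, ds, k) for k in child_keys):
            ok = True
            messages.append(f"DS KeyTag {ds.key_tag} DigestType {ds.digest_type}: matches a child DNSKEY")
        else:
            messages.append(f"DS KeyTag {ds.key_tag} DigestType {ds.digest_type}: no matching DNSKEY (fatal)")
    return ok, messages


# Constructed keys: arbitrary bytes, not real RSA material.
OWNER = "banthon.net."
OLD_KSK = DNSKEY(257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(64)))
NEW_KSK = DNSKEY(257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(64, 128)))
# What the parent (.net) would publish for OLD_KSK: SHA-1 and SHA-256, as in the tool output.
PARENT_DS = [make_ds(OWNER, OLD_KSK, 1), make_ds(OWNER, OLD_KSK, 2)]


def scenarios() -> dict:
    return {
        "child serves no DNSKEY at all (the thread's case)": check_delegation(OWNER, PARENT_DS, [])[0],
        "child still serves OLD_KSK": check_delegation(OWNER, PARENT_DS, [OLD_KSK])[0],
        "child rolled to NEW_KSK, parent DS not updated": check_delegation(OWNER, PARENT_DS, [NEW_KSK])[0],
    }


if __name__ == "__main__":
    for label, good in scenarios().items():
        print(f"{label}: {'chain of trust OK' if good else 'BOGUS'}")
    for line in check_delegation(OWNER, PARENT_DS, [])[1]:
        print("  " + line)
```

On a live zone the two inputs come from different servers: the DS set from the parent's authoritative servers (or `dig DS banthon.net +dnssec` through a resolver) and the DNSKEY set from the child's own authoritative servers, queried directly, since a validating resolver will already SERVFAIL on the broken zone. The fix is either to publish a DNSKEY that hashes to the existing DS, or to have the registrar remove or replace the DS records; note that digest type 1 (SHA-1) is deprecated for new delegations by RFC 8624, so a replacement DS should be SHA-256.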

Dear @JuergenAuer
Thank you very much for pointing that out. My assumption was also that there was a DNS issue, but I'm not familiar with how to set up DNSSEC at ChangeIP. With the other domains at DD24 there is simply a switch in their control panel to enable DNSSEC.
I'm going to contact ChangeIP support and ask for info there.

