Let's Encrypt Certificate Renew/Add Not Working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
vaskion.com
I ran this command:
Go to Control Panel -> Security -> Certificate -> Renew
It produced this output:
Please check if your IP address, reverese proxy rules and firewall settings are correctly configured and try again.
My web server is (include version):
Synology Web Station 3.0.0-0287
The operating system my web server runs on is (include version):
Synology DSM 7.0 beta
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
WordPress 5.5.3-1025
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello,

The renew of Let's Encrypt certificate stopped working after I updated to DSM 7.0. I have not changed the router fonfiguration so port 80 and 443 are still open just like before. I tried also to replace or add a new certificate. I also stopped the firewall during my tries. Every time though I got the same message:

Please check if your IP address, reverese proxy rules and firewall settings are correctly configured and try again.

Does anyone have the same problem? Any ideas how can I fix it?

Thanks a lot!

Hi @vaskion

I can't find something about Synology Web Station 3.0.0.

And a Beta - may be it's buggy.

First step: Ask in a Synology forum if there is a better log.

Looks like a global, too unspecific error message.

Some basics (ip address, open port 80) are ok. But you have a redirect http -> https, I don't know if the integrated Synology Letsencrypt client can work with that.

But: There - https://vaskion.com/.well-known/acme-challenge/1234 is a Synology answer, that looks ok.

Hi @JuergenAuer ,

Thank s lot for your fast response!

I already posted my issue in the Synology community forum but there is no reply yet: https://community.synology.com/enu/forum/20/post/141139

I also submitted a ticket through DSM. It is in a state "Waiting for reply" for more than a week already...

I guess the whole DSM and its packages, as they are in beta, could be buggy and may be causing the issue. I still cannot tell. But there should be way to workaround it I hope...

Redirection from HTTP to HTTPS was working fine till now and I had no issues with renewing the certificates before. Unfortunately I cannot find this particular setting any more. Either they remove it or hide for some reason in DSM 7.0.

@JuergenAuer But: There - https://vaskion.com/.well-known/acme-challenge/1234 is a Synology answer, that looks ok.

I'm sorry I don't understand what you mean here.

I was able to extract some logs from the station:

2021-02-13T16:45:53+02:00 VASKION synoscgi_SYNO.Core.Web.DSM_2_set[9368]: plugin_action.c:319 synoplugin: [9330][POST][port_config/update][update_fw.sh][9368] ExitCode: 0
2021-02-13T16:45:53+02:00 VASKION synoscgi_SYNO.Core.Web.DSM_2_set[9368]: plugin_action.c:319 synoplugin: [9330][POST][port_config/update][update_fw.sh][9368] Runtime: 0.095s
2021-02-13T16:45:53+02:00 VASKION synoscgi_SYNO.Core.Web.DSM_2_set[9330]: plugin_action.c:317 synoplugin: [9330][POST][port_config/update][MAIN] Runtime: 0.110s
2021-02-13T16:54:20+02:00 VASKION synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[11332]: certificate.cpp:1609 handle le renew. [w52aAV]
2021-02-13T16:56:32+02:00 VASKION synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[11332]: certificate.cpp:1119 syno-letsencrypt failed. 110 [Invalid response from https://vaskion.com/.well-known/acme-challenge/ELM5NBrRZo107PI4Oqvy_8b4zyaAyIllZjTMre29hvE [87.246.21.165]: "\n\n\n<meta charset="utf-8">\n.circle_text{font-family:Verdana,Arial,Microsoft JhengHei,sans-serif"]
2021-02-13T16:56:32+02:00 VASKION synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[11332]: certificate.cpp:1614 Failed to renew Let'sEncrypt certificate. [110][Invalid response from https://vaskion.com/.well-known/acme-challenge/ELM5NBrRZo107PI4Oqvy_8b4zyaAyIllZjTMre29hvE [87.246.21.165]: "\n\n\n<meta charset="utf-8">\n.circle_text{font-family:Verdana,Arial,Microsoft JhengHei,sans-serif"]
2021-02-13T16:56:44+02:00 VASKION synoscgi_SYNO.Entry.Request_1_request[12281]: systemd_reload.cpp:17 synosystemd: [nginx] reloading ...
2021-02-13T16:56:44+02:00 VASKION synoscgi_SYNO.Entry.Request_1_request[12281]: systemd_reload.cpp:21 synosystemd: [nginx] reloaded.

That's bad.

You see: https is checked, not http, because you have a redirect http -> https.

Looks like you have created a redirect that doesn't work with the required check of port 80, where Synology has created the validation file.

Where did you create that redirect?

• Remove that redirect complete (or)
• Remove it, if the path starts with /.well-known/acme-challenge

Hmmm, it was working like that for several years... I don't know what happen just now.

I also disabled the redirect where is saw it but it is only for DSP login.

image2146×405 85.6 KB

You didn't remove the redirect:

D:\temp>download http://vaskion.com/.well-known/acme-challenge/ELM5NBrRZo107PI4Oqvy_8b4zyaAyIllZjTMre29hvE -h
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Redirect-By: WordPress
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Feb 2021 20:02:58 GMT
Location: https://vaskion.com/.well-known/acme-challenge/ELM5NBrRZo107PI4Oqvy_8b4zyaAyIllZjTMre29hvE
Set-Cookie: sell_media_session=8f1a5c7b8df1c70e0057f0118a964ce0%7C%7C1613248377%7C%7C1613248017; expires=Sat, 13-Feb-2021 20:32:57 GMT; Max-Age=1800; path=/

Status: 301 MovedPermanently

Your WordPress redirects to https.

PS: That result says: Your WordPress handles port 80, not Synology. So the validation via port 80 can't work, because the Synology-created validation file isn't visible.

Hello again,

I found iTheme Security plugin has such redirect and disabled the module, didn't work. Disabled the whole plug in, didn' work. Stopped the WordPress package from DSM, also didn't work...

How do you get the above result? How can I check whether my changes are in the right direction because currently I just blindly change something hoping it will finaly work?

Hi @vaskion,

It does look like you've now successfully disabled a lot of things on this DSM device. When I try to download this test file, I get a reply that looks to me like it's directly from the DSM software. So if the DSM is still unable to get a certificate under these conditions, I think it's probably a Synology bug.

You could try again and post the resulting log again, in case it's a different error message from the one that you got the first time. If it's still the same error, I think you'll probably have to wait for help from the Synology company or community.

That's a simple own download tool, like curl or wget.

But it's curious.

http://vaskion.com/.well-known/acme-challenge/ELM5NBrRZo107PI4Oqvy_8b4zyaAyIllZjTMre29hvE

has now a Synology answer. So normally it should work, Synology handles http + /.well-known/acme-challenge

If it doesn't work -> our options are limited -> ask in a Synology forum.

Thank you all for looking into this!
Here are the logs from this morning:

messages:2021-02-14T00:21:21+02:00 VASKION syno-letsencrypt[24067]: client_v2.cpp:466 Failed to open port
messages:2021-02-14T00:22:29+02:00 VASKION synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[24043]: certificate.cpp:1119 syno-letsencrypt failed. 110 [Invalid response from http://vaskion.com/.well-known/acme-challenge/Oxgjaaq4X3hujPOwRGKvhKYGwkaDXebJUyJr9MYbEA8 [87.246.21.165]: "\n\n\n<meta charset="utf-8">\n.circle_text{font-family:Verdana,Arial,Microsoft JhengHei,sans-serif"]
messages:2021-02-14T00:40:53+02:00 VASKION syno-letsencrypt[27386]: client_v2.cpp:466 Failed to open port
messages:2021-02-14T00:41:58+02:00 VASKION synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[27382]: certificate.cpp:1119 syno-letsencrypt failed. 110 [Invalid response from http://vaskion.com/.well-known/acme-challenge/wMoTa21Iv2MUDrVhVi-aa1A8sgXKHlYPP5RWkXySbXE [87.246.21.165]: "\n\n\n<meta charset="utf-8">\n.circle_text{font-family:Verdana,Arial,Microsoft JhengHei,sans-serif"]
messages:2021-02-14T09:33:09+02:00 VASKION syno-letsencrypt[14015]: client_v2.cpp:466 Failed to open port
messages:2021-02-14T09:34:14+02:00 VASKION synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[14001]: certificate.cpp:1119 syno-letsencrypt failed. 110 [Invalid response from http://vaskion.com/.well-known/acme-challenge/YHdVuwQEmcYkwrTKR25XcyFbg5nY8uuyyrCSXtodzZM [87.246.21.165]: "\n\n\n<meta charset="utf-8">\n.circle_text{font-family:Verdana,Arial,Microsoft JhengHei,sans-serif"]

I also found this in the .htaccess file and commented WP_SITEURL and WP_HOME so that I can change the site url in the WordPress settings:

$pageURL = 'http';
#if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s";}
$pageURL .= "://";
if ($_SERVER["SERVER_PORT"] != "80" and $_SERVER["SERVER_PORT"] != "443") {
$pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"];
} else {
$pageURL .= $_SERVER["SERVER_NAME"];
}
#SYNOLOGY CUSTOMIZE FIX URL ALIAS
$path = substr($_SERVER['SCRIPT_FILENAME'], strlen("/var/services/web_packages/wordpress"));
$alias = substr($_SERVER['REDIRECT_URL'], 0, strlen($_SERVER['REDIRECT_URL']) - strlen($path));
#define('WP_SITEURL', $pageURL.$alias);
#define('WP_HOME', $pageURL.$alias);
#SYNOLOGY CUSTOMIZE FIX URL ALIAS
if (!defined('SYNOWORDPRESS'))
define('SYNOWORDPRESS', 'Synology Inc.');
/** Absolute path to the WordPress directory. /
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(FILE) . '/');
/* Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
require_once(ABSPATH . 'syno-misc.php');

Hi there,

Thanks a gain for all the help here!
Synology answered the ticket after a week or so and fixed it. There was a bug though as they told me this will be escalated to the development team.

Cheers!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.