Let's Encrypt fails to register certificate (on Synology DS 218+)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sakshi.ddns.net

I ran this command: sudo /usr/syno/sbin/syno-letsencrypt new-cert -d sakshi.ddns.net -m sathishbs@gmail.com -v

It produced this output:
DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v02.api.letsencrypt.org/directory
DEBUG: Email: sathishbs@gmail.com
DEBUG: Domain: sakshi.ddns.net
DEBUG: ==========================
DEBUG: setup acme url https://acme-v02.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v02.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v02.api.letsencrypt.org/acme/new-nonce
DEBUG: Found registed account. used old account. [/usr/syno/etc/letsencrypt/account/DarUbx/]
DEBUG: apply certs with type: RSA
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/new-order
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/new-order
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: dns-01 is not support for sakshi.ddns.net
DEBUG: Setup challenge for sakshi.ddns.net with type http-01
DEBUG: Failed to port map router detect. [1]
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/chall-v3/193343117117/qg5QPA
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/chall-v3/193343117117/qg5QPA
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz-v3/193343117117
DEBUG: Failed to do challenge for sakshi.ddns.net with type http-01.
DEBUG: close port 80.
{"error":101,"file":"client_v2-base.cpp","msg":"Failed to new certificate."}

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Synology

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot is not available on Synology

My nmap results:
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3261/tcp open winshadow
5000/tcp open upnp
5001/tcp open commplex-link
5357/tcp open wsdapi

My Router:
port 80 and 443 are opened on the router too:

my IPV6:
inet6 is disabled

my logs /var/log/messages
syno-letsencrypt[13323]: client_v2-disk.cpp:117 Failed to open port
Demon syno-letsencrypt[13323]: client_v2-base.cpp:603 Failed to do new authorization, may retry with another type. [{"error":101,"file":"client_v2-base.cpp","msg":"148.76.48.218: Fetching http://sakshi.ddns.net/.well-known/acme-challenge/VHPRyvc4HPJSCNMBypd_MSJj_wcpxOSP898GZeHVlPU: Timeout during connect (likely firewall problem)"}

my firewall status:
Disabled;
when enabled, ports 80 and 443 are allowed traffic.

Your nmap might show perfectly fine results from within your internal network, but from the global internet, your port 80 seems to be closed. At least I can't reach it either, just a timeout. And apparently, neither can Let's Encrypt.

Maybe your ISP is blocking access to port 80 if all firewalls and router portmaps are double and triple checked?

7 Likes
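The distinction made above (internal nmap looks fine, but a validator connecting from the internet gets "Timeout during connect (likely firewall problem)") is worth making mechanical. The script below is an added example, not code from the thread or from Synology's syno-letsencrypt: it runs a small loopback HTTP-01 responder standing in for the NAS, then fetches the `/.well-known/acme-challenge/<token>` URL the way a validator would and classifies the outcome into the four cases discussed in this thread: connect timeout (packets never arrive: router port-map, ISP port-80 block, or firewall), connection refused (host reachable, nothing listening), HTTP 404 (web server reached, challenge path not served), and body mismatch (some other host or proxy, e.g. a Web Station placeholder page, answered instead). The token, key authorization and port numbers are constructed for the demonstration; to test a real deployment you would call `probe_challenge` against the public hostname on port 80 from a host outside your LAN.

```python
# Added example (not from the forum thread or from syno-letsencrypt): a local
# HTTP-01 self-test that tells apart connect timeout, connection refused,
# HTTP 404 and wrong-body answers. Responder, token and key authorization are
# constructed here for illustration.
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def make_handler(tokens):
    """Build a handler that serves token -> key-authorization pairs under the ACME path."""
    class ChallengeHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path.startswith(CHALLENGE_PREFIX):
                token = self.path[len(CHALLENGE_PREFIX):]
                if token in tokens:
                    body = tokens[token].encode()
                    self.send_response(200)
                    self.send_header("Content-Type", "text/plain")
                    self.send_header("Content-Length", str(len(body)))
                    self.end_headers()
                    self.wfile.write(body)
                    return
            # Unknown token or any other path: behave like a web server that
            # does not serve the challenge directory.
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    return ChallengeHandler


def start_responder(tokens, host="127.0.0.1", port=0):
    """Start a background HTTP server; port=0 lets the OS pick a free port."""
    server = http.server.HTTPServer((host, port), make_handler(tokens))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_challenge(host, port, token, expected, timeout=3.0):
    """Fetch the challenge URL like a validator would and classify the result."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as e:          # server answered, non-2xx status
        return f"http-{e.code}"
    except urllib.error.URLError as e:           # connect-level failure
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout"
        if isinstance(e.reason, ConnectionRefusedError):
            return "refused"
        return f"error: {e.reason}"
    except (socket.timeout, TimeoutError):       # timed out while reading
        return "timeout"
    return "ok" if body == expected else "mismatch"


# What each outcome means for the NAS owner, in the terms used in this thread.
DIAGNOSIS = {
    "timeout": "no answer on the port: check router port-map, ISP block of port 80, firewall",
    "refused": "host reachable but nothing is listening on that port",
    "http-404": "web server reached but the challenge path is not served",
    "mismatch": "a different host or proxy is answering on that port",
    "ok": "challenge would validate",
}


def free_port():
    """Bind-and-release a loopback port so the 'refused' case can be shown."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_self_test():
    """Exercise ok / mismatch / 404 / refused against the local responder."""
    token = "constructed-token-123"              # constructed, not a real ACME token
    key_auth = token + ".constructed-thumbprint"  # constructed key authorization
    srv = start_responder({token: key_auth})
    host, port = srv.server_address
    results = {
        "ok": probe_challenge(host, port, token, key_auth),
        "mismatch": probe_challenge(host, port, token, "some-other-value"),
        "http-404": probe_challenge(host, port, "unknown-token", key_auth),
        "refused": probe_challenge("127.0.0.1", free_port(), token, key_auth, timeout=1.0),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for case, result in run_self_test().items():
        print(f"{case:9} -> {result:9} {DIAGNOSIS.get(result, '')}")
```

The timeout case is the one the syno-letsencrypt log in this thread reports, and it is also the only one that cannot be reproduced on loopback: a TCP connect to port 80 that never gets a SYN-ACK or RST means the packet is being dropped before the NAS sees it, which is why an nmap from inside the LAN says nothing about it.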

Here is a remote port scanner

3 Likes

From my location (IPv4 only) here is what I see with nmap.

$ nmap -Pn sakshi.ddns.net
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-07 11:47 PST
Nmap scan report for sakshi.ddns.net (148.76.48.218)
Host is up (0.10s latency).
rDNS record for 148.76.48.218: ool-944c30da.dyn.optonline.net
Not shown: 998 filtered ports
PORT     STATE  SERVICE
443/tcp  open   https
9040/tcp closed tor-trans

Nmap done: 1 IP address (1 host up) scanned in 12.39 seconds
1 Like

Here is the nmap output:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-07 14:48 EST
Nmap scan report for sakshi.ddns.net (148.76.48.218)
Host is up (0.0012s latency).
rDNS record for 148.76.48.218: ool-944c30da.dyn.optonline.net
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
2601/tcp open zebra
10000/tcp open snet-sensor-mgmt
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown

Requires Port 80 Challenge Types - Let's Encrypt
Best Practice - Keep Port 80 Open

1 Like

From where, your local LAN?
Or Publicly visible remote Internet Location?

Try Let's Debug.

2 Likes

Here are the results https://letsdebug.net/sakshi.ddns.net/1327090

2 Likes

I am not sure where the issue is. If I key in http://sakshi.ddns.net/ in my browser it takes me to a page that says "Your website is not set up yet.", which means port 80 is open and redirecting to webstation.

Please look at these for additional locations for help.

3 Likes

Thank you, I will try to explore them and will come back if I still fail. Thanks for the quick responses.

2 Likes

You might ask on ddns.net forums as well.

Also if you have a cellphone try connecting to http://sakshi.ddns.net/ with Wi-Fi OFF from the cellphone.
This will force the cellphone to go over the carrier's IP Address and not your local net.

2 Likes

I am able to reach my website over my phone/laptop hotspotted to the phone network, but LE still fails.

From elsewhere around the world, http://sakshi.ddns.net cannot be reached using this online tool https://check-host.net/ (see the permanent link to this check report).

And using Let's Debug with the HTTP-01 challenge gives 2 ERRORs: https://letsdebug.net/sakshi.ddns.net/1328448

Please click the links above and check out how the rest of the world is presently viewing your website.

2 Likes

I just tried this on check-host.net and I am able to reach
https://sakshi.ddns.net fine.

Can you check once?

HTTPS is Port 443
HTTP is Port 80

You are attempting to use the HTTP-01 challenge, which requires Port 80.
I had checked with HTTP Port 80; please check for yourself. And reread below.

1 Like

Bruce5051, I understand that, but I am not able to understand why LE fails to reach port 80 while both 80 & 443 are opened on the router and server.

Please click on the BOLD links, I do not see anyone able to connect to your website via HTTP Port 80.

2 Likes

I have opened a ticket with Synology; let's see where the issue is. I will update this group so that we can understand this issue better.

1 Like

And yes, the rest of the world can access your website via HTTPS Port 443 as shown below
https://www.ssllabs.com/ssltest/analyze.html?d=sakshi.ddns.net

2 Likes