Manually renew on Synology

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
obrien-pifer.com
The identifiers in the debug are obrien-pifer.com and synology.obrien-pifer.com

I ran this command:
sudo /usr/syno/sbin/syno-letsencrypt renew-all

It produced this output:
{"error":101,"file":"client_v2-base.cpp","msg":"108.212.144.25: Fetching http://obrien-pifer.com/.well-known/acme-challenge/OPf9-YQ1ap-kynAbWkvvM_9OdR3ZK52eN1CvKkmPop8: Timeout during connect (likely firewall problem)"}

My web server is (include version):
nginx or apache (I can switch them)

The operating system my web server runs on is (include version):
Synology DSM 7.1.1.42962 Update 3

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
N/A

I have been using this process for a pretty long time and I have never had this issue.

I've seen enough posts in searches that you guys may not be Synology experts. I also realize that the error makes it look like the issue is the firewall or port forwarding, but I can confidently say it isn't. The renewal process places the challenge file in directory:
/var/lib/letsencrypt/.well-known/acme-challenge/

I have placed an html file in the same directory, and when I enable forwarding of port 80, I can load the html file from outside my network.

I do not know why the renewal process cannot get to the challenge file. I have a ticket open with Synology, but so far that has not produced much help. Logging is not very accessible like it is on regular Linux systems, i.e. an HTTP access log.

If nothing else, is there any way to renew the certificate manually? I have 8 days before it expires.

Any help is greatly appreciated.

Yes, most of us are not wizards with Synology :slight_smile:

But, how exactly did you test access from outside your network?

Because I can't reach your domain on port 80 and neither can Let's Debug (link here)

My attempts fail and I don't see port 443 open either.

curl -i -m5 obrien-pifer.com
curl: (28) Connection timed out after 5001 milliseconds

nmap -Pn -p80,443 obrien-pifer.com
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

An nmap test does show some ports open: 53,587,993,995 (looks like DNS and email only)

6 Likes

Hey Mike. I didn't have the ports forwarded because I only enable them when renewing. They are enabled now, and there is an index.html in the same folder that Let's Encrypt writes its challenge to:
.well-known/acme-challenge/index.html

Thanks
James

1 Like

OK. I can see that file now. I don't know Synology that well so not sure what to advise. I see you have nginx responding to those http requests so you should just ensure the server block responding to these requests is using the correct folder.

As for:

It looks like you run your own DNS server. If you install your own ACME client you could do a manual DNS Challenge where you place TXT records in your DNS. Something like the acme.sh ACME client might be easiest. Here's an example of it on Synology but for an automated DNS Challenge using Cloudflare. You just change to using a manual option instead.

Or, see if another volunteer has better ideas

4 Likes

I'll give it a shot. Thanks

2 Likes

So, you think that's insecure...
And you're OK with being insecure for a short period of time?

You need to feel safe about opening that port.
Then you can leave it open, because it is never insecure [even when open].

My whole point is automation.
If you have to open the port manually, then you have lost automation.

6 Likes

You just need to write a --pre-hook that enables the port forwarding and a --post-hook to disable it. :sunglasses:

6 Likes

That's overkill and may not be possible with all routers.

For the extremely paranoid [this should be enough]:
Don't listen on port 80 and leave the port open at the router at all times.
Then run a --standalone client on port 80 [when needed].

For the less paranoid:
Listen on port 80 and redirect it all [except the challenge requests] to port 443.
[you could even use a different web service - just for this single purpose]

6 Likes
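An added example (not from any post in this thread) of what the "less paranoid" option and the earlier advice about the server block using the correct folder look like in nginx. It assumes the ACME webroot is /var/lib/letsencrypt as stated above, that the real site is served by a separate HTTPS server block, and that DSM lets you add your own server block to its generated nginx configuration.

```nginx
# Added example, not the thread's or Synology's own configuration.
# Assumption: the renewal process writes tokens under
# /var/lib/letsencrypt/.well-known/acme-challenge/ (path from the thread).
server {
    listen 80;
    listen [::]:80;
    server_name obrien-pifer.com synology.obrien-pifer.com;

    # Serve HTTP-01 challenge tokens straight from the renewal directory.
    # "^~" makes this prefix match win over any regex location, so no
    # other rule (or the redirect below) can shadow the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on port 80 is redirected to HTTPS, so the port can
    # stay open at the router without serving the site over plain HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place a plain-text test file dropped into that directory should be fetchable over HTTP from outside the network, while any other path should answer with a 301 to the HTTPS URL.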

Option #1 is equally as effective as the current close/open process.

Option #2 has the benefit of catching "example.com" and redirecting it to "https://example.com".
[as most browsers still try HTTP when not included, that may time out for those requests]

5 Likes

I guess I should have added the :rofl: after the :sunglasses: like I had originally planned. My response was intended primarily in jest even though it might be possible with the right hardware.

That is how I have handled HTTP-01 challenges for years.

If the Synology supports DNS-01 challenges, that would be another method to consider.

6 Likes

Trying to set up DNS-01 challenges but it's not easy. Maybe if your configuration matches exactly as the guide shows it's easier. Mine does not.

As for leaving 80 open, it really doesn't matter as the renewal doesn't work anyway.

Thanks

1 Like

Please look at these for additional locations for help.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.