My certificate doesn't want to update

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: verochonnas.myqnapcloud.com

I ran this command: Update certificate automatically or manually

It produced this output: "Failed to connect DNS, look at port80..." and in log: "[myQNAPcloud] Failed to renew the Let's Encrypt certificate. The server failed to connect to the NAS and verify the domain."

My web server is (include version):

The operating system my web server runs on is (include version): QNAP TS-269L - QTS 4.3.4.1652

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello all,
I didn't have any problems with automatic certificate updates before December 2021.
In December 2021, I wasn't able to renew the certificate.
I found this explanation https://forum.qnap.com/viewtopic.php?f=313&t=144434&start=15#p800345 on the QNAP forum and solved this issue. My certificate was updated for 3 months, and 3 months later I've got this new issue.
Thanks for your help.

1 Like

If I connect to this via http, I get redirected to

  • https://VerochonNAS.myqnapcloud.com:8081/ if I use curl;
  • https://verochonnas.myqnapcloud.com:44366/cgi-bin/ if I use Chrome on Android.

This is not supposed to happen. Where does the Let's Encrypt validator get redirected to?

4 Likes

Hello,
Many thanks for response.

44366 is the NAS https port. I use it to access the QTS web UI.
8081 is the port configured for a web server on the NAS. I don't use it, so I disabled the service, but I still have the certificate update issue.

Does it change anything on your side?

1 Like

Timeout on both clients. Unable to connect.

3 Likes

Thanks.

Yes, that's the point. I didn't have any problems before 12/21 and didn't change anything in my NAS config.
On 02/21/22 I received this mail:

Hello,
Your certificate (or certificates) for the names listed below will expire in 11 days (on 04 Mar 22 10:54 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

verochonnas.myqnapcloud.com

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

Could this be related to my problem?

2 Likes

Yes, your website needs to be reachable for a certificate to be issued using http validation.

I'd check:

  • if your domain points to the right (public) IP
  • if your port forwarding works
  • if your webserver is listening (port 80)
  • if various firewalls are set up right (your router, your ISP, your NAS)

4 Likes

Welcome to the Let's Encrypt Community 🙂

You might find this to be helpful:

3 Likes

In addition to the topic @griffin linked, you should note this from the Let's Encrypt Challenge Types page

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.

Right now I do not see port 80 open. Try using a tool like this to check any port:

4 Likes

Hello,
Thanks all for responses.
I checked my config again and don't understand what is going wrong.
Here's my NAS port access config:

1 Like

Here's the web server config:

Ports 80, 443 and 8081 are open for the NAS on the router.

I tested the redirection on this web site: Redirect Checker | Check your Statuscode 301 vs 302
Here's the result:

And I don't know what it means or how to solve it if needed...

Thanks to all again.

1 Like

You should either validate on port 80, or redirect to 443.

Validation will not work if you redirect on port 8081.

Moreover, the validation bots only follow http redirects, while you are currently redirecting this way:

  • port 80 -> http redirect to port 8081 (https)
  • port 8081 -> javascript redirect to port 443.

See here:

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443.

301 or 302 doesn't matter. What matters is that you use port 80 or 443.

3 Likes
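An added example, not part of any post in this thread and not Let's Encrypt's validator code: a simplified Python model of the redirect rule quoted above, run against constructed responses for a hypothetical host `nas.example.com`. The `fetch` callable, the token values and the set of 3xx statuses treated as redirects are assumptions made for the illustration.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10                           # "up to 10 redirects deep"
DEFAULT_PORTS = {"http": 80, "https": 443}   # the only accepted schemes
ALLOWED_PORTS = {80, 443}

def hop_problem(url):
    """Return why a redirect target breaks the quoted rule, or None if it is fine."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return f"scheme {parts.scheme!r} is not http or https"
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if port not in ALLOWED_PORTS:
        return f"port {port} is not 80 or 443"
    return None

def validate(domain, token, key_auth, fetch):
    """Walk the chain from port 80; fetch(url) returns (status, location, body)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        if status == 200:
            # A JavaScript redirect arrives as a 200 HTML page, so it fails here.
            ok = body.strip() == key_auth
            return ok, "key authorization matches" if ok else "body is not the key authorization"
        if status not in (301, 302, 303, 307, 308) or not location:  # assumed set
            return False, f"unexpected status {status}"
        url = urljoin(url, location)
        problem = hop_problem(url)
        if problem:
            return False, f"redirect to {url} rejected: {problem}"
    return False, "more than 10 redirects"

# Constructed responses (not captured traffic) for a hypothetical NAS.
HOST, TOKEN = "nas.example.com", "constructed-token"
KEY_AUTH = TOKEN + ".constructed-thumbprint"
START = f"http://{HOST}/.well-known/acme-challenge/{TOKEN}"
AS_REPORTED = {START: (302, f"https://{HOST}:8081/", "")}
FIXED = {START: (301, START.replace("http://", "https://"), ""),
         START.replace("http://", "https://"): (200, None, KEY_AUTH + "\n")}
JS_ONLY = {START: (200, None, "<script>location.href='https://nas.example.com/'</script>")}

if __name__ == "__main__":
    for name, site in (("as reported", AS_REPORTED), ("fixed", FIXED), ("js only", JS_ONLY)):
        print(name, validate(HOST, TOKEN, KEY_AUTH, site.get))
```

Replacing `site.get` with a function that issues real requests without auto-following redirects turns the same walk into a pre-renewal check.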

And this means that you should complain to the NAS manufacturer, because they should not redirect port 80 requests for .well-known/acme-challenge and should pass it to the acme client instead, if they know what they are doing.

Your solution right now can be moving the service responsible for validation on port 443.

3 Likes

You should try using ports 80 and 443 for your Serveur Web and use port 8081 for https for your Administration du Systeme.

I don't know if that will fix all problems, but that is a more common port use for web servers.

3 Likes

Hello all,
After the correction of my ports as explained here, I still had the same problem.
I found this explanation on the QNAP forum.
And it solved the issue. I could then update my certificate for 3 months. Hope that the automatic update will work fine in June...

2 Likes
