My QNAP won't let me renew my existing certificate. I am always told to check DNS or Port 80.
When I log in by SSL I can send a ping to www.google.com without any problems.
And when accessing my NAS by http://externalIP:80/show-php.php I will see the output.
So both things should work. How can I renew my still valid certificate (until 9th of January 2024)?
In mid-December I received an email from Letsencrypt.org telling me the certificate will expire in 19 days and I should renew it.
But as it's not the first time I have received a mail like this, and QNAP used to renew 10 days before, I was waiting for the NAS to do the job.
I already started an issue at QNAP, too. Let's see what will come out.
Where are you located? I am from Germany.
QNAP asked me to send a screenshot from "MyQnapcloud -> SSL Zertifikat".
I did so - but it is interesting that there the certificate is valid only until 2024-01-02 while Control panel -> security -> SSL Zertifikat shows 2024.01.09....
I don't see any reason for the cert renewal to fail either.
From the public internet we can reach your domain using HTTP (port 80) used by the ACME HTTP challenge. See also Let's Debug result (link here).
The only active Let's Encrypt cert expires on Jan 9. Sometimes NAS devices come with a built-in self-signed cert to use during setup. Are there any other details about that Jan 2 expiring cert? See your LE certs with a tool like this Let's Debug Toolkit.
Your domain is using the Jan 9 expiring cert for HTTPS requests. Use a site like this SSL Checker to see (link here).
If you can get more detailed error messages for why it is failing we could maybe offer advice. But, for now your best action is to continue working with QNAP.
As far as I know, the 2nd of January on the certificate is not the real expiry day - to me it seems only the recent day is shown - so tomorrow it should be 2024-01-03 - I will check that.
Where can I find the LE certs to check with that Let's Debug Toolkit?
I am already in touch with QNAP service - let's see what they can do.
It seems I am not the only one having problems with that.
Enter your domain name on the screen and choose the look back. The default is seven days, but if you look back 90 days you will see all unexpired certs for that domain name.
Yes. If you check the "auto renew" option when you apply for a Let's Encrypt SSL certificate, then the certificate will be automatically renewed when it is close to its expiry date. You can also change the auto-renewal setting of an existing certificate using the QTS SSL Certificate app.
Auto-renewal works as follows:
1. 30 days before a certificate expires, the QTS SSL Certificate app will try to renew the certificate.
2. To confirm that you still control the domain, Let's Encrypt will send a challenge request to myQNAPcloud DNS server.
3. If myQNAPcloud's DNS server cannot complete the challenge request, then the QTS SSL Certificate app will start other challenge methods using port 80 or 443.
4. The certificate will be downloaded to your device once the challenge request is complete.
5. The Web Server will be restarted after the new certificate is applied.
Notes: Renewing a certificate using port 443 first requires a new self-signed certificate to be generated. The web server will then be restarted, after the self-signed certificate is generated. This is normal behaviour.
To be honest I have no idea what it means. Until now I never had to do anything manually - QNAP renewed the certificate automatically.
What can I do now? How can the "Chain issues" appear?
Until now I still can access my domain.
QNAP user here, I have the same problem: trying to renew the Let's Encrypt certificate results in a message stating something about ACME server error. Please verify the router and the QNAP device accepts incoming traffic on ports 80 and 443.
I'm not that expert; looking at the steps above suggested by QNAP I read this:
1. 30 days before a certificate expires, the QTS SSL Certificate app will try to renew the certificate.
2. To confirm that you still control the domain, Let's Encrypt will send a challenge request to myQNAPcloud DNS server.
3. If myQNAPcloud's DNS server cannot complete the challenge request, then the QTS SSL Certificate app will start other challenge methods using port 80 or 443.
4. The certificate will be downloaded to your device once the challenge request is complete.
5. The Web Server will be restarted after the new certificate is applied.
I think point number 2 could be the problem: I don't have ANY certificate on my myQNAPcloud page, I just have the Let's Encrypt certificate, so I guess the process will fail at point 2 and go directly to point 3, which also fails since the error message I get states it's unable to accept incoming traffic on 80 or 443.
Is this a dead loop?
Maybe QNAP checks "their" certificate in the first instance; if not present, they search for an external authority.
The problem, to me, is that when Let's Encrypt is probed, the result is a communication error on port 80 or 443, which is obviously misleading information.
Seems like, for some reason, Let's Encrypt cannot reach the NAS on those ports.
When you say "Web Server" you mean the port number under "Control Panel --> System --> General settings --> System port"? Mine is usually set to 8080 but I changed it, just for this purpose, to 80.
I then have 2 forward rules on my router, forwarding 443 and 80 to the internal NAS IP.
I still keep getting the error.
Ok, now it worked.
What is beyond my understanding is why I should enable the internal web server (which I don't use at all) in order to update an SSL certificate that I created 3 months ago while the QNAP webserver service was offline.
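The thread turns on the difference between port 80 being forwarded and something on it actually answering the ACME HTTP challenge. As an added example (not code from any poster, QNAP or Let's Encrypt), this Python check classifies what an HTTP-01 validator would get back from a host. It assumes loopback servers standing in for the NAS, a constructed token and key authorization, and hypothetical function names.

```python
import http.server
import threading
import urllib.error
import urllib.request

PREFIX = "/.well-known/acme-challenge/"   # path fixed by RFC 8555, section 8.3
TOKEN = "constructed-token"               # constructed sample values
KEYAUTH = TOKEN + ".constructed-thumbprint"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def check_http01(base_url, token, expected, timeout=5):
    """Fetch the challenge URL as a validator would and classify the result."""
    try:
        with OPENER.open(base_url.rstrip("/") + PREFIX + token, timeout=timeout) as resp:
            body = resp.read(1024).decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:      # must precede URLError (subclass)
        return "http_%d" % exc.code
    except (urllib.error.URLError, OSError):
        return "unreachable"
    return "ok" if body == expected else "wrong_body"

def start_server(pages):
    """Loopback stand-in for the NAS; pages maps path -> body, '*' = any path."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = pages.get(self.path, pages.get("*"))
            if body is None:
                return self.send_error(404)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(body.encode("ascii"))
        log_message = lambda self, *args: None  # keep the demo quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def demo():
    cases = {"web server serves token": {PREFIX + TOKEN: KEYAUTH},
             "other service owns the port": {"*": "<html>login</html>"},
             "web root without token": {}}
    results = {}
    for name, pages in cases.items():
        srv, url = start_server(pages)
        results[name] = check_http01(url, TOKEN, KEYAUTH)
        srv.shutdown()
        srv.server_close()
    results["nothing listening"] = check_http01(url, TOKEN, KEYAUTH, 2)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the first case would pass validation; the other three are all things a client may report as a generic "check port 80" failure, so the returned label says which one to chase.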