Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: I am using the Security App on QTS, to replace an existing working certificate. I want to add an alternate domain to the certificate.
It produced this output: "A domain validation challenge was not received from the ACME Server"
You may need to ask about that on a QNAP support forum. That is not a Let's Encrypt error message.
There is a problem with your mcnas123.mycloud.com domain. Maybe this is causing your QNAP problem? You are missing an A record in your DNS for this name. You have an A record for your other two names pointing to the same IP. You will need to fix the DNS for this domain if you want to use it from the public internet in any case.
nslookup mcnas123.mycloud.com
** server can't find mcnas123.mycloud.com: NXDOMAIN
Also, domain names do not include the /allsky part of a URL. So if you added the name like that in your QNAP instead of a proper domain name (or hostname) then maybe that is causing trouble?
None of what I just described is unique to Let's Encrypt. These are just standard settings needed for domains on the public internet.
Thanks for taking the time to reply.
I guess what I am asking on this forum is, does Let's Encrypt still do the HTTP challenge?
Or is it all TLS?
I understand that the message is from QNAP QTS certificate management software.
I have successfully registered a certificate with the QNAP software, but want to add an alternate domain name, so I am trying to replace it unsuccessfully.
I have monitored the traffic with Wireshark while I try and register the new replacement certificate.
There is no port 80 traffic, all traffic with the ACME Server is TLS and around 100+ packets. (possible TLS challenge)
I realise that allsky is not part of the domain name, I added it so anyone can check the domain is accessible. I have nothing at the web root.
nslookup works for me on both domain names and both domains are accessible from the internet.
MPMacMini ddclient % nslookup
My fault Mike, the message I posted first was not correct. I am only using the domain names when attempting to register. I already have a certificate registered to mcnas123.myqnapcloud.com and I am trying to add an alternate name nas.microconcepts.com.au. /allsky is a web site.
I found a bug in the QNAP Python code that manages the prepare_challenge().
After modifying the code the Python client no longer reported a failure in prepare_challenge().
The QNAP certificate ssl log reported the following.
It appears the new certificates are being downloaded to temp files and waiting for the challenge to succeed.
check_for_myqnapcloud():check_can_request_cert failed with error code -3006e
get_letsencrypt_download_status():download letsencrypt certificate error with code:-4003
Are these frequency errors?
I don't see anything in the log that points to a specific Let's Encrypt issue.
Of course I see the various failure messages, they are just too vague to know what they mean. Maybe the QNAP forum has seen these. Or, if they can even describe exactly what the error means. It just looks like: some error, do something, do something, another error, yet another error, do something. As if it does not know how to handle the series of errors and just continues anyway.
Do you control the Apache server? Or is that built-in to QNAP?
I can reach your domains using HTTP and so can the Let's Debug test site (link here). So, it's nothing inherent with HTTP (port 80) or the format of the ACME HTTP Challenge. Both your domains respond with the same expected 404 (not found) to these tests:
curl -I http://nas.microconcepts.com.au/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Date: Tue, 12 Dec 2023 22:00:29 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=iso-8859-1
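The checks used in the replies above (a bare hostname with no path, a DNS lookup, and a probe of the HTTP-01 challenge path) collected into one pre-flight script. This is an added example, not part of the original thread and not QNAP or Let's Encrypt code; the function names are made up here, and it assumes `nslookup` exits non-zero when a name does not resolve.

```shell
#!/bin/sh
# Added example: pre-flight checks for names going into an ACME HTTP-01 request.
# Function names are hypothetical; nothing here comes from the QNAP scripts.

# Succeeds only for a bare DNS hostname (no scheme, path, port or wildcard).
is_hostname() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Reads `curl -I` output on stdin and prints the numeric HTTP status code.
http_status() {
    awk 'NR==1 && $1 ~ /^HTTP\// { print $2; exit }' | tr -d '\r'
}

# Interprets the status returned for a challenge token that does not exist.
# 404 means the web server itself answered on port 80 for that path.
classify_probe() {
    case "$1" in
        404) echo "reachable" ;;
        301|302|307|308) echo "redirect" ;;
        "") echo "no-response" ;;
        *) echo "unexpected" ;;
    esac
}

# Runs all three checks for one name and prints a one-line verdict.
preflight() {
    name=$1
    if ! is_hostname "$name"; then
        echo "$name: not a hostname (remove any scheme or /path)"; return 1
    fi
    # Assumption: nslookup exits non-zero on NXDOMAIN.
    if ! nslookup "$name" >/dev/null 2>&1; then
        echo "$name: does not resolve in public DNS"; return 1
    fi
    code=$(curl -sI --max-time 10 \
        "http://$name/.well-known/acme-challenge/Test404" | http_status)
    echo "$name: $(classify_probe "$code") (HTTP ${code:-none})"
}

# Check every name given on the command line.
for n in "$@"; do preflight "$n"; done
```

Pass every name intended for the certificate as an argument; a name that is not `reachable` here will also fail an HTTP-01 validation from the public internet.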
I have been debugging their certificate management bash shell and Python scripts to try and find out why I cannot register a new certificate. I was just checking with the forum if these errors -3006 & -4003 were from the ACME Server, obviously not. Their scripts use a letsencrypt_agent_cli binary with no source code.
I have posted messages to QNAP support who reply in broken English with "out of the manual" like responses not related to my questions.
Both domains work fine on http and https. I have a Let's Encrypt certificate associated with the mcnas123.myqnapcloud.com domain only and it works well, auto renews via crontab.
I am attempting to register without much success another certificate associated with both the qnap and my own domains.
The web server is built in to QNAP's QTS (a custom Linux). I do have control over the Apache server via conf files, virtual host files and can restart on demand.
Similar to the previous log, below are all the log entries from 1 attempt to create a certificate.
The QNAP GUI reports "A domain challenge was not received from the ACME Server"
There is no traffic to the ACME server, I watch with Wireshark, so it must be an internal limit to stay inside the Let's Encrypt frequency requirements.
I don't know why I forgot to mention this before but you could consider using the mod_md feature in Apache. You just configure a few things right in Apache and it manages and renews the Cert automatically. I am not certain it works in your qnap but I don't know why it would not.
You can review the Apache docs or I like the GitHub for it below that has nice docs.
I backed up the existing /etc/stunnel/stunnel.pem.
The script "renew_certificate.sh" creates a new combined certificate and overwrites it.
I also added the renewal crontab job as instructed, will see if it renews OK on 60 days.
ssl_agent_cli still reports the days remaining of the old certificate in the QNAP GUI.