Renewal fails while new certificate request works


#1

Hello,
I have an issue renewing my LE certificates (I'm running a Synology NAS with DSM 6.1).
I can successfully request new LE certificates (with new URLs / subdomains) but I'm not able to renew the ones that I had already created.
Note: they have now expired.

Here is what I get when running the renew command (I get “Fail to connect to Letsencrypt server” from the DSM UI).

My port 80 is open.

I'm launching the command:
/usr/syno/sbin/syno-letsencrypt renew-all -v

DEBUG: check need to renew. [/usr/syno/etc/certificate/archive/A385Rk/]
DEBUG: start to renew [/usr/syno/etc/certificate/archive/A385Rk/].
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: strat to do new-authz for bureau.vinch-syno.synology.me
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: new authz: setup challenge env.
DEBUG: new authz: http-01 challenge.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/challenge/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4/186347594
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/challenge/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4/186347594
DEBUG: new authz: http-01 check result.
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: new authz: setup challenge env.
DEBUG: Setup DDNS: TXT [acme-challenge.bureau.vinch-syno.synology.me][YEYpHv-IbB9gzcoJZRTDwSvAdNpsHhfMBExXO486kG0]
DEBUG: DDNS Curl: [https://ddns.synology.com/main.php?_=letsencrypt%2Fcreate&hostname=bureau.vinch-syno.synology.me&myds_id=551889&auth_key=2da73fc1ba38c12d8d553fb2f5e55319b058e4f60418221874ffa6688339d888fd4d79896d8355a9&serial=13C0LAN003022&txt=YEYpHv-IbB9gzcoJZRTDwSvAdNpsHhfMBExXO486kG0]
DEBUG: GET Request: https://ddns.synology.com/main.php?_=letsencrypt%2Fcreate&hostname=bureau.vinch-syno.synology.me&myds_id=551889&auth_key=2da73fc1ba38c12d8d553fb2f5e55319b058e4f60418221874ffa6688339d888fd4d79896d8355a9&serial=13C0LAN003022&txt=YEYpHv-IbB9gzcoJZRTDwSvAdNpsHhfMBExXO486kG0
DEBUG: Dns01 challenge: Setup [{"code":"host_not_found"}].
DEBUG: DDNS Curl: [https://ddns.synology.com/main.php?_=letsencrypt%2Fdelete&hostname=bureau.vinch-syno.synology.me&myds_id=551889&auth_key=2da73fc1ba38c12d8d553fb2f5e55319b058e4f60418221874ffa6688339d888fd4d79896d8355a9&serial=13C0LAN003022&txt=YEYpHv-IbB9gzcoJZRTDwSvAdNpsHhfMBExXO486kG0]
DEBUG: GET Request: https://ddns.synology.com/main.php?_=letsencrypt%2Fdelete&hostname=bureau.vinch-syno.synology.me&myds_id=551889&auth_key=2da73fc1ba38c12d8d553fb2f5e55319b058e4f60418221874ffa6688339d888fd4d79896d8355a9&serial=13C0LAN003022&txt=YEYpHv-IbB9gzcoJZRTDwSvAdNpsHhfMBExXO486kG0
DEBUG: Dns01 challenge: Teardown [{"code":"host_not_found"}].
DEBUG: DNS challenge failed, reason: { "error": 203, "msg": "Challenge setup is failed.", "file": "client.cpp:278"}
DEBUG: Normal challenge failed, reason: { "error": 200, "msg": "Authorization timeout.", "file": "client.cpp:332"}

Here is the detail of the authz object at https://acme-v01.api.letsencrypt.org/acme/authz/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4:


{
  "identifier": {
    "type": "dns",
    "value": "bureau.vinch-syno.synology.me"
  },
  "status": "valid",
  "expires": "2017-05-16T14:13:04Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4/186347592",
      "token": "9g07e6WStWLjDZiPyAGIICRu9d3Wr8WFMpF9tW3eFU4",
      "keyAuthorization": "9g07e6WStWLjDZiPyAGIICRu9d3Wr8WFMpF9tW3eFU4.J1Jo04uNFEEpBM7msAwBPtRo_i5V_xlQnwVQCWgpWq0",
      "validationRecord": [
        {
          "Authorities": [
            "synology.me.\t842\tIN\tNS\tns1.synology.me.",
            "synology.me.\t842\tIN\tNS\tns2.synology.me."
          ],
          "hostname": "bureau.vinch-syno.synology.me",
          "port": "",
          "addressesResolved": null,
          "addressUsed": ""
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4/186347593",
      "token": "lSQrkdpRamEsfkJuqG-tEgWr4-pwxHWZZxIlaZ4X7Do"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4/186347594",
      "token": "Syz54j94qW8eViyTldpcFY0xYM8N7lltVKiH4IgZvtg"
    }
  ],
  "combinations": [
    [0],
    [2],
    [1]
  ]
}

It seems to be linked to some DNS challenge error, but I don't really understand what's wrong. My certificates did renew (automatically with the DSM auto-renewal) without any problem until this time.
And again, what is strange is that I'm able to create new certificates for the other sub-domains (e.g. test.vinch-syno.synology.me) without problem.
Can anyone support me here to understand what's wrong?

Thank you!


#2

hi @vinch36

looks like DNS records aren't being created

DEBUG: Dns01 challenge: Teardown [{"code":"host_not_found"}].
DEBUG: DNS challenge failed, reason: { "error": 203, "msg": "Challenge setup is failed.", "file": "client.cpp:278"}
DEBUG: Normal challenge failed, reason: { "error": 200, "msg": "Authorization timeout.", "file": "client.cpp:332"}


#3

actually I just checked and the DNS challenge is valid

https://acme-v01.api.letsencrypt.org/acme/authz/CoqHgnCwoFllF5hNE5pzo2zAdGPYcXU0lVYCSeO79l4

so you should be able to get the certificate


#4

Hi,

Thank you for the reply;

Yes, I can see the status is valid and even the expiry seems updated (2017-05-16T14:13:04), but it still does not renew my certificate and I still get this same error:
DEBUG: Dns01 challenge: Teardown [{"code":"host_not_found"}].
DEBUG: DNS challenge failed, reason: { "error": 203, "msg": "Challenge setup is failed.", "file": "client.cpp:278"}
DEBUG: Normal challenge failed, reason: { "error": 200, "msg": "Authorization timeout.", "file": "client.cpp:332"}

And again, it just does not work for the sub-domains I had already created and just wanted to renew, but it works for other sub-domains of my domain vinch-syno.synology.me (if I try with test.vinch-syno.synology.me, it works).

Any idea?

Thanks!


#5

I suspect that syno-letsencrypt isn't using the updated version of ACME (from some 6 months ago); see "Upcoming change: valid authz reuse". The client should take note of this and simply obtain a new certificate, however it doesn't look to be. It's probably worth raising an issue with syno-letsencrypt.

The easiest way may be to change your account key. The domain will not be validated for your new account key, so it should be revalidated, and obtain a certificate.


#6

Thank you serverco,

Could you please guide me on how to change my account key?

Thanks.


#7

The easiest is to simply delete the existing key. I’m not familiar with syno-letsencrypt to know exactly where they store the key though, unfortunately.


#8

I think I found the account key, and I just renamed the private_key.json file, but I now get the following message when trying to renew (for all my certificates):
DEBUG: Failed to renew /usr/syno/etc/certificate/_archive/wmcWfU/. { "error": 201, "msg": "failed to load User Account key: /usr/syno/etc/letsencrypt/account/i6pbEF//private_key.json", "file": "client.cpp:108"}

Am I deleting the correct key?


#9

That sounds like the account key then, yes (if it gives an error on all accounts; if it gave an error on just one account it would be the account private key).

Once removed, most clients will generate a new key. I don't know syno-letsencrypt though. Hopefully someone else does (or ask the syno-letsencrypt developers).


#10

Yes, I will do so. I think you're right and there is a flaw in the syno-letsencrypt client, I'll raise it.

I found a way to have it working, in the meantime: I’ve asked to replace my old certificate, for the same domain, but with another email as account, so it did generate a new account…

Thank you again for the hints and support.

