Renewal from synology stopped working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
syno-letsencrypt

As much as I tried ports, DNS and such it all works.
I mean all services work fine but certificate renewal fails after many that succeeded over the years. Main question would be what server is unreachable and why?
Here is just the tail end of the output.
.....
"type": "http-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall/943048507/540588436861/FNzRJw", "status": "valid", "validated": "2025-06-24T23:30:09Z", "token": "zdPyc_HAdWKgVYdbg62AhxefKsuMVQIi_F69-hYE86k", "validationRecord": [ { "url": "http://calculusx.net/.well-known/acme-challenge/zdPyc_HAdWKgVYdbg62AhxefKsuMVQIi_F69-hYE86k", "hostname": "calculusx.net", "port": "80", "addressesResolved": [ "96.38.147.193" ], "addressUsed": "96.38.147.193" } ] } ] }] DEBUG: Get valid without setup challenge, may cache? DEBUG: Post JWS Request: https://acme-v02.api.letsencrypt.org/acme/authz/943048507/540588436881 DEBUG: szUserAgent: [synology_geminilake_920+ DSM7.2-72806 Update 3 (DDNS)] DEBUG: Post Request: https://acme-v02.api.letsencrypt.org/acme/authz/943048507/540588436881 DEBUG: Post value: { "payload" : "", "protected" : "eyJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTQzMDQ4NTA3Iiwibm9uY2UiOiI3cWRSWjlPaTA1UWpLMlJRcTdUSUtQcVFSVkpwZFVuWWFSeGs5WE9mTVEzVnAzZkdZbGMiLCJ1cmwiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei85NDMwNDg1MDcvNTQwNTg4NDM2ODgxIn0K", "signature" : "J-WiB-RzfzG3PdPb9y_KemXB09mx5ybwKTUMuFRT0qZfBXQWd9siNLaxgiGiojIXXZw37zMeRrt19L0CScu64CYvKFGja6dgwcxFKudl7Wv81PtcQ-LFg3xiBmdmOgEVo62k8Rx8JAp2zlwIgL1xbghydn4f7IYUJ3SUotWuvPMe40JtNOaWnBhMoME0ZJoEJTwG63gjNvWZrlXsyKoBtbPvw8-9fiAR1Pqs1z3GwX-grfaDwdA5MFmHAWAG75RNZfphgMsU0e3xrMusR9hgGaaUqPZ2WhShCuoAqZ6RorSUurMh5vArotvoOm6sC1BhufNSOES_XcRBUw_B1HVkKg" } {"error":100,"file":"client_network.cpp","msg":"Server is not reachable."}

My web server is (include version):
WebStation 4.2.3

The operating system my web server runs on is (include version):
synology DSM 7.2.2-72806

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
DSM 7.2.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
syno-letsencrypt 2023

I see you got a Let's Encrypt certificate just over a day ago. And, one from Vitalwerks.

Do you still need help?


Yes, if possible. I have all set up with letsencrypt, especially outgoing mail server. The other certificate is single domain and I have no idea if it would work for smtp, imap and such. As it's fairly obvious I'm not a professional IT guy, it would be best if I could just renew letsencrypt certificate as I was doing before. Thank you for your time.

I don't have any specific advice. Were there any networking changes on your side since Apr 10 when you last got that 5-domain cert?

From your log the key info is below. The puzzling thing is the message seems to say you cannot reach the Let's Encrypt API server. But, to have gotten to this step of the cert request your system had to make several prior successful requests to the LE API. In fact, we can see parts of the request just preceding this in the partial log you showed.

You are better off asking about this on the Synology forum. If there is a way to get more detail about "not reachable" maybe we could help. There isn't much for us to work with just with that. But, from that info it points to a local networking or system problem and not a general problem with Let's Encrypt. Note if you look at that "authz" url it shows a valid authorization.

Maybe some other volunteer with personal experience with Synology will offer help. But that is the best I can do.

As an aside, your cert history is long and each renewal you request two certs. One for an RSA cert and one ECDSA cert. There is nothing wrong with that but it adds some complexity which is beyond what I know about Synology.


Not sure who I should thank and who fixed what but a few days ago the certificate renewed successfully. I have not done anything that I think would matter. Thanks again for looking into this. Best, Chester


Synology's built-in ACME client always gets both ECC and RSA certs.

First, in order to know which is which, check this file:

cat /usr/syno/etc/certificate/_archive/INFO

And you'll get a big JSON list; it shows each folder name and its description (as shown in the DSM UI).

"NsJXjb" : {
      "desc" : "Synology QuickConnect Certificate",
      "services" : [
         {
(For services that use this cert)

Let's check QuickConnect's certificate:

root@Device_Name:/usr/syno/etc/certificate/_archive/NsJXjb# ls
cert.pem      ECC-chain.pem      fullchain.pem  RSA-cert.pem       RSA-privkey.pem
chain.pem     ECC-fullchain.pem  privkey.pem    RSA-chain.pem
ECC-cert.pem  ECC-privkey.pem    renew.json     RSA-fullchain.pem
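The folder lookup described in the post above, as an added example that is not part of the original thread and is not Synology's code: it reads INFO, lists each certificate folder with its description, and reports which of the ECC/RSA copies is byte-identical to the unprefixed cert.pem. The sample archive is constructed with placeholder bytes; the assumption is that every top-level INFO key is a folder name, as in the excerpt shown.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path):
    """Hex digest of a file, or None when the file is absent."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None


def inventory(archive):
    """One row per folder named in INFO: description, key types, default copy."""
    info = json.loads((archive / "INFO").read_text())
    rows = []
    for folder, entry in sorted(info.items()):
        if not isinstance(entry, dict):
            continue
        d = archive / folder
        active = _sha256(d / "cert.pem")
        types = [t for t in ("ECC", "RSA") if _sha256(d / f"{t}-cert.pem")]
        # Heuristic: which typed copy is byte-identical to the unprefixed cert.pem
        default = next((t for t in types if _sha256(d / f"{t}-cert.pem") == active), None)
        rows.append({"folder": folder, "desc": entry.get("desc", ""),
                     "services": len(entry.get("services", [])),
                     "types": types, "default": default, "missing": active is None})
    return rows


def build_sample(root):
    """Constructed sample archive: placeholder bytes, not real certificates."""
    info = {"NsJXjb": {"desc": "Synology QuickConnect Certificate", "services": [{}]},
            "AbCdEf": {"desc": "constructed entry with no folder", "services": []}}
    (root / "INFO").write_text(json.dumps(info))
    folder = root / "NsJXjb"
    folder.mkdir()
    for name, body in (("ECC-cert.pem", b"ecc"), ("RSA-cert.pem", b"rsa"),
                       ("cert.pem", b"ecc")):
        (folder / name).write_bytes(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory(build_sample(Path(tmp))):
            print(row)
```

On the NAS itself, call `inventory(Path("/usr/syno/etc/certificate/_archive"))` from a root shell; a row with `missing` set points at an INFO entry whose folder has no cert.pem.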