I have a Synology where I created the current certificates right before the shutdown of the deprecated method back in Feb. When I got those certs I had several web proxies that passed the certificate setup, but now that the certs need to be renewed, they are failing.
(I actually have two different IDs to renew since there are too many for Synology's UI to accept, but they fail identically.) I suspect there is something wrong in the main server conf file? I tried removing the listen 443; line, but no difference. I also tried simply moving the conf file for the main domain aside, but again, no difference.
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.
The non-www /.well-known/acme-challenge is redirected to https + www + covisp.net - does your Letsencrypt client really save the validation file there?
The www version /.well-known/ is redirected to the root and port 5000 -> that doesn't work.
Looks like there are too many different things. The port 5000 isn't visible in your definition. Same with the other domain.
Yeah, I have no idea what is going on here. There is no mention of covisp.net anywhere in the entire nginx configuration, nor of port 5000 in any of the reverse proxy settings or the sites-enabled files, though it is the default port the Synology uses for its DSM web interface, nor any idea why 65.121.55.45 is showing up for you anywhere as that is an entirely different IP (one of the name servers for my domain).
So the location block isn't doing what I expected it to do, as that is the login page for sabnzbd (its sites-enabled file is essentially identical to the sonarr one, other than the server name).
The sub domains now load properly, so all of that configuration failure seems to have been caused entirely by the typo in the proxy line. One other thing that is not obvious here is that the main domain is setup for HSTS, so it is https: only.
Changing the proxy to http:// and disabling HSTS has not made a difference.
http + /.well-known/acme-challenge/unknown-file is redirected to https (this is ok) and to '/', that's bad. Letsencrypt can't find the validation file in your root directory.
A redirect shouldn't remove the REQUEST_URI (folder and file name):
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
Synology has its own (somewhat opaque) letsencrypt setup. I'm getting 502 errors or 301 errors, depending on the configuration, when trying to look at .well-known; it seems like the location /.well-known block is ignored if the return 301 is there.
I have 'solved' the immediate issue by moving aside all the sites-enabled files, renewing the certs, and putting them back. Not ideal, but it's either that or leave the subdomains open to http requests.
It's possible, though usually sites should have separate server blocks with different settings. (E.g. a redirect to HTTPS in the HTTP block, and an HSTS header in the HTTPS block.)
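As an added example (not the poster's Synology config nor anything from the thread), here is the nginx layout the last two replies describe: one HTTP server block that answers ACME HTTP-01 challenges from a webroot and redirects everything else to HTTPS without dropping the request URI, and a separate HTTPS block that carries the HSTS header. The hostnames, the webroot path, the certificate paths and the backend port are placeholders. The key point for the "location /.well-known is ignored when return 301 is there" symptom is that a `return` placed directly in the `server` context runs before nginx selects a location, so it has to be moved into its own `location /` block.

```nginx
# Added example: ACME challenge location plus HTTP->HTTPS redirect, with HSTS
# confined to the HTTPS server block. All names and paths are placeholders.
server {
    listen 80;
    server_name example.net www.example.net;

    # Serve challenge files straight from disk. The ACME client (webroot mode)
    # must write to <root>/.well-known/acme-challenge/<token>.
    # This location is never proxied, so no 502 from a backend that does not
    # know the path. The ^~ prefix stops regex locations from overriding it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # placeholder webroot
        default_type "text/plain";
        try_files $uri =404;
    }

    # The redirect lives in its own location, NOT at server level: a
    # server-level "return 301 ..." is evaluated before location matching and
    # would swallow the challenge requests above as well.
    # $host keeps the hostname the client asked for (no www / other-domain
    # rewrite) and $request_uri keeps path and query string, which is the
    # nginx counterpart of the RewriteRule quoted earlier in the thread.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.net www.example.net;

    ssl_certificate     /etc/letsencrypt/live/example.net/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;    # placeholder

    # HSTS only here: browsers ignore the header over plain HTTP anyway, and
    # keeping it out of the port-80 block avoids mixing the two concerns.
    # "always" emits it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend (e.g. the app behind the proxy)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check the layout before renewing, drop a file into `/var/www/letsencrypt/.well-known/acme-challenge/` and fetch it over plain HTTP; it should come back with a 200 and no `Location` header, while any other plain-HTTP path should answer 301 with the same host and path on `https://`. Once that holds, a webroot-mode client pointed at `/var/www/letsencrypt` can renew without the sites-enabled files being moved aside.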