Renewing Synology LetsEncrypt certificate


Dear all,

I am having quite a complex situation here…
I have created in January my LetsEncrypt certificate directly via the NAS synology interface and it worked perfectly. My domain is

A week ago I received an email from letsencrypt saying that my certificate was going to expire. I then try to renew it and it’s where the complications started…
I saw that normally synology do it automatically but for some reason my NAS does not have access to the 80 port because of my router that for some reason does not allow it and to be honest, not sure I will be able to solve this quickly…

I even tried to run the synology command line directly but I got the error message that the 80 port is not available.

This is why I tried via the command line on a ubuntu distribution running:
sudo certbot certonly --force-renew -d
I then chose:
2: Place files in webroot directory (webroot)
the ouptut was then:
Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for Input the webroot for (Enter 'c' to cancel):
for this I input a local folder on my machine and then I got the following error:
Waiting for verification... Cleaning up challenges Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout during connect (likely firewall problem)
IMPORTANT NOTES: The following errors were reported by the server:
Domain: Type: connection Detail: Fetching Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

Which actually make sense as the 80 port is closed…
So I was wondering is there not any manual command I could run using my current certificate and asking it to renew for more 90 days?

Thanks again for your help,


Hi @tfieschi

you should fix that.

Don’t mix the integrated solution of Synology with a manual certbot. That’s always bad.

Synology has it’s own management. But an open port 80 is required.

Your domain is invisible ( ):

Domainname Http-Status redirect Sec. G -14 10.026 T
Timeout - The operation has timed out -14 10.033 T
Timeout - The operation has timed out -14 10.027 T
Timeout - The operation has timed out
Visible Content:

Is there a router?


Thanks a lot…
Yes I should fix it but not sure yet how to do it…I am working on my router…

Regarding my domain being invisible, is it ‘bad’? Should I make it visible? If so, how?

Yes my synology is directly connected to my router via ethernet cable. I can access it from outside using the 5001 port for https or 5000 for http.


Yep, I see, you have rechecked your domain with port 5000, there is a redirect to port 5001, that answers.

But to create a certificate, initial an open port 80 is required. If there is a redirect to https (with the standard port 443), Letsencrypt follows that redirect.