Reregistering certificate on QNAP NAS

In the past I have used letsencrypt successfully from a Raspberry pi. The SD card of the pi has broken and I have since moved some of the applications I want to access securely over to my QNAP NAS.

QNAP have introduced using Let’s Encrypt to add certificates to the NAS via a GUI. Unfortunately I’m not able to request a certificate for my original domain name. Using another dynamic DNS does work, and QNAP support indicates that this is probably due to the domain name already having been registered at Let’s Encrypt before.

Can you please tell me if this is the case, and if so, if I can remedy the situation?

My domain is:
thuis.robertsirre.nl

I ran this command:
GUI by QNAP

It produced this output:
irrelevant error message by QNAP

My web server is (include version):
QNAP

The operating system my web server runs on is (include version):
QNAP

My hosting provider, if applicable, is:
na

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
QNAP

I suspect it may be a CAA problem:

$ dig thuis.robertsirre.nl caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> thuis.robertsirre.nl caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6005
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thuis.robertsirre.nl.		IN	CAA

;; ANSWER SECTION:
thuis.robertsirre.nl.	518	IN	CNAME	atreyu.tplinkdns.com.

;; Query time: 396 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Dec 16 18:09:30 GMT 2017
;; MSG SIZE  rcvd: 83

It’s my understanding that Let’s Encrypt will not issue if it gets SERVFAIL in response to a CAA query; the DNS server has to return NOERROR or a valid CAA record. Perhaps some of the DNS experts here can provide more detailed (or indeed more accurate) help, but I think this is something you’ll have to take up with your DNS provider.


Hi @jmorahan,

Thanks for the hint. I have tried using another dynamic address as a CNAME, and then it works.

I have contacted TPLINK support (they are a network equipment manufacturer that also delivers a dynamic DNS solution with their hardware).

Regards,

Robert


Hi @jmorahan, I cannot seem to reproduce your result.
Do you still have the same result?

dig thuis.robertsirre.nl caa

with me results in:

; <<>> DiG 9.9.5-9+deb8u13-Raspbian <<>> thuis.robertsirre.nl caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42507
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thuis.robertsirre.nl.          IN      A

;; ANSWER SECTION:
thuis.robertsirre.nl.   602     IN      CNAME   atreyu.tplinkdns.com.
atreyu.tplinkdns.com.   602     IN      A       95.96.113.25

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 17 23:01:59 UTC 2017
;; MSG SIZE  rcvd: 99

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3616
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;caa.                           IN      A

;; AUTHORITY SECTION:
.                       600     IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017121701 1800 900 604800 86400

;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 17 23:01:59 UTC 2017
;; MSG SIZE  rcvd: 107

Which looks like no error, right?

In the meantime I was able to get the certificate once when I rerouted the CNAME to another dynamic DNS, but when I changed it back, the error is back too (obfuscated by the QNAP GUI).

Yes, I still get the same (bad) result. You seem to be using an old version of dig that doesn’t know about CAA records - if you use type257 instead of caa you should see what I’m seeing.

You can also check on https://unboundtest.com/ which checks your DNS using a configuration very similar to what Let’s Encrypt uses. This also gives an error (with more detail, though I’m not sure how to interpret it…)

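To make the distinction in the replies above concrete (an empty NOERROR/NXDOMAIN answer is fine, a SERVFAIL anywhere on the CNAME chain is not), here is an added example that is not code from this thread, QNAP or Let’s Encrypt: it simulates how a CA walks CAA lookups across a CNAME and up to the parent before deciding whether to issue. All resolver answers are constructed in-memory data; the names alt.robertsirre.nl., other-dyn.example., caa.example. and locked.example. are hypothetical, and the SERVFAIL for atreyu.tplinkdns.com. is assumed, not a live measurement.

```python
# Added example, not code from the thread, QNAP or Let's Encrypt: simulate the CAA
# check a CA runs before issuing. Resolver answers are constructed in-memory data;
# the first two names mirror the thread, but every response here is hypothetical.

# Constructed responses: name -> (rcode, CNAME target or None, [raw CAA RDATA...]).
# Unlisted names answer NOERROR with no data. CAA RDATA is wire format (RFC 6844 5.1):
# one flags byte, one tag-length byte, the tag, then the value.
RESPONSES = {
    "thuis.robertsirre.nl.": ("NOERROR", "atreyu.tplinkdns.com.", []),
    "atreyu.tplinkdns.com.": ("SERVFAIL", None, []),      # dyn-DNS server chokes on CAA
    "alt.robertsirre.nl.": ("NOERROR", "other-dyn.example.", []),  # healthy CNAME target
    "caa.example.": ("NOERROR", None, [b"\x00\x05issueletsencrypt.org"]),
    "locked.example.": ("NOERROR", None, [b"\x00\x05issueca.example; account=1"]),
}

def parse_caa(rdata):
    """Decode one CAA RDATA into flags/tag/value; raise on a malformed record."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("malformed CAA RDATA")
    return {"flags": rdata[0], "tag": rdata[2:2 + rdata[1]].decode("ascii").lower(),
            "value": rdata[2 + rdata[1]:].decode("utf-8")}

def relevant_caa(name, depth=0):
    """RFC 6844 section 4 search: CAA at the name, else at its CNAME target, else at
    the parent. SERVFAIL anywhere on the path is a hard failure, not 'no CAA record'."""
    if name == "." or depth > 8:
        return []
    rcode, cname, rrs = RESPONSES.get(name, ("NOERROR", None, []))
    if rcode == "SERVFAIL":
        raise RuntimeError("CAA lookup for %s returned SERVFAIL" % name)
    if rrs:                       # NOERROR/NXDOMAIN without data both count as "empty"
        return [parse_caa(r) for r in rrs]
    if cname:
        found = relevant_caa(cname, depth + 1)
        if found:
            return found
    return relevant_caa(name.split(".", 1)[1] or ".", depth + 1)

def may_issue(name, ca="letsencrypt.org"):
    """Return (allowed, reason): no CAA permits issuance, SERVFAIL blocks it, and CAA
    'issue' records restrict it to the CAs they name (parameters after ';' ignored)."""
    try:
        records = relevant_caa(name)
    except RuntimeError as err:
        return False, str(err)
    issue = [r["value"].split(";")[0].strip().lower() for r in records if r["tag"] == "issue"]
    if not issue:
        return True, "no CAA records found"
    return ca in issue, "CAA issue set: " + ", ".join(issue)
```

Running may_issue("thuis.robertsirre.nl.") reproduces the thread's failure mode (the CNAME target's SERVFAIL blocks issuance), while the same name pointed at a CNAME target that answers cleanly is allowed even though no CAA record exists anywhere.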
