SSL cert from Let's Encrypt not working on my Synology NAS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cpitechnical.info

I ran this command: installed SSL cert using Let's Encrypt

It produced this output: when I go to my domain name it is still not secured

My web server is (include version): I'm using a Synology NAS and I think it runs on nginx

The operating system my web server runs on is (include version):
DiskStation Manager DSM 7.2.2-72806 Update 3

My hosting provider, if applicable, is: NAS SERVER

I can login to a root shell on my machine (yes or no, or I don't know): JUST USING NAS CONTROL PANEL

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DSM 7.2.2-72806 Update 3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I DON'T KNOW

1 Like

Welcome @arieston31

I see a couple issues. The first is that your port 443 is blocked. Likely by your firewall. This is preventing HTTPS access. Port 80 is fine so HTTP works, but port 443 is blocked. See a test site like this one: https://decoder.link/sslchecker/cpitechnical.info/443

Another odd thing is I see you have a history of getting Let's Encrypt certs. Even as recently as Feb 12, just 6 days ago. But, you now have CAA records in your DNS that prevent Let's Encrypt from issuing certs. See test result here: Let's Debug. You will need to change that to use Let's Encrypt again.

1 Like

Hi @arieston31,

Is this what you expect for http://cpitechnical.info/ into a web browser?
Is that possibly a web parking site?

Also it seems like there may be some DNS issues


www.cpitechnical.info doesn't exist www.cpitechnical.info | DNSViz

Here is a list of issued certificates: crt.sh | cpitechnical.info; I am assuming here the DNS-01 challenge was not used. Thus to obtain this certificate crt.sh | 16702225077 both Subject Alternative Names had to have actually existed.
And Mike's comment is of paramount concern.

Which could easily happen if the DNS configuration were being handled by a web parking site.
That was issued Not Before: Feb 12 20:49:17 2025 GMT

            X509v3 Subject Alternative Name: 
                DNS:cpitechnical.info
                DNS:www.cpitechnical.info

Thus it seems like there has been a distinct change in the DNS configuration since Feb 12 2025.

I think contacting hostinger.com customer support is in order.

Thank you so much... I just port forwarded my 443 port and it is now solved...

1 Like

Yes, much better. But, you should still review your CAA records. I don't know how you got that cert this morning because these CAA records won't allow Let's Encrypt to issue as they are:

cpitechnical.info.	0	IN	CAA	0 issue "globalsign.com"
cpitechnical.info.	0	IN	CAA	0 issuewild "globalsign.com"
cpitechnical.info.	0	IN	CAA	0 issuewild "digicert.com"
cpitechnical.info.	0	IN	CAA	0 issuewild "comodoca.com"
cpitechnical.info.	0	IN	CAA	0 issue "www.cpitechnical.info"

See: Certificate Authority Authorization (CAA) - Let's Encrypt

1 Like
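Added example (not part of the original posts, and not Let's Encrypt's own code): a simplified RFC 8659 CAA evaluation run over the records quoted above, showing why a CA whose identifier is `letsencrypt.org` is refused while those records are in place. Assumptions: the function names are illustrative, `letsencrypt.org` is the issuer domain Let's Encrypt checks for, parameters after `;` in a value are ignored, and CNAME handling is left out.

```python
import re

# CAA records as quoted in the thread (zone-file presentation format).
PAGE_RECORDS = '''\
cpitechnical.info. 0 IN CAA 0 issue "globalsign.com"
cpitechnical.info. 0 IN CAA 0 issuewild "globalsign.com"
cpitechnical.info. 0 IN CAA 0 issuewild "digicert.com"
cpitechnical.info. 0 IN CAA 0 issuewild "comodoca.com"
cpitechnical.info. 0 IN CAA 0 issue "www.cpitechnical.info"
'''

LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse(text):
    """Return {owner: [(flags, tag, value), ...]} from zone-file lines."""
    zone = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            owner, flags, tag, value = m.groups()
            zone.setdefault(owner.lower().rstrip("."), []).append(
                (int(flags), tag.lower(), value))
    return zone

def relevant_rrset(zone, name):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").removeprefix("*.").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(zone, name, ca_domain):
    """True if ca_domain may issue for name (pass '*.x' for a wildcard)."""
    rrset = relevant_rrset(zone, name)
    # An unknown tag with the critical bit (128) set forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issuers = lambda tag: [v.split(";")[0].strip().lower()
                           for _, t, v in rrset if t == tag]
    allowed = issuers("issue")
    if name.startswith("*.") and issuers("issuewild"):
        allowed = issuers("issuewild")  # issuewild replaces issue for wildcards
    # No applicable property means no restriction; otherwise the CA must be listed.
    return not allowed or ca_domain.lower() in allowed
```

Adding a record such as `0 issue "letsencrypt.org"` to the set makes `may_issue` return `True` for both the apex and `www` names, since `www` has no CAA set of its own and inherits the apex one.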

Well it looks like a new certificate was issued as it is in use as seen here

crt.sh | cpitechnical.info has yet to catch up.

Yes, but this would have been just before this first post in this thread so not sure.

Not Before: Feb 18, 2025 14:31:45 GMT 
Not After: May 19, 2025 14:31:44 GMT
1 Like