Synology 918+ DSM 6.2.2 Update 4 cannot renew certificates

Hi all,
I am running a Synology NAS and up to now had no problems using Let's Encrypt certificates, which were automatically updated in the DiskStation Manager.
Now the certificates cannot be renewed automatically any more; trying it manually in the DiskStation Manager results in
"Keine Rückmeldung vom Zielserver. Bitte versuchen Sie es später erneut."

I tried to do it manually from the server console and got the result below.
Ports 80/443 are and were open. DynDNS is working, no idea what might have changed... the server was running like that for over a year now.

Appreciate any help!
Cheers!

My domain is:
xpends.workstation.ddnss.de

I ran this command:
sudo syno-letsencrypt renew-all

It produced this output:
{"error":100,"file":"client_network.cpp","msg":"Server is not reachable."}

My web server is (include version):
Synology DSM 6.2.2-Update 4

The operating system my web server runs on is (include version):
Synology DSM 6.2.2-Update 4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @mibeyer and welcome to the LE community forum :slight_smile:

From the error message, it is not clear to me if the problem is from the client (your NAS) to the LE ACME server OR in the other direction.

If you can SSH to the NAS, please try some simple tests:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

curl -I4 https://google.com/
2 Likes

Hi, thanks for reaching out!
Here are the results of the test you proposed:

@XpenDS:~$ echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=acme-v01.api.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
@XpenDS:~$ curl -I4 https://google.com/
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Wed, 27 Oct 2021 14:01:39 GMT
expires: Wed, 27 Oct 2021 14:01:39 GMT
cache-control: private, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
set-cookie: CONSENT=PENDING+078; expires=Fri, 27-Oct-2023 14:01:39 GMT; path=/; domain=.google.com; Secure
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

Unfortunately I am not proficient enough to make sense of it...

2 Likes

OK so outbound is good.
The problem must be inbound.

To verify the external IP address, please show the output of:
curl -4 ifconfig.co

2 Likes

@XpenDS:~$ curl -4 ifconfig.co
149.172.96.159

2 Likes

Ok that is a match:

Name:    workstation.ddnss.de
Address: 149.172.96.159
Aliases: xpends.workstation.ddnss.de
2 Likes

Yep, that looks good. I can still access all the machines on the server via the reverse proxy.

1 Like

? ? ?
Please explain; what reverse proxy?

2 Likes

I use prefixes to the domain "workstation.ddnss.de" to reach different applications.
Like
xpends.workstation.ddnss.de for my NAS frontend.
moments.workstation.ddnss.de for the photo server and so on.

On the NAS I run an nginx reverse proxy to manage this traffic.
On the NAS there also is the application "syno-letsencrypt" managing the certificates for all the different addresses.

I guess this is the common use of the Synology DiskStation.

1 Like

@rg305 This looks like they are missing ISRG Root X1, doesn't it? Do you think this could explain their original error message: {"error":100,"file":"client_network.cpp","msg":"Server is not reachable."}

I am guessing "server" might mean the DiskStation trying to reach the LE acme server

3 Likes

Just to mention, it worked until about Sept. 21; I am not aware of having made any changes in the setup.

I got an email that the certificate for
note.workstation.ddnss.de will run out on 02.April.2021 but that could be renewed automatically and expires 03.Nov.21

Then there was an expiry warning on 16.Nov.21. Now the Let's Encrypt automatic renewal does not seem to work for me anymore.

1 Like

@mibeyer Two different LE certs expired at the end of Sept. This has caused issues on various systems which use unusual cert validation or older systems not updated for several years.

I am not certain that you are missing an LE root of ISRG Root X1. And, if that is the cause of the problem I do not know Synology well enough to say how to add that to your system. Maybe a simple system software update would do it - I am not sure.

I searched the Synology forum a little but did not see anything exactly like what you see. But, there were enough similar comments that it could well be the cause of your problem.

A key change with LE ACME servers occurred on Sept 30 when they started using the "short chain" ending in ISRG Root X1 when before they used the "long chain" ending with DST Root CA X3. See this for more on these chains. Note that while the LE ACME server api uses the short chain, all the LE websites use the long chain for maximum compatibility (mostly with older Android devices).

You could try posting at the Synology forum. Maybe this extra info will help with that. This is the best I can do.

3 Likes

Yes, possibly.

2 Likes

For the record, Synology has a KB article on this issue: How do I obtain a certificate from Let's Encrypt on my Synology NAS? - Synology Knowledge Center

An upgrade to 6.2.4 update 2 or later is supposed to address it.
For users who can't upgrade, it looks like ssh'ing to the NAS, then running

sudo -i
cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

does work (adding Root X1 to the certs).
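The root-cause discussion above (the ACME API chaining to ISRG Root X1 since Sept 30) and the workaround (appending the root to the NAS trust bundle) both come down to one question: is ISRG Root X1 actually in /etc/ssl/certs/ca-certificates.crt, and if not, is the file you are about to append really that root? The one-liner fetches it with curl -k, i.e. without any verification, so it is worth checking the fingerprint before trusting it. The following is an added example, not code from the thread or from Synology: it walks a PEM bundle, computes the SHA-256 fingerprint of each certificate, compares it against the published ISRG Root X1 fingerprint (constant below; confirm it against letsencrypt.org/certificates before relying on it), and appends a root only if it matches and is not already present, after making the same .ORIG backup the forum command makes. The sample bundle and the "root" it appends are constructed bytes, not real certificates; the path and function names are this example's own.

```python
import base64
import hashlib
import os
import re
import shutil
import tempfile
import textwrap
from typing import List, Tuple

# SHA-256 fingerprint (hex, no colons) of the real ISRG Root X1 certificate as
# published by Let's Encrypt. Verify against the official page before use.
ISRG_ROOT_X1_SHA256 = "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(bundle_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_RE.finditer(bundle_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER encoding, the form shown by openssl x509 -fingerprint."""
    return hashlib.sha256(der).hexdigest()


def bundle_has_fingerprint(bundle_text: str, fingerprint_hex: str) -> bool:
    """True if any certificate in the bundle has the given SHA-256 fingerprint."""
    want = fingerprint_hex.replace(":", "").lower()
    return any(sha256_fingerprint(der) == want for der in pem_blocks(bundle_text))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def add_root_if_missing(bundle_path: str, root_pem: str, expected_fingerprint: str) -> bool:
    """Append root_pem to the bundle only if it matches expected_fingerprint and is
    not already present. Writes <bundle_path>.ORIG first. Returns True if modified."""
    blocks = pem_blocks(root_pem)
    if len(blocks) != 1:
        raise ValueError("root_pem must contain exactly one certificate")
    want = expected_fingerprint.replace(":", "").lower()
    if sha256_fingerprint(blocks[0]) != want:
        raise ValueError("certificate does not match the expected fingerprint; not adding it")
    with open(bundle_path, "r", encoding="ascii") as fh:
        bundle = fh.read()
    if bundle_has_fingerprint(bundle, want):
        return False  # already trusted, nothing to do (idempotent)
    shutil.copyfile(bundle_path, bundle_path + ".ORIG")
    with open(bundle_path, "a", encoding="ascii") as fh:
        if bundle and not bundle.endswith("\n"):
            fh.write("\n")
        fh.write(root_pem.strip() + "\n")
    return True


# Constructed sample data: these are NOT real certificates, just bytes in PEM framing.
CONSTRUCTED_OTHER_DER = b"constructed placeholder for some unrelated CA cert"
CONSTRUCTED_ROOT_DER = b"constructed placeholder standing in for a downloaded root"
CONSTRUCTED_BUNDLE = to_pem(CONSTRUCTED_OTHER_DER)


def demo() -> Tuple[bool, bool, bool]:
    """Write the constructed bundle to a temp dir, add the constructed root twice,
    and report (added_first_time, added_second_time, present_afterwards)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ca-certificates.crt")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(CONSTRUCTED_BUNDLE)
    root_pem = to_pem(CONSTRUCTED_ROOT_DER)
    want = sha256_fingerprint(CONSTRUCTED_ROOT_DER)
    first = add_root_if_missing(path, root_pem, want)
    second = add_root_if_missing(path, root_pem, want)
    with open(path, "r", encoding="ascii") as fh:
        present = bundle_has_fingerprint(fh.read(), want)
    return first, second, present


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

On a real NAS you would call bundle_has_fingerprint on the contents of /etc/ssl/certs/ca-certificates.crt with ISRG_ROOT_X1_SHA256 to confirm the diagnosis before changing anything, and pass the downloaded isrgrootx1.pem text plus that same constant to add_root_if_missing so a tampered or wrong download is rejected instead of being appended to the trust store.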

7 Likes

Thanks a lot, it works for me too!

3 Likes

It also worked for me on a Synology DS918+ DSM 6.2.3-25426 (XPEnology).

3 Likes

Hey Oja,
thank you for the hint. After I updated to DSM 6.2.3-25426 Update 3 the certificate renewal works again.

Cheers
Mirko

2 Likes
