Synology can't get certificate

I have a problem with getting a certificate from Let’s Encrypt via a Synology NAS.
It worked before (got working Let’s Encrypt certificates out of it), now it stopped working. I tried renewing and replacing the certificate.

My domain is: thebiermans.ddns.net ( DDNS from noip.com)

I ran this command: used the current Synology GUI client.

It produced this output:

My web server is (include version): DSM 6.2.3-25426 Update 3

The operating system my web server runs on is (include version):
DSM 6.2.3-25426 Update 3

System time PST

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): NA

  • I can successfully ping letsencrypt.org from the NAS.
  • I can ping letsencrypt.org from other devices - success
  • I have turned off the firewall on the Synology
  • I can ping my DDNS domain from the NAS.

Local configuration:
Open ports on Router: 80,443,5001 (TCP)
Open ports on NAS: turned off firewall.

All DSM’s functionality is 100% operational by the way, it’s just the certificate.

You need to ensure that the NAS can get out to global DNS and HTTPS sites on the Internet.
And also, your firewall/NAT router needs to port forward, at least, 80 to the NAS.

Thanks, @rg305.

You will note that I said that the router is forwarding the ports.
Also, I can ping letsencrypt.org from the NAS.

So if there's something more specific required, perhaps you can provide that?


OK here is the problem:

curl -Iki http://thebiermans.ddns.net/
HTTP/1.1 302 Moved temporarily
Date: Tue, 05 Jan 2021 11:17:03 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
Location: https://thebiermans.ddns.net:5001/

LE will only follow redirections to other port 80 or 443 (not to 5001).
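Added example, not code from the thread or from Synology: a small offline Python checker that applies the redirect rule above to a captured HTTP response. It assumes the validator only follows redirects to http on port 80 or https on port 443; the sample responses are constructed to mirror the curl output in this thread.

```python
from urllib.parse import urlparse

# Redirect targets an HTTP-01 validator follows: plain http on 80, https on 443 (assumption).
FOLLOWED = {("http", 80), ("https", 443)}

def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-cased header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Moved temporarily" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_target_ok(location):
    """Return (ok, reason) for a Location header the validator would see."""
    url = urlparse(location)
    scheme = url.scheme.lower()
    if scheme not in ("http", "https"):
        return False, f"scheme {scheme!r} is not followed"
    port = url.port or (80 if scheme == "http" else 443)
    if (scheme, port) not in FOLLOWED:
        return False, f"redirect to {scheme} port {port} is not followed"
    return True, f"redirect to {scheme} port {port} is fine"

def assess(raw):
    """Classify one probe of the challenge path as 'ok', 'warn' or 'fail' with a reason."""
    status, headers = parse_response(raw)
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location")
        if not location:
            return "fail", "redirect without a Location header"
        ok, reason = redirect_target_ok(location)
        return ("ok" if ok else "fail"), reason
    if status in (200, 404):
        # 404 for a made-up token is expected; the real token is only served during validation.
        return "ok", f"{status} from the challenge path"
    if status == 403:
        return "warn", "403: the web server is denying the challenge path; check its rules"
    return "fail", f"unexpected status {status}"

# Constructed samples shaped like the curl -I output quoted in this thread.
ROOT_REDIRECT = ("HTTP/1.1 302 Moved temporarily\r\n"
                 "Location: https://thebiermans.ddns.net:5001/\r\n\r\n")
CHALLENGE_403 = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print("/", *assess(ROOT_REDIRECT))
    print("/.well-known/acme-challenge/test-1234", *assess(CHALLENGE_403))
```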

So how do I fix that? The port isn't part of the certificate.

You find the setting in the NAS that is doing the redirection.
[and turn it off]

That's more of a Synology question than an LE one.

That's not possible with Synology and was not how I had it set up when it was working.

Do you really think that LE had anything to do with that port forwarding setting?

Again:

That's not the problem.

http://thebiermans.ddns.net/.well-known/acme-challenge/1234

doesn't show that redirect, instead, there is a correct Synology answer.


@JuergenAuer I don't understand your response. Can you elaborate?

That is interesting!
Ok let's dig deeper:
Try these from the NAS:
curl -6I https://acme-v02.api.letsencrypt.org/directory
curl -4I https://acme-v02.api.letsencrypt.org/directory

He's pointing out that NOT all requests are being redirected to port 5001.
The challenge requests (pathed: /.well-known/acme-challenge/) are not redirected.
But I do get 403 errors (not 404), when trying a test file there.

curl -Iki http://thebiermans.ddns.net/.well-known/acme-challenge/test-1234
HTTP/1.1 403 Forbidden
Date: Tue, 05 Jan 2021 11:23:43 GMT
Content-Type: text/html
Content-Length: 11939
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
ETag: "5eb9ce51-2ea3"
admin@pigpen:/volume1/michael/bin$ curl -6I https://acme-v02.api.letsencrypt.org/directory
curl: (7) Error

admin@pigpen:/volume1/michael/bin$ curl -4I https://acme-v02.api.letsencrypt.org/directory
    HTTP/2 200
    server: nginx
    date: Tue, 05 Jan 2021 11:26:19 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0103aK_zfcdyIVW05PIQABSZLmW2Hn9gVQ2X4ej6pLd_QX4
    x-frame-options: DENY
    strict-transport-security: max-age=604800

OK those look good.
The only thing still out-of-line is the 403 error.

Do you know if the NAS runs Apache or NGINX (for web services)?
If you don't know (for sure), try:
netstat -pant | grep -i listen | grep -Ei 'apache|nginx|http'
or
ps -ef | grep -Ei 'apache|nginx|http'

That's normal, Synology sends a lot of non-standard 403 if a 404 is expected.

PS: @michaelbierman : The main problem: That screenshot information hides too much.

Maybe your device can't connect to Let's Encrypt. Maybe it's another problem.

Use the Synology forum to find a better protocol, so the real error is visible, not such an unspecific error message.

If that is normal, what can explain why this fails?

NGINX is what the Synology runs.

If I knew that, I would write an answer.

Different users with the same screenshot -> different problems or "no problems". Maybe a DSM update is required.

Let's get a brief overview of the config with:
nginx -T | grep -Ei 'config|ssl|host|server_name|location|return|redirect|listen'

[did I say brief? - lol]

@JuergenAuer I can ping letsencrypt. I don't see any connectivity issue.