Synology can't get certificate

michaelbierman · January 5, 2021, 11:17am

I have a problem with getting a certificate from Let’s Encrypt via a Synology NAS.
It worked before (got working Let’s Encrypt certificates out of it), now it stopped working. I tried renewing and replacing the certificate.

My domain is: thebiermans.ddns.net ( DDNS from noip.com)

I ran this command: used the current synology gui client.

It produced this output:

My web server is (include version): DSM 6.2.3-25426 Update 3

The operating system my web server runs on is (include version):
DSM 6.2.3-25426 Update 3

System time PST

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): NA

I can successfully ping letsencrypt.org from the NAS.
I can ping letsencrypt.org from other devices- succes
I have turned off the firewall on the Synology
I can ping my DDNS domain from the NAS.

Local configuration:
Open ports on Router: 80,443,5001 (TCP)
Open ports on NAS: turned off firewall.

All DSM’s functionality is 100% operational by the way, it’s just the certificate.

rg305 · January 5, 2021, 11:05am

You need to ensure that the NAS can get out to global DNS and HTTPS sites on the Internet.
And also, your firewall/NAT router needs to port forward, at least, 80 to the NAS.

michaelbierman · January 5, 2021, 11:12am

Thanks, @rg305.

You will note that I said that the router is forwarding the ports.
Also, I can ping letsencrypt.org from the NAS.

So if there's something more specific required, perhaps you can provide that?

rg305 · January 5, 2021, 11:18am

OK here is the problem:

curl -Iki http://thebiermans.ddns.net/
HTTP/1.1 302 Moved temporarily
Date: Tue, 05 Jan 2021 11:17:03 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Cache-control: no-store
Location: https://thebiermans.ddns.net:5001/

LE will only follow redirections to other port 80 or 443 (not to 5001).

michaelbierman · January 5, 2021, 11:20am

So how do I fix that? The port isn't part of the certificate.

rg305 · January 5, 2021, 11:21am

You find the setting in the NAS that is doing the redirection.
[and turn it off]

That's more of a Synology question that an LE one.

michaelbierman · January 5, 2021, 11:21am

That's not possible with Synology and was not how I had it set up when it was working.

rg305 · January 5, 2021, 11:23am

Do you really think that LE had anything to do with that port forwarding setting?

Again:

JuergenAuer · January 5, 2021, 11:22am

That's not the problem.

http://thebiermans.ddns.net/.well-known/acme-challenge/1234

doesn't show that redirect, instead, there is a correct Synology answer.

michaelbierman · January 5, 2021, 11:24am

@JuergenAuer I don't understand your response. Can you elaborate?

rg305 · January 5, 2021, 11:25am

That is interesting!
Ok let's dig deeper:
Try these from the NAS:
curl -6I https://acme-v02.api.letsencrypt.org/directory
curl -4I https://acme-v02.api.letsencrypt.org/directory

rg305 · January 5, 2021, 11:27am

He's pointing out that NOT all requests are being redirected to port 5001.
The challenge requests (pathed: /.well-known/acme-challenge/) are not redirected.
But I do get 403 errors (not 404), when trying a test file there.

curl -Iki http://thebiermans.ddns.net/.well-known/acme-challenge/test-1234
HTTP/1.1 403 Forbidden
Date: Tue, 05 Jan 2021 11:23:43 GMT
Content-Type: text/html
Content-Length: 11939
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
ETag: "5eb9ce51-2ea3"

michaelbierman · January 5, 2021, 11:30am

admin@pigpen:/volume1/michael/bin$ curl -6I https://acme-v02.api.letsencrypt.org/directory
curl: (7) Error

admin@pigpen:/volume1/michael/bin$ curl -4I https://acme-v02.api.letsencrypt.org/directory
    HTTP/2 200
    server: nginx
    date: Tue, 05 Jan 2021 11:26:19 GMT
    content-type: application/json
    content-length: 658
    cache-control: public, max-age=0, no-cache
    replay-nonce: 0103aK_zfcdyIVW05PIQABSZLmW2Hn9gVQ2X4ej6pLd_QX4
    x-frame-options: DENY
    strict-transport-security: max-age=604800

rg305 · January 5, 2021, 11:33am

OK those look good.
The only thing still out-of-line is the 403 error.

JuergenAuer · January 5, 2021, 11:35am

That's normal, Synology sends a lot of non-standard 403 if a 404 is expected.

PS: @michaelbierman : The main problem: That screenshot information hides too much.

May be your device can't connect Letsencrypt. May be it's another problem.

Use the Synology forum to find a better protocol, so the real error is visible, not such an unspecific error message.

rg305 · January 5, 2021, 11:34am

If that is normal, what can explain why this fails?

michaelbierman · January 5, 2021, 11:35am

NGINX is what the synology runs.

JuergenAuer · January 5, 2021, 11:37am

If I would know that, I would write an answer.

Different users with the same screenshot -> different problems or "no problems". May be a DSM update is required.

rg305 · January 5, 2021, 11:37am

[did I say brief? - lol]

michaelbierman · January 5, 2021, 11:37am

@JuergenAuer I can ping letsencrypt. I don't see any connectivity issue.