Synology can't get certificate

You can curl the acmev2 /directory - outbound is working OK.

I'm thinking the problem is inbound...

Ports 80 and 443 forward to the NAS.

Please:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
    #access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
    error_log   syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;
    server_names_hash_max_size    8192;
    server_names_hash_bucket_size 128;
    ssl_certificate           /usr/syno/etc/certificate/system/default/fullchain.pem;
    ssl_certificate_key       /usr/syno/etc/certificate/system/default/privkey.pem;
    ssl_protocols             TLSv1.2;
    ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_dhparam               /usr/syno/etc/ssl/dh2048.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets       off;
    ssl_session_cache         shared:SSL:1m;
    ssl_session_timeout       3600s;
        listen 5000 default_server;
        listen [::]:5000 default_server;
        server_name _;
        location = / {
        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
        location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
        location ~ \.cgi {
        location @error_page {
        location ~ ^/webman/modules/Indexer/ {
        location ~ ^/webapi/lib/ {
        location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
        location ~ /\. { access_log off; log_not_found off; deny all; }
        location ~* \.(?:js|css|png|jpg|gif|ico)$ {
        location = /favicon.ico {
        location = /robots.txt {
        listen 5001 default_server ssl http2;
        listen [::]:5001 default_server ssl http2;
        server_name _;
        location = / {
        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
        location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
        location ~ \.cgi {
        location @error_page {
        location ~ ^/webman/modules/Indexer/ {
        location ~ ^/webapi/lib/ {
        location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
        location ~ /\. { access_log off; log_not_found off; deny all; }
        location ~* \.(?:js|css|png|jpg|gif|ico)$ {
        location = /favicon.ico {
        location = /robots.txt {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
        location = /webdefault/images/logo.jpg {
        location @error_page {
        location ^~ /.well-known/acme-challenge {
        include app.d/.location.webstation.conf*;
        location / {
            rewrite ^ / redirect;
        location ~ ^/$ {
            rewrite / http://$host:5000/ redirect;
        listen 443 default_server ssl;
        listen [::]:443 default_server ssl;
        server_name _;
        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
        location = /webdefault/images/logo.jpg {
        location @error_page {
        location ^~ /.well-known/acme-challenge {
        include app.d/.location.webstation.conf*;
        location / {
            rewrite ^ / redirect;
        location ~ ^/$ {
            rewrite / https://$host:5001/ redirect;
# configuration file /etc/nginx/conf.d/main.conf:
# configuration file /etc/nginx/conf.d/events.conf:
# configuration file /etc/nginx/mime.types:
# configuration file /etc/nginx/app.d/dsm.AudioStation.conf:
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
location ~ ^/as/sharing/(:?scripts|webman|synoSDSjslib|webapi)/(.*)\.cgi {
location ~ ^/as/sharing/(scripts|webman|synoSDSjslib|webapi)/(.*) {
location ~ ^/as/sharing/([^\/]*)/(scripts|webman|synoSDSjslib|webapi)/(.*)\.cgi {
location ~ ^/as/sharing/([^\/]*)/(scripts|webman|synoSDSjslib|webapi)/(.*) {
location ~ ^/as/sharing/([^\/]*)/([^\/]*)$ {
location ~ ^/as/sharing/([^\/]*)$ {
location ~ ^/as/sharing/(.*)\.cgi {
location ~ ^/as/sharing/(.*)$ {
location ~ ^/webman/3rdparty/AudioStation/webUI/audiotransfer.cgi {
# configuration file /etc/nginx/scgi_params:
scgi_param  SERVER_NAME        $host;
scgi_param  HOST               $fqdn if_not_empty;
# configuration file /etc/nginx/app.d/dsm.DownloadStation.conf:
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
location ~ ^/download/btsetting.cgi {
location ~ ^/webman/modules/DownloadStation/dlm/(.*) {
# configuration file /etc/nginx/app.d/dsm.FileStation.conf:
location ~ ^/sharing/([-_\w\d]+)$ {
location ~ ^/sharing/(.+)\.cgi {
location ~ ^/sharing/$ {
location ~ ^/sharing/errors$ {
location ~ ^/sharing/(.+)$ {
location ~ /webman/modules/FileBrowser/index_ds.php$ {
location ~ ^/wfmlogindialog.js(.*) {
location ~ ^/fbsharing/(.*)$ {
	rewrite /fbsharing/(.*)$ $scheme://$http_host/sharing/fbsharing-$1 break;
location ~ ^/fsdownload/webapi/file_download\.cgi/(.*)$ {
location ~ ^/fsdownload/(webman|scripts|synoSDSjslib)/(.*)$ {
location ~ ^/fsdownload/webapi/(.*)$ {
location ~ ^/fsdownload/([-_\w\d]+)/(.*)$ {
location ~ ^/fbdownload/(.*)$ {
		rewrite ^.*$ $scheme://$http_host/sharing/fbsharing-$arg_k? last;
location ~ ^/fbgdrivedownload/(.*)$ {
location ~ ^/viewer/(.*)/(.*)/(.*)/(.*)$ {
# configuration file /usr/syno/share/nginx/conf.d/dsm.PackageCenter.conf:
location ^~ /pkgicon {
# configuration file /usr/syno/share/nginx/conf.d/dsm.SecurityAdvisor.conf:
location ~ ^/sar/(.*)$ {
# configuration file /usr/syno/share/nginx/conf.d/dsm.synosharing.conf:
location ~ ^/sharing/([-_\w\d]+)$ {
location ~ ^/sharing/(.+)\.cgi {
location ~ ^/sharing/$ {
location ~ ^/sharing/errors$ {
location ~ ^/sharing/(.+)$ {
# configuration file /etc/nginx/conf.d/dsm.CloudStation.conf:
location ~ ^/cstndownload/ {
# configuration file /etc/nginx/conf.d/dsm.StorageAnalyzer.conf:
location ~ ^/dar/(.*)$ {
	rewrite ^/dar/(.*)$ /webapi/_______________________________________________________entry.cgi?path="$1"&api=SYNO.Core.Report.Redirect&method=open_report&version=1;
# configuration file /etc/nginx/conf.d/dsm.SynologyApplicationService.conf:
location ~ /webman/3rdparty/SynologyApplicationService/browser_pair/service-worker.js$ {
# configuration file /etc/nginx/conf.d/dsm.docker.conf:
location ~ ^/docker/ws {
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Host $http_host;
# configuration file /etc/nginx/conf.d/www.PhotoStation.conf:
location = /photo/csp_report.cgi {
	return 200;
location = /photo {
location = /blog {
location ~ ^/photo/ {
	location ~* \.php(/|$) {
		fastcgi_param SERVER_NAME       $host;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
		fastcgi_param REDIRECT_STATUS   200;
# configuration file /etc/nginx/conf.d/www.PhotoStation.disabled.conf:
location ~ ^/photo/report\.php {
location ~ ^/(photo|blog)(/.*)?$ {
    return 302 /photo/report.php?msgkey=photo_str_service_disabled;
location ~ ^/~([^\/]*)/(photo|blog)(/.*)?$ {
    return 302 /photo/report.php?msgkey=photo_str_service_disabled;
# configuration file /etc/nginx/app.d/server.ReverseProxy.conf:

Not sure if this is normal for Synology NASes, but it is running all vhost configs as "_" ("default"):

        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        listen 443 default_server ssl;
        listen [::]:443 default_server ssl;
        server_name _;

There is no specifically defined section for your requested FQDN.

Please run:
nginx -T

And crop out and post the entire HTTP vhost server section that contains:

        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
  server {
        listen 80 default_server;
        listen [::]:80 default_server;

        gzip on;

        server_name _;

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;

            root /;

            open_file_cache off;

            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        include app.d/www.*.conf;
        include app.d/alias.*.conf;
        include /usr/syno/share/nginx/conf.d/www.*.conf;
        include conf.d/www.*.conf;

        location = /webdefault/images/logo.jpg {
            alias /usr/syno/share/nginx/logo.jpg;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        location ^~ /.well-known/acme-challenge {
            root /var/lib/letsencrypt;
            default_type text/plain;
        }

        include app.d/.location.webstation.conf*;

        location / {
            rewrite ^ / redirect;
        }

        location ~ ^/$ {
            rewrite / http://$host:5000/ redirect;
        }
    }

OK
Let's work with that.
Do the following:
echo "test file #1" > /var/lib/letsencrypt/test-file-1
mkdir /var/lib/letsencrypt/.well-known/
mkdir /var/lib/letsencrypt/.well-known/acme-challenge/
echo "test file #2" > /var/lib/letsencrypt/.well-known/acme-challenge/test-file-2

Then we can test if either is accessible from the Internet with:
http://thebiermans.ddns.net/test-file-1
http://thebiermans.ddns.net/test-file-2
http://thebiermans.ddns.net/.well-known/acme-challenge/test-file-1
http://thebiermans.ddns.net/.well-known/acme-challenge/test-file-2

permission denied even as sudo.

Well that's no bueno...

OK, we can always use a BIGGER hammer!

Try changing the line there that says:
root /var/lib/letsencrypt;
to
root /dedicated/challenge/path;

Then create that path:
mkdir /dedicated/
mkdir /dedicated/challenge/
mkdir /dedicated/challenge/path/

Then restart nginx.
[not too sure about how to do that in Synology]

Do the following:

echo "test file #1" > /dedicated/challenge/path/test-file-1
mkdir /dedicated/challenge/path/.well-known/
mkdir /dedicated/challenge/path/.well-known/acme-challenge/
echo "test file #2" > /dedicated/challenge/path/.well-known/acme-challenge/test-file-2

Then we can test if either is accessible from the Internet with:
http://thebiermans.ddns.net/test-file-1
http://thebiermans.ddns.net/test-file-2
http://thebiermans.ddns.net/.well-known/acme-challenge/test-file-1
http://thebiermans.ddns.net/.well-known/acme-challenge/test-file-2
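The four test URLs above (and the same four in the earlier post against /var/lib/letsencrypt) are chosen to show which on-disk path the `location ^~ /.well-known/acme-challenge { root ...; }` block actually opens. With an nginx `root` directive the full request URI is appended to the root directory, so only a file placed under `<root>/.well-known/acme-challenge/` is reachable through that location; a file dropped directly in `<root>/` is not. The script below is an added example, not something posted in the thread, that emulates that mapping against a scratch directory (a constructed stand-in for the webroot) and also checks the write permission that tripped up the test on the NAS. Function names are my own.

```shell
#!/bin/sh
# Added example: emulate how nginx resolves a request URI under a `root`
# directive and check a challenge webroot the way the thread's test does.
# The scratch directory created below is a constructed stand-in for
# /var/lib/letsencrypt or /dedicated/challenge/path; nothing here talks
# to the network.

# Path nginx opens for a location using `root $1` when the request URI is $2.
# `root` appends the whole URI to the directory (unlike `alias`, which
# replaces only the matched location prefix).
resolve_root() {
  printf '%s%s\n' "$1" "$2"
}

# Returns 0 if the resolved file exists and is readable (i.e. nginx would
# answer 200 for it), 1 otherwise.
would_serve() {
  path=$(resolve_root "$1" "$2")
  [ -r "$path" ]
}

# Returns 0 if we can actually create the challenge directory and a file in
# it; this is the step that failed with "permission denied" in the thread.
check_writable() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" 2>/dev/null || return 1
  probe="$dir/.write-probe.$$"
  : > "$probe" 2>/dev/null || return 1
  rm -f "$probe"
  return 0
}

# Recreate the thread's layout: test-file-1 at the root, test-file-2 under
# the acme-challenge subdirectory.
setup_challenge_root() {
  check_writable "$1" || return 1
  echo "test file #1" > "$1/test-file-1"
  echo "test file #2" > "$1/.well-known/acme-challenge/test-file-2"
}

# How many of the two acme-challenge URIs from the thread would be served.
count_served() {
  n=0
  for uri in /.well-known/acme-challenge/test-file-1 \
             /.well-known/acme-challenge/test-file-2; do
    if would_serve "$1" "$uri"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Stand-alone demo against a scratch webroot.
DEMO_ROOT=$(mktemp -d)
if setup_challenge_root "$DEMO_ROOT"; then
  for uri in /.well-known/acme-challenge/test-file-1 \
             /.well-known/acme-challenge/test-file-2; do
    if would_serve "$DEMO_ROOT" "$uri"; then
      echo "200 $uri -> $(resolve_root "$DEMO_ROOT" "$uri")"
    else
      echo "404 $uri -> $(resolve_root "$DEMO_ROOT" "$uri") (missing)"
    fi
  done
else
  echo "cannot write under $DEMO_ROOT: fix ownership/permissions first"
fi
rm -rf "$DEMO_ROOT"
```

Only `/.well-known/acme-challenge/test-file-2` resolves; `test-file-1` under that prefix does not exist on disk, so it is the negative control. The two URLs without the `/.well-known/acme-challenge` prefix never reach this location at all: in the posted server block they fall through to `location / { rewrite ^ / redirect; }`, so they answer with a redirect regardless of what is on disk. Running `check_writable` as the account that will place the challenge file is the quick way to reproduce the "permission denied" seen on the NAS before involving the ACME client.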

Thanks, but I'm not sure I am willing to go nuts on my nas. That is the webserver that runs it. If we change a lot of permissions or break things it will be a mess to fix. None of this should be necessary.

You change one line of code in the nginx.
[which can be changed back once the test is done]
That's going nuts?

I'll just get back into bed.
Good luck.

Cheers from Miami :beers:

What line are you referring to?

See line pointed at below:

Which is in what file?

rerun
nginx -T

look for that section
then scroll up
slowly
you will see
# configuration file ....... [FILE NAME]:

It might not be in a separate file.
Look in file:
# configuration file /etc/nginx/nginx.conf:

Do you know how to edit a file in Linux?
Do you know how to restart the nginx service?

Yes I know how to edit linux files. but there are two lines that match what you are saying in the config file. I appreciate you trying to figure this out, but Synology isn't out of the box linux. I'll post there and see if there is a straight forward solution.


I showed exactly which one should be changed.
Although changing both is OK too.

If you are not up for going under the hood - I'm also OK with that.

I don't work for Synology.
I don't work for LE.
I don't work!

Cheeeeeeeers from Miami :beers:

Perhaps I have reached a limit. https://letsencrypt.org/docs/rate-limits/ Maybe letsencrypt will reset or, I will have to wait a week and see if that solves the issue.

No issues seen: Let's Debug
That site is pretty thorough, so I doubt things will change in a week [you'll be right where we are now].
But You are free to wait if that is what you want.

Until then, and if I had to guess, I would think that there is something missing in the equation.
Like why doesn't your device use the FQDN anywhere in the nginx config?
I would think that would be its name now.
But I'm too logical sometimes...
This calls for some inside information - that might only be found within Synology.

I tend to agree with you, after thinking on it I don’t think waiting will solve anything with this particular error.

Because as I said, that is a ddns service. So it has nothing to do with my Synology. It merely gets me to the door.