Synology Certificate Renewal

I have reviewed other questions before posting my issue. I am unable to renew the certificate on my Synology NAS. Ports 80 / 443 are forwarded on the router, and confirmed to be open by an external scan. I am unable to create a new certificate either.

I have tried resetting the network, rebooting router and NAS, manually entering the DNS server as the router IP. Nothing has worked.

Logs relating to renewal

2019-10-04T12:03:57+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[30878]: certificate.cpp:1448 handle le renew. [F6n9t2]
2019-10-04T12:03:57+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[30878]: certificate.cpp:1454 call le tool.
2019-10-04T12:03:59+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[30878]: certificate.cpp:973 syno-letsencrypt failed. 1 [syno-letsencrypt output is not a json: ]
2019-10-04T12:03:59+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[30878]: certificate.cpp:1458 Failed to renew Let'sEncrypt certificate. [1][syno-letsencrypt output is not a json: ]

My domain is: ds.systematicprint.com

I ran this command: Renew Certificate

It produced this output: The operation failed. Please log in to DSM and retry.

My web server is (include version): Apache HTTP Server 2.2

The operating system my web server runs on is (include version): Synology DSM 6.2.2-24922 Update 3

My hosting provider, if applicable, is: N/A

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DSM

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not sure

Hi @systematic

I can't see your port 80 / port 443. Both have a timeout - https://check-your-website.server-daten.de/?q=ds.systematicprint.com

Domainname Http-Status redirect Sec. G
http://ds.systematicprint.com/ 81.143.170.25 -14 10.027 T
Timeout - Timeout für Vorgang überschritten
https://ds.systematicprint.com/ 81.143.170.25 -14 10.033 T
Timeout - Timeout für Vorgang überschritten
http://ds.systematicprint.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 81.143.170.25 -14 10.023 T
Timeout - Timeout für Vorgang überschritten

So creating a Letsencrypt certificate via http validation can't work.

Which tool did you use to check your ports?

Hello, thanks for reviewing. I am using https://www.yougetsignal.com/tools/open-ports/ The firewall was blocking international inbound, which I removed but there is still the same issue even with the ports open.

There is a new check - 15:00 - https://check-your-website.server-daten.de/?q=ds.systematicprint.com - again a timeout.

But checked now with my browser - port 80 is open, now checked 15:23, port 80 answers.

So try it again.

PS: The other tool may only check if port 80 answers, but not if there is a running web server with an HTTP status.

I rebooted the NAS and attempted to renew the certificate, still getting The operation failed. Please log in to DSM and retry.

If there is no more information, you should ask in the Synology forum.

Your port 80 answers correctly, so this isn't the problem. And the error message is too unspecific.

These are the logs when trying to add a new certificate

2019-10-04T14:44:06+01:00 apollo syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://ds.systematicprint.com/.well-known/acme-challenge/wCE297ZCRP8ZpLRWSwQure6n496ryCfJchGJYy-5YB8 [81.143.170.25]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""}
]
2019-10-04T14:44:07+01:00 apollo syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"do new auth by path: failed to do challenge."}
]
2019-10-04T14:44:07+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[25797]: certificate.cpp:973 syno-letsencrypt failed. 102 [Failed to new certificate.]
2019-10-04T14:44:07+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[25797]: certificate.cpp:1392 Failed to create Let'sEncrypt certificate. [102][Failed to new certificate.]
2019-10-04T14:44:17+01:00 apollo syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://ds.systematicprint.com/.well-known/acme-challenge/6imJb2DFPlajKj_vt_WDvateSca1K89KixBBnpUyWD0 [81.143.170.25]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""}
]
2019-10-04T14:44:19+01:00 apollo syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"do new auth by path: failed to do challenge."}
]
2019-10-04T14:44:19+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[25994]: certificate.cpp:973 syno-letsencrypt failed. 102 [Failed to new certificate.]
2019-10-04T14:44:19+01:00 apollo synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[25994]: certificate.cpp:1392 Failed to create Let'sEncrypt certificate. [102][Failed to new certificate.]

Looks like the challenge fails because there is some redirect that outputs a webpage instead of the challenge.

It looks like the .well-known/acme-challenge/xxxxx does not exist when trying to renew your certificate. The Synology has a custom 404 page that is sent back as the response.
(just from looking at your logs)

Can you create that directory on your nas?

It shouldn't be necessary to do that manually, because the Synology Let's Encrypt client should take care of it.

So I have managed to add a new certificate to replace the previous one by creating the folder. Renewal still wasn’t working.

I re-created the /.well-known/acme-challenge folder as per the instructions below

You will need to ssh into the nas…

Create .well-known in the web root (/volume1/web)
mkdir /volume1/web/.well-known
Create acme-challenge under .well-known
mkdir /volume1/web/.well-known/acme-challenge

Remove the file under letsencrypt
sudo rm /var/lib/letsencrypt/.well-known

create a link
sudo ln -s /volume1/web/.well-known /var/lib/letsencrypt/.well-known

I also removed port forwarding on my router. Originally I had 80 forwarding to 5000 and 443 forwarding to 5001, but clearly it didn’t like this, so I swapped to 80 > 80 and 443 > 443 instead.

Thank you for your suggestions.
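The two things this thread turns on are (a) that a port being "open" says nothing about whether the web server returns the token at /.well-known/acme-challenge/<token>, and (b) that a missing challenge directory makes the NAS answer with its HTML 404 page, which is exactly what the "Invalid response ... <!DOCTYPE html>" log lines show. The script below is an added example, not code from the thread, from Synology or from Let's Encrypt: it fetches the challenge URL the way a validator would and classifies the answer (reachable at all, HTML page instead of token, correct token), and it applies the mkdir/rm/ln -s fix from the final post to a temporary directory pair. Everything is simulated locally: the web root, the ACME client's directory, the custom 404 page, the token and key authorization are all constructed stand-ins, and the server is a small local one that mimics the observed behaviour.

```python
"""HTTP-01 challenge preflight plus a local before/after simulation.

Added example, not from the thread. Assumptions (all constructed):
  - a web root the web server serves from (the thread's /volume1/web),
  - a separate directory the ACME client writes tokens into
    (the thread's /var/lib/letsencrypt), to be linked to the web root,
  - a server that answers any missing file with an HTML 404 page.
"""
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
CHALLENGE_URL_PREFIX = "/.well-known/acme-challenge/"
# Constructed stand-in for the NAS's custom 404 page (same shape as the log).
NOT_FOUND_HTML = ('<!DOCTYPE html>\n<html>\n<head>\n<meta charset="utf-8">\n'
                  "</head><body>Sorry, the page you are looking for is not "
                  "found.</body></html>")


def check_challenge(base_url, token, expected_body, timeout=5.0):
    """Fetch the challenge URL like a validator and classify the reply:
    "ok" (body is exactly the key authorization), "html_page" (a web page
    came back instead of the token, the thread's case), "unreachable"
    (connection failure or timeout, the external check's case), otherwise
    "http_<status>" or "wrong_body"."""
    url = base_url.rstrip("/") + CHALLENGE_URL_PREFIX + token
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    except (urllib.error.URLError, OSError):
        return "unreachable"
    text = body.decode("utf-8", "replace")
    if status == 200 and text.strip() == expected_body:
        return "ok"
    head = text.lstrip()[:16].lower()
    if head.startswith("<!doctype html") or head.startswith("<html"):
        return "html_page"
    return "http_%d" % status if status != 200 else "wrong_body"


def link_challenge_dir(webroot, le_dir):
    """The fix from the final post: create .well-known/acme-challenge in the
    web root and replace <le_dir>/.well-known with a symlink to it, so the
    tokens the ACME client writes land where the web server serves them."""
    target = os.path.join(webroot, ".well-known")
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    stale = os.path.join(le_dir, ".well-known")
    if os.path.islink(stale) or os.path.isfile(stale):  # islink before isdir
        os.remove(stale)
    elif os.path.isdir(stale):
        shutil.rmtree(stale)
    os.symlink(target, stale)
    return os.path.realpath(stale) == os.path.realpath(target)


class NasLikeHandler(http.server.BaseHTTPRequestHandler):
    """Serves files under server.webroot as text; anything else gets the
    HTML 404 page, like the NAS in the logs."""

    def _send(self, status, ctype, data):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        root = os.path.realpath(self.server.webroot)
        rel = self.path.split("?", 1)[0].lstrip("/")
        full = os.path.realpath(os.path.join(root, rel))  # stays inside root
        if full.startswith(root + os.sep) and os.path.isfile(full):
            with open(full, "rb") as fh:
                self._send(200, "text/plain", fh.read())
        else:
            self._send(404, "text/html; charset=utf-8", NOT_FOUND_HTML.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def simulate():
    """Before/after scenario from the thread against a local server.
    Returns (result_before_fix, result_after_fix)."""
    base = tempfile.mkdtemp(prefix="acme-demo-")
    webroot = os.path.join(base, "web")          # stands in for /volume1/web
    le_dir = os.path.join(base, "letsencrypt")   # stands in for /var/lib/letsencrypt
    os.makedirs(webroot)
    os.makedirs(os.path.join(le_dir, CHALLENGE_DIR))  # unlinked, as before the fix
    server = http.server.HTTPServer(("127.0.0.1", 0), NasLikeHandler)
    server.webroot = webroot
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d" % server.server_address[1]
    token, key_auth = "demo-token", "demo-token.demo-thumbprint"  # constructed
    try:
        with open(os.path.join(le_dir, CHALLENGE_DIR, token), "w") as fh:
            fh.write(key_auth)                   # client writes where it thinks the web root is
        before = check_challenge(url, token, key_auth)   # HTML 404 page comes back
        link_challenge_dir(webroot, le_dir)
        with open(os.path.join(le_dir, CHALLENGE_DIR, token), "w") as fh:
            fh.write(key_auth)                   # now lands in the web root via the link
        after = check_challenge(url, token, key_auth)    # token served as-is
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(base, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    print("before fix: %s, after fix: %s" % simulate())
```

Against a real domain, check_challenge with the public base URL and a token the client has actually written is the check worth running before asking the CA to validate: "unreachable" points at forwarding or firewall rules (the first replies in this thread), "html_page" at the path not being served (the later replies), and only "ok" means the validator will see what it expects.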
