Synology DSM 5 - Renew Certificate failed

Matimat · June 1, 2020, 5:56pm

I can’t renew my certicate with acme.sh script (version 2.8.1). I get this message :

Date: Mon, 01 Jun 2020 17:52:37 GMT
Content-Type: application/problem+json
Content-Length: 173
Connection: keep-alive
Boulder-Requester: 79442763
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 00025iwmlrf7S1i_VNA_eIJUqaBGgux_LJbVU-KHQBGlhcI
’
[Mon Jun 1 19:52:42 CEST 2020] code=‘400’
[Mon Jun 1 19:52:42 CEST 2020] original=’{
“type”: “urn:ietf:params:acme:error:badNonce”,
“detail”: “JWS has an invalid anti-replay nonce: “0001BwfNbXJUeYQM5e68kdDkzHubj37fVjBd11h_sQFnOao””,
“status”: 400
}’
[Mon Jun 1 19:52:42 CEST 2020] response=’{
“type”: “urn:ietf:params:acme:error:badNonce”,
“detail”: “JWS has an invalid anti-replay nonce: “0001BwfNbXJUeYQM5e68kdDkzHubj37fVjBd11h_sQFnOao””,
“status”: 400
}’
[Mon Jun 1 19:52:42 CEST 2020] It seems the CA server is busy now, let’s wait and retry. Sleeping 1 seconds.

90 days ago I have used this command without problem to genrate certificate :

./acme.sh --issue -d home.rolland.net --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd ‘/usr/syno/sbin/synoservicecfg --reload httpd-sys’

If the acme.sh doesn’t works, can I generate my certificate on an other machine (ubuntu on virtual machine) and import to my NAS Synology ?

My domain is: home.rolland.net
I ran this command: ./acme.sh --cron --home /volume1/.acme.sh --debug 3
It produced this output:
My web server is (include version): DSM 5
The operating system my web server runs on is (include version): apache 2.2
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is : acme.sh v2.8.1

rg305 · June 1, 2020, 6:13pm

The latest version of acme.sh is 2.8.6
First try:
./acme.sh --upgrade

rg305 · June 1, 2020, 6:16pm

Then as a compliment to the initial issuance:

Try:
./acme.sh --renew -d home.rolland.net
or (the full load)

./acme.sh --renew -d home.rolland.net --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/server.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd ‘/usr/syno/sbin/synoservicecfg --reload httpd-sys’

Matimat · June 1, 2020, 6:54pm

It seems it doesn’t works.

- I have updgrade acme.sh :

DiskStation> ./acme.sh --upgrade
[Mon Jun 1 21:20:01 CEST 2020] Installing from online archive.
[Mon Jun 1 21:20:01 CEST 2020] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Mon Jun 1 21:20:10 CEST 2020] Extracting master.tar.gz
[Mon Jun 1 21:20:28 CEST 2020] It is recommended to install socat first.
[Mon Jun 1 21:20:28 CEST 2020] We use socat for standalone server if you use standalone mode.
[Mon Jun 1 21:20:28 CEST 2020] If you don’t use standalone mode, just ignore this warning.
[Mon Jun 1 21:20:28 CEST 2020] Installing to /volume1/homes/admin/acme
[Mon Jun 1 21:20:31 CEST 2020] Installed to /volume1/homes/admin/acme/acme.sh
[Mon Jun 1 21:20:52 CEST 2020] OK
[Mon Jun 1 21:20:52 CEST 2020] Install success!
[Mon Jun 1 21:20:52 CEST 2020] Upgrade success!

DiskStation> cd /volume1/homes/admin/acme
DiskStation> ./acme.sh --version

v2.8.6

I have copied the subdirectory home.rolland.net in the new install dir :

DiskStation> cp -p -R home.rolland.net/ /volume1/homes/admin/acme

- Same message during the renew of the certificate :

[Mon Jun 1 21:27:41 CEST 2020] responseHeaders=‘HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 01 Jun 2020 19:27:40 GMT
Content-Type: application/problem+json
Content-Length: 173
Connection: keep-alive
Boulder-Requester: 79442763
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0101zToWqAuE4RnYi7ThpkPPvUjiwkIDyS2OjSM7URNk-Yc
’
[Mon Jun 1 21:27:42 CEST 2020] code=‘400’
[Mon Jun 1 21:27:42 CEST 2020] original=’{
“type”: “urn:ietf:params:acme:error:badNonce”,
“detail”: “JWS has an invalid anti-replay nonce: “0102MQqNt-zgQJl14_f4S7gJqOuPPBIF-F3aXieP_wNqDXw””,
“status”: 400
}’
[Mon Jun 1 21:27:42 CEST 2020] response=’{
“type”: “urn:ietf:params:acme:error:badNonce”,
“detail”: “JWS has an invalid anti-replay nonce: “0102MQqNt-zgQJl14_f4S7gJqOuPPBIF-F3aXieP_wNqDXw””,
“status”: 400
}’
[Mon Jun 1 21:27:42 CEST 2020] It seems the CA server is busy now, let’s wait and retry. Sleeping 1 seconds.

With the renew command (dosn’t works):

DiskStation> ./acme.sh --renew -d home.rolland.net
[Mon Jun 1 21:40:04 CEST 2020] Renew: ‘home.rolland.net’
[Mon Jun 1 21:41:15 CEST 2020] Create account key ok.
[Mon Jun 1 21:41:16 CEST 2020] Registering account
[Mon Jun 1 21:41:30 CEST 2020] Registered
[Mon Jun 1 21:41:30 CEST 2020] ACCOUNT_THUMBPRINT=‘UlU9T1HawyYHP4KCETXYYnT18gtV8BjDECbNXNbpcAc’
[Mon Jun 1 21:41:33 CEST 2020] Single domain=‘home.rolland.net’
[Mon Jun 1 21:41:44 CEST 2020] Getting domain auth token for each domain
[Mon Jun 1 21:41:58 CEST 2020] Getting webroot for domain=‘home.rolland.net’
[Mon Jun 1 21:41:58 CEST 2020] Verifying: home.rolland.net
[Mon Jun 1 21:42:09 CEST 2020] Pending
[Mon Jun 1 21:42:15 CEST 2020] home.rolland.net:Verify error:Fetching http://home.rolland.net/.well-known/acme-challenge/Tlw3ncT2p_Suz2Fju1mA4Dr3EoIeZZi6gHZuv3cTuiU: Timeout during connect (likely firewall problem)
[Mon Jun 1 21:42:16 CEST 2020] Please add ‘–debug’ or ‘–log’ to check more details.
[Mon Jun 1 21:42:16 CEST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

With full reload (dosn’t works) :

[Mon Jun 1 21:29:00 CEST 2020] ‘home.rolland.net’ is not a issued domain, skip.
DiskStation> ./acme.sh --renew -d home.rolland.net --webroot /var/lib/letsencrypt --certpath /usr/syno/etc/ssl/ssl.crt/serv
er.crt --keypath /usr/syno/etc/ssl/ssl.key/server.key --capath /usr/syno/etc/ssl/ssl.intercrt/server-ca.crt --reloadcmd ‘/u
sr/syno/sbin/synoservicecfg --reload httpd-sys’
[Mon Jun 1 21:30:51 CEST 2020] Renew: ‘home.rolland.net’
[Mon Jun 1 21:30:51 CEST 2020] ‘home.rolland.net’ is not a issued domain, skip.

rg305 · June 1, 2020, 7:52pm

To verify your "ownership" (of that domain name), the Internet needs to access the IP of that name (your DiskStation) via HTTP (port 80).

Matimat · June 1, 2020, 7:55pm

But my site is in HTTPS and not HTTP

rg305 · June 1, 2020, 7:56pm

I repeat myself:

You can keep your site HTTPS.
But something needs to do the HTTP authentication.

Matimat · June 1, 2020, 8:36pm

I have to create this path that response on http://home.rolland.net:80 ?

.well-known/acme-challenge/Tlw3ncT2p_Suz2Fju1mA4Dr3EoIeZZi6gHZuv3cTuiU

On my web root path I haven’t a .well-known directory

rg305 · June 1, 2020, 9:13pm

That will be created and deleted afterwards (when needed).

Matimat · June 1, 2020, 10:12pm

the name “Tlw3ncT2p_Suz2Fju1mA4Dr3EoIeZZi6gHZuv3cTuiU” change each time I execute the renew command.

Matimat · June 1, 2020, 10:46pm

When I try to access to the file create by the acme.sh (http://home.rolland.net/.well-known/acme-challenge/file_create_by_acme.sh) I have a 404.

When I copy this file into the parent directory (.well-known), I can access to the file http://home.rolland.net/.well-known/file_create_by_acme.sh)

The rights on the server are good (test with 777 permissions for simplicity), my problem is that the webstation has a bug : I have to contact Synology for this problem.

WebStation of Synology is the webserver (apache) for NAS on DSM 5.

rg305 · June 2, 2020, 6:16am

The is normal and expected.

rg305 · June 2, 2020, 6:18am

Me too, but LE gets error 400.

That path is missing /acme-challenge/

Matimat · June 2, 2020, 8:00am

the path /acme-challenge is missing for a test to show that my NAS has a problem to reply with the acme-challenge but no problem if I put the file to the parent directory (without the acme-challenge directory)

I create last night the issue to Synology, I’m waitting for response.

rg305 · June 2, 2020, 3:11pm

Then just create it.
[to simulate the test as close as possible]

If you can, please show the output of:
apachectl -S

Matimat · June 2, 2020, 6:30pm

the acme-challenge exists but when I try to access a file into this directory I have a 404. It’s for this Reason I have open an issue on Synology.

apachectl doens’t works :

DiskStation> apachectl -S
-ash: apachectl: not found

I use httpd command :

DiskStation> httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:80 * (/etc/httpd/conf/httpd.conf:188)
Syntax OK

rg305 · June 3, 2020, 12:55am

Can we have a look at this file?:

Matimat · June 4, 2020, 6:04am

Voici le fichier :

ServerRoot "/etc/httpd"

Listen 80

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

User http
Group http

ServerAdmin admin
ServerName *:80

<Directory />
    Options FollowSymLinks
    AllowOverride All

    RewriteEngine on
    RewriteCond %{HTTP:Transfer-Encoding} chunked
    RewriteRule ^(.*)$ http://localhost:412/$1 [P]
</Directory>

<Directory "/var/services/web">
    Options MultiViews FollowSymLinks ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

<Directory "/usr/syno/synoman/phpsrc/web">
    Options MultiViews FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/usr/syno/synoman/empty/web">
    Options MultiViews FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
<Directory /var/lib/letsencrypt/.well-known/acme-challenge>
Order allow,deny
Allow from all
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.htm index.cgi index.php index.php5
</IfModule>

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

ErrorLog /var/log/httpd/user-error_log
#ErrorLog /dev/null
TraceEnable off

LogLevel error

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog /dev/null combined
    #CustomLog /var/log/httpd/user-access_log combined
</IfModule>

<IfModule alias_module>
    Alias /webman/pingpong.php /usr/syno/synoman/phpsrc/pingpong.php
</IfModule>

ScriptSock /run/httpd/user-cgisock

DefaultType text/plain

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType image/x-icon .ico
    AddHandler cgi-script .cgi
</IfModule>

MIMEMagicFile conf/magic

<IfDefine HAVE_PHP>
    Alias /webdefault/ "/usr/syno/synoman/phpsrc/web/"
</IfDefine>
<IfDefine !HAVE_PHP>
    Alias /webdefault/ "/usr/syno/synoman/empty/web/"
</IfDefine>

<IfDefine HAVE_PHP>
    ErrorDocument 403 /webdefault/error.html
    ErrorDocument 404 /webdefault/error.html
    ErrorDocument 500 /webdefault/error.html
    Include conf/extra/mod_fastcgi.conf
</IfDefine>

EnableMMAP off

Include conf/extra/httpd-mpm.conf-user
Include conf/extra/httpd-autoindex.conf-user
Include conf/extra/httpd-languages.conf-user
Include conf/extra/httpd-default.conf-user

<IfDefine SSL>
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
</IfDefine>

<IfModule deflate_module>
    DeflateCompressionLevel 2
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    AddOutputFilter DEFLATE js css
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.[0678] no-gzip
    BrowserMatch \bMSIE\s7  !no-gzip !gzip-only-text/html
</IfModule>


<Files *.js>
    Header unset Etag
</Files>

<Files *.css>
    Header unset Etag
</Files>

# For CVS-2001-1446
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# For @eaDir
<DirectoryMatch "@eaDir">
    Order allow,deny
    Deny from all
    Satisfy All
</DirectoryMatch>

# For CVE-2003-1418
FileETag MTime Size

<VirtualHost *:80>
    Include sites-enabled-user/*.conf
</VirtualHost>

include conf/extra/mod_xsendfile.conf-user
Include conf/extra/httpd-reqtimeout.conf
Include conf/extra/httpd-proxy-autoconf.conf-user
Include /etc/httpd/sites-enabled-user/httpd-vhost.conf-user
DocumentRoot "/var/services/web"

rg305 · June 4, 2020, 6:21am

OK I think we need to look at the included files:

Please show:
ls -l /etc/httpd/sites-enabled/*.conf

and then the contents of the very few files that should be there.

Matimat · June 4, 2020, 6:52am

DiskStation> ls -l /etc/httpd/sites-enabled/*.conf

-rw-r--r--    1 root     root           336 Mar 20  2014 /etc/httpd/sites-enabled/SYNO.SDS.App.FileStation3.Instance.alt_port.conf
-rw-r--r--    1 root     root           515 Mar 20  2014 /etc/httpd/sites-enabled/SYNO.SDS.App.FileStation3.Instance.alt_port_ssl.conf
-rw-r--r--    1 root     root           337 Oct 26  2013 /etc/httpd/sites-enabled/SYNO.SDS.AudioStation.Application.alias.conf
lrwxrwxrwx    1 root     root            79 Jun  4 02:15 /etc/httpd/sites-enabled/ssliveview.alias.conf -> /var/packages/SurveillanceStation/target/ui/apache_module/ssliveview.alias.conf
lrwxrwxrwx    1 root     root            75 Jun  4 02:15 /etc/httpd/sites-enabled/ssrtsp.alias.conf -> /var/packages/SurveillanceStation/target/ui/apache_module/ssrtsp.alias.conf

SYNO.SDS.App.FileStation3.Instance.alt_port.conf

Listen 7000
NameVirtualHost *:7000
<VirtualHost *:7000>
SetEnv REWRITE_APP SYNO.SDS.App.FileStation3.Instance

RewriteEngine on
RewriteOptions Inherit
Include conf/extra/httpd-alt-port-rewrite-default.conf
</VirtualHost>

SYNO.SDS.App.FileStation3.Instance.alt_port_ssl.conf

Listen 7001
NameVirtualHost *:7001
<VirtualHost *:7001>
SetEnv REWRITE_APP SYNO.SDS.App.FileStation3.Instance

SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key
SSLEngine on

RewriteEngine on
RewriteOptions Inherit
Include conf/extra/httpd-alt-port-rewrite-default.conf
</VirtualHost>

SYNO.SDS.AudioStation.Application.alias.conf

RewriteEngine on

RewriteRule ^/audio$ /usr/syno/synoman/webman [L,E=REWRITE_APP:SYNO.SDS.AudioStation.Application]
RewriteRule ^/audio/(.*) /usr/syno/synoman/webman/$1 [L,E=REWRITE_APP:SYNO.SDS.AudioStation.Application]

ssliveview.alias.conf

RewriteEngine on

RewriteRule ^/audio$ /usr/syno/synoman/webman [L,E=REWRITE_APP:SYNO.SDS.AudioStation.Application]
RewriteRule ^/audio/(.*) /usr/syno/synoman/webman/$1 [L,E=REWRITE_APP:SYNO.SDS.AudioStation.Application]

/etc/httpd/sites-enabled/ssliveview.alias.conf

<IfModule !ssliveview_module>
        LoadModule ssliveview_module modules/mod_ssliveview.so
</IfModule>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files liveview_src.cgi>
                SetHandler ssliveview_handler
        </Files>
</Directory>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files get_camstatus.cgi>
                SetHandler ssliveview_handler
        </Files>
</Directory>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files cmsRedirect.cgi>
                SetHandler ssliveview_handler
        </Files>
</Directory>

ssrtsp.alias.conf

<IfModule !ssrtsp_module>
        LoadModule ssrtsp_module modules/mod_ssrtsp.so
</IfModule>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files rtsp.cgi>
                SetHandler ssrtsp_handler
        </Files>
</Directory>