Synology DSM 5 - Renew Certificate failed

Then just create it.
[to simulate the test as close as possible]

If you can, please show the output of:
apachectl -S


The acme-challenge directory exists, but when I try to access a file in this directory I get a 404. That's the reason I opened an issue with Synology.

apachectl doesn't work:

DiskStation> apachectl -S
-ash: apachectl: not found

I use the httpd command:

DiskStation> httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:80 * (/etc/httpd/conf/httpd.conf:188)
Syntax OK


Can we have a look at this file?:


Here is the file:

ServerRoot "/etc/httpd"

Listen 80

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

User http
Group http

ServerAdmin admin
ServerName *:80

<Directory />
    Options FollowSymLinks
    AllowOverride All

    RewriteEngine on
    RewriteCond %{HTTP:Transfer-Encoding} chunked
    RewriteRule ^(.*)$ http://localhost:412/$1 [P]
</Directory>

<Directory "/var/services/web">
    Options MultiViews FollowSymLinks ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

<Directory "/usr/syno/synoman/phpsrc/web">
    Options MultiViews FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/usr/syno/synoman/empty/web">
    Options MultiViews FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
<Directory /var/lib/letsencrypt/.well-known/acme-challenge>
Order allow,deny
Allow from all
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.htm index.cgi index.php index.php5
</IfModule>

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

ErrorLog /var/log/httpd/user-error_log
#ErrorLog /dev/null
TraceEnable off

LogLevel error

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog /dev/null combined
    #CustomLog /var/log/httpd/user-access_log combined
</IfModule>

<IfModule alias_module>
    Alias /webman/pingpong.php /usr/syno/synoman/phpsrc/pingpong.php
</IfModule>

ScriptSock /run/httpd/user-cgisock

DefaultType text/plain

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType image/x-icon .ico
    AddHandler cgi-script .cgi
</IfModule>

MIMEMagicFile conf/magic

<IfDefine HAVE_PHP>
    Alias /webdefault/ "/usr/syno/synoman/phpsrc/web/"
</IfDefine>
<IfDefine !HAVE_PHP>
    Alias /webdefault/ "/usr/syno/synoman/empty/web/"
</IfDefine>

<IfDefine HAVE_PHP>
    ErrorDocument 403 /webdefault/error.html
    ErrorDocument 404 /webdefault/error.html
    ErrorDocument 500 /webdefault/error.html
    Include conf/extra/mod_fastcgi.conf
</IfDefine>

EnableMMAP off

Include conf/extra/httpd-mpm.conf-user
Include conf/extra/httpd-autoindex.conf-user
Include conf/extra/httpd-languages.conf-user
Include conf/extra/httpd-default.conf-user

<IfDefine SSL>
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
</IfDefine>

<IfModule deflate_module>
    DeflateCompressionLevel 2
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    AddOutputFilter DEFLATE js css
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.[0678] no-gzip
    BrowserMatch \bMSIE\s7  !no-gzip !gzip-only-text/html
</IfModule>


<Files *.js>
    Header unset Etag
</Files>

<Files *.css>
    Header unset Etag
</Files>

# For CVE-2001-1446
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# For @eaDir
<DirectoryMatch "@eaDir">
    Order allow,deny
    Deny from all
    Satisfy All
</DirectoryMatch>

# For CVE-2003-1418
FileETag MTime Size

<VirtualHost *:80>
    Include sites-enabled-user/*.conf
</VirtualHost>

include conf/extra/mod_xsendfile.conf-user
Include conf/extra/httpd-reqtimeout.conf
Include conf/extra/httpd-proxy-autoconf.conf-user
Include /etc/httpd/sites-enabled-user/httpd-vhost.conf-user
DocumentRoot "/var/services/web"

OK I think we need to look at the included files:

Please show:
ls -l /etc/httpd/sites-enabled/*.conf

and then the contents of the very few files that should be there.

DiskStation> ls -l /etc/httpd/sites-enabled/*.conf

-rw-r--r--    1 root     root           336 Mar 20  2014 /etc/httpd/sites-enabled/SYNO.SDS.App.FileStation3.Instance.alt_port.conf
-rw-r--r--    1 root     root           515 Mar 20  2014 /etc/httpd/sites-enabled/SYNO.SDS.App.FileStation3.Instance.alt_port_ssl.conf
-rw-r--r--    1 root     root           337 Oct 26  2013 /etc/httpd/sites-enabled/SYNO.SDS.AudioStation.Application.alias.conf
lrwxrwxrwx    1 root     root            79 Jun  4 02:15 /etc/httpd/sites-enabled/ssliveview.alias.conf -> /var/packages/SurveillanceStation/target/ui/apache_module/ssliveview.alias.conf
lrwxrwxrwx    1 root     root            75 Jun  4 02:15 /etc/httpd/sites-enabled/ssrtsp.alias.conf -> /var/packages/SurveillanceStation/target/ui/apache_module/ssrtsp.alias.conf

SYNO.SDS.App.FileStation3.Instance.alt_port.conf

Listen 7000
NameVirtualHost *:7000
<VirtualHost *:7000>
SetEnv REWRITE_APP SYNO.SDS.App.FileStation3.Instance

RewriteEngine on
RewriteOptions Inherit
Include conf/extra/httpd-alt-port-rewrite-default.conf
</VirtualHost>

SYNO.SDS.App.FileStation3.Instance.alt_port_ssl.conf

Listen 7001
NameVirtualHost *:7001
<VirtualHost *:7001>
SetEnv REWRITE_APP SYNO.SDS.App.FileStation3.Instance

SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key
SSLEngine on

RewriteEngine on
RewriteOptions Inherit
Include conf/extra/httpd-alt-port-rewrite-default.conf
</VirtualHost>

SYNO.SDS.AudioStation.Application.alias.conf

RewriteEngine on

RewriteRule ^/audio$ /usr/syno/synoman/webman [L,E=REWRITE_APP:SYNO.SDS.AudioStation.Application]
RewriteRule ^/audio/(.*) /usr/syno/synoman/webman/$1 [L,E=REWRITE_APP:SYNO.SDS.AudioStation.Application]

/etc/httpd/sites-enabled/ssliveview.alias.conf

<IfModule !ssliveview_module>
        LoadModule ssliveview_module modules/mod_ssliveview.so
</IfModule>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files liveview_src.cgi>
                SetHandler ssliveview_handler
        </Files>
</Directory>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files get_camstatus.cgi>
                SetHandler ssliveview_handler
        </Files>
</Directory>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files cmsRedirect.cgi>
                SetHandler ssliveview_handler
        </Files>
</Directory>

ssrtsp.alias.conf

<IfModule !ssrtsp_module>
        LoadModule ssrtsp_module modules/mod_ssrtsp.so
</IfModule>

<Directory "/usr/syno/synoman/webman/3rdparty/SurveillanceStation/cgi/">
        <Files rtsp.cgi>
                SetHandler ssrtsp_handler
        </Files>
</Directory>

Let’s have a look at this file - not sure if that is where the secure site operates at.

That section seems to be missing a lot.
Plus I don’t see where it ends…
Try using 3 backticks before and after your added text.
Like:
```
your text
```

I have edited my posts to insert 3 backticks. I hope it is helpful.


I fail to find this location anywhere in your post:

I do see that is the cert path, no need to show the file.

Found it:

I guess you could put a test file in that location and see if it is accessible from the Internet.
echo "test" >> /var/lib/letsencrypt/.well-known/acme-challenge/test-file
http://your.domain/.well-known/acme-challenge/test-file

I tested a file; on the local network I can access it without problem.
From the internet I get a timeout; my NAS is very slow. So I rebooted it, but afterwards I still get a timeout from the internet.

Which internal IP does your router port forward ports 80 and 443 to?
Is that the same IP as the NAS?
[be sure your ISP is not blocking port 80]

I get this for port 80 from outside:

curl -Iki http://home.rolland.net/
curl: (7) Failed to connect to home.rolland.net port 80: No route to host

and these for port 443:

curl -Iki https://home.rolland.net/
curl: (7) Failed to connect to home.rolland.net port 443: Connection refused

curl -Iki https://home.rolland.net/
HTTP/1.1 403 Forbidden
Date: Thu, 04 Jun 2020 08:17:01 GMT
Server: Apache
Last-Modified: Tue, 26 Apr 2016 09:33:13 GMT
ETag: "1e5-5315ffb666840"
Accept-Ranges: bytes
Content-Length: 485
Vary: Accept-Encoding
Content-Type: text/html

I checked the NAT configuration: internet port 80 was translated to a wrong IP on my local network.
I changed the config and ran the certificate renewal again.

Now HTTP access changed but is still unable to find the test file:

curl -Iki http://home.rolland.net/.well-known/acme-challenge/test-file
HTTP/1.1 404 Not Found
Date: Thu, 04 Jun 2020 08:24:07 GMT
Server: Apache
Last-Modified: Tue, 26 Apr 2016 09:33:13 GMT
ETag: "1e5-5315ffb666840"
Accept-Ranges: bytes
Content-Length: 485
Vary: Accept-Encoding
Content-Type: text/html

The file name is: testMR.html

Don’t end it with .html
That doesn’t match the file type that will be used.

OK, the acme.sh script is in progress and I passed the check successfully.

Then the problem has been fixed.
You’re welcome.

Yes:

[Thr Jun  4 10:25:13 CEST 2020] Cert success.
[Thr Jun  4 10:25:13 CEST 2020] Your cert is in  /volume1/homes/admin/acme/home.rolland.net/home.rolland.net.cer
[Thr Jun  4 10:25:13 CEST 2020] Your cert key is in  /volume1/homes/admin/acme/home.rolland.net/home.rolland.net.key
[Thr Jun  4 10:25:13 CEST 2020] APP
[Thr Jun  4 10:25:13 CEST 2020] Your cert is in  /volume1/homes/admin/acme/home.rolland.net/home.rolland.net.cer
[Thr Jun  4 10:25:13 CEST 2020] Your cert key is in  /volume1/homes/admin/acme/home.rolland.net/home.rolland.net.key
[Thr Jun  4 10:26:04 CEST 2020] Run reload cmd: /usr/syno/sbin/synoservicecfg --reload httpd-sys
[Thr Jun  4 10:26:07 CEST 2020] Reload success

To sum up:

  • my server wasn't serving HTTP requests on port 80 => I started the web server on port 80
  • the NAT on my Freebox had no port translation for port 80 => I added it in the Freebox admin console
  • I upgraded acme.sh with the command: ./acme.sh --upgrade
  • I copied my domain directory to the new acme directory: cp -p -R home.rolland.net/ /volume1/homes/admin/acme
  • I renewed my certificate with this command: ./acme.sh --renew -d home.rolland.net
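The probe suggested earlier in the thread (drop a file in the acme-challenge directory and fetch it from outside) and the diagnosis the thread worked through step by step (no route / connection refused / 404 / 200), as one added shell example. This is not code from the original posts or from acme.sh. The webroot path is taken from the Alias in the posted httpd.conf and the domain from the curl output; both are assumptions to change for your own NAS, and the `.probe` body format, the `--run` flag and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an HTTP-01 challenge
# file placed in the DSM acme-challenge webroot is reachable from outside.
# WEBROOT and DOMAIN are assumptions taken from the thread; override them
# in the environment for your own NAS.
WEBROOT="${WEBROOT:-/var/lib/letsencrypt/.well-known/acme-challenge}"
DOMAIN="${DOMAIN:-home.rolland.net}"

# Create a probe file whose name looks like an ACME token: 43 chars from the
# base64url alphabet and, importantly, no extension. A name ending in .html
# does not match what the ACME client will write, and with MultiViews on
# DSM's web directories an extension can also change how the file is looked up.
# Prints the file name on stdout; the file body is "<token>.probe".
make_probe() {
    webroot="$1"
    token=$(tr -dc 'A-Za-z0-9_-' </dev/urandom | head -c 43)
    printf '%s.probe\n' "$token" > "$webroot/$token"
    echo "$token"
}

# Map a curl exit code plus the HTTP status it saw to the diagnosis the
# thread reached: connect failures mean NAT/firewall/ISP, a timeout means
# traffic is forwarded to the wrong host, a 404 means the web server answers
# but the Alias/webroot or file name is wrong.
classify() {
    curl_rc="$1"; http_code="$2"
    case "$curl_rc" in
        0)
            case "$http_code" in
                200) echo "ok: file served from the challenge directory" ;;
                404) echo "webserver reachable but challenge file not found: check Alias/webroot and file name" ;;
                403) echo "webserver reachable but access denied: check the <Directory> allow rules" ;;
                *)   echo "webserver reachable, unexpected HTTP status $http_code" ;;
            esac ;;
        7)  echo "connection failed: port 80 not forwarded to this NAS, or blocked by firewall/ISP" ;;
        28) echo "timeout: NAT forwards port 80 to the wrong host or traffic is dropped" ;;
        *)  echo "curl failed with exit code $curl_rc" ;;
    esac
}

# Is anything listening on TCP port 80 on this box? (busybox netstat on DSM)
listening_on_80() {
    netstat -tln 2>/dev/null | grep -q ':80[[:space:]]'
}

# Fetch the probe over plain HTTP (HTTP-01 validation always starts on
# port 80) and compare the body, not just the status code. Returns 0 on match.
probe() {
    token="$1"
    url="http://$DOMAIN/.well-known/acme-challenge/$token"
    out=$(curl -s -m 15 -o - -w '\n%{http_code}' "$url")
    rc=$?
    http_code=$(printf '%s\n' "$out" | tail -n 1)
    content=$(printf '%s\n' "$out" | sed '$d')
    echo "$url -> $(classify "$rc" "$http_code")"
    [ "$rc" -eq 0 ] && [ "$http_code" = 200 ] && [ "$content" = "$token.probe" ]
}

main() {
    if [ ! -d "$WEBROOT" ]; then
        echo "challenge directory $WEBROOT does not exist; create it first" >&2
        exit 2
    fi
    listening_on_80 || echo "warning: nothing is listening on port 80 on this host" >&2
    token=$(make_probe "$WEBROOT")
    probe "$token"; result=$?
    rm -f "$WEBROOT/$token"     # never leave probe files behind
    exit $result
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root on the NAS with `sh probe.sh --run`. One caveat from the thread: the poster could reach the file from the LAN but not from the internet, and running curl on the NAS against its own public name only exercises the router's NAT loopback. Use `make_probe` on the NAS, then run `probe` (or a plain curl with the printed token) from a host outside your network, such as a phone on mobile data, before trusting a green result.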