Synology DSM 6 problem, cannot reach LE server

I’m trying to use the Synology DSM 6 built-in procedure for obtaining a certificate from Let’s Encrypt. But after entering the required details and clicking “Apply”, all I get is a circling cursor for a very long time, and finally a message saying “No response from the destination server. Please try again later.” Going into my NAS using ssh and looking at /var/log/messages, I find the error message is “certificate.cpp:1359 Failed to create Let’sEncrypt certificate. [100][Server is not reachable.]”. That sounds to me as though my request is never getting through to a Let’s Encrypt server, rather than that Let’s Encrypt is failing to contact my server for challenges etc - but I am new to this area so may be misunderstanding. Any suggestions would be very welcome. I did read, elsewhere in this forum, that there might be some oddities with LE depending on where you’re located - I am in the UK. Thanks for any help.

1 Like

Without you posting full logs, it’s hard to tell, but your analysis sounds correct at first glance. Are you sure this system is able to connect to the internet and there aren’t any firewalls preventing access in either direction?

Thank you jared.m, that is helpful. If it is not too much trouble, can you tell me where to find the logs you’d need to know more? Although I am familiar with the unix cli, I am not used to looking around in the system areas. Many thanks.

Unfortunately, I’m not familiar enough with the internal workings of Synology to know where it puts those off the top of my head. If the “built-in” method is just calling Certbot for you (which is a very plausible possibility), then the logs will reside in /var/log/letsencrypt, but if it’s Synology’s own code you would need to figure that out from their documentation.

OK, I have had a fish around the /var/log directory to see what is getting updated. There isn’t any /var/log/letsencrypt directory. There’s a /var/log/synolog directory, and some files in it that are getting updated, but none of them seem to be human-readable. But then I found a file called /var/log/upstart/synoscgi.log, and that has an entry “500 Internal Server Error: cannot reset credential (/usr/syno/synoman/webman/csp_report.cgi)” corresponding to every time I have tried to run the Let’s Encrypt procedure. There’s a good reason why it can’t reset the credentials on that file, which is that it doesn’t exist. Does any of this lot mean anything, or is it just epiphenomenal? I’m beginning to think I need to raise a support ticket with Synology - generally the last resort of the desperate.

Yeah, unfortunately at this point you’re entering Synology territory. I don’t have a Synology box to test on, nor does anyone else who normally helps here (to the best of my knowledge) and that error is definitely Synology-specific.

If you get an answer, it would be great if you updated the thread with it to help others experiencing this issue in the future!

Thanks for your help. I have already posted the query on the Synology forum, and if I can wring anything out of Synology before this post closes in a month’s time, I will certainly update here.

To go back to your first comment, I am pretty sure that all necessary ports are open (I have used canyouseeme.org on them), but I guess there might be some other way the firewall is blocking things, which I don’t understand. But even if there is, that looks like a Synology failure, since their wizard is supposed to do the whole Let’s Encrypt thing for you.

Can you see this URL in a web browser on a computer using the same Internet connection?

https://acme-v01.api.letsencrypt.org/directory

If it is working correctly, you should see a list of URLs for various functions of the Let’s Encrypt CA in JSON, a computer-readable format.

Can you ping that server from the Synology host’s command line?

ping -c5 acme-v01.api.letsencrypt.org

If you’re not familiar with this command: a successful ping will show 0% packet loss at the end.

These steps will identify whether something is really blocking your connection to the Let’s Encrypt API servers. If both work, then you’re just experiencing some sort of bug with the Synology client.

Thank you Patches, that is really helpful. I have tried both the tests you suggest, and both succeed: I get the JSON list of URLs, and the ping works and gives 0% packet loss (so long as I am operating as root on an ssh session on the Synology). Looks more and more like a bug in the Synology code - not all that unlikely since their Let’s Encrypt wizard is a recently introduced feature.

I have now resolved this problem with the help of Synology support (whom I somewhat traduced in an earlier posting - they turned out to be extremely helpful and efficient). The issue was that the Synology network settings by default have IPv6 use set to “Auto”, and in my location (the UK) that causes problems because IPv6 is not in fact used. Setting IPv6 use to “Off” (for Synology users, go to Control Panel > Network > Network Interface > Edit > IPv6) resolved the problem and enabled me to reach LE and get a certificate issued. Thank you to all those on this forum who thought about this problem.

3 Likes
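
The fix in this thread turned on the address family: the browser and ping checks passed, yet the client failed until IPv6 was switched off. The following is an added example, not part of the original thread and not Synology or Let's Encrypt code; it probes TCP port 443 separately over IPv4 and IPv6. The function names `probe` and `diagnose` are hypothetical, and the default hostname is the one quoted earlier in the thread.

```python
import socket
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def probe(host, port, family, timeout=5.0):
    """Try a TCP connect to host:port using only one address family.

    Returns (status, detail): status is "ok", "no-address" (no DNS record
    or family unsupported) or "unreachable" (address exists, connect failed).
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "no-address", str(exc)
    last_error = "no usable address"
    for fam, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(fam, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "ok", sockaddr[0]
        except OSError as exc:
            last_error = f"{sockaddr[0]}: {exc}"
    return "unreachable", last_error


def diagnose(host, port=443, timeout=5.0):
    """Probe both families and flag the mismatch described in the thread."""
    results = {name: probe(host, port, fam, timeout) for name, fam in FAMILIES.items()}
    v4, v6 = results["IPv4"][0], results["IPv6"][0]
    if v4 == "ok" and v6 == "unreachable":
        verdict = "IPv6 address published but not reachable: clients that prefer IPv6 may time out"
    elif v4 == "ok" or v6 == "ok":
        verdict = "reachable"
    else:
        verdict = "not reachable over either family"
    return results, verdict


if __name__ == "__main__":
    # Default target is the ACME host named in the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "acme-v01.api.letsencrypt.org"
    results, verdict = diagnose(target)
    for name, (status, detail) in results.items():
        print(f"{name}: {status} ({detail})")
    print(verdict)
```

An IPv4 result of "ok" alongside an IPv6 result of "unreachable" matches the situation described in the final post.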
