Synology DSM - cannot update LE certificate anymore


#1

My domain is: camels.duckdns.org

I ran this command: Update Certificate / Create certificate in Synology DSM (NAS operating system)

It produced this output: none - my LE certificate expired and even trying to get something to run via SHELL I cannot produce any output anymore (tried syno-letsencrypt new-cert -camels.duckdns.org -[…]@gmail.com -v)

My web server is (include version): Synology NAS

The operating system my web server runs on is (include version): DSM 6.2.1-23824 Update 4

My hosting provider, if applicable, is: for DynDNS it’s duckdns.org

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DSM 6.2.1-23824 Update 4

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): -

I have updated my certificate every three months for like two years now; however, in January 2019 the process failed. While I was unable to change anything about the situation, my certificate expired in the meantime.

Hope someone can help, pls?

PS: There is just the one “Honeypot” webpage with actually nothing behind it. Made it just to demo it works and can be reached.


#2

Hi @DCA

Synology DSM is a “closed world”. So it’s difficult to find errors.

There was a global switch: Tls-sni-01 is deprecated, support ends 2019-02-13. Perhaps your DSM has used the deprecated method and now hangs.

So first step: Check if there are updates.

Now, the preferred method to validate a domain is http-01 validation. I see, you have already checked your domain via https://check-your-website.server-daten.de/?q=camels.duckdns.org

That looks good:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://camels.duckdns.org/ (46.91.38.222) | 200 | | 0.070 | H |
| http://www.camels.duckdns.org/ (46.91.38.222) | 200 | | 0.064 | H |
| https://camels.duckdns.org/ (46.91.38.222) | 200, Certificate error: RemoteCertificateChainErrors | | 1.760 | N |
| https://www.camels.duckdns.org/ (46.91.38.222) | 200, Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | 1.494 | N |
| http://camels.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (46.91.38.222) | 404 Not Found | | 0.086 | A |
| http://www.camels.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (46.91.38.222) | 404 Not Found | | 0.083 | A |

Port 80 is open. An ACME client creates a file in /.well-known/acme-challenge, and Let’s Encrypt checks this file. So the answer http status 404 is good.


Mhm. Checking https://archive.synology.com/download/DSM/release/6.2.1/23824/, it looks like this is the newest version (I don’t use DSM). But it looks like there is an Update 5.
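
The http-01 check described in post #2, as an added example that is not part of the original thread or of any Synology or Let's Encrypt tool: a probe that fetches a challenge URL and tells apart "file served", "404", "wrong content" and "port unreachable". The names `probe`, `serve` and `demo`, the loopback stand-in server and the token values are assumptions constructed for the demonstration.

```python
import functools, http.server, pathlib, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path that http-01 validation fetches
# Opener that ignores any proxy configured in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, token, expected_body, timeout=2):
    """Fetch a challenge URL over plain HTTP and classify the answer."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as exc:      # server answered, e.g. with 404
        return f"http-{exc.code}"
    except (urllib.error.URLError, OSError):   # port closed, DNS failure, timeout
        return "unreachable"
    return "ok" if body == expected_body else "wrong-content"

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging in the demo
        pass

def serve(webroot):
    # Stand-in web server on a free loopback port, serving files from webroot.
    handler = functools.partial(QuietHandler, directory=str(webroot))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    # Constructed sample values; a real file holds token + "." + account key thumbprint.
    token, key_auth = "constructed-token", "constructed-token.constructed-thumbprint"
    with tempfile.TemporaryDirectory() as tmp:
        challenge = pathlib.Path(tmp) / CHALLENGE_DIR
        challenge.mkdir(parents=True)
        (challenge / token).write_text(key_auth)  # the file an ACME client creates
        server = serve(tmp)
        base = f"http://127.0.0.1:{server.server_address[1]}"
        results = {
            "present": probe(base, token, key_auth),
            "missing": probe(base, "no-such-token", key_auth),
            "stale": probe(base, token, "token.other-thumbprint"),
        }
        server.shutdown()
        server.server_close()
        results["port closed"] = probe(base, token, key_auth)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12} {verdict}")
```

The "missing" case is the one the table above shows: a 404 for a made-up token means port 80 reaches the web server and the path is not redirected or blocked.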


#3

Thanks for the reply. Unfortunately this update is for a few dedicated NAS only. Not for my DS214+…

Seems I can only hope for an update to fix whatever is broken.


#4

Isn’t there an error log or something else with more information?


#6

My original certificate expired, so I cannot work on that one anymore. No old logs in the system (it’s actually not logging in depth, it seems).

I tried to create a new cert via SSH. This happened:

syno-letsencrypt new-cert -d camels.duckdns.org -m […]@gmail.com -v
DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Email: […]@gmail.com
DEBUG: Domain: camels.duckdns.org
DEBUG: ==========================
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Not found registed account. do reg-new.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/reg/51213672
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/reg/51213672
{"error":202,"file":"client.cpp","msg":"Failed to create folder for account."}

Is that a local error on my NAS?

(Sorry, needed to revoke original post, had my email in there…)