Synology and "invalid" domain (+ English version)


  • I can read responses in English: yes
  • My domain name is: nasdoury.ovh
  • I ran this command: on Synology DSM
  • It produced this output: Echec de connection à Letsencrypt. Assurez vous que le nom de domaine est valide
  • My web server is (include version): apache 2.4
  • The operating system my web server runs on is (include version): DSM
  • My hosting provider, if applicable, is: OVH (domain name only)
  • I can login to a root shell on my machine (yes or no, or I don't know): yes
  • I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DSM 6.2.2-24922 Update 4


For several days I have been struggling to install an LE certificate in order to secure access to my NAS.
I ordered the domain name nasdoury.ovh, added a DNS A zone that points to my public IP address.

The http connection works.

When I use the DSM utility to create an LE certificate, it tells me the error:
Failed to connect to Letsencrypt. Make sure that the domain name is valid

I forwarded the ports on my box (80,443,778-888,5000,5001), disabled the firewall on my NAS, all those access ports seem to be reachable > https://www.yougetsignal.com/tools/open-ports/

I don’t know what to do anymore… Anyone to help me? I can’t figure out the errors listed here: https://check-your-website.server-daten.de/?q=nasdoury.ovh

1 Like

Can you please try clearing your “Allow/Block List” in Synology DSM?

More info here: https://www.synology.com/en-us/knowledgebase/SRM/help/SRM/RouterApp/security_autoblock

3 Likes

Thanks @_az for your suggestion, unfortunately that didn’t do the trick :frowning:

Always the same error message

Should I add some IP address in the “white list”? I don’t get how it would help but I’m looking for anything to help me ^^

Hi @guilhem

that’s curious:

Your http + / has a timeout. But http + /.well-known/acme-challenge/random-filename answers with a (wrong) Forbidden and a Synology page.

Same with your www version. There is no server header.

Looks like there is another instance that blocks /, but allows /.well-known/acme-challenge.

What says

nslookup acme-v02.api.letsencrypt.org
tracert acme-v02.api.letsencrypt.org
curl https://acme-v02.api.letsencrypt.org/

same with www.google.com or another domain?

1 Like
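The distinction drawn above (a timeout on / versus a Forbidden on the challenge path) can be reproduced from any machine with this added diagnostic, which is not code from this thread or from Synology: it fetches both paths over plain HTTP the way an HTTP-01 validator does and classifies the answer. The token is a constructed placeholder, and the result only reflects the vantage point the script runs from.

```python
# Added diagnostic example (not from this thread): probe the HTTP-01 challenge
# path the way Let's Encrypt's validator would, and interpret the answer.
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
# Constructed placeholder; a real validation uses the token the CA hands out.
PLACEHOLDER_TOKEN = "diag-token-not-a-real-challenge"


def challenge_url(domain: str, token: str = PLACEHOLDER_TOKEN) -> str:
    """Build the plain-HTTP URL the CA fetches for an HTTP-01 challenge."""
    return f"http://{domain}{ACME_PATH}{token}"


def probe(url: str, timeout: float = 10.0, opener=urllib.request.urlopen):
    """Fetch url; return (status, server_header). status is None if nothing answers.

    `opener` is injectable so the logic can be exercised without a network.
    urllib follows redirects, so a 301/302 to https shows up as the final status.
    """
    try:
        with opener(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:        # server answered with 4xx/5xx
        return err.code, err.headers.get("Server", "")
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return None, str(err)                    # timeout, refused, DNS failure


def diagnose(status) -> str:
    """Map the answer on the challenge path to what it means for HTTP-01."""
    if status is None:
        return "unreachable: port 80 never answered from here (forwarding, ISP or regional filter)"
    if status == 404:
        return "ok: 404 for an unknown token is the expected answer before a challenge is placed"
    if status == 403:
        return "forbidden: another component answers the ACME path before the client can serve the token"
    if 200 <= status < 300:
        return "unexpected 2xx: something serves content for any token; check which vhost owns port 80"
    return f"http {status}: inspect which service answers on port 80"


def check(domain: str, opener=urllib.request.urlopen) -> dict:
    """Probe / and the challenge path, as the external checks quoted above do."""
    root_status, _ = probe(f"http://{domain}/", opener=opener)
    acme_status, server = probe(challenge_url(domain), opener=opener)
    verdict = diagnose(acme_status)
    if root_status is None and acme_status is not None:   # the pattern seen in this thread
        verdict += "; / times out while the ACME path answers, so a different component is in front of /"
    return {"root_status": root_status, "acme_status": acme_status, "server": server, "verdict": verdict}
```

Run `check("nasdoury.ovh")` from a host outside your own network; running it from the NAS or the VPS itself will not show what a geo or regional filter does to connections arriving from elsewhere.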

I’m currently uninstalling Apache / PhpMyadmin / Web station on my NAS, because I think a previous install of Nextcloud may have made a mess ^^

Here are the commands:

$ nslookup acme-v02.api.letsencrypt.org
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org	canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org	canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:	ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248



$ tracert acme-v02.api.letsencrypt.org
-sh: tracert: command not found


$ curl https://acme-v02.api.letsencrypt.org/
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content=
  "width=device-width, initial-scale=1">

  <title>Boulder: The Let's Encrypt CA</title>
  <link href=
  "//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css"
  rel="stylesheet" type="text/css">
  <link href=
  "//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"
  rel="stylesheet" type="text/css">
</head>

<body>
  <div class="container-fluid">
<div class="row">
  <div class="col-xs-6 text-right">
    <p style="font-size: 90px;">
    <i class="fa fa-barcode"></i></p>
  </div>

  <div class="col-xs-6 text-left">
    <h1>Boulder<br>
    <small>The Let's Encrypt CA</small></h1>
  </div>
</div>

<div class="row">
  <div class="col-xs-8 col-xs-offset-2 text-center">
    <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </div>
</div>
<div class="row">
  <div class="col-xs-4 col-xs-offset-2 text-center">
    <p><a href="https://letsencrypt.status.io" title="Twitter">
      <i class="fa fa-area-chart"></i>
      Service Status (letsencrypt.status.io)
    </a></p>
  </div>
  <div class="col-xs-4 text-center">
    <p><a href="https://twitter.com/letsencrypt" title="Twitter">
      <i class="fa fa-twitter"></i>
      Check with us on Twitter
    </a></p>
  </div>
</div> <!-- row -->
  </div>


</body>
</html>

If tracert doesn’t work, use traceroute.

That must be the same machine where your Letsencrypt client runs.

But curl says: You can connect to the API.

1 Like

Here it is:

$ traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * po110.gra-z1g1-a75.fr.eu (92.222.62.181)  146.543 ms po110.gra-z1g2-a75.fr.eu (92.222.62.183)  146.455 ms
 7  be120.gra-d2-a75.fr.eu (37.187.232.78)  146.465 ms be121.gra-d1-a75.fr.eu (37.187.232.76)  146.543 ms be120.gra-d1-a75.fr.eu (37.187.232.74)  146.457 ms
 8  10.95.33.8 (10.95.33.8)  147.982 ms  147.952 ms 10.95.33.10 (10.95.33.10)  147.938 ms
 9  be100-1110.th2-1-a9.fr.eu (213.186.32.215)  150.682 ms  151.468 ms  151.442 ms
10  equinix-paris.cloudflare.com (195.42.144.143)  154.426 ms  154.312 ms be100-2.th2-1-a9.fr.eu (37.187.36.214)  152.100 ms
11  * equinix-paris.cloudflare.com (195.42.144.143)  154.353 ms *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

1 Like

Also I made some changes in my router but I can’t get it to work:

https://letsdebug.net/nasdoury.ovh/98489

And : https://check-your-website.server-daten.de/?q=nasdoury.ovh

That says: It works. http + /.well-known/acme-challenge/random-filename - there is a Synology answer.

No timeout.

Maybe you have additional regional blockings, so Berlin works, but other ip addresses not.

Letsdebug has a timeout -> regional filter.

1 Like

Ok… So now I’ll try to understand what it means :wink:

As I’m using OpenMPTCPRouter, all my traffic goes through a VPS, maybe the regional filter stands there? I’ll make some tests right now

1 Like

So… I did not manage to understand the problem.
What could be this “regional filter” you are talking about @JuergenAuer ?

For example, this could happen if your Internet service provider, VPS provider, or router has a firewall which blocks connections from other countries.

1 Like

Thank you, I’ll investigate that way :wink: