Synology fails to get certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

When I run the wizard to get a new certificate I get the following error: Please check if your IP address, reverse proxy rules, and firewall settings are correctly configured and try again.
My domain is: kildare.mooo.com

I ran this command: curl -I https://acme-v02.api.letsencrypt.org

It produced this output:
HTTP/2 200
server: nginx
date: Thu, 20 Apr 2023 16:15:23 GMT
content-type: text/html
content-length: 1540
last-modified: Thu, 23 Jun 2022 21:17:41 GMT
etag: "62b4d875-604"
x-frame-options: DENY
strict-transport-security: max-age=604800

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): The Synology natively does not have certbot. However, the Synology DSM version is 7.1.1-42962 Update 5

I have run this command from the unit: curl -Iki http://dns.thelazyfox.xyz/.well-known/acme-challenge/test

I got this result:
HTTP/1.1 522
Date: Thu, 20 Apr 2023 16:26:37 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=2GGJVCigNzxI87zh5ACpgkNQDMh9S4EVI4C3P8GI5OooftfQHzNdxpcw0N4ZuXqPwTuhCBgdGL2Lob1UKu814jSYHKOoeVWrrkB7RH%2F0GZ4lnSPFYzKH3oWZAqFWQNhjn4DmUfg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7baebf41f8c08dae-MIA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

When I run certbot renew --dry-run
I get this result: -sh: certbot: command not found

I don't believe that the Synology has the option to install certbot, so I am stuck with the GUI-only option...

Which domain name are you trying to get a cert for? The domain names you show are configured very differently. One is using Cloudflare's proxied DNS (their CDN) and the other is an IP with Spectrum.

3 Likes

Hi @synologydva, and welcome to the LE community forum :)

I don't quite follow the curl troubleshooting...
What does "dns.thelazyfox.xyz" have to do with "kildare.mooo.com"?

Is there any update available?

2 Likes

I was just following the example. The domain I'm trying to get a cert for is kildare.mooo.com

I have the latest update as of yesterday!

1 Like

I am able to verify that port 80/443 are open via hostname or IP. However, it still fails to get the certificate. I watch the traffic going both ways with no denies and it still fails??

Here is what I see

$ curl -Ii http://kildare.mooo.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 20 Apr 2023 19:26:19 GMT
Content-Type: text/html
Content-Length: 11939
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
ETag: "62a83cc4-2ea3"
1 Like

That might be firewall related. Depending on the packet sent it may autoblock. Give it 5 minutes and try again. I will manually remove all of the blocks. However, it fills up pretty fast..

Right now

$ curl -Ii http://kildare.mooo.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 20 Apr 2023 20:18:04 GMT
Content-Type: text/html
Content-Length: 11939
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
ETag: "62a83cc4-2ea3"

I see the certificate being served is a self-signed certificate.

$ openssl s_client -showcerts -servername kildare.mooo.com -connect kildare.mooo.com:443 < /dev/null
CONNECTED(00000003)
depth=0 C = TW, L = Taipel, O = Synology Inc., CN = synology
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = TW, L = Taipel, O = Synology Inc., CN = synology
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = TW, L = Taipel, O = Synology Inc., CN = synology
verify return:1
---
Certificate chain
 0 s:C = TW, L = Taipel, O = Synology Inc., CN = synology
   i:C = TW, L = Taipel, O = Synology Inc., CN = Synology Inc. CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 20 18:03:53 2023 GMT; NotAfter: Apr 20 18:03:53 2024 GMT
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=C = TW, L = Taipel, O = Synology Inc., CN = synology
issuer=C = TW, L = Taipel, O = Synology Inc., CN = Synology Inc. CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1510 bytes and written 398 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE
1 Like
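The two probes in the posts above (a 403 from nginx on the acme-challenge path, and openssl s_client showing a Synology-issued self-signed certificate on 443) are exactly what a pre-flight check should interpret before re-running the wizard. The script below is an added example, not code from the thread, from Synology or from Let's Encrypt. It makes the same plain-HTTP request on port 80 that the validator does and turns the response into a verdict, and it parses `openssl s_client` output to tell a publicly trusted chain from the appliance default. The token name, the User-Agent string and the `SAMPLE_S_CLIENT` text are assumptions constructed for the example; the domain argument defaults to a placeholder.

```python
"""HTTP-01 pre-flight for a domain behind a NAS/proxy (added example).

Fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP on
port 80, roughly as the Let's Encrypt validator does, and explains the result.
`classify()` is pure so it can be exercised on constructed responses;
`probe()` performs the live request; `parse_s_client()` reads `openssl
s_client` output to tell whether the certificate on 443 is the appliance's
self-signed default rather than a publicly trusted one.
"""
import re
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def classify(status, headers, body, expected=None):
    """Return (verdict, explanation) for one response to the challenge URL.

    status   int HTTP status, or None when no HTTP response came back at all
    headers  response headers (any case); body: decoded response body
    expected the key authorization the token file should contain, if known
    """
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "").lower()
    if status is None:
        return ("unreachable", "no HTTP response on port 80: check the port forward, "
                "the firewall, and any auto-block rule the probe may have tripped")
    if status == 200:
        if expected is None:
            return ("ok", "port 80 reaches the web server and the path is routed")
        if body.strip() == expected:
            return ("ok", "token served with the expected key authorization")
        return ("wrong-content", "HTTP 200 but the body is not the key authorization: "
                "a different vhost or host answered, or the file is stale")
    if status in (301, 302, 307, 308):
        loc = h.get("location", "")
        if loc.startswith(("http://", "https://")):
            return ("redirect", f"validator follows redirects; {loc} must serve the token")
        return ("bad-redirect", f"redirect to a location the validator cannot follow: {loc!r}")
    if status == 403:
        return ("forbidden", f"{server or 'the web server'} denies {ACME_PATH}: the process "
                "answering on port 80 is not the ACME client's challenge responder")
    if status == 404:
        return ("not-found", "path is routed but the token is missing: the challenge file "
                "is written somewhere the served web root does not cover")
    if status in (502, 503, 504) or ("cloudflare" in server and 520 <= status <= 524):
        return ("origin-down", f"{server or 'the proxy'} returned {status}: the proxy/CDN "
                "in front of the domain could not reach the origin on port 80")
    return ("other", f"unexpected HTTP {status} from {server or 'unknown server'}")


def probe(domain, token="preflight-test", timeout=10):
    """Live check. urllib follows redirects itself, so only the final hop is
    classified; 4xx/5xx surface as HTTPError and are classified the same way."""
    req = urllib.request.Request(f"http://{domain}{ACME_PATH}{token}",
                                 headers={"User-Agent": "acme-preflight/0.1"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return classify(None, {}, "")


# Constructed sample modelled on the thread's openssl output; not a real capture.
SAMPLE_S_CLIENT = """\
subject=C = TW, L = Taipei, O = Synology Inc., CN = synology
issuer=C = TW, L = Taipei, O = Synology Inc., CN = Synology Inc. CA
---
Verify return code: 21 (unable to verify the first certificate)
"""


def parse_s_client(output):
    """Extract subject, issuer and verify code from `openssl s_client` output.

    Verify code 0 is "ok". Codes 18-21 all mean the chain does not end at a CA
    in the local trust store (self-signed leaf, self-signed root in chain,
    issuer not found, first certificate unverifiable); on a public hostname
    that means the ACME-issued certificate is not the one being served.
    """
    def grab(pattern):
        m = re.search(pattern, output, re.M)
        return m.group(1).strip() if m else None
    code = grab(r"^Verify return code: (\d+)")
    return {"subject": grab(r"^subject=(.*)$"),
            "issuer": grab(r"^issuer=(.*)$"),
            "verify_code": int(code) if code else None,
            "publicly_trusted": code == "0"}


if __name__ == "__main__":
    dom = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder domain
    verdict, why = probe(dom)
    print(f"{dom}: {verdict}: {why}")
```

Run it from outside the LAN, since a port-forward or hairpin-NAT problem is invisible from inside. A 403 from the appliance's own nginx, as in the thread, means the request did reach the NAS but the wizard's challenge responder was not the thing answering; a 522 from Cloudflare means the request never got past the proxy to the origin.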

In what system/software?

2 Likes

In my Firebox. I'm seeing a 100-fold increase in penetration attempts, so for now I am going to close the ports, do more reading and see what I can come up with.

Can you "teach" it to allow specific URL [paths]?
Like:
http://your.domain/.well-known/acme-challenge/*

3 Likes

I believe so. Currently there are only 2 ports open, 80/443. However, if it receives what it considers an unhandled packet, it auto-blocks. Interestingly enough, I am only having issues with getting a cert - go figure.
