Hi,
just a quick question. Im trying to change the domain for my LE certificate on a Synology server.
Everytime i try to change it or create a new one, i get the error message that the server is not reachable (probably mine?).
So just as a test I tried renewing the old one and it went through in about two seconds…
Anyone have an idea why i cant replace the certificate or maybe how i can just change the domain?
Thanks
tail of my /var/log/messages :
2019-05-20T16:35:31+02:00 RS-Research synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[29549]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from http://transfer.briese-research.de/.well-known/acme-challenge/KmIGPPaKLwnoy9hch-tICADUWobbc1Wvibf2YSvFaiI [2001:8d8:100f:f000::28d]: “\n\nThe page is temporarily unavailable\n\nbody { font-family: Tahoma, Verdana, Arial, sans-serif;”]
2019-05-20T16:35:31+02:00 RS-Research synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[29549]: certificate.cpp:1392 Failed to create Let’sEncrypt certificate. [102][Invalid response from http://transfer.briese-research.de/.well-known/acme-challenge/KmIGPPaKLwnoy9hch-tICADUWobbc1Wvibf2YSvFaiI [2001:8d8:100f:f000::28d]: “\n\nThe page is temporarily unavailable\n\nbody { font-family: Tahoma, Verdana, Arial, sans-serif;”]
2019-05-20T16:38:37+02:00 RS-Research synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[30019]: certificate.cpp:973 syno-letsencrypt failed. 102 [Invalid response from http://transfer.briese-research.de/.well-known/acme-challenge/Mjof43ruV-hHMOkbsuBAO_FgV8oMriFJHkCKu0dLKLQ [2001:8d8:100f:f000::28d]: “\n\nThe page is temporarily unavailable\n\nbody { font-family: Tahoma, Verdana, Arial, sans-serif;”]
2019-05-20T16:38:37+02:00 RS-Research synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[30019]: certificate.cpp:1392 Failed to create Let’sEncrypt certificate. [102][Invalid response from http://transfer.briese-research.de/.well-known/acme-challenge/Mjof43ruV-hHMOkbsuBAO_FgV8oMriFJHkCKu0dLKLQ [2001:8d8:100f:f000::28d]: “\n\nThe page is temporarily unavailable\n\nbody { font-family: Tahoma, Verdana, Arial, sans-serif;”]
Hi @briese
checking your domain there is a problem ( https://check-your-website.server-daten.de/?q=transfer.briese-research.de ):
You have ipv4- and ipv6 - addresses:
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| transfer.briese-research.de | A | 217.6.47.139 | yes | 1 | 0 |
| AAAA | 2001:8d8:100f:f000::28d | yes | |||
| www.transfer.briese-research.de | A | 217.160.0.140 | yes | 1 | 0 |
| AAAA | 2001:8d8:100f:f000::28d | yes |
But your ipv6 doesn't work. http has a timeout, https isn't configured:
| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| • http://briese-group.de/ | 301 | http://briese.de | 0.090 | D |
| • http://www.briese-group.de | 301 | http://briese-group.de/ | 0.090 | D |
| • http://transfer.briese-research.de/ | ||||
| 217.6.47.139 | 302 | https://transfer.briese-research.de:5001/ | 0.504 | A |
| • http://transfer.briese-research.de/ | ||||
| 2001:8d8:100f:f000::28d | 302 | http://www.briese-group.de | 0.100 | D |
| • http://www.transfer.briese-research.de/ | ||||
| 217.160.0.140 | 302 | http://www.briese-group.de | 0.127 | D |
| • http://www.transfer.briese-research.de/ | ||||
| 2001:8d8:100f:f000::28d | 302 | http://www.briese-group.de | 0.090 | D |
| • http://briese.de | 200 | 0.957 | H | |
| • https://transfer.briese-research.de/ | ||||
| 217.6.47.139 | 200 | 2.200 | N | |
| Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | ||||
| • https://transfer.briese-research.de/ | ||||
| 2001:8d8:100f:f000::28d | -10 | 0.043 | P | |
| SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | ||||
| • https://www.transfer.briese-research.de/ | ||||
| 217.160.0.140 | -10 | 0.050 | P | |
| SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | ||||
| • https://www.transfer.briese-research.de/ | ||||
| 2001:8d8:100f:f000::28d | -10 | 0.044 | P | |
| SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | ||||
| • https://transfer.briese-research.de:5001/ | -14 | 10.027 | T | |
| Timeout - The operation has timed out | ||||
| • http://transfer.briese-research.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | ||||
| 217.6.47.139 | 403 | 0.040 | M | |
| Forbidden | ||||
| Visible Content: © 2018 Synology Inc. | ||||
| • http://transfer.briese-research.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | ||||
| 2001:8d8:100f:f000::28d | -14 | 10.027 | T | |
| Timeout - The operation has timed out | ||||
| Visible Content: | ||||
| • http://www.transfer.briese-research.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | ||||
| 217.160.0.140 | -14 | 10.027 | T | |
| Timeout - The operation has timed out | ||||
| Visible Content: | ||||
| • http://www.transfer.briese-research.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | ||||
| 2001:8d8:100f:f000::28d | -14 | 10.026 | T | |
| Timeout - The operation has timed out |
The timeout is critical because Letsencrypt checks a file via http + /.well-known/acme-challenge and prefers ipv6.
So
Removing the AAAA entry did the trick… Thanks for the suggestion! I wasn’t aware that v6 takes precedent over v4 with LE
Cheers mate
Yep, ipv6 is the future. So if a client has both addresses, Letsencrypt uses ipv6.
Now try to fix the ipv6.
Perhaps only a
Listen [::]:80
Listen [::]:443
directive is missing. You can check the configuration without creating a new AAAA record.
Use the ipv6 directly - https://check-your-website.server-daten.de/?q=2001%3A8d8%3A100f%3Af000%3A%3A28d
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.