Synology / Let's Encrypt certificate - Failed to connect to Let's Encrypt. Please make sure the domain is correct

I have a problem with getting a certificate from Let’s Encrypt via a Synology NAS (DS114).
It worked before (got working Let’s Encrypt certificates out of it), now it stopped working (both renew -and- request) and the certificates expired.
Since the renew didn’t work, I decided on advise from this forum to delete the old certificate and request a new one.

The error from Synology via the Let’s Encrypt message is:
Failed to connect to Let’s Encrypt. Please make sure the domain is correct.

My domain is: xsc.cloud

I ran this command:

• (Via SSH from Synology DSM) -> ping letsencrypt.org - succes
• (Via CMD from Windows PC) -> ping xsc.cloud - succes
• Enabled and/or disabled every checkbox on the Synology DSM - no change getting cert - same error
• Enabled and/or disabled Synology firewall - no change getting cert - same error

My web server is (include version): DSM 6.2

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes (SSH)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Synology DSM

Local configuration:
IP adress server: 80.57.207.79
Open ports on Synology: 887 (http) & 888 (https)
Open ports on Router: 80 (http) NAT to 887 & 443 (https) NAT to 888

Synology DSM forbids using port 80 and 443 directly, so NAT is the only option.

GoDaddy DNS configuration:
Domain name: xsc.cloud
A - @ - 80.57.207.79 - 1 hour
A - www - 80.57.207.79 - 1 hour
CNAME - _domainconnect - _domainconnect.gd.domaincontrol.com - 1 hour
MX - @ - smtp.secureserver.net (Priority: 0) - 1 hour
MX - @ - mailstore1.secureserver.net (Priority: 10) - 1 hour
NS - @ - ns39.domaincontrol.com - 1 hour
NS - @ - ns40.domaincontrol.com - 1 hour
SOA - @ Primary nameserver: ns39.domaincontrol.com. - 1 hour

I tried everything on the DSM, whatever I do, I keep getting the same message.

All DSM’s functionality is 100% operational by the way, it’s just the certificate.

My last solution would be a factory reset of the DSM, but before that I’ll give it a shot here

Hi @xsc

first step: Check, if there is an update.

There are some problems with DSM -> update -> the problem is gone.

Last topic:

I just updated to latest available DSM version (DSM 6.2.2-24922 Update 4) and now it works fine

PS: Checking your domain via https://check-your-website.server-daten.de/?q=xsc.cloud there are older checks, 4 hours old. There is no older certificate with that domain name, so it's your first certificate.

Thank you for your answer!

My DSM is already running version 6.2.2-24922-4 (auto update check every day)

The old certificate was on ds.xsc.cloud, which was a CNAME incread of an A record to xsc.cloud what it is now.

Via ds.xsc.cloud you can still see the old (expired) certificate via that website checker:
https://crt.sh/?q=ds.xsc.cloud

Do you have any other idea’s what I could do?

I don't use a DSM, but that may not work.

Knows the internal DSM, that port 887 is the http port?

Normally, DSM starts an own webserver and uses the standard ports.

And I don't know if the error message

is really a connection problem DSM -> Letsencrypt. Or if the error message is - simple - very unspecific.

So use port 80 extern -> port 80 intern.

Over 3 days I also run in trouble with getting a new certificate.
I know, it is nearly impossible. But, could it be a problem with the LetsEncrypt robot?

What I have done:
My linux laptop I #sudo apt install certbot
and try to get a certificate manually. Following the instructions there comes the request: Make the file ‘http://sub.domain.de/.well-known/acme-challenge/makedatei’ on your server available. I checked, it is available on port 80.
Enter for next step comes the error message: The file is not available followed by the link the LetsEncrypt robot looks for.

But, this link adds a ‘:’ , that means the LetsEncrypt robot looks at
‘http://sub.domain.de/.well-known/acme-challenge/makedatei:’
(please find the ‘:’). Of cause with the : at the end of line there is no file.

Is this behavior normal?

Ok, I got one certificate for my DNS A-record now, I forgot to port forward 887 and 888 in the router, alongside 80 and 443, after enabling this, I could get the certificate (it most likely originally failed due to HTTP > HTTPS forwarding)

Though this registering process only worked for the clean A record of xsc.cloud (no aliases).

If I would add any aliases, like ds.xsc.cloud in that same certificate request, the request would fail. Even when ds.xsc.cloud is a working CNAME adres, which redirects via a DDNS to the same IP adres as the A record xsc.cloud.

Also when I try to create a separate certificate for ds.xsc.cloud (which is a working CNAME adres), the request fails with the same old error: Failed to connect to Let’s Encrypt. Please make sure the domain is correct.

Anyone any idea why is this happening?

Sorry for delay. In case of an answer I thought an e-Mail will sent to me.
Port forwarding to 80->887, 443->888 do not solve the problem. Than I go back to the standard 80->80, 443->443.

My synology server is not registered to synology DDNS. So, the acme client have to use the challenge type http-01.

I found the hint: “In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint.” End of Life Plan for ACMEv1

At my synology I changed the first line in ‘/usr/syno/etc/letsencrypt/letsencrypt.default’ from ’ “server”: “https://acme-v01.api.letsencrypt.org/directory” ’ to ’ “server”: “https://acme-v02.api.letsencrypt.org/directory” '.

Running the command on my synology
$sudo /usr/syno/sbin/syno-letsencrypt new-cert -d sub.my-domain.de -m info@my-domain.de -v
comes with the error: {“error”:204,“file”:“client_v2.cpp”,“msg”:“No Nonce… Not Yet implement”}

How can I implement the client acme-v02 on synology DS?
Are there other solutions?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.