Synology letsencrypt certificate renewal

Domain: kalmiya.com, can log into a root shell.

Updating the Let's Encrypt certificate through the Synology web interface, clicking "renew" leads to "Please check if your IP address, reverse proxy rules and firewall settings are correctly configured and try again". I don't have any reverse proxy rules; the firewall is disabled and set to "all allowed".

Updating the Let's Encrypt certificate from the shell:

sudo syno-letsencrypt new-cert -d www.kalmiya.com -m site@kalmiya.com -vvv

gives:

...
"challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "xx.xx.xx.xx: Invalid response from http://www.kalmiya.com/.well-known/acme-challenge/xyz: 404", "status": 403 },
...

Copied a file to /var/lib/letsencrypt/.well-known/acme-challenge#/index.html and verified that opening it with both http and https in a browser (e.g. https://www.kalmiya.com/.well-known/acme-challenge/index.html) shows the content of the index.html.

Running letsdebug.net on www.kalmiya.com.com gives a green box with "All OK! No issues were found".

Checking /var/log/messages it contains:

syno-letsencrypt[23362]: client_v2-disk.cpp:117 Failed to open port
cortana syno-letsencrypt[23362]: client_v2-base.cpp:603 Failed to do new authorization, may retry with another type. [{"error":110,"file":"client_v2-base.cpp","msg":"83.86.147.193: Invalid response from http://www.kalmiya.com/.well-known/acme-challenge/xyz: 404"}

Additional info:

  • Router forwards ports 80, 443 and 5001 to the NAS (80->80, 443->443, 5001->5001)
  • Websites are accessible with old certificates (which are still valid), and those were originally fetched by the DSM web frontend
  • Auto-redirect HTTP connection to HTTPS for DSM Desktop (Login Portal, DSM) -> disabled
  • Latest DSM 7.2.1
  • curl https://community.letsencrypt.org/ -> works (contents listed)
  • Cleared the ip-blocklist, to rule out that (somehow) the letsencrypt ip ended up on it.

So there seems to be a permissions issue, but I'm not sure how to fix it.

Any ideas anyone?

Please use example.com or example.org if you need placeholders :smiley:

Another option is whatever.example

3 Likes

I'm afraid it doesn't. I'm getting a 404 file not found.

I only see a self-signed certificate issued by "CN=e16a87c49c132b9a370ac2bf60072beb; OU=embeddedsofteware"? Not a valid certificate.

Are you sure external port 80 is mapped to your NAS? When I go to your website, I'm getting a login screen for "Hikvision".

3 Likes

Ports look Open.

$ nmap -Pn -p80,443 www.kalmiya.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-28 22:27 UTC
Nmap scan report for www.kalmiya.com (83.86.147.193)
Host is up (0.20s latency).
rDNS record for 83.86.147.193: 83-86-147-193.cable.dynamic.v4.ziggo.nl

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Connection to Port 80 seems to work.

$ curl -Ii http://www.kalmiya.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 28 Nov 2023 23:27:11 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 215
Content-Type: text/html
Connection: close

Connection to Port 443 seems to work.

$ curl -k -Ii https://www.kalmiya.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 28 Nov 2023 23:33:31 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 215
Content-Type: text/html
Connection: close

The certificate being served is a self-signed certificate.

$ openssl s_client -showcerts -servername www.kalmiya.com -connect www.kalmiya.com:443 < /dev/null
CONNECTED(00000003)
depth=0 C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
verify return:1
---
Certificate chain
 0 s:C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
   i:C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  5 09:25:21 2022 GMT; NotAfter: Mar  4 09:25:21 2025 GMT
---
Server certificate
subject=C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
issuer=C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1576 bytes and written 747 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
DONE

1 Like

I do have a hikvision camera, but when I go to kalmiya.com I get this for certificate and challenge

So for some reason I get to see something different than you...

I note that http://www.kalmiya.com/ yields this screen shot with a copyright date of 2021.

Whereas that https://www.kalmiya.com/ yields this screen shot with a copyright date of 2023.

Clearly there is a difference.

1 Like

Yet I see this certificate

2 Likes

I connected to a vpn, went to kalmiya.com and indeed I now get the hikvision...
Going to try and figure out what's up with that.

2 Likes

So the Hikvisions are directly connected to the cable modem, and in the settings it looked like this:

So interestingly it looks like multiple devices claimed port 80 and 443 :open_mouth:.

I guess coming from inside my network it looped back and I got the correct site, but coming from the outside it didn't work (or maybe randomly works)...

Went into the settings of the Hikvisions and disabled UPnP, which got these entries to disappear from the cable modem settings, then went to the new / renew certificates and it works.

Thanks guys!

5 Likes
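The root cause found above (a camera on the LAN claiming ports 80/443 on the cable modem via UPnP) showed up from the outside exactly as the nmap/curl/openssl post earlier captured: a 404 on the challenge path plus a self-signed certificate that does not name the host. As an added example (not code from the thread or from Synology), here is a small Python checker that parses those two outputs and turns them into a verdict; the `openssl s_client` and `curl -I` text it reads is the constructed sample below, copied from the thread's pasted output.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Finding:
    subject: str            # leaf certificate subject as printed by s_client
    self_signed: bool       # subject == issuer
    names_host: bool        # subject CN equals the hostname we expected
    challenge_status: Optional[int]  # HTTP status on the acme-challenge path

def parse_s_client(output: str) -> Tuple[str, bool]:
    """Pull the 'subject=' and 'issuer=' lines out of `openssl s_client` text."""
    subj = re.search(r"^subject=(.*)$", output, re.M)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    if not (subj and issuer):
        raise ValueError("no server certificate block found in s_client output")
    s, i = subj.group(1).strip(), issuer.group(1).strip()
    return s, s == i

def http_status(curl_head: str) -> Optional[int]:
    """Status code from the first line of a `curl -I` response, or None."""
    m = re.search(r"^HTTP/\S+\s+(\d{3})", curl_head, re.M)
    return int(m.group(1)) if m else None

def assess(host: str, s_client_out: str, curl_head: str) -> Finding:
    subject, self_signed = parse_s_client(s_client_out)
    # s_client prints only the subject, not SANs, so a SAN-only cert is
    # reported as not naming the host: treat names_host as a hint, not proof.
    names_host = re.search(rf"CN\s*=\s*{re.escape(host)}(?=,|$)", subject) is not None
    return Finding(subject, self_signed, names_host, http_status(curl_head))

def verdict(f: Finding) -> str:
    """Map the parsed evidence to the situations seen in this thread."""
    if f.self_signed and not f.names_host:
        return "foreign device on 443: self-signed cert that does not name the host"
    if f.challenge_status == 404 and not f.names_host:
        return "challenge path 404 and cert mismatch: port forward reaches another device"
    if f.challenge_status == 404:
        return "challenge path 404: expected server reached but token path not served"
    return "host appears to be the expected server"

# Constructed sample: the relevant lines of the s_client/curl output pasted above.
SAMPLE_S_CLIENT = """---
Server certificate
subject=C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
issuer=C = CN, ST = ZJ, L = HZ, CN = e16a87c49c132b9a370ac2bf60072beb, OU = embeddedsofteware, emailAddress = com
---
"""
SAMPLE_CURL = "HTTP/1.1 404 Not Found\r\nContent-Length: 215\r\nContent-Type: text/html\r\n"
```

Feed it live data by capturing `openssl s_client -showcerts -servername HOST -connect HOST:443 < /dev/null` and `curl -Ii http://HOST/.well-known/acme-challenge/sometestfile` from a network outside your LAN, since a hairpinned connection from inside can reach the right box while the public side does not.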

Looks like success for you @rboerdijk :slight_smile:
A+ SSL Server Test: www.kalmiya.com (Powered by Qualys SSL Labs)
A+ SSL Server Test: kalmiya.com (Powered by Qualys SSL Labs)

4 Likes
