Synology NAS cannot renew LE cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ubrs.ch

I ran this command: Synology NAS set up

It produced this output:

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): DSM 7.0.1-42218 Update 4

My hosting provider, if applicable, is: hostpoint.ch

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

I'm trying to renew (actually, now create new, see below) a cert for b3.ubrs.ch.

I had LE certs working until some extended shenanigans by my ISP left me offline during renewal. My router also died, so I have a new one installed. Steps that I've taken until now:

  • Checked that ports 80 and 443 are active and forwarded to my NAS via Redirect Checker | Check your Statuscode 301 vs 302

  • Checked that all relevant subdomains have the same IP. The root domain is hosted by hostpoint.ch, but three subdomains are redirected to my NAS through Synology DDNS, and it's these that the cert is for.

  • Deleted the old cert and tried to create a new one.

Hi @truffy, and welcome to the LE community forum

I see IPv6 and IPv4 IP addresses:

Name:      b3ubrsch.dsmynas.com
Addresses: 2001:1715:9d9c:7500:80e3:cf33:582c:e52b
           89.217.199.80
Aliases:   b3.ubrs.ch

LE will prefer IPv6 over IPv4 when available.
Ensure the IPv6 path can also reach the NAS, or remove the AAAA record.
I get:

curl -Ii6 b3.ubrs.ch
curl: (56) Recv failure: Connection reset by peer

While IPv4 looks OK:

curl -Ii4 b3.ubrs.ch
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2022 15:34:38 GMT
Content-Type: text/html
Content-Length: 157
Connection: keep-alive
Keep-Alive: timeout=20
Last-Modified: Tue, 07 Jun 2022 11:37:29 GMT
ETag: "9d-5e0da03745040"
Accept-Ranges: bytes
Vary: Accept-Encoding
2 Likes
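
The two curl checks in the reply above, generalized into a script that probes port 80 on every published A and AAAA address of a host and names the record type that fails. This is an added example, not part of the original thread; the function names are illustrative and it uses only the Python standard library.

```python
import socket

FAMILIES = {"AAAA": socket.AF_INET6, "A": socket.AF_INET}

def resolve(host, family):
    """Return the unique addresses published for host in one address family."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe(host, addr, family, timeout=5.0):
    """Send HEAD / to port 80 of one address; return (reachable, detail)."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, 80))
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(256)
    except OSError as exc:  # reset by peer, timeout, no route, ...
        return False, str(exc)
    if not reply.startswith(b"HTTP/"):
        return False, "no HTTP response"
    return True, reply.split(b"\r\n", 1)[0].decode("ascii", "replace")

def check_http01_paths(host, resolve=resolve, probe=probe):
    """Probe every published A/AAAA address and list the record types that fail."""
    results, broken = [], []
    for rtype, family in FAMILIES.items():
        for addr in resolve(host, family):
            ok, detail = probe(host, addr, family)
            results.append((rtype, addr, ok, detail))
            if not ok:
                broken.append(rtype)
    return results, sorted(set(broken))

if __name__ == "__main__":
    import sys
    results, broken = check_http01_paths(sys.argv[1])
    for rtype, addr, ok, detail in results:
        print(f"{rtype:4} {addr:40} {'OK' if ok else 'FAIL'}  {detail}")
    if "AAAA" in broken:
        print("IPv6 path fails: fix IPv6 reachability or remove the AAAA record")
```

Run it from a network outside the LAN with the hostname as the only argument, so the probes cross the router's forwarding and firewall rules the same way the validation request does.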

Thank you, @rg305, switching IPv6 from automatic to manual in DSM's DDNS settings worked like a charm!

2 Likes