Synology NAS unable to open Port 80

My domain is: dickson.duckdns.org, have also tried m.duckdns.org, and nas.mix3dstudios.com

I ran this command:
I have tried both the visual GUI (which fails with the unable to open port 80 message) as well as through SSH:
sudo syno-letsencrypt new-cert -d dickson.duckdns.org -m juneku@gmail.com -v

It produced this output:
UI Logs in /var/log/messages

2019-03-11T16:10:10-07:00 Vault synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[2213]: certificate.cpp:973 syno-letsencrypt failed. 101 [failed to open port 80.]
2019-03-11T16:10:10-07:00 Vault synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[2213]: certificate.cpp:1392 Failed to create Let'sEncrypt certificate. [101][failed to open port 80.]

Manual SSH Result:

DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Email: juneku@gmail.com
DEBUG: Domain: m.duckdns.org
DEBUG: ==========================
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Found registed account. used old account. [/usr/syno/etc/letsencrypt/account/wHNT0s/]
DEBUG: strat to do new-authz for m.duckdns.org
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: new authz: setup challenge env.
DEBUG: ==> start new authz.
DEBUG: new authz: do new-authz.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-authz
DEBUG: new authz: setup challenge env.
DEBUG: new authz: http-01 challenge.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/challenge/YxZsNZpDVBqqb4GnqBXj8LzN-i-R6a3Lg3WME20nRAU/13538773913
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/challenge/YxZsNZpDVBqqb4GnqBXj8LzN-i-R6a3Lg3WME20nRAU/13538773913
DEBUG: new authz: http-01 check result.
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/acme/authz/YxZsNZpDVBqqb4GnqBXj8LzN-i-R6a3Lg3WME20nRAU
(Repeated 5 times, removed to meet url link post limit)
DEBUG: Not synology DDNS.
DEBUG: DNS challenge failed, reason: {"error":108,"file":"challenge.cpp","msg":"Not synology DDNS."}

DEBUG: Normal challenge failed, reason: {"error":107,"file":"client.cpp","msg":"m.duckdns.org: Fetching http://m.duckdns.org/.well-known/acme-challenge/AS0x4wEX5lo3lC_37BTGnTgHFviN71vzDjWdOt7JoGI: Timeout during connect (likely firewall problem)"}

My web server is (include version): Synology DS418Play

The operating system my web server runs on is (include version): DSM 6.2.1-23824 Update 6

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ??

Notes:
I have checked the .well-known/acme-challenge/ folder, and can fill a test file and access it on port 80, so I am unsure what the issue is. You can try curl http://m.duckdns.org/.well-known/acme-challenge/testing

I was able to create a certificate on the device once before, at dickson.duckdns.org, but it expired during a cross-country move and then I ran into this issue. Initially tried to renew it, it failed, so I instead removed it and tried to create a new one.

I have tried to follow numerous other posted issues, both here and on Synology forums, but none have seemed to help me get it to work.

Also of note: I ran into the request limit at some point while trying to get it to work, and switched to a different email address. Hope that didn’t screw things up.

I’ve also tried to manually create the file as requested by sslforfree.com, created curl http://nas.mix3dstudios.com/.well-known/acme-challenge/Gx924h7HIQJIxqYOuD0D70QDhhWF4rdar7BL9Bc7DQs and confirmed that it was retrievable, but it still failed the verification check.

This file/site doesn’t seem accessible from the Internet.

Suddenlink blocks port 80 externally.

You’ll need to use DNS validation, probably.

Well, that explains why it worked in NH and not in AZ. Bummer.

1 Like

Doesn’t Synology have a built-in LE option?

If you read my problem, I tried both the built-in and the command-line options.

As for DNS validation, I don’t own duckdns.org; it’s a DDNS service, so I may be out of luck there.

If you wanted a certificate for your DuckDNS domain, it’s actually supported directly by acme.sh, lego, etc. and it looks like some people already use that approach with Synology.

If you wanted a certificate for your main domain, you could always move your main domain to one of the free DNS hosts who are easy to use with Let’s Encrypt DNS validation, like Cloudflare: DNS providers who easily integrate with Let's Encrypt DNS validation

1 Like

I thought their latest release overcame port 80…
But I do read that it is still required. :(

I didn’t think to check access while testing. I guess Suddenlink allows port 80 requests if the traffic comes from inside that same network?

Anyways, thanks for the link to acme.sh, the DNS API integration for duckdns.org worked perfectly. Certs made, now I just have to import them into DSM.

2 Likes
