Trying to register/renew using DDNS

My domain is: X.damacus.io

I ran this command: syno-letsencrypt new-cert -d subdomain.damacus.io -m @damacus.io -vv

It produced this output:

Generic error message: failed to open port 80.

The most relevant bit of the debug output is
DEBUG: [x.damacus.io] is not a subdomain of [x.synology.me]

My web server is (include version): nginx/1.11.10

The operating system my web server runs on is (include version): synology diskstation 6.1.3

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Tried both the Synology control panel & CLI.

Extra Information:
I’m using DDNS provided by Synology to make my disk station’s dynamic IP reachable. However, that means that my DNS entry for x.damacus.io actually points to x.synology.me, which is then resolvable, and does get resolved by the CLI tool.

This has been working for 3 renewals. So I don’t quite know what’s going on.

Port forwarding for both 443 & 80 is still on.
I can reach the webpage via curl -L.

Probable CAA issue.
Try issuing the synology.me FQDN cert (just for a test).

Yep, that seems to have worked.

Now I’m rather confused how it worked 6/9 months ago.

Let’s Encrypt started refusing to issue in the event of CAA lookup failures about a month ago, in preparation for the CA/Browser Forum deadline of September 8 requiring CAA checks. It would have stopped working at that point.
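
To make the point in the reply above concrete, here is an added example (not code from this thread and not Let's Encrypt's own implementation) that models the CAA lookup a CA performs under RFC 8659 before issuing: the resolver chases CNAMEs at each name, the CA then climbs the parents of the name it was asked for (not the parents of the CNAME target), and a SERVFAIL or loop anywhere along that climb is a lookup failure that refuses issuance, which is different from an empty CAA answer that permits it. The zone table is constructed data so it runs offline; placing the SERVFAIL at damacus.io is an assumption made for illustration only, since the thread never establishes which name server actually failed. It also goes a little beyond the thread by handling wildcard requests, the `;` "no CA" value and unknown critical tags.

```python
# Model of the CAA check (RFC 8659) a CA performs before issuing a certificate.
# Added example, not code from the thread or from Let's Encrypt; the zone table
# below is constructed so the lookup logic runs offline.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class CAARecord:
    flags: int  # bit 0x80 = issuer critical
    tag: str
    value: str

def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode CAA RDATA: flags byte, tag length byte, tag, value."""
    tag_b = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_b)]) + tag_b + value.encode("utf-8")

def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Decode CAA RDATA, rejecting malformed input instead of guessing."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("malformed CAA RDATA")
    tag = rdata[2:2 + rdata[1]].decode("ascii").lower()
    return CAARecord(rdata[0], tag, rdata[2 + rdata[1]:].decode("utf-8"))

class LookupFailure(Exception):
    """SERVFAIL, timeout or CNAME loop: a failed query, not an empty answer."""

class MockResolver:
    """Stand-in recursive resolver over a constructed zone table.
    Nodes: {"cname": t}, {"caa": [rdata...]}, {} (NODATA), {"rcode": "SERVFAIL"};
    names absent from the table answer NXDOMAIN."""

    def __init__(self, zone: Dict[str, dict]):
        self.zone = {k.rstrip(".").lower(): v for k, v in zone.items()}

    def query_caa(self, name: str) -> List[CAARecord]:
        name, seen = name.rstrip(".").lower(), set()
        while True:
            if name in seen:
                raise LookupFailure(f"CNAME loop at {name}")
            seen.add(name)
            node = self.zone.get(name)
            if node is None:
                return []  # NXDOMAIN is an empty CAA RRset, not a failure
            if node.get("rcode") == "SERVFAIL":
                raise LookupFailure(f"SERVFAIL for CAA {name}")
            if "cname" in node:
                name = node["cname"].rstrip(".").lower()  # chase the alias
                continue
            return [parse_caa_rdata(r) for r in node.get("caa", [])]

def relevant_caa(resolver: MockResolver, name: str) -> Tuple[str, List[CAARecord]]:
    """R(X) of RFC 8659 s3: first non-empty CAA RRset climbing towards the root."""
    name = name.rstrip(".").lower()
    while name:
        rrset = resolver.query_caa(name)
        if rrset:
            return name, rrset
        name = name.partition(".")[2]  # parent of the queried name, not of the CNAME target
    return "", []

def issuance_permitted(resolver: MockResolver, name: str, ca_domain: str,
                       wildcard: bool = False) -> Tuple[bool, str]:
    """Decide as a CA would; any lookup failure fails closed."""
    try:
        origin, rrset = relevant_caa(resolver, name)
    except LookupFailure as exc:
        return False, f"refused: {exc}"
    if not rrset:
        return True, "no CAA records in the tree; issuance permitted"
    for r in rrset:
        if r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"refused: unknown critical tag '{r.tag}' at {origin}"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    relevant = (issuewild or issue) if wildcard else issue
    if not relevant:
        return True, f"CAA at {origin} does not restrict this request"
    if any(r.value.split(";", 1)[0].strip().lower() == ca_domain.lower() for r in relevant):
        return True, f"{origin} CAA authorizes {ca_domain}"
    return False, f"refused: CAA at {origin} does not authorize {ca_domain}"

# Constructed zone mirroring the thread's layout (subdomain CNAMEd into Synology
# DDNS).  The SERVFAIL at damacus.io is an assumption made for illustration; the
# thread does not say which name server actually failed.
ZONE = {
    "x.damacus.io": {"cname": "x.synology.me"},
    "damacus.io": {"rcode": "SERVFAIL"},
    "synology.me": {"caa": [caa_rdata(0, "issue", "letsencrypt.org")]},
    "locked.example": {"caa": [caa_rdata(0, "issue", ";")]},  # no CA may issue
}
RESOLVER = MockResolver(ZONE)

if __name__ == "__main__":
    for fqdn in ("x.synology.me", "x.damacus.io", "locked.example"):
        print(fqdn, issuance_permitted(RESOLVER, fqdn, "letsencrypt.org"))
```

Run it and the DDNS name is authorized through the CAA record at synology.me, while the CNAMEd name is refused because the climb reaches damacus.io, whose server fails the query. Against live DNS the equivalent check is to query the CAA type for every name on the path (the requested name, each of its parents, and the CNAME target) and confirm that each one returns either records or a clean empty answer rather than SERVFAIL; a DNS provider that does not handle the CAA record type is the usual cause of the latter.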

Yeah that sounds about the time it stopped renewing.

Thanks for your help on this one!

Does this mean I’ll need to switch my DNS to one that also supports DDNS? Or is there another way?

If you own a domain, you could create a dedicated CNAME entry (like: special.mydomain.tld) from it that resolves to the synology.me FQDN and obtain a cert for the FQDN from your domain.

That’s actually what I’ve got right now.

mydomain.tld --> synology.me (DDNS) --> NAS

that’s what’s giving the error DEBUG: [x.damacus.io] is not a subdomain of [x.synology.me]

Can you give the actual FQDN?
“x.damacus.io” doesn’t resolve to any IP.

@damacus I’m curious… Did you find a solution already? I’m experiencing exactly the same problem on my Synology. And I do have the same setup as you describe (using the Synology DDNS)

subdomain.mydomain.tld --> subdomain.synology.me (DDNS) --> NAS

Previously renewal worked just fine.

@damacus (and everyone else looking for a solution).

I have resolved the issue for now by executing these steps:

  • Log in to your domain provider > DNS configuration.
  • Remove the CNAME record pointing to your subdomain.mydomain.tld (temporarily).
  • Configure an A record for subdomain.mydomain.tld pointing to your public IP address.
  • Make sure port 80 in your router config is forwarded to port 80 on the NAS.
  • SSH into the NAS and execute this command: sudo syno-letsencrypt renew-all -v
  • Reset the DNS configuration again by removing the A record and adding the CNAME again.

Kind regards ;-).
