Unable to create certificate Nimbustor NAS, unable to apply settings 5401

Asustor Server Nimbustor AS5304. If I try to use the program to install let's encrypt certificates, it fails with the error message

Unable to apply settings error 5401

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: steve-paul.org

I ran this command: Using ADM 4.1.0.RKM 1, I tried to create a certificate. I previously had a certificate issued in my domain but although I set the settings to auto-update, it didn't. I tried to update it - it failed to update. I then deleted the certificate and tried to start from scratch.

It produced this output: unable to apply settings (error 5401)

My web server is (include version):

The operating system my web server runs on is (include version): ADM 4.1.0.RKM.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @Steve6443,

Here are a couple of recent changes on Let's Encrypt domain validation:

  1. Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs
  2. Email feedback: TLS 1.0/1.1 deprecation and SHA-1 deprecation

And here are a couple links to ASUSTOR information (that you probably have already found)

  1. Using HTTPS to Secure NAS Communication - ASUSTOR NAS
  2. Community - ASUSTOR Inc.

1 Like

It looks like you got a cert about an hour ago. See crt.sh log display here

But, your server is sending out a self-signed cert from ASUSTOR. This is likely some sort of default for your system. I don't know Asus ADM well enough to advise how to fix this. Hopefully this helps you focus on what is wrong. You can check the cert your server sends out using an SSL test site like this one.

Another helpful site is LetsDebug.net which shows you should not have problems getting a cert. (sometimes you might still have problems, but, like I noted it looks like you just got a cert)

7 Likes

Let's Debug shows fine for:

  1. http-01 Let's Debug
  2. dns-01 Let's Debug

1 Like

Also SSL Server Test: steve-paul.org (Powered by Qualys SSL Labs) shows your device is using TLSv1.0 & TLSv1.1, as well as the desirable TLSv1.2 & TLSv1.3. I realize that you likely don't have much control over the low level details of your device.

Since you can login as root please show openssl version output.

1 Like

I have just set the minimum security level to TLS v1.2 so that shouldn't be an issue.

Unfortunately I'm also having an issue with logging in to the shell, as the system rejects non-secure communication, so I can't call up openssl version yet but will do so asap.

We'll have to check back on that once your site can be reached [correctly].

6 Likes

OpenSSL 1.1.1q 5 Jul 2022

That is the output.

2 Likes

Well, openssl shouldn't be a problem; that is as new as the 1.1.1 line goes: https://www.openssl.org/

1 Like

And now SSL Server Test: steve-paul.org (Powered by Qualys SSL Labs) only shows the desirable TLSv1.2 & TLSv1.3. :slightly_smiling_face:

But http-01 Let's Debug Fails
Best Practice - Keep Port 80 Open

Now you might want to reconsider the allowed "weak ciphers":

6 Likes

It only looks like it is a Precertificate

1 Like

Let's Debug checks are passing now

  1. http-01 Let's Debug
  2. dns-01 Let's Debug

1 Like

For now. There is often a delay for the Leaf posting to the logs. But, fair enough, worth watching. I am nearly certain you cannot get a Precert without satisfying challenges though. And, I am not certain how you could get a Precert without a Leaf but I vaguely recall that happening once or twice before.

7 Likes

Just saw a mild oddity and would mention it. :slightly_smiling_face:

1 Like

Still can't get it to work, yet if I choose to create a certificate using the (sitename).myasustor.com domain, it all works fine.... driving me nuts.

What I have also seen is that if (e.g.) under Google Domains I add a resource such as www.steve-paul.org to my domain, I can get a certificate installed. If I leave the resources empty and want a certificate installed just for steve-paul.org, this fails.... any ideas?

I just saw another cert (precert for now) in crt.sh but this time for www.steve-paul.org

Does your Asus use the DNS Challenge? Because I don't see an A (or AAAA) record in your DNS that points to your IP that is required for the HTTP Challenge.

Wouldn't you need an A record to access your NAS even if you got this cert to work?

7 Likes

I'm trying all sorts to get it to work.... hence you can see the certificate with the www prefix, but I want it to work directly off of steve-paul.org, if I can. It worked once, don't know why it won't any more....

I just saw another cert (precert for now) in crt.sh but this time for www.steve-paul.org
Does your Asus use the DNS Challenge? Because I don't see an A (or AAAA) record in your DNS that points to your IP that is required for the HTTP Challenge.
Wouldn't you need an A record to access your NAS even if you got this cert to work?

Forgive me if I'm wrong, but if I am using Google Domains, have dyndns activated and an A entry in my resources for the domain itself, this should be ok?

As said, I've experimented with using www as a resource using an A record and can get the certificate installed, but I need the site to work directly via the domain name itself, hence much head scratching...

I see various problems right now. But, I'm signing off for the night

I cannot reach your steve-paul site anymore. See Let's Debug

And, I don't see any A (or AAAA) record for your www domain name

nslookup www.steve-paul.org
** server can't find www.steve-paul.org: NXDOMAIN

6 Likes
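Two checks recur in this thread: whether the certificate the NAS actually serves is the one crt.sh shows as issued (rather than the device's self-signed default, and with the bare domain in its SAN list), and whether the name has any A/AAAA record at all. The script below is an added example, not ASUSTOR's or Let's Encrypt's code; it shells out to the openssl CLI the thread already uses (the `-ext` flag needs OpenSSL 1.1.1 or newer) and the sample certificate text is constructed to mimic the factory default cert.

```python
import re
import socket
import subprocess

# Constructed sample of `openssl x509 -noout -subject -issuer -ext subjectAltName`
# output, shaped like a NAS factory default cert (hypothetical names).
SAMPLE_DEFAULT_CERT = """subject=CN = asustor-nas
issuer=CN = asustor-nas
X509v3 Subject Alternative Name:
    DNS:asustor-nas
"""

def served_cert_text(host, port=443):
    # Fetch the cert the server really presents for `host` (with SNI) and
    # render the fields a person reads off an SSL test site.
    hello = subprocess.run(["openssl", "s_client", "-servername", host,
                            "-connect", f"{host}:{port}"],
                           input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer",
                           "-ext", "subjectAltName"],
                          input=hello.stdout, capture_output=True, check=True)
    return x509.stdout.decode()

def parse_cert_text(text):
    # Pull subject, issuer and every DNS SAN out of the openssl output.
    info = {"subject": "", "issuer": "", "sans": []}
    for line in text.splitlines():
        if line.startswith("subject="):
            info["subject"] = line.partition("=")[2].strip()
        elif line.startswith("issuer="):
            info["issuer"] = line.partition("=")[2].strip()
        info["sans"] += re.findall(r"DNS:([^,\s]+)", line)
    return info

def name_covered(name, sans):
    # Exact SAN match, or a single-label wildcard one level up.
    parent = name.partition(".")[2]
    return name in sans or bool(parent and f"*.{parent}" in sans)

def diagnose(info, wanted):
    # Why a browser (or a cert check site) still shows the wrong certificate.
    problems = []
    if info["subject"] == info["issuer"]:
        problems.append("self-signed: the device is still serving its default cert")
    if not name_covered(wanted, info["sans"]):
        problems.append(f"{wanted} is not in the SAN list {info['sans']}")
    return problems

def address_records(host):
    # A/AAAA addresses, or [] on NXDOMAIN (no record means no HTTP-01 and no way in).
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []
```

Run `diagnose(parse_cert_text(served_cert_text("steve-paul.org")), "steve-paul.org")` on a connected machine; an empty list means the served cert is a CA-issued one that covers the bare domain.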