Unable to create certificate Nimbustor NAS, unable to apply settings 5401

I see various problems right now. But, I'm signing off for the night.

I cannot reach your steve-paul site anymore. See Let's Debug (paul.org/1200651)

And, I don't see any A (or AAAA) record for your www domain name

nslookup www.steve-paul.org
** server can't find www.steve-paul.org: NXDOMAIN

The first issue was because, for some reason, the NAS had closed the port forwarding. I removed the A record for www.steve-paul.org because it's not what I want. I added it just to see if using that prefix worked (and it did). So why can I install a certificate for www.steve-paul.org but not for steve-paul.org???

Yes, DNS.

Name:    www.steve-paul.org
Address:  87.172.29.81
Name:    steve-paul.org
         [EMPTY]
1 Like

I did that deliberately because at the moment, when I set up DYNDNS to point the Address to steve-paul.org, it fails.... This is the only workaround I have been able to find, by installing the certificate at www.steve-paul.org when I'd much rather prefer it being at steve-paul.org

Your DYNDNS problem is not our area of support. I see you have now posted on the Asus Community Forum. I think that is your best option.

If you haven't yet, you should look at other threads about that 5401 error (if you still have that)

https://forum.asustor.com/search.php?keywords=5401&terms=all&author=&sc=1&sf=all&sr=posts&sk=t&sd=d&st=0&ch=300&t=0&submit=Search

3 Likes

Second Precertificate without Leaf certificate

and this too

1 Like

It looks to me like www.steve-paul.org is serving the Precertificate: crt.sh | 7599205233

1 Like

In crt.sh. If you look at censys.io the Leaf is there. crt.sh may take up to 24 hours to post log data. We are getting close to that but not quite there yet. Might be worth an insider post if the crt.sh log display is not complete by then.

I don't think their www site is sending out a Precert. Browsers will not accept a Precert and right now on Chrome I can view https://www.steve-george.org. I see a big "Afraid of Flying" page

3 Likes

Thanks @MikeMcQ for the explanation, it helps me learn. 🙂

And the serial number has changed now in Firefox.

2 Likes

Also, the pre-cert and actual cert have the same serial number 😉 So you can't use that to identify a pre-cert by itself.

4 Likes
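
Added example, not part of the original thread or any poster's code: since the serial number cannot separate the two, one way to tell a precertificate from the final certificate is the RFC 6962 poison extension, which only the precertificate carries. The two byte strings are constructed skeletons with an assumed serial of 0x1234, not real certificates.

```python
# Added example: tell a precertificate from the final certificate by extension
# OID (RFC 6962), since both carry the same serial number.
POISON = "1.3.6.1.4.1.11129.2.4.3"    # CT poison extension, precertificate only
SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list, final certificate only

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:                         # walk sibling TLVs in a value
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def oid_str(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0     # valid for first arc 0 or 1
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extension_oids(der):
    _, cs, ce = tlv(der, 0)                    # Certificate
    _, ts, te = next(children(der, cs, ce))    # tbsCertificate
    for tag, vs, ve in children(der, ts, te):
        if tag == 0xA3:                        # [3] EXPLICIT Extensions
            _, es, ee = tlv(der, vs)
            return [oid_str(der[s:e]) for _, xs, _ in children(der, es, ee)
                    for t, s, e in [tlv(der, xs)] if t == 0x06]
    return []

def classify(der):
    oids = extension_oids(der)
    if POISON in oids:
        return "precertificate"
    return "final certificate" if SCT_LIST in oids else "no CT extensions"

# Constructed skeletons, not real certificates: same serial 0x1234 in both.
PRECERT = bytes.fromhex("301f 301d 02021234 a317 3015 3013 060a2b06010401d679020403 0101ff 04020500")
FINAL = bytes.fromhex("301c 301a 02021234 a314 3012 3010 060a2b06010401d679020402 04020400")
```

To check a real certificate, pass its DER bytes (for a PEM file, the base64-decoded body) to `classify`.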

@Steve6443 I see your quote below from the Asus forum

> Let's encrypt sends a challenge to my NAS but the response is incorrect hence the verification only goes as far as a pre certificate.

At least in your case, if you see a Precert in the log you should conclude the challenge worked and a cert was issued. There is often a delay in posting the Leaf to the log as shown by crt.sh. And, looking at crt.sh now shows your Leafs matching those earlier Precerts (see here). You still have a more recently issued cert for which crt.sh is only showing the precert but I'm sure that will post later because it is visible in censys.io (which is much harder to use).

The better conclusion for what is happening is you got a cert but your Asus system did not properly integrate it into your system.

You were able to use a different name and get that to work. That proves your system can properly request and integrate certs. Why it can't for just that one name points to an internal issue in your Asus config / software.

I know this isn't helpful for a remedy. I just hope it helps identify the root cause.

4 Likes