Unable to create new certificate for web page in Synology

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cerebral.cua.uam.mx

I ran this command: syno-letsencrypt new-cert -d cerebral.cua.uam.mx -vv

It produced this output:

DNS problem: query timed out looking up A for cerebral.cua.uam.mx; DNS problem: query timed out looking up AAAA for cerebral.cua.uam.mx"
DEBUG: Failed to do challenge for cerebral.cua.uam.mx with type http-01.
DEBUG: close port 80.

My web server is (include version): nginx/1.20.1

The operating system my web server runs on is (include version): DSM 7.1.1-42962

My hosting provider, if applicable, is: --

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): --

Hello everyone,

I am not an expert in web page configuration. However, some years ago I was able to get a certificate for my web page hosted in my Synology NAS.

Recently I tried to get a new certificate for a NEW domain (cerebral.cua.uam.mx) in the same Synology NAS and the same IP.
First, I tried the Synology GUI Tool to obtain a LetsEncrypt certificate, but this time I got a message with this error:

"Invalid domain. Please make sure this domain can be resolved into a public IP address".

Also, I tried the following command line from my NAS to get more information:
syno-letsencrypt new-cert -d cerebral.cua.uam.mx -vv

The final lines of the output were:

--------
DEBUG: Curl Reply: [200] Header: [HTTP/2 200 
server: nginx
date: Fri, 18 Aug 2023 04:43:02 GMT
content-type: application/json
content-length: 672
boulder-requester: 1253688086
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: v8C-B80Y-_RAhVSObDs_bq28yZqQ9DZJ61K-7uhEFkrhSbbdkD8
x-frame-options: DENY
strict-transport-security: max-age=604800

] Body: [{
  "identifier": {
    "type": "dns",
    "value": "cerebral.cua.uam.mx"
  },
  "status": "invalid",
  "expires": "2023-08-25T04:41:39Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: query timed out looking up A for cerebral.cua.uam.mx; DNS problem: query timed out looking up AAAA for cerebral.cua.uam.mx",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/255995631996/Isp0Og",
      "token": "_JHZpxA2nhjsSNfFk2iRBCSWm1y5jmQBF6WqGvHwSuk",
      "validated": "2023-08-18T04:42:31Z"
    }
  ]
}]
DEBUG: Failed to do challenge for cerebral.cua.uam.mx with type http-01.
DEBUG: close port 80.
{"error":109,"file":"client_v2-base.cpp","msg":"Failed to new certificate."}
--------

I also ran the LetsEncrypt debugging tool to check the status of the http-01 challenge, and I got:

A test authorization for cerebral.cua.uam.mx to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

DNS problem: query timed out looking up A for cerebral.cua.uam.mx; DNS problem: query timed out looking up AAAA for cerebral.cua.uam.mx

In some forums, I found that a possible problem was that port 80 was closed in the router or by the ISP. However, from my HOME (different network) I used this website https://www.yougetsignal.com/tools/open-ports/ and the result was that port 80 is open.

I also used check-host.net and the result is that my website is accessible through port 80 from several countries:

https://check-host.net/check-http?host=cerebral.cua.uam.mx&csrf_token=dc2d46888b4b2c8aae0a8cab2295c0ae6869c229

Finally, I checked the A record for my domain using this page:

and the A record is my domain: cerebral.cua.uam.mx

I don't know what other configuration in my NAS to check to find out what the problem is. I hope someone here can please help me to find the error.

Thanks in advance,

Antonio

2 Likes

Hi @ajaimes, and welcome to the LE community forum :)

Thanks for all the detailed information.
The error is definitely DNS related, as both LE and LetsDebug show the same problem.
cerebral.cua.uam.mx | DNSViz shows:
[DNSViz warning message image]

My guess is that there are DNS servers along the path that are not RFC compliant.
OR
There are firewalls that are blocking some of the networks LE uses for DNS queries.

3 Likes

Interestingly UnboundTest doesn't have an issue with the DNS configuration: https://unboundtest.com/m/A/cerebral.cua.uam.mx/VIMK6LIZ

1 Like

OR
IPS type devices that don't like the number of requests [per second] that LE/LetsDebug produce.

3 Likes

Let's Debug's own simple DNS lookup worked fine. But, its test with Let's Encrypt Staging had the same DNS query timeout as Let's Encrypt production in post #1 (see here)

Unboundtest not only works but is very fast to respond so not showing a reason for a query timeout.

@ajaimes I agree with @rg305 that this looks like a good possibility. I cannot reproduce the query timeout even with repeated requests, but Let's Encrypt will issue many more requests and from various world-wide locations.

4 Likes

Maybe some geographic difference or hosting provider difference?

3 Likes
