Unable to get wildcard certificate but can get normal certificate

I'm unable to get a SNA wildcard certificate from Let's Encrypt using Synology certificate manager. I can get a certificate without the SNA wildcard just fine.

I'm happy to run any shell commands if that would be helpful.

My domain is:

fresh. quatrelle .synology. me

I ran this command:

DSM > Control Panel > Security > Certificate > Add > Replace Existing Certificate > quatrelle .synology .me > Get a certificate from Let's Encrypt > Set as default certificate

Domain name: quatrelle .synology.me
Email: matt.sephton@ gmail .com
SNA: *.quatrelle. synology .me

It produced this output:

Failed to connect to Let's Encrypt. Please make sure the domain name is valid.

My web server is (include version):

nginx 1.16.1

The operating system my web server runs on is (include version):

Synology 6.2.4 (can't upgrade further)

Linux 3.10.105 #25426 SMP Mon Dec 14 18:47:46 CST 2020 x86_64 GNU/Linux synology_broadwell_3617xs

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

DSM 6.2.4

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

n/a?

Does Synology provide any means of more verbose logging? Because with just that error I have absolutely no idea...


I know, I did look in the logs within the GUI but there's nothing at all at the time of the failure.

I'll try to find out where it logs at a unix level and check there.

There are a handful of mentions of this error elsewhere on the forum (you've responded to some), but those other people are using their own domain pointing to their xxx .synology .me domain. I'm just using the xxx .synology .me domain alone.

Did you type that?
From:

Can you upgrade?

I have:
image

for troubleshooting, look in Control Panel / Terminal and make sure SSH is enabled:
image


No :slight_smile: it's a label for this forum only.

As stated in the OS question, no.

SSH is enabled and I can log in as root shell.

Some additional information:

I'm requesting a new cert because my previous (first!) one ran out Thursday 12th and renewed Friday 13th without the wildcard. So, this is my first renewal.

We can see the change from with wildcard before to without wildcard in the historical records. Why would this happen?

https://check-your-website.server-daten.de/?q=quatrelle.synology.me

6721571175
leaf cert CN=R3, O=Let's Encrypt, C=US
2022-05-13 10:42:09
2022-08-11 10:42:08
quatrelle .synology .me
1 entries
duplicate nr. 1

6163676873
leaf cert CN=R3, O=Let's Encrypt, C=US
2022-02-11 19:00:08
2022-05-12 18:00:07
*.quatrelle .synology .me, quatrelle .synology .me
2 entries

logging

tail -f /var/log/messages

gives:

2022-05-14T01:50:30+01:00 quatrelle syno-letsencrypt: syno-letsencrypt.cpp:121 Failed to do new authorization, may retry with another type. [{"error":202,"file":"client_v2.cpp","msg":"Failed to setup challegne for quatrelle .synology .me of dns-01"}
]
2022-05-14T01:50:31+01:00 quatrelle syno-letsencrypt: syno-letsencrypt.cpp:121 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"do new auth by path: failed to do challenge."}
]
2022-05-14T01:50:31+01:00 quatrelle synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5328]: certificate.cpp:966 syno-letsencrypt failed. 102 [Failed to new certificate.]
2022-05-14T01:50:31+01:00 quatrelle synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5328]: certificate.cpp:1400 Failed to create Let's Encrypt certificate. [102][Failed to new certificate.]

other info

  • IPv4 only (IPv6 off)
  • ports 80,443,5000,5001 open, forwarded
  • web pages are accessible at /.well-known/acme-challenge/...
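As an added example (not part of this thread or of Synology's own tooling), a small Python parser for the syno-letsencrypt lines quoted above: it re-joins the JSON payload that DSM splits across two lines, then pulls out the error code, the message, and the domain and challenge type named in a failed challenge setup. The sample log text is constructed from the lines above.

```python
import json
import re

# Constructed sample modelled on the /var/log/messages lines quoted above:
# syslog timestamp, host, process, source location, then the message text.
SAMPLE_LOG = """\
2022-05-14T01:50:30+01:00 quatrelle syno-letsencrypt: syno-letsencrypt.cpp:121 Failed to do new authorization, may retry with another type. [{"error":202,"file":"client_v2.cpp","msg":"Failed to setup challegne for quatrelle.synology.me of dns-01"}
]
2022-05-14T01:50:31+01:00 quatrelle syno-letsencrypt: syno-letsencrypt.cpp:121 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"do new auth by path: failed to do challenge."}
]
2022-05-14T01:50:31+01:00 quatrelle synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5328]: certificate.cpp:966 syno-letsencrypt failed. 102 [Failed to new certificate.]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<src>\S+) (?P<text>.*)$")
CHALLENGE_RE = re.compile(r"for (?P<name>\S+) of (?P<type>dns-01|http-01|tls-alpn-01)")


def _join_continuations(text: str) -> str:
    """DSM writes the payload as '[{...}' then a lone ']' on the next line; glue such lines back."""
    out = []
    for line in text.splitlines():
        if out and not LINE_RE.match(line):
            out[-1] += line.strip()
        else:
            out.append(line)
    return "\n".join(out)


def parse_failures(log_text: str) -> list:
    """One dict per syno-letsencrypt / LetsEncrypt SCGI record (ts, src, error, msg, domain, challenge)."""
    failures = []
    for line in _join_continuations(log_text).splitlines():
        m = LINE_RE.match(line)
        if not m or "letsencrypt" not in m.group("proc").lower():
            continue
        text = m.group("text")
        rec = {"ts": m.group("ts"), "src": m.group("src"), "error": None, "msg": text,
               "domain": None, "challenge": None}
        start = text.find("[{")
        if start != -1:  # payload is a one-element JSON array with error/file/msg keys
            try:
                payload = json.loads(text[start:])[0]
                rec["error"], rec["msg"] = payload.get("error"), payload.get("msg", "")
            except (ValueError, IndexError):
                pass  # keep the raw text if the payload is malformed
        c = CHALLENGE_RE.search(rec["msg"])
        if c:
            rec["domain"], rec["challenge"] = c.group("name"), c.group("type")
        failures.append(rec)
    return failures
```

Run it with `parse_failures(open("/var/log/messages").read())` on the NAS to see which name and challenge type failed. Let's Encrypt validates wildcard names only via dns-01, so when the dns-01 setup itself fails, the "may retry with another type" fallback cannot rescue the wildcard entry.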

see you next week

I have exhausted certificates this week trying to fix this; will resume next week.


I grew impatient.

With no confidence that this issue could be resolved, I've switched to using acme.sh to issue a LE wildcard certificate on a subdomain of one of my own short domain names, which is hooked via a CNAME record to a DDNS domain name. This gives me my own choice of domain as DDNS.

Everything is working well with this setup.

Thanks to everybody who responded in this thread. I won't be marking any reply as the solution as the original problem remains unresolved.
