Unable to renew and install new Let's Encrypt Cert [Synology]

Hi all, hope you can help. I have used Let's Encrypt on my Synology NAS for a while now. I use ports 1980 and 1981 for HTTP and HTTPS respectively. Ports 80 and 443 are open and accessible on my router and I can access my server both over http and https.

My domain is:
keuken.smeurko.es

I ran this command:
DSM Control Panel > Security > Certificate. Add/replace certificate > Let’s Encrypt.
Domain name: keuken.smeurko.es
Alternative name: none

It produced this output:
Failed to connect to Let’s Encrypt, make sure the domain name is valid.

I also tried with
Domain name: keuken.smeurko.es
Alternative name: nas
This produced the same error.

My web server is (include version):
Synology DS NAS

The operating system my web server runs on is (include version):
DSM 6.2.2-24922 (latest update)

My hosting provider, if applicable, is:
Greenhost (just for registering the domain)

I can login to a root shell on my machine (yes or no, or I don’t know):
no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, DSM UI

I hope someone can help me to solve this problem!

Hi @dosch

There are two parts. If you use http-01 validation, the client creates a file under /.well-known/acme-challenge, and Letsencrypt checks that file.

It looks like this can't work ( https://check-your-website.server-daten.de/?q=keuken.smeurko.es ):

Domainname Http-Status redirect Sec. G
http://keuken.smeurko.es/
81.226.174.203 200 1.303 H
https://keuken.smeurko.es/
81.226.174.203 200 1.927 N
Certificate error: RemoteCertificateChainErrors
http://keuken.smeurko.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
81.226.174.203 403 0.067 M
Forbidden
Visible Content: © 2019 Synology Inc.

There is an http status 403 - Forbidden when checking such a file. An http status 404 - Not Found is expected.

Second, the error

sounds like your DSM can't connect to Letsencrypt. Does your system allow outgoing connections? Is it possible to test that?

If you have shell access, try something like

curl https://community.letsencrypt.org/

Thanks Juergen for your fast reply!

OK, that is weird... What can I best do to solve this?

Sadly I do not have shell access (the NAS is in a different location, and I did not set up port forwarding in that location for port 22, and I can't access the router from where I am to change that...)

Also, the weirdest part is that I want to renew a cert. This has worked in the past and now doesn't... :frowning:

First idea: Check the rights of that folder.

Second idea - ignore it. Because when checking that file in my browser there was an error message:

Sorry, the page you are looking for is not found.

That's the message with a http status 404 - Not Found, but the http status is 403. So it may not be a real problem.

I don't use DSM. But there are a lot of configuration options, so it's possible that outgoing connections are blocked.

No, that's not relevant. A change of the configuration is enough. Perhaps the internal DNS doesn't work, so your DSM doesn't find an IP address of Letsencrypt. But to check that you need a shell, or another way of testing outgoing connections.

Perhaps try to update your DSM. If it is a DNS-problem, that may fail with the same error.

Ok, I had time to get back to this. Let's go through the steps.

Yes, did that and it works: I can fetch that page.

Where can I find the file? I am a bit lost in the file tree.

I am on the latest version of the OS.

Would greatly appreciate your continued support and ideas.


One more thing. In the DSM tutorial it says:

  • Email : Enter the email address used for certificate registration.

Which email would this be? Can it be any email, like my email on another domain? Or does it have to be the webmaster/admin email on the very domain I am trying to get a certificate for?


Another thing... could it be linked to the fact that I enabled HSTS in the past?


Hey @JuergenAuer, could you maybe look at this and maybe help me out. Would be greatly appreciated!

The file is created by your client. And maybe the client deletes that file, so you don't see it.

I don't use DSM, but I don't think this is critical.

No. HSTS is a browser decision. Tools like Letsencrypt or online checks should start fresh.

I rechecked your domain, and it's the same picture ( https://check-your-website.server-daten.de/?q=keuken.smeurko.es ):

Domainname Http-Status redirect Sec. G
http://keuken.smeurko.es/
81.226.174.203 302 https://keuken.smeurko.es:443/ 0.457 A
https://keuken.smeurko.es/
81.226.174.203 200 1.640 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://keuken.smeurko.es:443/ 200 1.600 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://keuken.smeurko.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
81.226.174.203 403 0.064 M
Forbidden
Visible Content: © 2019 Synology Inc.

Checking /.well-known/acme-challenge there is a blocking http status 403 - Forbidden, not the expected http status 404 - Not found.

Perhaps start a thread in the Synology forum about how to change the configuration.

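A small pre-flight check for the two findings in Juergen's posts (the 403 on /.well-known/acme-challenge and the http -> https redirect), as an added example that is not part of the thread or of DSM: it requests a random token under the challenge path without following redirects and reports what the first hop answers. The verdict labels and the User-Agent string are my own choices; it needs outgoing http from wherever it runs.

```python
"""http-01 pre-flight check (added example, not from the thread): request a random
token under /.well-known/acme-challenge over plain http and read the first-hop answer
the way the thread reads the check-your-website output."""
import secrets
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"

def classify(status: int, location: Optional[str] = None) -> Tuple[str, str]:
    """Verdict for the answer to a token that cannot exist on the server."""
    if status == 404:
        return "ok", "404 as expected: the path is served and nothing blocks it"
    if status == 403:
        return "blocked", "403 Forbidden: fix rights/config for /.well-known/acme-challenge"
    if status in (301, 302, 307, 308) and location:
        if location.lower().startswith("https://"):
            return "redirect-https", f"redirect to {location}; the https vhost must serve the path"
        return "redirect-other", f"redirect to {location}; the token must be served there"
    if status == 200:
        return "catch-all", "200 for a random token: a generic page answers instead of 404"
    return "unexpected", f"http status {status}"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the first hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(domain: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """GET http://<domain>/.well-known/acme-challenge/<random>; return (status, Location)."""
    token = secrets.token_urlsafe(16)  # random, so no real challenge file can match
    req = urllib.request.Request(f"http://{domain}{ACME_PATH}{token}",
                                 headers={"User-Agent": "http01-preflight"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 4xx/5xx and the unfollowed 3xx land here
        return err.code, err.headers.get("Location")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: http01_preflight.py <domain>")
    verdict, detail = classify(*probe(sys.argv[1]))
    print(f"{sys.argv[1]}: {verdict} - {detail}")
```

Run it once over http only; a "blocked" verdict is the same 403 the online check shows, and "redirect-https" means the https vhost is the one that must answer for the path.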

Thanks for coming back to me.

Understood. But if the client does not delete the file, where could I find it?

That's setup-specific. If there is no location-definition, it may be root + /.well-known/acme-challenge.

If there is a location definition -> check that. If there is a redirect http -> https, the https version is used.
