Unable to renew cert on Synology NAS

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ravensbourne.kaznmike.co.uk

I ran this command: On Synology NAS I ran the renew certificate operation as I have done many times before. I do not run a web site as I use certificate for https access to various NAS applications running on ports other than 80/443. Ports 80/443 are open but there is no web site there. This has NEVER been an issue. I have no issue accessing the services on the NAS via the given domain.

It produced this output: A pop up error which basically says it failed and I need to ensure ports 80/443 are open which they are.

My web server is (include version): ngnix

The operating system my web server runs on is (include version): Synology DSM

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No web site

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Do not know

2

Hello @m1kegibson, welcome to the Let's Encrypt community. :slightly_smiling_face:

Your Ports 80 & 443 are not Open, but filtered.

$ nmap -Pn -p80,443 ravensbourne.kaznmike.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-18 20:23 UTC
Nmap scan report for ravensbourne.kaznmike.co.uk (84.68.181.97)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.64 seconds
3

Sorry. I do not understand what that means; maybe you can explain what that means so I can look into it further. I have opened the ports on my router (as I have may times) and initiated the renewal from my NAS. Trouble is, I have little understanding of what my Synology NAS is doing behind the scenes.

4

You likely need to forward ports 80 and 443 to the NAS's IP address (and make sure the address is reserved so that it doesn’t change).

6

I am going to confess to being a complete d***head. I recently put some location based firewall rules in place on my NAS (after noticing a lot of probes that got through my router) and this filtered out the relevant requests originating outside UK. Sorry for wasting your time.

7

It means that nobody from the Public Internet is able to access your web site.
The HTTP-01 challenge of the Challenge Types - Let's Encrypt requires being able to access your web server via Port 80.