Hi all, hope you can help. I have used Let’s Encrypt on my Synology NAS for a while now. I always used the standard ports (5000 and 5001 for HTTP and HTTPS respectively), but recently changed this to HTTPS-only on port 443 for security + convenience, since a lot of corporate firewalls block the standard ports. This works fine, I am very happy with this.
DNS is (afaik) correctly configured. Port 80 and 443 are open and accessible.
My domain is:
nas.clubweltevree.nl
I ran this command:
DSM Control Panel > Security > Certificate. Add/replace certificate > Let’s Encrypt.
Domain name: nas.clubweltevree.nl
Alternative name: none
It produced this output: Failed to connect to Let’s Encrypt, make sure the domain name is valid. I also tried with
Domain name: clubweltevree.nl
Alternative name: nas.clubweltevree.nl
this produced the same error.
My web server is (include version):
Synology DS NAS
The operating system my web server runs on is (include version):
DSM 6.0.2 (latest update)
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, DSM UI
Dear Jurgen,
Thanks for your reply. Indeed, the NAS is behind a firewall. When I check the port settings (https://www.yougetsignal.com/tools/open-ports/) I find both port 80 and 443 open. Is this what you meant? How could I check whether I am able to create outgoing connections?
Best,
Tijn
I just tried with an SSH tunnel, but Telnet is not enabled and “ping community.letsencrypt.org” does not work. I’m sorry for my shallow knowledge, do you have any other ideas?
Turns out that ping community.letsencrypt.org works fine. I just didn’t ping as root. Now I did, it works (to any remote address).
However, still when I try to create a new certificate at Let’s Encrypt, I get the error Failed to connect to Let's Encrypt. Please make sure the domain name is valid.
Thanks again for thinking about a possible solution with me.
How could I find out whether my DSM is corrupted? Never happened before. Plus, this problem occurred just at the expiration date of the certificate. Previous renewals were no problem.
I created outgoing rules, did not solve the problem. Also, I never (since 8 years now that I own Synology NAS’s) created these rules under “Traffic control”. I believe leaving it blank just allows everything with maximum bandwidth.
I’m getting a little bit desperate. Of course I could try to reinstall DSM, but there is a lot of data of various people on it, really don’t want to run the risk of data loss. Also, I think it’s a bit of a long shot, since as noted under 1. I was able to renew certificates via DSM with Let’s Encrypt a couple of times before. Something must have changed, but I cannot find out what’s the problem.
Do you have any other ideas to solve this puzzle?
are some users with the same problem (I don't use Synology).
One time, a restart helped:
The weirdness continues. I had tried restarting the NAS yesterday a few times without success. Now, after a restart, it worked. I can't say that I understand these things.
Another time, there is a feature named BT WebProtect:
Special settings -> problems. Standard settings -> all ok.
If your ping works as root, not as user -> that may be the key.
The error message appears to point to an outgoing connection problem. The forum seems to refer to a common problem with outgoing connections in general. My situation seems different: I can download new packages and view online help topics on the NAS.
I cannot find anything about BT WebProtect except for the forum post you linked to. Sounds like bluetooth or bittorrent, neither of which I have enabled on my NAS…
Could it be something different, and how to find out in which direction I should be looking?
I tried fiddling with the DNS as well (was pointing to 8.8.8.8, now back to default) without solving the issue.
You are right again. After my last post, I changed the port forwarding settings in my router.
How it was:
80 -> 4999 (synology custom HTTP port, since 80 is not allowed)
443 -> 4998 (custom HTTPS port, since 443 is not allowed).
This had the effect that https://nas.clubweltevree.nl was accessible, also from places where all other ports except 80 and 443 are blocked. This worked fine, but apparently not for Let’s Encrypt.
Would you have any idea how to arrange it, so I can have both? That is,
Router:
forward port 80 -> 80
forward port 4998 -> 4998
NAS:
Auto-redirect all HTTP to HTTPS
(Port 4999 for HTTP)
Port 4998 for HTTPS
So what should happen is that port 80 is accessible for HTTP web requests, which are forwarded to HTTPS port 4998, which is open. Let’s Encrypt is able to access the NAS through port 80. The only thing that does not work in this fashion is the ability to reach the NAS through port 443.
Yes, the certificate is installed now. However, my remaining question from my previous post is not solved, and this is I think the most interesting part.
Would you have any idea how to arrange it, so I can have both? That is,
1. using port 443 for HTTPS
2. not allow unencrypted HTTP access
3. allow Let’s Encrypt automatic renewal
If you want to use http-01 validation, you must allow an HTTP connection via port 80.
So this is impossible.
This is a problem of your special settings. I don't see what's the real error and why it's not possible to change that.
Everyone who uses Letsencrypt uses automation, because certificates are only valid for 90 days.
If you use the Synology-integrated solution, this solution may have some limits (not working with ports other than 5000 / 5001). But every client is free to manage such things.
So you should ask about (1), and about the problems with (3) when changing the standard ports, in the Synology forum.
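The thread above comes down to one reachability question: does a plain-HTTP request for `/.well-known/acme-challenge/<token>` on external port 80 reach the web server behind the router's port forward and return the expected key authorization? The script below is an added example (not Synology's, DSM's or Let's Encrypt's code) that performs exactly that pre-flight check with the standard library, so a renewal failure can be diagnosed before the CA is involved. It also starts a throwaway loopback server with a constructed token so it can demonstrate the pass, wrong-content and closed-port outcomes offline; the hostname, port, token and key-authorization values are assumptions.

```python
"""Pre-flight check for http-01 reachability (added example, not Synology or
Let's Encrypt code).  Emulates the validation request: a plain-HTTP GET for
/.well-known/acme-challenge/<token> on the forwarded port, compared against
the expected key authorization.  All host/port/token values are assumptions."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_http01(host, token, key_authz, port=80, timeout=5.0):
    """GET the challenge file over plain HTTP (as the CA would) and compare the
    body to the expected key authorization.  Returns (ok, reason)."""
    if not tcp_reachable(host, port, timeout):
        return False, f"tcp connect to {host}:{port} failed (check router port forward / firewall)"
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code} for {url}"
    except (urllib.error.URLError, OSError) as e:
        return False, f"request to {url} failed: {e}"
    if body != key_authz:
        return False, "challenge file served but body does not match key authorization"
    return True, "http-01 challenge reachable and correct"


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the web server behind the forwarded port."""
    challenges = {}  # token -> key authorization (constructed for the demo)

    def do_GET(self):
        if self.path.startswith(ACME_PATH):
            token = self.path[len(ACME_PATH):]
            if token in self.challenges:
                data = self.challenges[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_local_challenge_server(token, key_authz):
    """Serve one constructed challenge on an ephemeral loopback port.
    Returns (server, port)."""
    _ChallengeHandler.challenges[token] = key_authz
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the check against the loopback server with a constructed token and
    key authorization (not real ACME values).  Returns the three ok flags:
    (correct challenge, unknown token, closed port)."""
    token, key_authz = "demo-token-123", "demo-token-123.constructed-thumbprint"
    srv, port = start_local_challenge_server(token, key_authz)
    try:
        good = check_http01("127.0.0.1", token, key_authz, port=port)
        wrong = check_http01("127.0.0.1", "other-token", key_authz, port=port)
        closed = check_http01("127.0.0.1", token, key_authz, port=1, timeout=1.0)
    finally:
        srv.shutdown()
        srv.server_close()
    return good[0], wrong[0], closed[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Against a real setup you would call `check_http01("nas.example.invalid", token, key_authz)` from outside your own network with the token and key authorization your ACME client has staged, and read the `reason` string: a failed TCP connect points at the router forward or firewall (the 80 -> 4999 case in the thread), an HTTP 404 points at the NAS not serving the challenge on the port that external port 80 lands on, and a body mismatch points at a stale challenge file.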