Unable to renew certificate on Synology DSM

Hi all, hope you can help. I used Let’s Encrypt on my Synology NAS for a while now. I always used standard ports (5000 and 5001 for HTTP and HTTPS respectively), but recently changed this to HTTPS-only on port 443 for security + convenience since a lot of corporate firewalls block the standard ports. This works fine, I am very happy with this.
DNS is (afaik) correctly configured. Port 80 and 443 are open and accessible.

My domain is:
nas.clubweltevree.nl

I ran this command:
DSM Control Panel > Security > Certificate. Add/replace certificate > Let’s Encrypt.
Domain name: nas.clubweltevree.nl
Alternative name: none

It produced this output: Failed to connect to Let’s Encrypt, make sure the domain name is valid. I also tried with
Domain name: clubweltevree.nl
Alternative name: nas.clubweltevree.nl
this produced the same error.

My web server is (include version):
Synology DS NAS

The operating system my web server runs on is (include version):
DSM 6.0.2 (latest update)

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, DSM UI

I hope someone can help me to solve this problem!

Hi @tijn2

is there a firewall? Looks like you have closed outgoing connections.

So your DSM can't connect to Letsencrypt.

PS: Check if you can create other outgoing connections (to google etc.).

Dear Jurgen,
Thanks for your reply. Indeed the NAS is behind a firewall. When I check the port settings (https://www.yougetsignal.com/tools/open-ports/) I find both port 80 and 443 open. Is this what you meant? How could I check whether I am able to create outgoing connections?
Best,
Tijn

These are ingoing connections.

Is there a console or a browser / telnet?

telnet community.letsencrypt.org 80

should answer.

I just tried with an SSH tunnel, but Telnet is not enabled and “ping community.letsencrypt.org” does not work. I’m sorry for my shallow knowledge, do you have any other ideas?

If Ping doesn’t work, try

Ping 127.0.0.1

If that works, then this is exactly the problem: outbound connections
are blocked. Looks like a firewall rule.

Turns out that ping community.letsencrypt.org works fine. I just didn’t ping as root. Now I did, it works (to any remote address).

However, still when I try to create a new certificate at Let’s Encrypt, I get the error Failed to connect to Let's Encrypt. Please make sure the domain name is valid.

Is your DSM installation corrupted?

Is it possible to repair that?

There is a big PDF. There is a configuration page "Traffic control":

Traffic control aims to control the outgoing traffic of services running on Synology NAS.

There you have to create outgoing rules.

Hi Jürgen,

Thanks again for thinking about a possible solution with me.

  1. How could I find out whether my DSM is corrupted? Never happened before. Plus, this problem occurred just at the expiration date of the certificate. Previous renewals were no problem.
  2. I created outgoing rules, did not solve the problem. Also, I never (since 8 years now that I own Synology NAS’s) created these rules under “Traffic control”. I believe leaving it blank just allows everything with maximum bandwidth.

I’m getting a little bit desperate. Of course I could try to reinstall DSM, but there is a lot of data of various people on it, really don’t want to run the risk of data loss. Also, I think it’s a bit of a long shot, since as noted under 1. I was able to renew certificates via DSM with Let’s Encrypt a couple of times before. Something must have changed, but I cannot find out what’s the problem.
Do you have any other ideas to solve this puzzle?

Best, Tijn

To be sure, I just manually updated DSM to the latest version (6.2.1-23824). The OS should be non-corrupt for sure. However, the problem persists.

There (https://forum.synology.com/enu/viewtopic.php?t=131518) are some users with the same problem (I don't use Synology).

One time, a restart helped:

The weirdness continues. I had tried restarting the NAS yesterday a few times without success. Now, after a restart, it worked. I can't say that I understand these things.

Another time, there is a feature named

BT WebProtect

Special settings -> problems. Standard settings -> all ok.

If your ping works as root, not as user -> that may be the key.

Rebooting the NAS and router did not work.

The error message appears to point to an outgoing connection problem. The forum seems to refer to a common problem, with outgoing connections in general. The situation seems different: I can download new packages and view online help topics on the NAS.
I cannot find anything about BT WebProtect except for the forum post you linked to. Sounds like bluetooth or bittorrent, neither of which I have enabled on my NAS…

Could it be something different, and how to find out in which direction I should be looking?

I tried fiddling with the DNS as well (was pointing to 8.8.8.8, now back to default) without solving the issue.

Another part of information: I accessed the log, and this message is displayed at the moment I try to create a certificate.

synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[20318]: certificate.cpp:1392 Failed to create Let'sEncrypt certificate. [102][Invalid response from http://nas.clubweltevree.nl/.well-known/acme-challenge/3dN218mLzczhsBWCX6FRmXQ11k9bJ9RjOiAMJg2qlN4: "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig"]

To be sure that there was not an old certificate in the way, I removed the folder /usr/syno/etc/letsencrypt/ as well. No difference again.

This is a completely different situation.

Fetching your root there is a redirect port 4999.

D:\temp>download http://nas.clubweltevree.nl/ -h
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 154
Content-Type: text/html
Date: Sat, 06 Oct 2018 14:23:58 GMT
Location: http://nas.clubweltevree.nl:4999/

Status: 302 Redirect

171,99 milliseconds
0,17 seconds

But fetching the validation file under /.well-known/acme-challenge/ there is no redirect:

D:\temp>download http://nas.clubweltevree.nl/.well-known/acme-challenge/3dN218mLzczhsBWCX6FRmXQ11k9bJ9RjOiAMJg2qlN4 -h
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (404) Nicht gefunden.
ProtocolError
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Content-Length: 11939
Content-Type: text/html
Date: Sat, 06 Oct 2018 14:24:05 GMT
ETag: "5b9242a8-2ea3"

Status: 404 NotFound
404

221,01 milliseconds
0,22 seconds

So there are two different webservers, one on port 80, one on port 4449.

So perhaps your ACME-Client saves the validation file under the webroot running port 4449, but your port 80 instance doesn't know that.

So try to remove / deactivate the exclusion "no redirect /.well-known/acme-challenge/" port 80, so that

http://nas.clubweltevree.nl/.well-known/acme-challenge/3dN218mLzczhsBWCX6FRmXQ11k9bJ9RjOiAMJg2qlN4

is redirected to

http://nas.clubweltevree.nl:4449/.well-known/acme-challenge/3dN218mLzczhsBWCX6FRmXQ11k9bJ9RjOiAMJg2qlN4

Conclusion: Check your port 80 configuration.


Dear Jürgen,

You are right again. After my last post, I changed the port forwarding settings in my router.
How it was:
80 -> 4999 (synology custom HTTP port, since 80 is not allowed)
443 -> 4998 (custom HTTPS port, since 443 is not allowed).

This had the effect that https://nas.clubweltevree.nl was accessible, also from places where all other ports except 80 and 443 are blocked. This worked fine, but apparently not for Let’s Encrypt.

Would you have any idea how to arrange it, so I can have both? That is,

  1. using port 443 for HTTPS
  2. not allow unencrypted HTTP access
  3. allow Let’s Encrypt automatic renewal

Best,
Tijn

You must allow http / port 80 if you want to use http-01 - validation. So the first try of Letsencrypt is to load something like

http://nas.clubweltevree.nl/.well-known/acme-challenge/1234

via port 80.

Then you can redirect that to https or to another port. But it looks that / is redirected, but /.well-known/acme-challenge/ not.

Perhaps your router settings are wrong. There are curious redirects:

Non-existent file /1234 - redirect to /

D:\temp>download http://nas.clubweltevree.nl/1234 -h
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 154
Content-Type: text/html
Date: Sun, 07 Oct 2018 12:02:56 GMT
Location: http://nas.clubweltevree.nl/

Status: 302 Redirect

159,98 milliseconds
0,16 seconds

Non-existent file /1234.html - redirect to /

D:\temp>download http://nas.clubweltevree.nl/1234.html -h
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 154
Content-Type: text/html
Date: Sun, 07 Oct 2018 12:03:10 GMT
Location: http://nas.clubweltevree.nl/

Status: 302 Redirect

179,24 milliseconds
0,18 seconds

But non-existent file /.well-known/acme-challenge/1234 - http - status 404, no redirect.

D:\temp>download http://nas.clubweltevree.nl/.well-known/acme-challenge/1234 -h
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (404) Nicht gefunden.
ProtocolError
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Content-Length: 11939
Content-Type: text/html
Date: Sun, 07 Oct 2018 12:04:49 GMT
ETag: "5b9242a8-2ea3"

Status: 404 NotFound
404

201,16 milliseconds
0,20 seconds
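As an added illustration (not code from this thread, from Synology or from Let's Encrypt), here is a Python walk through the fetch chain an HTTP-01 validator performs, driven by constructed responses that mirror the ones captured above; the hosts fixed.example and badport.example, and the token-prefix check standing in for the full key-authorization comparison, are assumptions. One caveat worth knowing when designing the redirect: Let's Encrypt follows redirects only to http or https on ports 80 or 443, so a redirect to a custom DSM port is rejected.

```python
from urllib.parse import urljoin, urlparse

# Constructed fixtures standing in for the servers a validator would contact:
# url -> (status, headers, body). The first two mirror the responses captured
# in this thread; the others are hypothetical fixed and broken configurations.
TOKEN = "3dN218mLzczhsBWCX6FRmXQ11k9bJ9RjOiAMJg2qlN4"
CHALLENGE = f"/.well-known/acme-challenge/{TOKEN}"
HOST = "nas.clubweltevree.nl"
RESPONSES = {
    # Observed: "/" redirects to the custom DSM port, the challenge path is a 404.
    f"http://{HOST}/": (302, {"Location": f"http://{HOST}:4999/"}, ""),
    f"http://{HOST}{CHALLENGE}": (404, {}, "<!DOCTYPE html>..."),
    # Hypothetical fix: port 80 redirects the challenge to HTTPS on 443, which serves it.
    f"http://fixed.example{CHALLENGE}": (302, {"Location": f"https://fixed.example{CHALLENGE}"}, ""),
    f"https://fixed.example{CHALLENGE}": (200, {}, f"{TOKEN}.account-thumbprint"),
    # Hypothetical: the challenge is served, but only behind a redirect to a custom port.
    f"http://badport.example{CHALLENGE}": (302, {"Location": f"http://badport.example:4449{CHALLENGE}"}, ""),
    f"http://badport.example:4449{CHALLENGE}": (200, {}, f"{TOKEN}.account-thumbprint"),
}


def fetch(url):
    """Offline stand-in for an HTTP GET against the constructed fixtures."""
    return RESPONSES.get(url, (404, {}, "not found"))


def http01_outcome(host, token, max_redirects=10):
    """Start on plain http:// port 80, follow at most max_redirects redirects,
    accept only http/https targets on ports 80/443, and require the final
    200 body to start with the token (the real check compares the whole
    key authorization, token '.' account-key thumbprint)."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            target = urljoin(url, headers.get("Location", ""))
            p = urlparse(target)
            port = p.port or (443 if p.scheme == "https" else 80)
            if p.scheme not in ("http", "https") or port not in (80, 443):
                return f"fail: redirect to {target} (only ports 80/443 are followed)"
            url = target
            continue
        if status != 200:
            return f"fail: HTTP {status} from {url}"
        if body.strip().startswith(token + "."):
            return "pass"
        return f"fail: body at {url} does not start with the token"
    return "fail: too many redirects"
```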

The settings I use now are:

Router:
forward port 80 -> 80
forward port 4998 -> 4998

NAS:
Auto-redirect all HTTP to HTTPS
(Port 4999 for HTTP)
Port 4998 for HTTPS

So what should happen, is port 80 being accessible for HTTP webrequests, these are forwarded to HTTPS port 4998 which is opened. Let’s Encrypt is able to access the NAS through port 80. The only thing that does not work in this fashion, is the ability to reach the NAS through port 443.

Do you think this combination is possible?

You have created two certificates yesterday.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:nas.clubweltevree.nl&lu=cert_search

So this part is done.

Yes, the certificate is installed now. However, my remaining question from my previous post is not solved, and this is I think the most interesting part.

Would you have any idea how to arrange it, so I can have both? That is,
1. using port 443 for HTTPS
2. not allow unencrypted HTTP access
3. allow Let’s Encrypt automatic renewal

If you want to use http-01 - validation, you must allow a http connection via port 80.

So this is impossible.

This is a problem of your special settings. I don't see what's the real error and why it's not possible to change that.

Everyone who uses Letsencrypt uses automation, because certificates are only 90 days valid.

If you use the Synology-integrated solution, this solution may have some limits (not working with other ports than 5000 / 5001). But every client is free to manage such things.

So you should ask about (1) and the problems with (3) when changing the standard ports in the Synology forum.