Unable to renew my certificates

I know I had this issue (unable to validate) retrieving the original certificates. After days of searching and trying I finally made it work, but didn't know how. Now, my certificates are about to expire and I have the same issue when I try to renew them. I have tried almost everything, which resulted in a new error "Maximal certificate requests reached for this domain name" for one of the two domains I'm trying to renew (te one stated below). The two domains are exactly the same, except that the other is .be instead of .com.

Tried disabling all firewalls, didn't work. Tried different methods of port forwarding, didn't work. Tried changing security settings on my NAS, didn't work. Tried disabling HSTS in my web service portal, didn't work.

Checked on Open Port Check Tool - Test Port Forwarding on Your Router if port 80 is open for the domain name and IP address. That seems okay.
Also checked letsdebug.net using http-01 ass well as dns-01 and tls-alpn-01. All gave a positive result with 0 fatal errors, 0 errors and 0 warnings.

My certificates expire in a couple of hours and I have no idea what to do to fix this.

My domain is: daviddk.com

I ran this command:
Renew certificate

It produced this output:
"Let's Encrypt is unable to validate this domain name. Please make sure your Synology NAS and router have port 80 open to Let's Encrypt domain validation from the internet. All the other communications with Let's Encrypt go over HTTPS to keep your Synology NAS secure."

My web server is (include version):
Nginx / Apache HTTP Server 2.4

The operating system my web server runs on is (include version):
Synology DSM 7.0.1-42218 Update 2

My hosting provider, if applicable, is

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Synology Web Station 3.0.0-0308

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

There seems to be a problem with the IPv6 address:

Name:      synasappel.myds.me
Addresses: 2a02:1810:a59d:fc00:211:32ff:fefa:e589
Aliases:   nas.daviddk.com

IPv4 works:

curl -Ii4 nas.daviddk.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 20 Jan 2022 10:29:10 GMT
Content-Type: text/html
Content-Length: 1991
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Fri, 01 Oct 2021 17:37:10 GMT
ETag: "7c7-5cd4e03540c2b"
Accept-Ranges: bytes

IPv6 fails:

curl -Ii6 nas.daviddk.com
curl: (56) Recv failure: Connection reset by peer

Thanks for your fast reply.

synasappel.myds.me is the DDNS hostname of my NAS. All of my subdomains (like for example nas.daviddk.com) point towards that DDNS name using CNAME-records.

I did try this hostname as well on letsdebug.net and it indeed gave me an error concerning the AAAA record which points towards the IPv6 address (see screenshot below). I checked the IPv6 address on my NAS and that matched the one in the error (and in your output). I tried checking port 80 using this hostname on yougetsignal.com as well and that gave me a positive result. So the port is available.

I have a different certificate for that hostname (I think Synology did that for me, it's the default certificate for my NAS). So when I saw this error, I tried renewing that certificate as well, and that worked without any issues. That's why I thought this wasn't the cause of my issue with the other (purchased) domains.

The error on letsdebug.net suggests to remove the AAAA record, but I have no ability to change the DNS settings for that hostname, so that's not an option. Is there a way for me to force the use of IPv4 for validation?

Disabling IPv6 on my NAS did the trick. My certificates are renewed and letsdebug.net returns a positive result.

Good to know, but maybe not the most desirable solution. Is there an explanation to why IPv6 caused this issue and could there be another method to solving this iso completely banning IPv6 from the server?

1 Like

Impossible to say from where I'm sitting.

Perhaps; How do the synasappel.myds.me get set?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.