Unable to renew or create certificate via Synology NAS

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jnrfalcon.studio

I ran this command: syno-letsencrypt new-cert -d jnrfalcon.studio -m myemail@gmail.com -v

It produced this output:

DEBUG: Dns01 challenge: Teardown [{ā€œcodeā€:ā€œbadparamā€,ā€œerrinfoā€:ā€œdelete.go:27ā€}].
DEBUG: DNS challenge failed, reason: {ā€œerrorā€:102,ā€œfileā€:ā€œclient.cppā€,ā€œmsgā€:ā€œno valid domain nameā€}

DEBUG: Normal challenge failed, reason: {ā€œerrorā€:107,ā€œfileā€:ā€œclient.cppā€,ā€œmsgā€:ā€œjnrfalcon.studio: Fetching https://jnrfalcon.studio/.well-known/acme-challenge/{hiden}: Timeout during connect (likely firewall problem)ā€}

DEBUG: failed to open port 80.
DEBUG: close port 80.
{ā€œerrorā€:101,ā€œfileā€:ā€œclient.cppā€,ā€œmsgā€:ā€œfailed to open port 80.ā€}

I own this domain and just rechecked that it is still current. Port 80 and 443 are both open and directed to the NAS. So no reason that the domain is not valid or the the port is not open. I also run the same for synology subdomain, works fine. So my guess is thereā€™s some problem with Letā€™s Encryptā€™s service that is discriminating *.studio. (Note: youā€™ll find the current cert is my synology subdomain because it automatically defaulted back to it when I deleted the unrenewable entry)

Please fix.

2

Hi @jnrfalcon

there is a check of your domain, there is a critical problem visible - https://check-your-website.server-daten.de/?q=jnrfalcon.studio

There are ipv4- and ipv6-addresses:

Host T IP-Address is auth. āˆ‘ Queries āˆ‘ Timeout
jnrfalcon.studio A 97.94.23.124 yes 1 0
AAAA 2600:6c54:7c00:2d2a:1691:82ff:fe6e:747e yes
www.jnrfalcon.studio Name Error yes 1 0

But ipv6 doesn't answer, not port 80, not port 443:

Domainname Http-Status redirect Sec. G
ā€¢ http://jnrfalcon.studio/
97.94.23.124 301 https://jnrfalcon.studio/ 1.056 A
ā€¢ http://jnrfalcon.studio/
2600:6c54:7c00:2d2a:1691:82ff:fe6e:747e -14 10.030 T
Timeout - The operation has timed out
ā€¢ https://jnrfalcon.studio/
97.94.23.124 302 https://jnrfalcon.studio/en/ 5.060 N
Certificate error: RemoteCertificateNameMismatch
ā€¢ https://jnrfalcon.studio/
2600:6c54:7c00:2d2a:1691:82ff:fe6e:747e -14 10.026 T
Timeout - The operation has timed out
ā€¢ https://jnrfalcon.studio/en/ -14 10.026 T
Timeout - The operation has timed out
ā€¢ http://jnrfalcon.studio/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
97.94.23.124 301 https://jnrfalcon.studio/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.814 A
Visible Content: 301 Moved Permanently nginx
ā€¢ http://jnrfalcon.studio/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2600:6c54:7c00:2d2a:1691:82ff:fe6e:747e -14 10.026 T
Timeout - The operation has timed out
Visible Content:
ā€¢ https://jnrfalcon.studio/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.026 T
Timeout - The operation has timed out
Visible Content:

That's a critical error because Letsencrypt prefers ipv6.

So

  • remove your ipv6 address, create a certificate, then fix your ipv6 (or)
  • fix your ipv6 directly.

You can use the online tool to check your ipv6 direct - https://check-your-website.server-daten.de/?q=2600%3A6c54%3A7c00%3A2d2a%3A1691%3A82ff%3Afe6e%3A747e

PS: That's

wrong. studio is a top level domain, so you can create a certificate.

3

Fixed by deleting AAAA record. Thanks!

1 Like
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.