Unable to renew or get new cert on Synology: timeout error

My domain is: lietaert.ga;feeds.lietaert.ga;films.lietaert.ga;…

I ran this command: renew cert synology

It produced this output: dsm synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[1927]: certificate.cpp:1464 Failed to renew Let’sEncrypt certificate. [200][Fetching http://feeds.lietaert.ga/.well-known/acme-challenge/NOihvEoWGYg5lB1Z1eYJxRegGQtaRJFwEm_-4Lv-mzM: Timeout during connect (likely firewall problem)]

My web server is (include version): Synology DSM 6.2.3-25426 using nginx reverse proxy to publish docker containers to the web. Containers run internally on random ports, reverse proxy sends 443 to the internal port. Not all these internal ports are https.
I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Synology DSM interface

Port 80 and 443 are forwarded to 80 and 443 on the NAS IP.
Router is in DMZ from ISP router.
Output from https://check-your-website.server-daten.de/?q=feeds.lietaert.ga seems OK. 404 on acme challenge.

I used to be able to renew certs without a problem; I have searched all the forums but found no solution…
I’m not able to renew, nor to get new certificates.
I have a certificate for each subdomain, the main cert for the lietaert.ga domain also has one alternative name.

Anybody an idea how to solve this?

Thanks!


Hi @jullyjolls

that check is ok. There

Visible Content: © 2020 Synology Inc.

is the required Synology answer, so your DSM sees that request.

Is there an additional regional blocking / firewall?

Freenom name servers are sometimes bad, that’s

X Fatal error: Nameserver doesn’t support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns01.freenom.com

not good. But that’s not your error message.

PS: Yep, that - https://www.uptrends.com/tools/uptime

looks like a regional blocking. Los Angeles, San Diego and Seattle are blocked.


Hi, thanks for the quick reply! So if I understand correctly the DNS servers of Freenom are offline in the region that Let’s Encrypt uses to look up the IP address?
So this is completely out of my hands to be solved?

I was starting to pull my hair out… Luckily I’m not going mad and I know what I’m doing.

I’ll try again tomorrow, start with a check on the tool you provided.


Or does region blocked mean that Let’s Encrypt is no longer accepting requests from domains using the Freenom name servers in these regions?

That’s not a problem of the (not good) Freenom name servers.

These red servers can’t connect to your domain feeds.lietaert.ga.

“Check your website” is from Berlin, which can connect to your domain.

Same for Amsterdam, Prague …

But your website blocks some countries. That’s your block, you have to find and remove it.


Of course! I just installed a new UDM-Pro from Ubiquiti and I forgot all about the geoblocking that is added by the IPS. I’ll remove the blocks tomorrow to see what country is needed. I assume it is the USA.
I’ll report back with my results.

Thanks for providing the insight that made it all fall into place.

Unblocked the USA; renewing a cert and requesting a new one works again. Thanks for the support!
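The thread's diagnosis hinges on telling a "timeout during connect" (nothing answers on port 80, the pattern a firewall or IPS geoblock produces) apart from a 404 (the web server answers, the token simply is not being served right now). The following Python script is an added example, not part of the thread or of Synology's software: it extracts the challenge URL and reason from a DSM log line in the format quoted in the first post, probes that URL once, and maps the outcome to the check a defender would do next. The hostname `feeds.example.test`, the token `TOKEN_PLACEHOLDER` and the `simulated_opener` stand-in for `urllib.request.urlopen` are constructed so the classifier can be exercised offline; with the default opener the probe makes a real request from wherever the script runs, which is only one vantage point, so a successful fetch from your own network does not rule out blocking elsewhere.

```python
"""Diagnose why an HTTP-01 ACME challenge fetch failed (added example, not DSM code)."""
import re
import socket
import urllib.error
import urllib.request

# Constructed sample modelled on the DSM log line quoted in the post;
# hostname and token are placeholders, not values from the thread.
SAMPLE_LOG = (
    "dsm synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[1927]: certificate.cpp:1464 "
    "Failed to renew Let'sEncrypt certificate. [200][Fetching "
    "http://feeds.example.test/.well-known/acme-challenge/TOKEN_PLACEHOLDER: "
    "Timeout during connect (likely firewall problem)]"
)

# Matches "Fetching <challenge url>: <reason>" inside the bracketed DSM message.
CHALLENGE_RE = re.compile(
    r"Fetching (?P<url>https?://\S+?/\.well-known/acme-challenge/[A-Za-z0-9_-]+):"
    r"\s*(?P<reason>[^\]]*)"
)

# What each coarse outcome means for the operator (grounded in the thread's resolution:
# the timeout was an IPS geoblock, fixed by unblocking the USA).
ADVICE = {
    "timeout": "No TCP connection to port 80: check port forwarding and any firewall/IPS "
               "geoblocking. Let's Encrypt validates from several vantage points, "
               "including the USA.",
    "refused": "Port 80 reaches a host but nothing listens: check the forward target "
               "and the reverse proxy listener.",
    "dns": "The hostname did not resolve: check the records at the authoritative name servers.",
    "reachable": "The web server answered; a 404 here is expected unless a validation is "
                 "in progress, so the path itself is not the problem.",
    "error": "Unclassified fetch error; inspect the exception.",
}


def parse_dsm_failure(line):
    """Return (challenge_url, reason) from a DSM LetsEncrypt renew log line, or None."""
    m = CHALLENGE_RE.search(line)
    if m is None:
        return None
    return m.group("url"), m.group("reason").strip()


def classify_error(exc):
    """Map a URLError (or raw socket error) from urlopen to a coarse diagnosis."""
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(reason, socket.gaierror):
        return "dns"
    if isinstance(reason, ConnectionRefusedError):
        return "refused"
    return "error"


def probe_challenge_url(url, timeout=10.0, opener=urllib.request.urlopen):
    """Fetch the challenge URL once; return (status, http_code_or_None).

    status is "reachable" when the server answered with any HTTP code,
    otherwise "timeout", "refused", "dns" or "error".
    """
    try:
        with opener(url, timeout=timeout) as resp:
            return "reachable", resp.status
    except urllib.error.HTTPError as e:      # must precede URLError (it is a subclass)
        return "reachable", e.code
    except urllib.error.URLError as e:
        return classify_error(e), None
    except (socket.timeout, TimeoutError):   # read timeouts surface without a URLError wrapper
        return "timeout", None


def diagnose(url, timeout=10.0, opener=urllib.request.urlopen):
    """Probe and return (status, code, advice) for the operator."""
    status, code = probe_challenge_url(url, timeout=timeout, opener=opener)
    return status, code, ADVICE[status]


class _FakeResponse:
    """Minimal context-manager stand-in for an HTTP response (constructed)."""
    def __init__(self, status):
        self.status = status
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def simulated_opener(outcome):
    """Constructed replacement for urlopen that reproduces one outcome offline."""
    def opener(url, timeout):
        if outcome == "timeout":
            raise urllib.error.URLError(socket.timeout("timed out"))
        if outcome == "refused":
            raise urllib.error.URLError(ConnectionRefusedError(111, "Connection refused"))
        if outcome == "dns":
            raise urllib.error.URLError(socket.gaierror(-2, "Name or service not known"))
        if outcome == 404:
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        return _FakeResponse(200)
    return opener


if __name__ == "__main__":
    url, reason = parse_dsm_failure(SAMPLE_LOG)
    print("DSM reported:", reason)
    for outcome in ("timeout", 404, "refused", "dns", 200):
        print(outcome, "->", diagnose(url, opener=simulated_opener(outcome)))
```

Run it against a real log line by replacing `SAMPLE_LOG` with the line from `/var/log/messages` (the URL in the first post) and dropping `simulated_opener`; a "timeout" result from outside your own network, combined with a "reachable" result from inside it, is the signature of an edge filter such as the IPS geoblock found in this thread.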

