Unable to validate this domain name but port 80 is open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:conant.com

I ran this command:get a certificate from Let's Encrypt on Synology DSM 7.1.1 (latest)

It produced this output:Let's Encrypt is unable to validate this domain name...

My web server is (include version):Wordpress custom install on Synology, latest version as of Jan '23

The operating system my web server runs on is (include version):DSM 7.1.1

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know):Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):n/a

I got it working back in January. Not sure where the hangup is. Currently using eero as the router and both 80 and 443 are forwarded (TCP and UDP) to the synology's local IP.

Does DSM provide a more helpful error message perhaps?


Your IPv6 Address is not configured properly (possibly remove it).

Using the online tool Let's Debug yields these results https://letsdebug.net/conant.com/1481626

conant.com has an AAAA (IPv6) record (2600:1700:b770:515f:211:32ff:fed4:15dd) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with conant.com/2600:1700:b770:515f:211:32ff:fed4:15dd: Get "http://conant.com/.well-known/acme-challenge/letsdebug-test": dial tcp [2600:1700:b770:515f:211:32ff:fed4:15dd]:80: i/o timeout

@0ms: Making a request to http://conant.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2600:1700:b770:515f:211:32ff:fed4:15dd)
@0ms: Dialing 2600:1700:b770:515f:211:32ff:fed4:15dd
@10004ms: Experienced error: dial tcp [2600:1700:b770:515f:211:32ff:fed4:15dd]:80: i/o timeout 
An internal error occurred while checking the domain
An unknown issue occurred when performing a test authorization against the Let's Encrypt staging service: acme: challenge update timeout 
1 Like

Also it looks like the it is configured for for the domain name conant.synology.me instead of conant.com base off of the certificate presently being served.

Common Name: 	conant.synology.me
SANs: 	        DNS:conant.synology.me 
                Total number of SANs: 1

Thanks all! It started working, but not sure what I changed to make it so:

  • @Bruce5051 I had added the AAAA record last night while trying to debug. I just removed it. Also, last night I deleted the expired conant.com certificate and tried to recreate (but wasn't able to). the Synology settings defaulted my conant.synology.me certificate in place of the conant.com one when I did so. I've now switched it back.
  • I turned off "deny incoming ICMP echo requests from WAN" on my router, not sure if that was a factor

So, all is good for now! Again, not sure why it stopped working, or what I did to fix it, but thanks for the debugging help!


I suspect the AAAA was part of the problem.
And removing the expired cert triggered it into renewing it - and this time it was able to do so.

ICMP has nothing to do with certs - LOL


Sure, ICMP has nothing to do with certs, but it was the only other thing I changed.. Registration/rereg had failed before I even added the AAAA record

Then this may have been the key to the solution:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.