Updating/Creating Certificate for Synology Disk Station

My domain is: …

I ran this command: I’m using the built-in function of the Synology Disk Station Manager (DSM 6.0.2). In the Task Planner, I tried to execute this command: /usr/syno/sbin/syno-letsencrypt renew-all.

It produced this output: None when I’m using the above script. I then deleted the expired certificate and tried to create a new one. This doesn’t work either. I’m told that Let’s Encrypt didn’t succeed in validating my domain - I should check that port 80 is open in my router / Disk Station, which it is. But Synology has set 5000 (HTTP) and 5001 (HTTPS) as standard. But that wasn’t a problem before.

My web server is (include version): I don’t know

The operating system my web server runs on is (include version): I don’t know

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

My Synology Disk Station is behind a FritzBox Router and connected to the Internet via DynDNS (see URL above). I have successfully used certificates before from StartSSL and since Oct. 2016 from Let’s Encrypt. I didn’t change anything. Only when I was notified by e-mail that my certificate would run out, I tried to renew it and ran into the issues as described.

Any help would be appreciated.

Hi @umbrella,

It is really not possible to connect to http://ids.rueckauer.de/ at all—the connection simply times out. This seems to show a likely problem with a router or firewall. You might want to check with your ISP and/or FritzBox, and also double-check that your DynDNS IP address is getting updated correctly.

Thanks for your reply.
Sorry, when you were checking, I had just closed port 5000 in my FritzBox.
If you go to https://ids.rueckauer.de you should be getting somewhere. So this rules out the DDNS being the source of the problem, right?
I opened port 5000 again now. Do I need to activate http-https forwarding to make it work?
So if you type http://ids.rueckauer.de:5000 (being the default HTTP port defined by Synology), you should get a result.

Neither of these worked for me at all, and both timed out. Is it possible that you get a different behavior from your own home network vs. elsewhere on the Internet? Can you try it from somewhere else?

I can try from my smartphone using GSM.
Do I need to activate forwarding from http to https?

Great, let us know what happens.

Probably not, unless the NAS is only willing to speak HTTPS or something.

When I disable http-https forwarding, I get a blank page but no error message, coming from http://ids.rueckauer.de.
When I enable http-https forwarding, it does exactly that. I get to https://ids.rueckauer.de with a custom https port.

I’m not really sure why I see different results, but it continues to time out for me and I can’t connect to either HTTP or HTTPS, which I assume is the same experience that the CA is having when trying to validate.

Also, I can ping your IP address with low packet loss, which suggests a firewall problem rather than a lack of network connectivity.

So it shouldn’t be a problem that I’m using a custom HTTPS port? The standard Synology HTTPS port is 5001, being different from the standard 443, anyway. I understand Let’s Encrypt to be checking for the domain via port 80, whereas it really is port 5000, right?

As to the firewall: In my FritzBox I have opened ports 80, 5000, 5001 and others routing to my Synology Diskstation via IP/TCP. It used to work all the way and still does for me.
It’s really weird.

Perhaps I should add: my DDNS provider is selfhost.de (iru.selfhost.eu). iru.rueckauer.de is being redirected via CNAME. Does this make any difference?

Let's Encrypt isn't willing to check initially on a custom port, but is willing to follow an HTTP redirect, so if http://ids.rueckauer.de/ generates a 301 redirect to https://ids.rueckauer.de:5000/, Let's Encrypt is willing to follow that redirect, including the port.

Nope, we've got the correct IP address (currently 79.216.202.150).

Have you been able to connect to my domain adding port :5000?
It puzzles me if you shouldn’t.

Still, as I understand it, it should work without port :5000 added, expecting custom port 80 (or no port) to redirect to Port 5000. I don’t know where I can fix this.

No, it times out for me on all ports, including port 5000. I'm sure this timeout is the reason that you can't get your certificate. I would suggest checking the FritzBox configuration and then asking your ISP if there's any reason that you couldn't receive incoming connections, for example from other countries.

Could you please give it another try? I have just been playing around with another internal firewall within the Synology Diskstation which I have now turned off again. But this shouldn’t be the problem, since it was never turned on during the whole process of renewing the certificate, or before.

I checked the FritzBox config over and over and can’t seem to find a problem.

But it puzzles me that you can’t access my domain when I can (from my smartphone). I don’t have any restrictions active that I know of.

If in the FritzBox I uncheck the option “access to the FritzBox via Https from the internet” (translated), does this mean I can no longer access the Fritz OS itself or also any other devices behind the FritzBox?

After that change, I am now able to access your site on port 5000 (using HTTP, which forwards to https://ids.rueckauer.de:43210/) and 443 (using HTTPS). Both https://ids.rueckauer.de/ and https://ids.rueckauer.de:43210/ show an expired certificate. I can't connect on ports 80 or 5001.

Depending on how the NAS proves control over your domain name, it will need to accept incoming connections on either port 80 (which is still not working yet) or port 443 (which would be working now). I don't know which method it uses. Accepting connections on 5000 or 43210 is not sufficient by itself unless there is also an HTTP 301 redirect sent via an accessible HTTP listener on port 80.

It might have been an additional problem, but the underlying problem could still be whatever is preventing connections on port 80, if the IDS is trying to use the HTTP-01 validation method (which requires accepting a connection on port 80).
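The checks in the two replies above (does port 80 answer from outside, and where does its redirect chain end up) can be reproduced from any machine outside the home network. The following script is an added example, not part of the thread or of Synology's software: `probe_http01` walks the path an HTTP-01 validator would take and reports each hop, and `start_redirect_server`/`demo` are a constructed local stand-in for a NAS answering with a 301 to a custom HTTPS port, so the example runs offline; the challenge token and `nas.example` are placeholders.

```python
import http.client
import http.server
import threading
from urllib.parse import urlsplit

# Placeholder challenge path; a real validator requests a per-order token.
CHALLENGE_PATH = "/.well-known/acme-challenge/EXAMPLE-TOKEN"

def probe_http01(host, port=80, path=CHALLENGE_PATH, timeout=5, max_hops=5):
    """Walk the path an HTTP-01 validator takes; return (host, port, outcome) hops."""
    hops = []
    for _ in range(max_hops):
        try:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location") or ""
            conn.close()
        except OSError as exc:  # timeout, refused, unreachable: what the CA sees
            hops.append((host, port, "error: " + type(exc).__name__))
            return hops
        hops.append((host, port, status))
        if status not in (301, 302, 307, 308):
            return hops
        loc = urlsplit(location)
        if loc.scheme == "https":  # TLS hop: record it rather than follow it
            hops.append((loc.hostname, loc.port or 443, "https"))
            return hops
        host, port, path = loc.hostname or host, loc.port or 80, loc.path or "/"
    return hops

def start_redirect_server(location):
    """Constructed stand-in for a NAS that answers every HTTP request with a 301."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301)
            self.send_header("Location", location)
            self.end_headers()
        def log_message(self, *args): pass  # keep the demo quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo(location="https://nas.example:43210/"):
    """Offline run: the stand-in server plays the NAS redirecting to a custom HTTPS port."""
    srv, port = start_redirect_server(location)
    try:
        return probe_http01("127.0.0.1", port=port)
    finally:
        srv.shutdown()
```

Against a real host, call `probe_http01("ids.example", 80)` from outside the LAN: an `error:` hop on port 80 points at the router or firewall, while a chain ending on a non-standard port shows where the redirect sends the validator.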

Ok, we’re getting somewhere.
I just don’t know how to make the IDS accept port 80. The only place I know I can change the custom HTTP/HTTPS ports in the Disk Station Manager, I can’t set them to 80 or 443 respectively. I then get the message that these ports are reserved for the “system”.

In the FritzOS I could set the IDS as an “Exposed host” at least to create the Certificate, but am reluctant to do that.