Cannot get Let's Encrypt or Certbot to work

Hello, I recently acquired a DS918+ and am trying to get SSL certificates up and running. I just can't get it to work.

I have my port forwarding and DNS records configured correctly. I am able to access DiskStation from my custom domain sub.domain.com:1234, and I correctly encounter a web server which runs inside a Docker. So all that configuration is good. It's the SSL certification process in particular that won't work here. I have also confirmed that the ports are forwarded correctly, as I am redirected correctly from sub.domain.com:80 --> sub.domain.com:4000 and from https://sub.domain.com:443 --> sub.domain.com:4001 (I changed the ports for the Synology web interface).

Here's what I've tried:
- In the DSM: Control Panel > Security > Certificate > Add > ... > "Failed to connect to Let's Encrypt. Please make sure the domain name is valid."
- Running certbot on the host network (inside a Docker container). I get this error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
- Running certbot on its own network (inside a Docker container). "Local port 443,80 conflicts with other ports used by other services."

I looked inside the /etc/nginx.conf and I see that the DS is already listening on ports 80 and 443, for some reason. So that explains why I can't bind a Docker to those ports in the second and third attempts. This means I have to rely on the webserver and method that DSM already provides, in the first option above. But that isn't working!

I would appreciate help getting this to work. I know I can clobber the /etc/nginx.conf but I don't want a solution which will break the next time I update the machine. Thanks.
 
For LE, forward 80>80. Keep it simple.

Tell that to Synology. I did not change the port redirection. The software performs this redirection automatically. I have since tampered with the settings on the device to change anything happening on port 80 to port 81, and port 443 to port 444, clearing the way for certbot to run unimpeded. It seems to have done something, however now it complains about a timeout.
 
DS is already listening on ports 80 and 443, for some reason
That reason is called nginx, as you have noticed already, for the use of the reverse proxy options that DSM offers.

I would appreciate help getting this to work
Would it be an option to use LE cert generation using DNS validation and not doing it over 80/443? If you are using a custom domain you can do this with ease and configure a wildcard cert on top of it.


If you are using a Synology domain, then getting a cert this way might be a problem. Would also suggest having a look at /var/log/messages for more details on errors that you are getting.
 
That reason is called nginx, as you have noticed already, for the use of the reverse proxy options that DSM offers.

Would it be an option to use LE cert generation using DNS validation and not doing it over 80/443? If you are using a custom domain you can do this with ease and configure a wildcard cert on top of it.

If you are using a Synology domain, then getting a cert this way might be a problem. Would also suggest having a look at /var/log/messages for more details on errors that you are getting.

Thanks, I gave up with the former approaches and ended up using DNS validation about an hour ago. I think this is probably better anyway, as it doesn't require a webserver. Next I'll have to write a script to automate the DNS validation.

I altered all the port 80 and 443 entries in nginx.conf with 81 and 444, still I could not get containers to attach to those ports. I even turned off the nginx service entirely and was still being redirected from http to https in a browser URL bar. So I think something else is messing with these ports too.

I will have to see if I can institute server_name rewrite rules in /etc/nginx/sites-enabled/ to redirect web traffic to Dockers running on different ports... it's just a shame Synology has locked down these standard ports.
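As an added example (not code from this thread, from Synology or from certbot), here is a small Python parser that lists which TCP ports an nginx configuration binds and which server_name claims each one, so you can see what is sitting on 80 and 443 before trying to hand those ports to a container. The config text inside the block is constructed to resemble the DSM-generated layout described above; on a real DS you would feed it the nginx.conf plus whatever it includes from sites-enabled.

```python
import re
from collections import defaultdict

# Constructed sample resembling what DSM generates; not copied from any real file.
SAMPLE_NGINX_CONF = """
http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host:4001$request_uri;   # the http->https redirect seen in the browser
    }
    server {
        listen 4000 default_server;
        listen 4001 default_server ssl http2;       # DSM web interface on the moved ports
        server_name _;
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name sub.domain.com;
        location / { proxy_pass http://localhost:1234; }   # reverse proxy to a container
    }
}
"""

# Tokenise into block openers ("server {"), block closers ("}") and directives ("listen 80;").
TOKEN_RE = re.compile(r"([^{};]*\{)|(\})|([^{};]*;)")

def parse_servers(conf: str) -> list:
    """Return one dict {'listen': [...], 'server_name': [...]} per server block."""
    conf = re.sub(r"#.*", "", conf)          # strip comments first
    servers, stack, current = [], [], None
    for opener, closer, directive in TOKEN_RE.findall(conf):
        if opener:
            name = opener[:-1].strip()
            stack.append(name)
            if name == "server":
                current = {"listen": [], "server_name": []}
                servers.append(current)
        elif closer:
            if stack.pop() == "server":
                current = None
        elif current is not None:
            parts = directive[:-1].split()
            if parts and parts[0] == "listen":
                current["listen"].append(parts[1])
            elif parts and parts[0] == "server_name":
                current["server_name"].extend(parts[1:])
    return servers

def listen_port(spec: str):
    """Port from a listen address: '80', '*:80', '[::]:443', '127.0.0.1:5000'; None for unix sockets."""
    if spec.startswith("unix:"):
        return None
    _host, sep, port = spec.rpartition(":")
    return int(port if sep else spec)

def ports_in_use(conf: str) -> dict:
    """Map every bound port to the server_names that claim it."""
    out = defaultdict(list)
    for srv in parse_servers(conf):
        for spec in srv["listen"]:
            port = listen_port(spec)
            if port is None:
                continue
            for name in srv["server_name"] or ["(no server_name)"]:
                if name not in out[port]:
                    out[port].append(name)
    return dict(out)

def conflicts(conf: str, wanted=(80, 443)) -> dict:
    """Which of the ports a container wants to publish nginx already owns."""
    used = ports_in_use(conf)
    return {p: used[p] for p in wanted if p in used}

if __name__ == "__main__":
    print(conflicts(SAMPLE_NGINX_CONF))
```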
 
/etc/nginx/sites-enabled/ to redirect web traffic to Dockers running on different ports
You can, but why not use your apps on, let's say, port 443 and redirect them to your local container ports using the built-in nginx via the app portal? Or am I missing the point here?
 
You can, but why not use your apps on, let's say, port 443 and redirect them to your local container ports using the built-in nginx via the app portal? Or am I missing the point here?

I'm not sure, I haven't looked into that app yet. Is it possible to redirect traffic to different ports based on the domain name / contents of the URL bar? Ultimately that's what I need to run app1.domain.com, app2.domain.com etc. all on ports 80 and 443 as seen by the outside world.

Maybe I could have run certbot in this manner, too. Hmm.. I'll have to look into it later.
 
I have almost 20 apps running this way (all docker containers) all on https/443
Okay, good to know! I suppose I was so used to doing things via reverse proxy text file editing I didn't think to look for a GUI approach... cheers.
 