Cannot get Let's Encrypt or Certbot to work


Hello, I recently acquired a DS918+ and am trying to get SSL certificates up and running. I just can't get it to work.

I have my port forwarding and DNS records configured correctly. I am able to access DiskStation from my custom domain sub.domain.com:1234, and I correctly encounter a web server which runs inside a Docker. So all that configuration is good. It's the SSL certification process in particular that won't work here. I have also confirmed that the ports are forwarded correctly, as I am redirected correctly: sub.domain.com:80 --> sub.domain.com:4000 and https://sub.domain.com:443 --> sub.domain.com:4001. (I changed the ports for the Synology web interface.)

Here's what I've tried:
- In the DSM: Control Panel > Security > Certificate > Add > ... > "Failed to connect to Let's Encrypt. Please make sure the domain name is valid."
- Running certbot on the host network (inside a Docker container). I get this error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
- Running certbot on its own network (inside a Docker container). "Local port 443,80 conflicts with other ports used by other services."

I looked inside the /etc/nginx.conf and I see that the DS is already listening on ports 80 and 443, for some reason. So that explains why I can't bind a Docker to those ports in the second and third attempts. This means I have to rely on the webserver and method that DSM already provides, in the first option above. But that isn't working!

I would appreciate help getting this to work. I know I can clobber the /etc/nginx.conf but I don't want a solution which will break the next time I update the machine. Thanks.
 
For LE, forward 80>80. Keep it simple.

Tell that to Synology. I did not change the port redirection. The software performs this redirection automatically. I have since tampered with the settings on the device to change anything happening on port 80 to port 81, and port 443 to port 444, clearing the way for certbot to run unimpeded. It seems to have done something; however, now it complains about a timeout.
 

Rusty

Moderator
NAS Support
DS is already listening on ports 80 and 443, for some reason
That reason is called nginx, as you have noticed already, for the reverse proxy options that DSM offers.

I would appreciate help getting this to work
Would it be an option to use LE cert generation with DNS validation and not do it over 80/443? If you are using a custom domain you can do this with ease and configure a wildcard cert on top of it.


If you are using a Synology domain, then getting a cert this way might be a problem. Would also suggest having a look at /var/log/messages for more details on errors that you are getting.
 
That reason is called nginx, as you have noticed already, for the reverse proxy options that DSM offers.


Would it be an option to use LE cert generation with DNS validation and not do it over 80/443? If you are using a custom domain you can do this with ease and configure a wildcard cert on top of it.


If you are using a Synology domain, then getting a cert this way might be a problem. Would also suggest having a look at /var/log/messages for more details on errors that you are getting.

Thanks, I gave up on the former approaches and ended up using DNS validation about an hour ago. I think this is probably better anyway, as it doesn't require a webserver. Next I'll have to write a script to automate the DNS validation.

I altered all the port 80 and 443 entries in nginx.conf to 81 and 444, but still I could not get containers to attach to those ports. I even turned off the nginx service entirely and was still being redirected from http to https in a browser URL bar. So I think something else is messing with these ports too.

I will have to see if I can institute server_name rewrite rules in /etc/nginx/sites-enabled/ to redirect web traffic to Dockers running on different ports... it's just a shame Synology has locked down these standard ports.
 
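The DNS validation that Rusty suggested and the automation script the poster mentions come down to one thing: publishing the right _acme-challenge TXT record and waiting for it to propagate before the CA checks it. The following hook script is an added example, not code from the thread or from Synology; the publish_txt_record function is a hypothetical placeholder for whatever DNS provider API you use, and the 1.1.1.1 resolver and the certbot command in the comment are assumptions.

```shell
#!/bin/sh
# Added example: a certbot manual DNS-01 auth hook skeleton. Assumed usage:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook ./dns_hook.sh -d '*.domain.com' -d domain.com
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling the hook.

# Name of the TXT record the CA will query. A wildcard request (*.domain.com)
# is validated on the base name, so the leading "*." is stripped.
acme_challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# The record in zone-file form; the validation token is quoted TXT data.
# Note: '*.domain.com' and 'domain.com' share one record name and need two
# TXT values at the same time, so a provider API must add, not replace.
acme_txt_record() {
    printf '%s. 300 IN TXT "%s"\n' "$(acme_challenge_name "$1")" "$2"
}

# Poll a public resolver until the token is visible, so certbot does not ask
# the CA to validate before the record has propagated. Skipped without dig.
wait_for_txt() {
    name=$(acme_challenge_name "$1"); token=$2; tries=${3:-12}
    command -v dig >/dev/null 2>&1 || return 0
    while [ "$tries" -gt 0 ]; do
        dig +short TXT "$name" @1.1.1.1 2>/dev/null | grep -q "\"$token\"" && return 0
        tries=$((tries - 1)); sleep 10
    done
    return 1
}

# Hypothetical provider call: replace the echo with your DNS provider's API.
publish_txt_record() {
    echo "Would publish: $(acme_txt_record "$1" "$2")" >&2
}

# Hook entry point; does nothing when certbot's variables are not set.
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    publish_txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

A matching --manual-cleanup-hook that deletes the record afterwards keeps the zone from accumulating stale tokens.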

Rusty

Moderator
NAS Support
/etc/nginx/sites-enabled/ to redirect web traffic to Dockers running on different ports
You can, but why not use your apps on, let's say, port 443 and redirect them to your local container ports using the built-in nginx via app portal? Or am I missing the point here?
 
You can, but why not use your apps on, let's say, port 443 and redirect them to your local container ports using the built-in nginx via app portal? Or am I missing the point here?

I'm not sure, I haven't looked into that app yet. Is it possible to redirect traffic to different ports based on the domain name / contents of the URL bar? Ultimately that's what I need to run app1.domain.com, app2.domain.com etc. all on ports 80 and 443 as seen by the outside world.

Maybe I could have run certbot in this manner, too. Hmm... I'll have to look into it later.
 
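What the DSM reverse proxy does for the name-based routing asked about here is, in nginx terms, one server block per hostname, all listening on 443 with the Let's Encrypt certificate and each proxying to a different container port. This is an added illustration, not a configuration from the thread or from Synology; the hostnames, container ports and certificate paths are assumed, and on DSM the equivalent is created in the GUI rather than by editing these files.

```nginx
# Redirect plain HTTP to HTTPS for every app hostname (assumed names).
server {
    listen 80;
    server_name app1.domain.com app2.domain.com;
    return 301 https://$host$request_uri;
}

# app1: TLS terminated here, traffic forwarded to the container on 4000.
server {
    listen 443 ssl;
    server_name app1.domain.com;
    ssl_certificate     /path/to/fullchain.pem;   # assumed LE cert location
    ssl_certificate_key /path/to/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:4000;        # assumed container port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# app2: same certificate (wildcard or multi-SAN), different backend port.
server {
    listen 443 ssl;
    server_name app2.domain.com;
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:4001;        # assumed container port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because nginx selects the block by the TLS SNI / Host name, only the external ports 80 and 443 are exposed and the containers can stay bound to localhost.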

Rusty

Moderator
NAS Support
Ultimately that's what I need to run app1.domain.com, app2.domain.com etc all on ports 80 and 443 as seen by the outside world.
I have almost 20 apps running this way (all Docker containers), all on https/443.
 
I have almost 20 apps running this way (all Docker containers), all on https/443.
Okay, good to know! I suppose I was so used to doing things via reverse proxy text file editing I didn't think to look for a GUI approach... cheers.
 
