Can’t access my NAS via browser

Currently reading
Can’t access my NAS via browser

2,279
956
NAS
DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
I have a problem accessing my DS118. Something to do with the certificate maybe.
Safari and Firefox give the usual warning, however, no option to choose to visit the site.

Safari on the Mac says the certificate is revoked! This is the first time I see such a message!

4573BCDA-2CA8-452C-8B6B-9F47B28190F1.jpeg



The certificate was showing in orange color (meaning it’s still valid for a month or less).
I usually renew manually. I turn off the firewall, run the renew task, it renews for another 3 months, turn on the firewall. Done. I intended to do that within the next few days.

I can SSH. I did a shut down (shutdown -h now) and waited for a few minutes, pressed the power button and after a while it comes up. Still, the same problem!
But I can SSH to it!

HTTP is redirected to HTTPS so I can’t use it.

Any suggestions?
 
Sorry to hear that you are having trouble with this. Could it be that your domain provider has something to do with it? I don't think LE would revoke any cert on their own unless there was a reason for it. Maybe it would be an idea to contact your domain provider and ask them a bit?
 
Thanks @Rusty.

I checked the DNS propagation and it's fine. I'll try to open a support ticket but I'm sure they'll come back and say it's your certificate (although that shouldn't have anything to do with it). Not even sure what to ask for!

But it's highly likely that it has something to do with them :)
I've had a few problems with them before! Maybe I should consider moving the domain somewhere else.
 
It seems this has something to do with DSM 6.2.2-24922 Update 3. I found this.
I tried the suggested add and replace, but now it says:

4407C45C-701C-4B8D-B13A-F006AA3D72F5.jpeg


So in my case it might be more than one thing causing the problem.
But take note if you’re still on update 3, this might happen to you. They’re saying it’s fixed in update 4!

So my problem is still not resolved yet.
 
Yes. My 216 updated the LE certificate by itself as usual with no problems (and it’s on update-3, same as the 118). I’m guessing maybe because the 118 was “not allowed” to auto update the certificate (firewall rules), this happened because of the highlighted bug (above) with update-3.

Another strange thing is that when I tried to delete the LE certificate, the option was dimmed.
I updated to update-4 and moved the services (configure button) to the Synology certificate (I still have it), tried again to delete the LE certificate, the delete option is still dimmed.

I moved the services back to the LE certificate. Out of curiosity, I tested with TLS Inspector and voila, it says it’s a “trusted chain”! Browsers can access with no problems and the mail service is back to normal!

So the problem is solved. Don’t ask me how!
Did it take a while after the update (and moving the services from one certificate to another and back) to sort things out! Not sure. I have no idea what went on and I hate it when things don’t make any sense!

Now, I’d like to recreate the certificate to add some subject alternative names and it still says: failed to connect... (the message in the shot above)! That’s one thing that’s remaining.
Maybe I shouldn’t mess up with it now since everything’s working and leave it until I’m back.

I have a ticket with Synology.
 
I'm sure the DNS propagation is fine, otherwise, you wouldn't even get to your services, but maybe they are flagged from LE side or are flagging LE certs as "unwanted"... Who knows.
BTW, I was on LAN using the IP address to access the DS. So it doesn’t matter even if the DNS propagation was faulty– it wasn’t. And that’s what was confusing because I couldn’t access anything validated via the certificate because it’s “revoked “!

And as expected, my domain name and DDNS service provider (changeip.com), replied saying: “check with your web service provider, we only manage the domain“ and closed the ticket. How rude :ROFLMAO:

I‘ve used their support a few times and they’re not exactly helpful. Avoid.

Anyway, things are working now. I’ll see what will Synology say.
 
@WST16 have you tried going into Keychain Access and deleting the saved certificates assigned to the NAS LAN IP? I've seen that Safari and Firefox decide not to offer the option to add an exception and think I played with removing old cruft from this app. Might be worth a shot.
 
@WST16 have you tried going into Keychain Access and deleting the saved certificates assigned to the NAS LAN IP? I've seen that Safari and Firefox decide not to offer the option to add an exception and think I played with removing old cruft from this app. Might be worth a shot.
No I didn’t. My focus was to make the services reachable for my “external“ colleagues. I used TLS inspector and it was saying the certificate is revoked.
But on a second thought that might‘ve been useful (if it works) to gain access when it was not allowing me because http was redirected by DSM (as I configured it) to https. I doubt it though. But a good suggestion to keep in mind. Thanks :)
 
this story is better than from Stephen King
It’s a waste of time. I just kept documenting it here in case someone faces the same. Unfortunately, it makes no sense, and the result is not a proven fix because I don’t know what’s the problem to begin with and how it was fixed (or if it’s truly fixed).

We might as well delete this thread :ROFLMAO:

maybe (if possible) it’s a time to use fixed IP and your own domain
What do you mean by “own domain”?
I’m using my own domain, unless there is another thing I don’t know about!
 
Below is Synology’s response to my raised ticket.
At last some sense amid all the chaos!
Note that (as they said) this happens if the certificate fails to renew, which is exactly my case.


Any idea why it was showing as revoked in the first place?

-> Yes, that was a known issue with DSM 6.2.2 Update 3. It was actually from Let's Encrypt official document design that if the renewal of the certificate failed for whatever reason, then revoke the certificate automatically. In DSM 6.2.2 Update 4, we changed the renewal process, so instead of revoking the failed renewed certificate right the way, it will let the users continue to use it until it expired or successfully updated.
 
The certificate on my 118 always fails to renew. Something to do with the firewall according to the log in messages:
Timeout during connect (likely firewall problem)

I’m not sure what (didn’t spend time investigating). So any suggestions are welcome :)
A logical test would be to switch off the firewall and see, but I can’t afford doing that, so I’m letting it drag.
What’s puzzling me is that the 216 has more restrictive firewall rules, yet renews by itself successfully every time.
So the need to renew the 118 certificate manually is not new to me.

However, what’s new, is that this time when it tried to renew and failed, it didn’t simply continue as before, it decided to do a “Seppuku” and take its own life (revoking) according to the “new” way of handling the certificate in update-3, as was mentioned.

With update 4, Synology claim’s that they’ve put back everything as it was before the introduction of the “Seppuku” stunt :D
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

A few days ago overnight I lost wireless access from my two laptops to my Synology. My Synology DS411 is...
Replies
0
Views
757
That's the way I currently use. However without using a ssh key but typing in a password.
Replies
7
Views
3,197
  • Question
Aah, that's it. Thank you so much. I had been looking at the three dots at the top right nit the correct...
Replies
4
Views
4,640
Hi, you need to use a SRV record in the dns zone for your domain name, with this you can add ports to A...
Replies
26
Views
5,013
  • Solved
oh man... Ed J? I want you for president in 2024. I'm serious. You really saved me from being committed...
Replies
8
Views
8,720
If you set a different network and assign a port to it I don't see why the firewall will not allow you to...
Replies
1
Views
1,539

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top