Solved LE cert failed to auto renew

[chenks]

my lets encrypt certficiate failed to auto-renew last night, and it's not expired.
when i try to manually renew it thinks about it a short while then says "the operation failed, please log into DSM again and retry".
can't see anything in the logs about this either.

any suggestions?

 

[Rusty]

my lets encrypt certficiate failed to auto-renew last night, and it's not expired.
when i try to manually renew it thinks about it a short while then says "the operation failed, please log into DSM again and retry".
can't see anything in the logs about this either.

any suggestions?

Log into NAS via SSH and open up /var/log/messages to check for more details. Of the bat, I would say that port 80 or 443 was not open that LE needs to renew certs.

 

[chenks]

port 80 and 443 are definitely open, the sites were working fine yesterday before the cert expired, and no port changes have been made.

the sites also load in HTTP mode (albeit chrome complains a LOT about that).

 

[chenks]

anything in particular to look for in messages? that file has a LOT of stuff in it that is mostly meaningless to me

 

[Rusty]

anything in particular to look for in messages? that file has a LOT of stuff in it that is mostly meaningless to me

Well just open it up, scroll to the bottom and try and renew the cert again, then just look at the time stamp from that point forward and see if there will be anything related to a specific error.

 

[chenks]

well i opened it with vi, is there a quick way to scroll to the bottom?

 

[Rusty]

Page down? Or End button?

 

[fredbert]

G

 

[chenks]

sorted.
i just deleted the cert and re-created it. seems fine now.

although it's showing as valid on the main site but not the sub-domains, even though i added the sub-domains to the new cert (via CSR).

 

[Rusty]

added the sub-domains

How exactly did you add them?

 

[chenks]

i created the cert for my base domain.
then once it was created and active (set as default) i clicked on "configure" and set all the sub-domains (and everything else) to use that new cert.

chrome is showing that the sub-domains are trying to use that cert (correct valid from date), but says the cert is invalid.

 

[Rusty]

is your main cert a wild card cert or does it have SAN fields populated with sub domain names? If not, then you will not be able to use your cert with your subdomains and get a valid response.

 

[chenks]

when creating the cert in the "domain name" field i just entered "blah.co.uk", it doesn't let you put "*.blah.co.uk" in there.

 

[Rusty]

when creating the cert in the "domain name" field i just entered "blah.co.uk", it doesn't let you put "*.blah.co.uk" in there.

Then you dont have a root cert and if you skipped entering SAN values in the wizard, you will have to create a new cert that has all the subdomain names (new and future). Only then will you have a valid cert.

Other option if this is custom domain name (not a Syno ddns) is to run your own LE docker container and create a valid wild card cert there, and then import it.

You can read a bit about the process here:

Let's Encrypt + Docker = wildcard certs

lets encrypt docker wildcard SSL certificate dsm synology cloudflare

www.blackvoid.club