Solved LE cert failed to auto renew

259
28
NAS
DS1019+
Mobile operating system
  1. Android
my Let's Encrypt certificate failed to auto-renew last night, and it's not expired.
when i try to manually renew it thinks about it a short while then says "the operation failed, please log into DSM again and retry".
can't see anything in the logs about this either.

any suggestions?
 

Rusty

Moderator
NAS Support
2,891
878
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
my Let's Encrypt certificate failed to auto-renew last night, and it's not expired.
when i try to manually renew it thinks about it a short while then says "the operation failed, please log into DSM again and retry".
can't see anything in the logs about this either.

any suggestions?
Log into the NAS via SSH and open up /var/log/messages to check for more details. Off the bat, I would say that port 80 or 443, which LE needs to renew certs, was not open.
 
port 80 and 443 are definitely open, the sites were working fine yesterday before the cert expired, and no port changes have been made.

the sites also load in HTTP mode (albeit chrome complains a LOT about that).
 
anything in particular to look for in messages? that file has a LOT of stuff in it that is mostly meaningless to me
 

Rusty

anything in particular to look for in messages? that file has a LOT of stuff in it that is mostly meaningless to me
Well, just open it up, scroll to the bottom and try to renew the cert again, then just look at the time stamp from that point forward and see if there will be anything related to a specific error.
 
well i opened it with vi, is there a quick way to scroll to the bottom?
 

Rusty

Page down? Or End button?
 

sorted.
i just deleted the cert and re-created it. seems fine now.

although it's showing as valid on the main site but not the sub-domains, even though i added the sub-domains to the new cert (via CSR).
 
i created the cert for my base domain.
then once it was created and active (set as default) i clicked on "configure" and set all the sub-domains (and everything else) to use that new cert.

chrome is showing that the sub-domains are trying to use that cert (correct valid from date), but says the cert is invalid.
 

Rusty

Is your main cert a wildcard cert, or does it have SAN fields populated with subdomain names? If not, then you will not be able to use your cert with your subdomains and get a valid response.
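
The SAN question in the post above is what decides whether a subdomain validates. As an added example (not part of any post in this thread, and not Synology or Let's Encrypt code), this Python snippet applies simplified wildcard-matching rules to constructed SAN lists; the `nas.` and `photos.` subdomains are assumed names.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# Simplified RFC 6125 matching; real clients apply further checks
# (for example the public suffix list). All names are constructed samples.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never zero or two
    if p[0] == "*":
        # Wildcard is honoured only as the entire left-most label
        return h[0] != "" and p[1:] == h[1:]
    return p == h  # otherwise an exact, case-insensitive match


def uncovered(sans, hostnames):
    """Return the hostnames a browser would reject for this SAN list."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in sans)]


# Constructed SAN lists for the three ways the cert could have been issued
BASE_ONLY = ["blah.co.uk"]                 # only the "domain name" field filled in
WILDCARD = ["*.blah.co.uk"]                # wildcard alone
FULL = ["blah.co.uk", "*.blah.co.uk"]      # base domain plus wildcard

# Constructed list of sites served from the NAS
SITES = ["blah.co.uk", "nas.blah.co.uk", "photos.blah.co.uk", "a.b.blah.co.uk"]

if __name__ == "__main__":
    for name, sans in (("base only", BASE_ONLY),
                       ("wildcard", WILDCARD),
                       ("base + wildcard", FULL)):
        print(f"{name:16} not covered: {uncovered(sans, SITES)}")
```

A wildcard entry covers neither the bare domain nor names two levels down, so both of those need their own SAN entries.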
 
when creating the cert in the "domain name" field i just entered "blah.co.uk", it doesn't let you put "*.blah.co.uk" in there.
 

Rusty

when creating the cert in the "domain name" field i just entered "blah.co.uk", it doesn't let you put "*.blah.co.uk" in there.
Then you don't have a root cert, and if you skipped entering SAN values in the wizard, you will have to create a new cert that has all the subdomain names (new and future). Only then will you have a valid cert.

The other option, if this is a custom domain name (not a Syno DDNS), is to run your own LE Docker container, create a valid wildcard cert there, and then import it.

You can read a bit about the process here:
 
