LE Cert renewal failures

I received LE renewal notification emails for NAS1 and NAS2 and attempted renewal by forwarding port 80 to NAS1 IP.
Renewal went fine.

Then I edited the port 80 forward to point to NAS2 IP. Renewal failed:

UtCBgwY.png


Restarted NAS2 with the same result (and now with port 443 open as well).

Then I tried to create a new LE cert with the same "secret.synology.me" domain manually to replace the existing cert and I get this...

ig3GpLc.png


Doesn't seem like "Failed to connect" is an issue.

So, I'm stuck a bit trying to figure out how to proceed. Ideas?
 
Funnily enough I had exactly the same problem with my renewals recently.

In my case the DDNS IP address needed updating, then it worked. The second error you have received is when you make too many attempts to renew/create a certificate. I have had this in the past too. (There are daily and weekly limits I believe (I stress this is from odd forum posts in odd places over years, so it is not gospel) when working with Let's Encrypt.)
So try again in a couple of days... Hopefully it will work.
 
Funnily enough I had exactly the same problem with my renewals recently.
Thanks for the encouragement. I'll wait a week.

I did read that if the SAN was modified, I could circumvent the blocks... but that only resulted in a "failed to connect" notice. Fortunately this is a backup NAS, and not the primary which updated without incident.
 
It seems I am doomed. I forwarded ports 80 and 443, tried both renew and replace certs and get a "no connection" popup from the Synology GUI.

I'm stuck. I even tried obtaining the cert from another Synology NAS, and got the no connection warning.

Is my only recourse to purchase a domain?
 
Best to consult /var/log/messages for more detailed info on the problem
Good call. When I did this I found repeated errors such as this:
2021-07-14T10:02:52-05:00 NAS4 synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[19052]: certificate.cpp:969 syno-letsencrypt failed. 101 [Fetching http://xxxxxxxx.ddns.net/.well-known/acme-challenge/v44wye0rC1F-NBA8j6ovDx5pd2W5RqkwA0IjFictNL8: Timeout during connect (likely firewall problem)]

The problem is that xxxxxxxx.ddns.net is one of the SAN entries, instead of the xxxxxxxx.synology.me I was attempting to renew.
HnK8Efl.png


Why would it be using that URL?

In the past it had a related problem, when it failed because it used the Synology wildcard entry in SAN.

2021-02-15T11:30:16-05:00 NAS2 synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[3482]: certificate.cpp:966 syno-letsencrypt failed. 108 [*.xxxxxxxx.synology.me is not Synology ddns]

Is that last line not odd?

Or am I going about this all wrong?

Maybe I need to include the DDNS domain in the SAN field?
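
An added example, not part of any post in this thread and not Synology's code: Let's Encrypt validates every name on a certificate, SAN entries included, so this Python sketch parses `syno-letsencrypt failed` lines like the two quoted above and lists the names the HTTP-01 fetch was attempted against that differ from the domain being renewed. The function names and the third sample line are constructed, and the regexes assume the log layout shown in the posts.

```python
import re
from collections import defaultdict

# The two failure lines quoted in the thread, plus one constructed unrelated line.
SAMPLE_LOG = """\
2021-07-14T10:02:52-05:00 NAS4 synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[19052]: certificate.cpp:969 syno-letsencrypt failed. 101 [Fetching http://xxxxxxxx.ddns.net/.well-known/acme-challenge/v44wye0rC1F-NBA8j6ovDx5pd2W5RqkwA0IjFictNL8: Timeout during connect (likely firewall problem)]
2021-02-15T11:30:16-05:00 NAS2 synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[3482]: certificate.cpp:966 syno-letsencrypt failed. 108 [*.xxxxxxxx.synology.me is not Synology ddns]
2021-07-14T10:03:01-05:00 NAS4 sshd[2211]: constructed line, unrelated to certificates
"""

# Assumed layout: timestamp, NAS name, LetsEncrypt action, numeric code, [detail].
FAILURE = re.compile(
    r"^(?P<ts>\S+) (?P<nas>\S+) "
    r"synoscgi_SYNO\.Core\.Certificate\.LetsEncrypt_\d+_(?P<action>\w+)\[\d+\]: "
    r".*?syno-letsencrypt failed\. (?P<code>\d+) \[(?P<detail>.*)\]\s*$"
)
# Detail of an HTTP-01 failure: the hostname the challenge file was fetched from.
CHALLENGE = re.compile(
    r"Fetching https?://(?P<name>[^/\s]+)/\.well-known/acme-challenge/[^:\s]+: (?P<reason>.*)"
)

def parse_failures(text):
    """Return one record per syno-letsencrypt failure line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["code"] = int(rec["code"])
        c = CHALLENGE.match(rec["detail"])
        rec["challenged_name"] = c["name"].lower() if c else None
        rec["reason"] = c["reason"] if c else rec["detail"]
        records.append(rec)
    return records

def unexpected_challenge_names(text, renewing):
    """Map each challenged hostname that is not the domain being renewed to its errors."""
    hits = defaultdict(list)
    for rec in parse_failures(text):
        name = rec["challenged_name"]
        if name and name != renewing.lower():
            hits[name].append(rec["reason"])
    return dict(hits)

if __name__ == "__main__":
    for r in parse_failures(SAMPLE_LOG):
        print(r["ts"], r["nas"], r["action"], r["code"], r["challenged_name"], r["reason"])
    print(unexpected_challenge_names(SAMPLE_LOG, "xxxxxxxx.synology.me"))
```

Each hostname it reports is a name on the certificate that must resolve to the NAS and answer on port 80 during validation, or be dropped from the SAN list.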
 