LE Certificate Renewal Issues
Recently got a notification that my certificates are due to expire. This has been working for years with no issues and nothing has changed regarding firewall or port opening/closing. The only thing I can think of is I use Google Domains and there is currently a transition period where that is being handed off to Squarespace due to acquisition. One thing they discontinued was their DDNS, so in the meantime I had pointed my DDNS subdomain name to the synology.me DDNS name and everything was still working. If I recall correctly I believe I even did a test renewal on a cert to make sure that worked, and it did. For now I have set my DDNS subdomain name to an A record pointing to my public IP address to rule out whether that is the issue or not. I'm only about 10 hrs into that change, and still cannot renew. Not sure if this is due to the aforementioned or maybe now I'm in some sort of lockout period with LE for too many tries within a certain time.

When I attempt to renew the cert manually DSM UI throws a Notification "The operation failed. Please sign in to DSM again and retry," pretty generic.

I remember way back in the day when first setting this up @Rusty had pointed me to logging in via SSH and viewing some logs there. From there, there was a more specific error of what was going on. SSH is one of my weak points, if someone can help me with the commands and location of where these logs would be to take a look.
 
My firewall for ports 80 & 443 is set up as GEO block, both at the router of the network & Synology's NAS firewall. This has worked for years, but it seems like I had to drop the firewalls and open it up to everything in order to get the CERTS to renew.
 
LE renewals that are not done using DNS as a validation method will default to 80/443. It would make sense that if all was working for you and now started to fail, it could be a result of your firewall hardening.

In terms of SSH, /var/logs/messages is the file that lists most information in this particular situation.
 
LE renewals that are not done using DNS as a validation method will default to 80/443. It would make sense that if all was working for you and now started to fail, it could be a result of your firewall hardening.

To clarify, I've had ports 80 & 443 opened and the firewall hardened with GEO for the longest time (since 2018 for the DS718 rollout and 2020 for the RS820 rollout), so this wasn't something new.
In terms of SSH, /var/logs/messages is the file that lists most information in this particular situation.
I logged into SSH, I tried entering /var/logs/messages but it said Permission denied. Do I need to do a sudo -i to elevate?
 
You will need to elevate, yes, in order to get a look inside the file.

Once you are in the root command line do this:

cat /var/logs/messages

This will allow you to view the file.

This is the response I'm getting: No such file or directory. Why is this?

Alternatively I found that I can go to Support Center, Support Services, under log generation - generate logs. This outputted a .DAT file. I then renamed the extension of this file to .ZIP and uncompressed it. From there I could see the entire file structure including dsm/var/log messages
 
Checked logs for both Synologys (which are running at two different sites). Can confirm on both of them the issue is "Failed to open port", but the last time I got this same error message was well over a year ago and at that time I was manually opening/closing port 80 for cert renewals. Since then I have left port 80 open and had no problem until now. Unfortunately, I do not see anything in the logs of successful connections. It seems the last time the certificates were able to register was around January.

Either something was changed within the DSM software or at the LE level, to the point where GEO location based rules are now considered.

This also does not apply to the Synology ddns name/cert, that is renewing fine even with GEO on.
 
Hi guys. Anyone else here having a problem with renewing the (already existing, but expired) Let's Encrypt SSL certificate?
Today I found out that few LE certificates in my DSM expired, but they did not renew automatically (as usual in the past) and manual renewal just does not work - after a while it says that connection to the Let's Encrypt service has failed.

I didn't change anything in my DSM, don't know why it doesn't work now. I even disabled my firewall for a while just to test it again, but still have the same problem.

I also tried another NAS device (in a different location) and I get the same issue.
 
Hi guys. Anyone else here having a problem with renewing the (already existing, but expired) Let's Encrypt SSL certificate?
Today I found out that few LE certificates in my DSM expired, but they did not renew automatically (as usual in the past) and manual renewal just does not work - after a while it says that connection to the Let's Encrypt service has failed.

I didn't change anything in my DSM, don't know why it doesn't work now. I even disabled my firewall for a while just to test it again, but still have the same problem.

I also tried another NAS device (in a different location) and I get the same issue.

I had experienced the same; nothing changed in my environment. I found I had to turn off my Geo filters on the firewall rules, which I had been using for several years now.
 
Could be that:
  • The source of the DNS tests that LE performs during certificate creation/renewal has moved, or new locations added and these are within blocked locations.
  • The geolocation database has been updated and moved some IP ranges from unblocked to blocked locations.
  • The database may also not be 100% accurate, e.g. if large subnets are split and assigned across regions.
Every alternate name that you add in the certificate will be tested, so if you have an access control profile that is applied to a, e.g., reverse proxy that is blocking LE then this will fail the certificate creation process... and you really don't get told why. When one alternate name fails due to whatever reason then the whole certificate process fails.
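A pre-renewal readiness check for the situation described in this thread, added here as an example (not code from the thread, from Synology, or from Let's Encrypt). It walks every alternate name on the certificate, confirms it resolves to the public IP the NAS is reachable on, and probes port 80 for an HTTP-01 listener; one failing name fails the whole order, matching what the post above says. The resolver and probe are injectable so the logic can be tested offline; the host names and IPs in the test are constructed.

```python
"""Per-SAN readiness check before a Let's Encrypt HTTP-01 renewal (example code)."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed token path: LE would request a real token here during validation.
ACME_PATH = "/.well-known/acme-challenge/readiness-probe"


def http_probe(name: str, timeout: float = 5.0) -> bool:
    """True if port 80 on `name` answers HTTP at all (a 404 still proves reachability).

    Caveat: this probe runs from wherever you execute the script, not from Let's
    Encrypt's validation servers (which sit in several regions). A pass here rules
    out DNS and local firewall mistakes; it cannot prove a geo-block is not dropping
    LE's validators. For that, check /var/log/messages on the NAS after a renewal.
    """
    req = urllib.request.Request(f"http://{name}{ACME_PATH}", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


def check_sans(sans: List[str], expected_ip: str,
               resolve: Callable[[str], str] = socket.gethostbyname,
               probe: Callable[[str], bool] = http_probe) -> Dict[str, str]:
    """Map each failing SAN to a reason; an empty dict means every name is ready."""
    problems: Dict[str, str] = {}
    for name in sans:
        try:
            ip = resolve(name)
        except OSError as exc:
            problems[name] = f"DNS lookup failed: {exc}"
            continue
        if ip != expected_ip:
            problems[name] = f"resolves to {ip}, expected {expected_ip}"
            continue
        if not probe(name):
            problems[name] = "port 80 not reachable for HTTP-01"
    return problems


def renewal_would_succeed(sans: List[str], expected_ip: str, **kw) -> bool:
    """One bad alternate name sinks the whole certificate order."""
    return not check_sans(sans, expected_ip, **kw)
```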
 