Let's Encrypt Certificate Renewal

Currently reading
Let's Encrypt Certificate Renewal

Country - never thought of that; I will look into it.
Most likely the firewall is blocking it. You’ll never know where it’s coming from. My suggestion is to add a reminder on your calendar to renew manually 5-10 days before expiration. It’s not worth opening the ports for the whole world just for that one thing.
 
Most likely the firewall is blocking it. You’ll never know where it’s coming from. My suggestion is to add a reminder on your calendar to renew manually 5-10 days before expiration. It’s not worth opening the ports for the whole world just for that one thing.
I agree. Running with DNS validation is a lot better but if that is not an option then an on/off solution would do the trick.
 
To clarify, what I meant above by saying that you’ll never know where it’s coming from, is a reference to Let’s Encrypt connection request, otherwise we can add an “allow” for it in the firewall if we consider the risk acceptable (for example, hypothetically for me I’d be more inclined to add an “allow” for a country like Switzerland or Singapore but not China, because of size and other factors). However, the request might come from any Let’s Encrypt server around the world, so it’s hard to predict.

So I don’t mean that you’ll never be able to find out why whats happening is happening. Thought of clarifying it because when I re-read it I thought it might be understood in such a way (my fault) :)
 
Thanks WST16: I do not think that I am blocking any country as far as I know. I can renew manually, although renewal may come from anywhere.

I checked my ports with a utility from PC to NAS and ports seem OK. Ports in router seem OK, checked via external web-based utility.

I have found how to get to the logs mentined above. I started via Telnet to the logs, before realising that I could get them via Support Centre, which is somewhat easier and safer. Telnet gives an interesting view inside the NAS likely to cause nightmares not being a LINUX user. Useful to know how to access the 'insides'; I just have to be careful, obviously.

I may have to continue slowly, if not come to a stop, as I realised that I won't see another need for an automatic renewal for another 60 or so days, by which time I may well have cleared the problem and then inadvertantly set it back again!
 
I’m reflecting my own experience. That’s what it looked like to me. However, if you have 80 and 443 (or maybe just 443) open for the whole world as you say, it should renew automatically as this is my experience.

I think (not sure), when you do it manually the connection is initiated from the DiskStation, so it overcomes the firewall restrictions. I decided to renew manually a long time ago and didn’t look into it any further.

I think you’re making good progress, please keep us updated if you discover anything worth sharing. Thanks :)
 
Thanks WST16:
>>when you do it manually the connection is initiated from the DiskStation, so it overcomes the firewall restrictions

I assumed that the DiskStation always tries to initiate the renewal after say 60 days rather than the Let's Encrypt server, which simply sends out the renewal reminder after 60 days. Or could it be that accessing the certificate, as part of say a VPN process, 'says' to the the DiskStation 'time to renew'? If the DiskStation initiates renewal, then a log should be full of 'tried to renew but failed' type error messages. I have not found any such messages, unless they are error code numbers. I did find logs of when I renewed manually. That suggests that the problem may be the trigger for renewal not coming in from the Let's Encrypt server, wherever that is located, and hence incoming ports rater than outgoing ports. (I hope that makes sense, even if my thoughts may be quite wrong!)
 
Creation and renewal is the responsibility of the letsencrypt client. Though something on the machine must trigger the execution (on linux systems typicaly a cronjob takes care to trigger the renewal), the client does it's job and finishes.

When using the http01-challange, the client will create the certificate request, then delegates the verification to LE, which tries to access http://{yourdomain}/.well-known/acme-challenge/{current token}, which then creates your certificate, which the client must fetch in some mysterious ways. This is why proper dns name resolution fory our domains and an open port 80 is required during the challenge. I would assume the LE verification will originate in the US.
 
I assumed that the DiskStation always tries to initiate the renewal after say 60 days
That’s why I said. I think.
Strangely, I was checking my DS220+ and I found that the certificate was renewed despite all the restrictions I have on the firewall. While on another DS it fails. I gave up trying to understand how it works, It’s voodoo magic to me :)
 
Can we pretty please just have DNS-01 challenge supported by Synology out of the box?
Actually I was quite sure it will come in DSM 7. Well…

Is there a rather easy work around to use DNS challenge on DSM?

Thanks,
marko
For a custom domain, docker would be an easy way. One time setup and you are good.
 
I would need it for MailPlus Server using multiple sub-domains like imap.domain.com;mail.domain.com;… (dovecot, postfix, Webinterface)
Can you point me to some how-to documentation? There is probably no way, to assign this cert in the DSM GUI?
 
I would need it for MailPlus Server using multiple sub-domains like imap.domain.com;mail.domain.com;… (dovecot, postfix, Webinterface)
Can you point me to some how-to documentation? There is probably no way, to assign this cert in the DSM GUI?
Wild card solution would cover it.

 
Wild card solution would cover it.

Thank you very much for the good read!
On the down-side, it would require to move all DNS entries to cloudflare and manual cert updates every 90days… 🤔
 
manual cert updates every 90days
This can be automated ofc, but it is not part of the article as it's a separate element. Regarding CF hosting your domain, yes that might look like a problem, but IMHO, it was worth it.

Once you get the containers up and running you can leave them on and the cert will be renewed on the 29th day before it runs out. Also, the upside is that you do not have to have ports open (unless you use them for something else) to get the certs.

Ups and downs I guess.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

QuickConnect is always exposed to Synology. Disabling it removes that exposure.
Replies
5
Views
1,690
Ah ha right I'm with you, now, in that case I'll not worry as it's a very small private forum and we're...
Replies
4
Views
3,173
As I said above, in the log under /var/log messages it says: Timeout during connect (likely firewall...
Replies
10
Views
5,710
  • Solved
If it is of interest, when I got caught by the 143 character limit, I used an app 'Path Length Checker' on...
Replies
7
Views
2,644
  • Question
In Synology DSM 7.1.1-42962 Update 6 I have number of reverse proxy rules on different domains, and in the...
Replies
0
Views
545
thanks a lot my friend, I will ask their costumer service on Monday /hug
Replies
4
Views
934

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top