Let’s Encrypt logs?


1,477
640
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
To my knowledge they’re under
/usr/syno/etc/certificate
I’m looking for a log file with history of failed and successful renewals if possible.

I’m trying to check what’s going on when automatic renewal is not happening and I have to do it manually by running
/usr/syno/sbin/syno-letsencrypt renew-all

Thanks for any help.
 

Rusty

Moderator
NAS Support
2,393
709
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
When this is happening all logs will be listed in /var/log/messages
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Aha, thanks @Rusty. I was hoping I can find more details somewhere under the certificate directory!

Ok. Mind boggling. I’ll have to try to figure this one out!

DS118 has ports 80 and 443 forwarded to it.
DS216+II does not have ports 80 and 443 forwarded to it. Stating the obvious.

Firewalls are running on both. More blocking on the 216 in fact than the 118 and despite that the 216 renews automatically while the 118 fails.
Log under messages (for the 118) says “likely firewall problem”.
I turn off the firewall and I do it manually and it renews!

Hmm! I’ll go over the rules again.
 

Rusty

Port 80 is the problem here. That's the only one LE uses on Syno by default. Definitely check the ports.
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
80 is open and forwarded to the 118
If there was a problem with the port then the 216 won’t auto renew (it is auto renewing!) Right?
 

Rusty

True. Just saying. Has to be a fw rule; there is no reason for it not to renew.
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Yes, must be the firewall. When I disable it and renew manually, it works. I’m still scratching my head. Of course, to my understanding, we don’t know where the next connection to renew will come from, otherwise I’d have that allowed in the firewall!

I might try to disable the firewall (hate to do that) 31 days before the next expiration and see what happens.

So am I right in assuming that the renewal request is initiated from the DS outwards?
Because the 216 doesn’t have 80 forwarded to it, yet it renews.

I remember that there were a lot of discussions around the ports required and the mechanism, with no agreement. It was like a voodoo secret that no one knows.

—Edit—
At this moment, I’m caught wishing for a stateful firewall, like @Shadow :(
 

Rusty

So am I right in assuming that the renewal request is initiated from the DS outwards?
It is initiated from the DS side but you need inbound port 80 open. Maybe your other DS has 443 inbound open and renewal is coming in that way?

On the whole topic of keeping it open or not: personally I renew via DNS validation, not HTTP, but I still get a warning within the last 30 days that my cert is due to renew. So there is no real need for you to keep ports open until you get an email. After that, just open it, renew manually and then close it.
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
80 is always open. Website running on the 118
Port 80 forwarded to 118. It does not auto renew. 216 auto renews!

It’s the firewall I believe. Hopefully it won’t kill me. I’m just curious. Thanks.
 

Rusty

When you try to renew and it fails, check the messages log for a detailed error. I’m sure it will report that there is a port problem, especially if it works with the fw down.
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
As I said above, in the log under /var/log/messages it says:
Timeout during connect (likely firewall problem)"}

But I’m confused why is it allowed on the 216 although the firewall there is more restrictive. I was hoping that there is a place for more descriptive logs. Alas, not the case.

I’ll try to figure it out. If I do, I’ll update here. Thanks.
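
One way to pull a renewal history out of /var/log/messages, as an added example that is not part of the thread and not Synology's own tooling. It assumes the entries carry the `syno-letsencrypt` name, that the first field is a timestamp, and that the ACME error is logged as JSON with a `detail` member; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Let's Encrypt renewal entries found in a DSM system log.
# Assumptions: entries carry the "syno-letsencrypt" tag, the first field is a
# timestamp, and the ACME error is embedded as JSON with a "detail" member.

# Print "<timestamp> | <detail>" for every syno-letsencrypt line in the log.
# $1 = log file (default /var/log/messages); "-" reads standard input.
le_renewal_errors() {
    awk '
        /syno-letsencrypt/ {
            detail = "(no detail field)"
            # "detail":" is 10 characters; the closing quote is the 11th.
            if (match($0, /"detail":"[^"]*"/))
                detail = substr($0, RSTART + 10, RLENGTH - 11)
            print $1 " | " detail
        }
    ' "${1:-/var/log/messages}"
}

# Count entries whose detail reports that inbound validation timed out.
le_count_timeouts() {
    le_renewal_errors "$1" |
        awk '/Timeout during connect/ { n++ } END { print n + 0 }'
}

# Constructed sample lines (not real DSM output) for trying this offline.
sample_log() {
    cat <<'EOF'
2021-03-01T03:00:12+01:00 ds118 syno-letsencrypt: renew failed {"type":"urn:ietf:params:acme:error:connection","detail":"Timeout during connect (likely firewall problem)"}
2021-03-01T03:00:15+01:00 ds118 kernel: unrelated message
2021-03-02T03:00:09+01:00 ds118 syno-letsencrypt: renew failed {"type":"urn:ietf:params:acme:error:connection","detail":"Timeout during connect (likely firewall problem)"}
2021-03-03T03:00:11+01:00 ds118 syno-letsencrypt: renew-all started
EOF
}

sample_log | le_renewal_errors -
```

Comparing the timestamps of the timeout entries on the failing unit with its firewall log for the same minutes shows which rule dropped the inbound validation request.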
 
