3

It seems that for some reason the certificates that are generated with LetsEncrypt are not renewed automatically by latest Synology DSM.

I tried the CLI, but it fails

sudo syno-letsencrypt renew-all -v

DEBUG: [syno.example.com] is not a subdomain of [my-syno.synology.me]
DEBUG: DDNS Curl: [https://ddns.synology.com/main.php?_=letsencrypt%2Fdelete&hostname=syno.example.com&myds_id=696423&auth_key=...&serial=1590MHN443201&txt=]
DEBUG: GET Request: https://ddns.synology.com/main.php?_=letsencrypt%2Fdelete&hostname=syno.example.com&myds_id=696423&auth_key=...&serial=1590MHN443201&txt=
DEBUG: Dns01 challenge: Teardown [{"code":"badparam"}].
DEBUG: DNS challenge failed, reason: { "error": 203, "msg": "Challenge setup is failed.", "file": "client.cpp:278"}
DEBUG: Normal challenge failed, reason: { "error": 107, "msg": "syno.example.com: Could not connect to syno.example.com", "file": "client.cpp:315"}
DEBUG: failed to open port 80.
DEBUG: close port 80.
DEBUG: Failed to renew /usr/syno/etc/certificate/_archive/8mSVmw/. { "error": 101, "msg": "failed to open port 80.", "file": "client.cpp:472"}

As a note, I checked and port 80 of "syno.example.com" is accessible from outside and is loading the Web Station.

I even tried stopping the Web Station before running the renew command but it seems that is has no effect on the execution of renew command. (/usr/syno/bin/synopkg stop WebStation).

One interesting remark was that once I stopped the Web Station, instead of not responding on port 80, Synology decided to redirect it to port 5000/5001.

Community
  • 1
sorin
  • 8,016
  • 24
  • 79
  • 103
  • 1
    Would be nice for future readers if you would specify the exact version of "latest Synology DSM" you were running since your "latest" is probably not my "latest" - knowing this might help in case this is related to a specific version of DSM. – kalmiya Feb 18 '18 at 12:15

1 Answers1

0

I had an issue updating the certificate also running DSM 6.1.5-15254, probably different though. Since there is not a single answer yet, adding some notes - which may or may not help in your case - but maybe it'll give you some ideas.

So, several websites mention that when updating through the CLI you do not need to open port 80/443. In my logs I got a "failed to open port 80" a few times but was still able to update my certificate. Note that I do have port 80 open and when going to <wan-ip>:80 I see the "Web Station has been enabled. To finish setting up your website, ..."-page.

You can view the logs like this:

sudo grep letsencrypt /var/log/messages

Try updating your specific site (instead of all). Note that I had the webserver running (I didn't stop it before running the following).

sudo syno-letsencrypt new-cert -d syno.example.com -m site@example.com -v

(try -vv) for more detailed info.

If you get to the "DEBUG: save to files" line in the output, then check if the certificate is valid in the DSM. If it's still invalid, download the certificate through the DSM and compare it to the path which is shown after "cert_path" in the debug-output (the last line should actually read "success" - but in my case it didn't).

If the certificates mismatch, it probably downloaded but did not update the 'copy' synology is using. To work around this, using the DSM, select "Add new certificate" then "Import" and select the 3 files shown in the "cert_path". Click ok and synology will restart the "WebStation" (it might have sufficed to only restart the webserver).

I had a subdomain aaa.mydomain.com for which it didn't want to generate a certificate. Eventually I removed the certificate for this one from the Synology DSM and only kept to the main www.mydomain.com - which did work.

Note: There is a limit of 20 certificate requests - after that let's encrypt blocks you for a week.

Community
  • 1
kalmiya
  • 101
  • 1