Cannot issue Lets Encrypt

[bughatti 0]

All, I am trying to issue a lets encrypt on my nas, and it does not want to work.  Below is the error

 

2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]

I am running   DSM 6.1.7-15284 Update 3

 

I hav found a few articles and tried all the fixes that worked for others but no luck.

I have my domain at namecheap, I have A records pointing the hostname to my ip

I have web station installed using nginx and php7.3, a virtual host setup and ports forwarded.  I have validated I can reach http://host.domain.com and https://host.domain.com

 

When requesting the lets encrypt cert, I have set default checked and also tried unchecked.  In domain name I am using the domain at namecheap, email is admin@domain and subject alternative is host@domain.com  both subject alternative and web station virtual host are exactly the same.

 

 

Any help would be greatly appreciated.

 

 

[Polanskiman 368]

Just a quick question, did you open port 80 on your router?

[bughatti 0]

1 hour ago, Polanskiman said:

Just a quick question, did you open port 80 on your router?

 

Yes, 80 and 443 are both open in my router to my xpenology.  I have verified with open port checker, also Web STation responds with a page on both from outside my network

 

root@LiquidXPe:~# sudo syno-letsencrypt new-cert -d domain.com -m email@gmail.com -v
DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Email:email@gmail.com
DEBUG: Domain:  domain.com
DEBUG: ==========================
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Not found registed account. do reg-new.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
{"error":200,"file":"client.cpp","msg":"new-req, unexpect httpcode"}

Edited December 10, 2019 by bughatti

[ichel 0]

Is there a solution to the problem?

 

[cool2004 0]

+ I have the same problem

[safonov_ivan 1]

There was also this problem. The solution in my case is to disable SPI Firewall

 

 

[NiGGaZ 2]

text.txt

[NiGGaZ 2]

Synology DSM 6.1 (xpenology) Lets Encrypt ACMEv1 to ACMEv2
If you get messages like:

synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]
Then you need to upgrade your DSM up to version 6.2 or replace execution (syno-letsencrypt) file and some changes in configuarion file:

1. Download file syno-letsencrypt (this file from DSM v6.2) link https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing

2. If not enabled SSH, please enable in settings

3. Copy downloaded file syno-letsencrypt in any folder on you NAS

4. Connect to NAS with SSH (Putty) using admin account

5. Make backup of original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt usr/syno/sbin/syno-letsencrypt.bck)

6. Copy downloaded syno-letsencrypt file to directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)

7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute new file

8. Now change default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)

9. Fine string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02

10. Press escape, enter :wq and reboot your NAS.

Edited February 26 by NiGGaZ
Changed text

[ma3x 1]

On 2/26/2020 at 1:13 PM, NiGGaZ said:

Synology DSM 6.1 (xpenology) Lets Encrypt ACMEv1 to ACMEv2
If you get messages like:

synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]
Then you need to upgrade your DSM up to version 6.2 or replace execution (syno-letsencrypt) file and some changes in configuarion file:

1. Download file syno-letsencrypt (this file from DSM v6.2) link https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing

2. If not enabled SSH, please enable in settings

3. Copy downloaded file syno-letsencrypt in any folder on you NAS

4. Connect to NAS with SSH (Putty) using admin account

5. Make backup of original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt usr/syno/sbin/syno-letsencrypt.bck)

6. Copy downloaded syno-letsencrypt file to directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)

7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute new file

8. Now change default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)

9. Fine string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02

10. Press escape, enter :wq and reboot your NAS.

Thank you!

[50l3r 1]

On 2/26/2020 at 11:13 AM, NiGGaZ said:

Synology DSM 6.1 (xpenology) Lets Encrypt ACMEv1 to ACMEv2
If you get messages like:

synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]
Then you need to upgrade your DSM up to version 6.2 or replace execution (syno-letsencrypt) file and some changes in configuarion file:

1. Download file syno-letsencrypt (this file from DSM v6.2) link https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing

2. If not enabled SSH, please enable in settings

3. Copy downloaded file syno-letsencrypt in any folder on you NAS

4. Connect to NAS with SSH (Putty) using admin account

5. Make backup of original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt usr/syno/sbin/syno-letsencrypt.bck)

6. Copy downloaded syno-letsencrypt file to directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)

7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute new file

8. Now change default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)

9. Fine string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02

10. Press escape, enter :wq and reboot your NAS.

 

Much thanks. It works for me

[NiGGaZ 2]

1 час назад, 50l3r сказал:

 

Much thanks. It works for me

Enjoy! What hardware are you use?

[50l3r 1]

11 minutes ago, NiGGaZ said:

Enjoy! What hardware are you use?

 

HP ProLiant MicroServer Gen10

AMD Opteron X3216

RAM 8GB

 

I recieved notifications about ACME 1.0 client deprecation

[NiGGaZ 2]

2 минуты назад, 50l3r сказал:

 

HP ProLiant MicroServer Gen10

AMD Opteron X3216

RAM 8GB

 

I recieved notifications about ACME 1.0 client deprecation

Why I’m asking, because I’ve updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth.

[50l3r 1]

24 minutes ago, NiGGaZ said:

Por qué lo pregunto, porque actualicé mi HP Compaq Elite 8300 CMT a 6.2.2, pero eso no fue tan sencillo.

 

i done a fresh install. Not update from older version.

[tfboy 0]

I'm having issues with getting a LE cert for my domain. It's similar to the ones above, but I get a different error message.

 

I've checked and am using ACME v2 so it's not that.

 

Having been unsuccessful using the DSM interface, I've tried within SSH to get more detailed information.

sudo /usr/syno/sbin/syno-letsencrypt new-cert -d test.xavierwalker.co.uk -m email@xavierwalker.co.uk -s https://acme-staging-v02.api.letsencrypt.org/directory -v

 

The /var/log/messages suggests an invalid response from the ./well-known/acme-challenge url. I've tried that and get the Synology "Sorry the page you're looking is not found" message. I don't know whether that's correct or not, I guess not ?

syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://test.xavierwalker.co.uk/.well-known/acme-challenge/2PVDi0NX5lW4PH2q0K2jSKQ_RF_fwUtGIMdj1M9DPkI [82.13.19.134]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""}

 

Port forwarding from 80->5000 and 443->5001 is working OK and I have Web Station installed.

Of course, I don't know where the problem lies. It could be a DNS problem (I've updated my DNS entry to point to the correct IP) as I have a different certificate under a different IP for the primary domain. Or a Synology problem. Or a Let's Encrypt issue?

 

Any ideas?

[tfboy 0]

Found the issue for me.

I hadn't thought that the website you need for the authorisation and verification to work (writes a file to your webspace/.well-known/acme-challenge/) is from the normal web service (nginx or apache2) running via Web Station which of course responds on ports 80 and 443.

My initial redirecting and port forwarding from my public WAN to private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.