bughatti Posted December 9, 2019 #1

All,

I am trying to issue a Let's Encrypt on my NAS, and it does not want to work. Below is the error:

    2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
    2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]

I am running DSM 6.1.7-15284 Update 3.

I have found a few articles and tried all the fixes that worked for others, but no luck.

I have my domain at Namecheap, and I have A records pointing the hostname to my IP. I have Web Station installed using nginx and php7.3, a virtual host set up and ports forwarded. I have validated I can reach http://host.domain.com and https://host.domain.com

When requesting the Let's Encrypt cert, I have set default checked and also tried unchecked. In domain name I am using the domain at Namecheap, email is admin@domain and subject alternative is host@domain.com. Both subject alternative and Web Station virtual host are exactly the same.

Any help would be greatly appreciated.

polanskiman Posted December 10, 2019 #2

Just a quick question, did you open port 80 on your router?

bughatti Posted December 10, 2019 Author #3

1 hour ago, Polanskiman said: Just a quick question, did you open port 80 on your router?

Yes, 80 and 443 are both open in my router to my xpenology. I have verified with open port checker, also Web Station responds with a page on both from outside my network.

    root@LiquidXPe:~# sudo syno-letsencrypt new-cert -d domain.com -m email@gmail.com -v
    DEBUG: ==== start to new cert ====
    DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
    DEBUG: Email:email@gmail.com
    DEBUG: Domain: domain.com
    DEBUG: ==========================
    DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
    DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
    DEBUG: Not found registed account. do reg-new.
    DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
    DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
    {"error":200,"file":"client.cpp","msg":"new-req, unexpect httpcode"}

Edited December 10, 2019 by bughatti

safonov_ivan Posted February 10, 2020 #6

There was also this problem. The solution in my case is to disable SPI Firewall.

NiGGaZ Posted February 26, 2020 #8

Synology DSM 6.1 (xpenology) Let's Encrypt ACMEv1 to ACMEv2

If you get messages like:

    synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
    synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]

Then you need to upgrade your DSM to version 6.2, or replace the executable (syno-letsencrypt) file and make some changes in the configuration file:

1. Download the file syno-letsencrypt (this file is from DSM v6.2), link: https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing
2. If SSH is not enabled, please enable it in settings
3. Copy the downloaded file syno-letsencrypt to any folder on your NAS
4. Connect to the NAS with SSH (Putty) using the admin account
5. Make a backup of the original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt /usr/syno/sbin/syno-letsencrypt.bck)
6. Copy the downloaded syno-letsencrypt file to the directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)
7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute the new file
8. Now change the default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)
9. Find the string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02
10. Press escape, enter :wq and reboot your NAS.

Edited February 26, 2020 by NiGGaZ: Changed text
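
A scripted form of steps 5 to 9 above, as an added example that is not part of the original post or of Synology's tooling: it installs the replacement binary only if its SHA-256 matches a value you supply, keeps backups of both files, and switches the directory URL without an interactive editor. The function names, the expected-hash argument and the availability of sha256sum on the NAS are assumptions; the paths are the ones given in the post.

```shell
#!/bin/sh
# Added example, not the poster's or Synology's code. Paths are the ones quoted
# in the post; the expected SHA-256 is a value you supply (assumption: computed
# from a syno-letsencrypt binary you extracted from an official DSM 6.2 image).

# install_verified SRC DEST EXPECTED_SHA256  (steps 5-7)
# Replaces DEST with SRC only if SRC hashes to EXPECTED_SHA256.
install_verified() {
    src=$1; dest=$2; want=$3
    [ "${#want}" -eq 64 ] || { echo "expected a 64-hex-digit SHA-256" >&2; return 1; }
    got=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "refusing to install $src: sha256 is '$got'" >&2
        return 1
    fi
    # Keep the original binary; never overwrite an earlier backup.
    [ -e "$dest.bck" ] || cp -p "$dest" "$dest.bck" || return 1
    cp "$src" "$dest" && chmod 755 "$dest"
}

# switch_acme_v2 CONFIG  (steps 8-9)
# Points the "server" entry at the ACME v2 directory; safe to run twice.
switch_acme_v2() {
    conf=$1
    v1='https://acme-v01.api.letsencrypt.org/directory'
    v2='https://acme-v02.api.letsencrypt.org/directory'
    if grep -qF "\"$v2\"" "$conf"; then
        return 0    # already on v2, nothing to change
    fi
    grep -qF "\"$v1\"" "$conf" || { echo "no ACME v1 URL in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bck" || return 1
    # Rewrite from the backup so the file keeps its inode and permissions.
    sed "s#$v1#$v2#" "$conf.bck" > "$conf"
}

# Usage on the NAS as root (<sha256> is a placeholder for your trusted value):
#   install_verified /volume1/sharedFolder/syno-letsencrypt \
#       /usr/syno/sbin/syno-letsencrypt <sha256>
#   switch_acme_v2 /usr/syno/etc.defaults/letsencrypt/letsencrypt.default
```
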

ma3x Posted March 14, 2020 #9

On 2/26/2020 at 1:13 PM, NiGGaZ said: Synology DSM 6.1 (xpenology) Let's Encrypt ACMEv1 to ACMEv2 [...]

Thank you!

50l3r Posted April 17, 2020 #10

On 2/26/2020 at 11:13 AM, NiGGaZ said: Synology DSM 6.1 (xpenology) Let's Encrypt ACMEv1 to ACMEv2 [...]

Much thanks. It works for me.

NiGGaZ Posted April 17, 2020 #11

1 hour ago, 50l3r said: Much thanks. It works for me

Enjoy! What hardware are you using?

50l3r Posted April 17, 2020 #12

11 minutes ago, NiGGaZ said: Enjoy! What hardware are you using?

HP ProLiant MicroServer Gen10
AMD Opteron X3216
RAM 8GB

I received notifications about ACME 1.0 client deprecation.

NiGGaZ Posted April 17, 2020 #13

2 minutes ago, 50l3r said: HP ProLiant MicroServer Gen10 AMD Opteron X3216 RAM 8GB I received notifications about ACME 1.0 client deprecation

Why I'm asking, because I've updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth. 😁

50l3r Posted April 17, 2020 #14

24 minutes ago, NiGGaZ said: Why I'm asking, because I've updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth. 😁

I did a fresh install. Not an update from an older version.

tfboy Posted May 10, 2020 #15

I'm having issues with getting a LE cert for my domain. It's similar to the ones above, but I get a different error message. I've checked and am using ACME v2 so it's not that.

Having been unsuccessful using the DSM interface, I've tried within SSH to get more detailed information.

    sudo /usr/syno/sbin/syno-letsencrypt new-cert -d test.xavierwalker.co.uk -m email@xavierwalker.co.uk -s https://acme-staging-v02.api.letsencrypt.org/directory -v

The /var/log/messages suggests an invalid response from the /.well-known/acme-challenge URL. I've tried that and get the Synology "Sorry the page you're looking is not found" message. I don't know whether that's correct or not, I guess not?

    syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://test.xavierwalker.co.uk/.well-known/acme-challenge/2PVDi0NX5lW4PH2q0K2jSKQ_RF_fwUtGIMdj1M9DPkI [82.13.19.134]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""}

Port forwarding from 80->5000 and 443->5001 is working OK and I have Web Station installed.

Of course, I don't know where the problem lies. It could be a DNS problem (I've updated my DNS entry to point to the correct IP) as I have a different certificate under a different IP for the primary domain. Or a Synology problem. Or a Let's Encrypt issue?

Any ideas?

tfboy Posted May 10, 2020 #16

Found the issue for me.

I hadn't thought that the website you need for the authorisation and verification to work (writes a file to your webspace/.well-known/acme-challenge/) is from the normal web service (nginx or apache2) running via Web Station which of course responds on ports 80 and 443.

My initial redirecting and port forwarding from my public WAN to private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.

Cr4z33 Posted August 22, 2020 #17

Since a week or so I am desperately trying to renew my certificates, but none of the above solutions have worked for me so far.

All of them fail reporting probably firewall related issues, but:

- DSM firewall and various blocks have been disabled
- Router firewall and various blocks have been disabled
- No DSM update / upgrade has been run (still sitting on v6.2.2-24922 Update 4) to avoid problems

What on Earth is going on?

Donatello Posted May 21, 2021 #18

On 5/11/2020 at 12:45 AM, tfboy said: Found the issue for me. I hadn't thought that the website you need for the authorisation and verification to work (writes a file to your webspace/.well-known/acme-challenge/) is from the normal web service (nginx or apache2) running via Web Station which of course responds on ports 80 and 443. My initial redirecting and port forwarding from my public WAN to private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.

Same issue for me, the router configuration should forward:

    External port    Internal port
    80               80
    443              443
    5001             5001