bughatti

Cannot issue Let's Encrypt


All, I am trying to issue a Let's Encrypt certificate on my NAS, and it does not want to work. Below is the error:

 

2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]

I am running DSM 6.1.7-15284 Update 3

 

I have found a few articles and tried all the fixes that worked for others, but no luck.

I have my domain at Namecheap, with A records pointing the hostname to my IP.

I have Web Station installed using nginx and PHP 7.3, a virtual host set up, and ports forwarded. I have validated that I can reach http://host.domain.com and https://host.domain.com.

 

When requesting the Let's Encrypt cert, I have tried with "set as default" checked and also unchecked. In domain name I am using the domain at Namecheap, email is admin@domain, and subject alternative name is host@domain.com; the subject alternative name and the Web Station virtual host are exactly the same.

 

 

Any help would be greatly appreciated.

 

 

1 hour ago, Polanskiman said:

Just a quick question, did you open port 80 on your router?

 

Yes, 80 and 443 are both open in my router to my xpenology. I have verified with an open port checker; Web Station also responds with a page on both from outside my network.

 

root@LiquidXPe:~# sudo syno-letsencrypt new-cert -d domain.com -m email@gmail.com -v
DEBUG: ==== start to new cert ====
DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Email:email@gmail.com
DEBUG: Domain:  domain.com
DEBUG: ==========================
DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
DEBUG: Not found registed account. do reg-new.
DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
{"error":200,"file":"client.cpp","msg":"new-req, unexpect httpcode"}


Synology DSM 6.1 (xpenology) Let's Encrypt ACMEv1 to ACMEv2
If you get messages like:

synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]
Then you need to upgrade your DSM to version 6.2, or replace the executable (syno-letsencrypt) and make some changes in the configuration file:

1. Download the file syno-letsencrypt (this file is from DSM v6.2): https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing

2. If SSH is not enabled, enable it in settings.

3. Copy the downloaded file syno-letsencrypt to any folder on your NAS.

4. Connect to the NAS with SSH (PuTTY) using the admin account.

5. Make a backup of the original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt /usr/syno/sbin/syno-letsencrypt.bck)

6. Copy the downloaded syno-letsencrypt file to the directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)

7. Change the attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) so the new file is executable.

8. Now change the default server address for syno-letsencrypt, using SSH (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)

9. Find the string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02.

10. Press Escape, enter :wq and reboot your NAS.

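The ten steps above as one script, added here as an example and not part of NiGGaZ's post. It assumes the DSM 6.x paths quoted in the thread, that sha256sum and sed -i exist on the NAS, and that EXPECTED_SHA256 is a placeholder you fill in yourself. The replacement binary in the post is served from a personal Google Drive folder, so the script refuses to copy it into /usr/syno/sbin unless its SHA-256 matches a hash you took from a DSM 6.2 install you trust; the config edit is done with sed instead of vi so it can be checked afterwards.

```shell
#!/bin/sh
# Added example, not part of the thread: the ACMEv1 -> ACMEv2 procedure as a
# script, with a backup, an integrity check on the replacement binary and a
# sed edit of the config instead of vi. Assumptions: the DSM 6.x paths quoted
# in the thread, sha256sum and sed -i available on the NAS, and
# EXPECTED_SHA256 filled in by you from a DSM 6.2 install you trust.
set -eu

CLIENT=/usr/syno/sbin/syno-letsencrypt
CONFIG=/usr/syno/etc.defaults/letsencrypt/letsencrypt.default
ACME_V1='https://acme-v01.api.letsencrypt.org/directory'
ACME_V2='https://acme-v02.api.letsencrypt.org/directory'
# Placeholder: sha256sum /usr/syno/sbin/syno-letsencrypt on a trusted DSM 6.2 box.
EXPECTED_SHA256='REPLACE-WITH-SHA256-OF-A-TRUSTED-DSM-6.2-syno-letsencrypt'

# Compare a file's SHA-256 with the expected value. Returns 0 on match.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Steps 5-7: back up the original client, install the replacement and make it
# executable. Refuses to touch the system when the hash does not match, so a
# tampered or wrong-version download never lands in /usr/syno/sbin.
install_client() {
    src="$1"; expected="$2"; dst="${3:-$CLIENT}"
    if ! verify_sha256 "$src" "$expected"; then
        echo "refusing to install $src: SHA-256 mismatch" >&2
        return 1
    fi
    cp -p "$dst" "$dst.bck"
    cp "$src" "$dst"
    chmod 755 "$dst"
}

# Steps 8-9: point the client at the ACMEv2 directory. Keeps a .bak copy and
# returns 0 only if the file now references ACMEv2.
switch_acme_server() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak"
    # '|' as the sed delimiter because the URLs contain '/'.
    sed -i "s|$ACME_V1|$ACME_V2|g" "$cfg"
    grep -Fq "$ACME_V2" "$cfg"
}

# Usage: sh switch-acme.sh --apply /volume1/sharedFolder/syno-letsencrypt
# Nothing on the system is changed unless --apply is given.
if [ "${1:-}" = "--apply" ]; then
    install_client "$2" "$EXPECTED_SHA256"
    switch_acme_server "$CONFIG"
    echo "done; reboot the NAS (step 10) and retry the certificate request"
fi
```

Run it once with --apply over SSH as in step 4; the .bck and .bak copies are what you restore from if the DSM UI still fails afterwards.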
On 2/26/2020 at 1:13 PM, NiGGaZ said:

Synology DSM 6.1 (xpenology) Let's Encrypt ACMEv1 to ACMEv2

Thank you!

On 2/26/2020 at 11:13 AM, NiGGaZ said:

Synology DSM 6.1 (xpenology) Let's Encrypt ACMEv1 to ACMEv2

 

Much thanks. It works for me.

1 hour ago, 50l3r said:

 

Much thanks. It works for me.

Enjoy! What hardware are you using?

11 minutes ago, NiGGaZ said:

Enjoy! What hardware are you using?

 

HP ProLiant MicroServer Gen10

AMD Opteron X3216

RAM 8GB

 

I received notifications about ACME 1.0 client deprecation.

2 minutes ago, 50l3r said:

 

HP ProLiant MicroServer Gen10

AMD Opteron X3216

RAM 8GB

 

I received notifications about ACME 1.0 client deprecation.

Why I'm asking: I updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth. 😁

24 minutes ago, NiGGaZ said:

Why I'm asking: I updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth. 😁

 

I did a fresh install, not an update from an older version.


I'm having issues getting an LE cert for my domain. It's similar to the ones above, but I get a different error message.

 

I've checked and am using ACME v2 so it's not that.

 

Having been unsuccessful using the DSM interface, I've tried within SSH to get more detailed information:

sudo /usr/syno/sbin/syno-letsencrypt new-cert -d test.xavierwalker.co.uk -m email@xavierwalker.co.uk -s https://acme-staging-v02.api.letsencrypt.org/directory -v

 

/var/log/messages suggests an invalid response from the /.well-known/acme-challenge URL. I've tried that and get the Synology "Sorry the page you're looking is not found" message. I don't know whether that's correct or not; I guess not?

syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://test.xavierwalker.co.uk/.well-known/acme-challenge/2PVDi0NX5lW4PH2q0K2jSKQ_RF_fwUtGIMdj1M9DPkI [82.13.19.134]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""}

 

Port forwarding from 80->5000 and 443->5001 is working OK and I have Web Station installed.

Of course, I don't know where the problem lies. It could be a DNS problem (I've updated my DNS entry to point to the correct IP) as I have a different certificate under a different IP for the primary domain. Or a Synology problem. Or a Let's Encrypt issue?

 

Any ideas?


Found the issue for me.

I hadn't realised that the website needed for the authorisation and verification to work (it writes a file to your webspace under /.well-known/acme-challenge/) is the normal web service (nginx or apache2) running via Web Station, which of course responds on ports 80 and 443.

My initial redirecting and port forwarding from my public WAN to my private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.

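A self-check for the forwarding problem described in the two posts above, added as an example and not part of either post. It drops a token file under the Web Station document root, fetches it over the public hostname the way Let's Encrypt's HTTP-01 validation would, and classifies what came back: the token itself, nothing, an HTML page (in the log above that was DSM's own "page not found" page, because port 80 was forwarded to DSM on 5000 rather than to Web Station), or something else. The document root /volume1/web, the hostname argument and the presence of curl are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: an HTTP-01 self-check to run before
# asking Let's Encrypt to validate. Assumptions: Web Station serves
# /volume1/web (override with the second argument), curl is installed, and
# the hostname given resolves to this NAS from outside.
set -eu

# Classify the body returned for a challenge URL against the token we placed.
# Prints one of: ok, empty, html, other.
classify_challenge_response() {
    token="$1"; body="$2"
    if [ "$body" = "$token" ]; then
        echo ok
    elif [ -z "$body" ]; then
        # Nothing answered on port 80 (no forward, firewall, wrong IP).
        echo empty
    elif printf '%s' "$body" | grep -qi '<!DOCTYPE html>'; then
        # A web server answered, but not with our file: the request reached a
        # different service than the one serving the document root (e.g. port
        # 80 forwarded to DSM on 5000, which replies with its own HTML page).
        echo html
    else
        echo other
    fi
}

# Place a unique token under the challenge path, fetch it through the public
# hostname, remove it again and classify the result.
http01_selfcheck() {
    host="$1"; docroot="${2:-/volume1/web}"
    dir="$docroot/.well-known/acme-challenge"
    token="selfcheck-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    # Plain HTTP on port 80, no redirects followed: that is what the CA does.
    body=$(curl -s --max-time 10 "http://$host/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    classify_challenge_response "$token" "$body"
}

# Usage: sh http01-check.sh test.example.com [/volume1/web]
if [ $# -gt 0 ]; then
    http01_selfcheck "$@"
fi
```

Anything other than "ok" means the CA will fail the same way; "html" in particular points at the forward landing on the wrong service, which is what fixing the 80 to 5000 mapping resolved above.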

For a week or so I have been desperately trying to renew my certificates, but none of the above solutions have worked for me so far.

 

All of them fail, reporting what are probably firewall-related issues, but:

  1. DSM firewall and various blocks have been disabled
  2. Router firewall and various blocks have been disabled
  3. No DSM update / upgrade has been run (still sitting on v6.2.2-24922 Update 4) to avoid problems

What on Earth is going on?
