bughatti Posted December 9, 2019 #1

All, I am trying to issue a Let's Encrypt certificate on my NAS, and it does not want to work. Below is the error:

    2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
    2019-12-09T14:57:58-06:00 LiquidXPe synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]

I am running DSM 6.1.7-15284 Update 3.

I have found a few articles and tried all the fixes that worked for others, but no luck.

I have my domain at Namecheap, and I have A records pointing the hostname to my IP.

I have Web Station installed using nginx and PHP 7.3, a virtual host set up and ports forwarded.

I have validated I can reach http://host.domain.com and https://host.domain.com

When requesting the Let's Encrypt cert, I have set default checked and also tried unchecked. In domain name I am using the domain at Namecheap, email is admin@domain and subject alternative is host@domain.com. Both subject alternative and Web Station virtual host are exactly the same.

Any help would be greatly appreciated.

Polanskiman Posted December 10, 2019 #2

Just a quick question, did you open port 80 on your router?

bughatti Posted December 10, 2019 #3 (Edited December 10, 2019 by bughatti)

1 hour ago, Polanskiman said:
> Just a quick question, did you open port 80 on your router?

Yes, 80 and 443 are both open in my router to my xpenology. I have verified with an open port checker; also, Web Station responds with a page on both from outside my network.

    root@LiquidXPe:~# sudo syno-letsencrypt new-cert -d domain.com -m email@gmail.com -v
    DEBUG: ==== start to new cert ====
    DEBUG: Server: https://acme-v01.api.letsencrypt.org/directory
    DEBUG: Email:email@gmail.com
    DEBUG: Domain: domain.com
    DEBUG: ==========================
    DEBUG: setup acme url https://acme-v01.api.letsencrypt.org/directory
    DEBUG: GET Request: https://acme-v01.api.letsencrypt.org/directory
    DEBUG: Not found registed account. do reg-new.
    DEBUG: Post JWS Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
    DEBUG: Post Request: https://acme-v01.api.letsencrypt.org/acme/new-reg
    {"error":200,"file":"client.cpp","msg":"new-req, unexpect httpcode"}

ichel Posted January 19, 2020 #4

Is there a solution to the problem?

cool2004 Posted January 30, 2020 #5

+ I have the same problem

safonov_ivan Posted February 10, 2020 #6

There was also this problem. The solution in my case is to disable SPI Firewall

NiGGaZ Posted February 26, 2020 #7

text.txt

NiGGaZ Posted February 26, 2020 #8 (Edited February 26, 2020 by NiGGaZ: Changed text)

Synology DSM 6.1 (xpenology) Lets Encrypt ACMEv1 to ACMEv2

If you get messages like:

    synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
    synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]

Then you need to upgrade your DSM to version 6.2, or replace the executable (syno-letsencrypt) file and make some changes in the configuration file:

1. Download the file syno-letsencrypt (this file is from DSM v6.2), link https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing
2. If SSH is not enabled, please enable it in settings
3. Copy the downloaded file syno-letsencrypt to any folder on your NAS
4. Connect to the NAS with SSH (Putty) using the admin account
5. Make a backup of the original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt /usr/syno/sbin/syno-letsencrypt.bck)
6. Copy the downloaded syno-letsencrypt file to the directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)
7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute the new file
8. Now change the default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)
9. Find the string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02
10. Press escape, enter :wq and reboot your NAS.
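
Steps 5 to 9 of the post above as a script, with a digest check before the downloaded binary replaces a root-owned executable. This is an added example, not part of the original post: the function names are illustrative, the expected SHA-256 is a placeholder to fill in from a source you trust, and sha256sum is assumed to be available on the NAS.

```shell
#!/bin/sh
# Added example: install a replacement syno-letsencrypt only if its digest
# matches, keep the original as .bck, then point the client at ACME v2.

# verify_sha256 FILE EXPECTED -> status 0 only when the digest matches
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}') || return 2
    [ "$actual" = "$2" ]
}

# install_binary NEW DEST EXPECTED_SHA256
install_binary() {
    new=$1 dest=$2 expected=$3
    verify_sha256 "$new" "$expected" || {
        echo "digest mismatch, not installing $new" >&2
        return 1
    }
    # Keep the first backup: a second run must not overwrite the vendor binary.
    [ -e "$dest.bck" ] || cp -p "$dest" "$dest.bck" || return 1
    # Stage next to the target and rename, so the path never holds a partial file.
    cp "$new" "$dest.tmp" && chmod 755 "$dest.tmp" && mv -f "$dest.tmp" "$dest"
}

# switch_acme_endpoint CONF: rewrite the acme-v01 directory URL to acme-v02
switch_acme_endpoint() {
    conf=$1
    grep -q 'acme-v01\.api\.letsencrypt\.org' "$conf" || return 1  # nothing to change
    cp -p "$conf" "$conf.bck" || return 1
    sed 's#acme-v01\.api\.letsencrypt\.org#acme-v02.api.letsencrypt.org#' \
        "$conf.bck" > "$conf"
}

# Usage on the NAS as root, with the paths given in the post
# (EXPECTED_SHA256 is a placeholder, not a value from the thread):
#   install_binary /volume1/sharedFolder/syno-letsencrypt \
#       /usr/syno/sbin/syno-letsencrypt "$EXPECTED_SHA256" &&
#   switch_acme_endpoint /usr/syno/etc.defaults/letsencrypt/letsencrypt.default
```

To roll back, copy the two .bck files over the live paths.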

ma3x Posted March 14, 2020 #9

On 2/26/2020 at 1:13 PM, NiGGaZ said:
> Synology DSM 6.1 (xpenology) Lets Encrypt ACMEv1 to ACMEv2
>
> If you get messages like:
>
>     synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
>     synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]
>
> Then you need to upgrade your DSM to version 6.2, or replace the executable (syno-letsencrypt) file and make some changes in the configuration file:
>
> 1. Download the file syno-letsencrypt (this file is from DSM v6.2), link https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing
> 2. If SSH is not enabled, please enable it in settings
> 3. Copy the downloaded file syno-letsencrypt to any folder on your NAS
> 4. Connect to the NAS with SSH (Putty) using the admin account
> 5. Make a backup of the original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt /usr/syno/sbin/syno-letsencrypt.bck)
> 6. Copy the downloaded syno-letsencrypt file to the directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)
> 7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute the new file
> 8. Now change the default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)
> 9. Find the string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02
> 10. Press escape, enter :wq and reboot your NAS.

Thank you!

50l3r Posted April 17, 2020 #10

On 2/26/2020 at 11:13 AM, NiGGaZ said:
> Synology DSM 6.1 (xpenology) Lets Encrypt ACMEv1 to ACMEv2
>
> If you get messages like:
>
>     synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:957 syno-letsencrypt failed. 200 [new-req, unexpect httpcode]
>     synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[5038]: certificate.cpp:1359 Failed to create Let'sEncrypt certificate. [200][new-req, unexpect httpcode]
>
> Then you need to upgrade your DSM to version 6.2, or replace the executable (syno-letsencrypt) file and make some changes in the configuration file:
>
> 1. Download the file syno-letsencrypt (this file is from DSM v6.2), link https://drive.google.com/drive/folders/1-LgjOAU3dBtNk2WKZ1KJY88Lklf12RPp?usp=sharing
> 2. If SSH is not enabled, please enable it in settings
> 3. Copy the downloaded file syno-letsencrypt to any folder on your NAS
> 4. Connect to the NAS with SSH (Putty) using the admin account
> 5. Make a backup of the original syno-letsencrypt (sudo cp /usr/syno/sbin/syno-letsencrypt /usr/syno/sbin/syno-letsencrypt.bck)
> 6. Copy the downloaded syno-letsencrypt file to the directory /usr/syno/sbin/ (ex.: sudo cp /volume1/sharedFolder/syno-letsencrypt /usr/syno/sbin/)
> 7. Change attributes (sudo chmod 755 /usr/syno/sbin/syno-letsencrypt) to execute the new file
> 8. Now change the default address for syno-letsencrypt, using ssh (sudo vi /usr/syno/etc.defaults/letsencrypt/letsencrypt.default)
> 9. Find the string "server": "https://acme-v01.api.letsencrypt.org/directory", press i and change 01 to 02
> 10. Press escape, enter :wq and reboot your NAS.

Much thanks. It works for me

NiGGaZ Posted April 17, 2020 #11

1 hour ago, 50l3r said:
> Much thanks. It works for me

Enjoy! What hardware do you use?

50l3r Posted April 17, 2020 #12

11 minutes ago, NiGGaZ said:
> Enjoy! What hardware do you use?

HP ProLiant MicroServer Gen10
AMD Opteron X3216
RAM 8GB

I received notifications about ACME 1.0 client deprecation

NiGGaZ Posted April 17, 2020 #13

2 minutes ago, 50l3r said:
> HP ProLiant MicroServer Gen10
> AMD Opteron X3216
> RAM 8GB
>
> I received notifications about ACME 1.0 client deprecation

Why I’m asking, because I’ve updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth. 😁

50l3r Posted April 17, 2020 #14

24 minutes ago, NiGGaZ said:
> Why I’m asking, because I’ve updated my HP Compaq Elite 8300 CMT to 6.2.2, but that was not so smooth. 😁

I did a fresh install. Not an update from an older version.

tfboy Posted May 10, 2020 #15

I'm having issues with getting a LE cert for my domain. It's similar to the ones above, but I get a different error message. I've checked and am using ACME v2 so it's not that.

Having been unsuccessful using the DSM interface, I've tried within SSH to get more detailed information.

    sudo /usr/syno/sbin/syno-letsencrypt new-cert -d test.xavierwalker.co.uk -m email@xavierwalker.co.uk -s https://acme-staging-v02.api.letsencrypt.org/directory -v

The /var/log/messages suggests an invalid response from the ./well-known/acme-challenge url. I've tried that and get the Synology "Sorry the page you're looking is not found" message. I don't know whether that's correct or not, I guess not?

    syno-letsencrypt: syno-letsencrypt.cpp:116 Failed to do new authorization, may retry with another type. [{"error":200,"file":"client_v2.cpp","msg":"Invalid response from http://test.xavierwalker.co.uk/.well-known/acme-challenge/2PVDi0NX5lW4PH2q0K2jSKQ_RF_fwUtGIMdj1M9DPkI [82.13.19.134]: \"<!DOCTYPE html>\\n<html>\\n<head>\\n<meta charset=\\\"utf-8\\\">\\n<style>body{font-family:Arial,Helvetica,sans-serif;font-size:12px;text-alig\""}

Port forwarding from 80->5000 and 443->5001 is working OK and I have Web Station installed.

Of course, I don't know where the problem lies. It could be a DNS problem (I've updated my DNS entry to point to the correct IP) as I have a different certificate under a different IP for the primary domain. Or a Synology problem. Or a Let's Encrypt issue?

Any ideas?

tfboy Posted May 10, 2020 #16

Found the issue for me. I hadn't thought that the website you need for the authorisation and verification to work (writes a file to your webspace/.well-known/acme-challenge/) is from the normal web service (nginx or apache2) running via Web Station which of course responds on ports 80 and 443.

My initial redirecting and port forwarding from my public WAN to private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.
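
A pre-flight check for the situation described in the two posts above, as an added example that is not part of the original thread: it drops a probe file under the challenge path in the web root and fetches it through the public hostname, so a DSM HTML page coming back from the 5000/5001 forward is caught before a certificate request is spent. The function name, the FETCH override and the web root argument are assumptions; the default fetcher is curl.

```shell
#!/bin/sh
# Added example: confirm that port 80 on the public name reaches the web
# server that serves WEBROOT, which is what HTTP-01 validation relies on.

# probe_http01 BASE_URL WEBROOT
#   0 = the probe file came back unchanged (challenge path is reachable)
#   1 = something else answered, or nothing did
#   2 = the probe file could not be written
probe_http01() {
    base=$1 webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    name="probe-$$"
    want="constructed-probe-$$"          # constructed value, not a real token
    mkdir -p "$dir" && printf '%s' "$want" > "$dir/$name" || return 2
    # FETCH is a hypothetical hook so the function can be exercised offline.
    got=$(${FETCH:-curl -s --max-time 10} "$base/.well-known/acme-challenge/$name")
    rm -f "$dir/$name"
    [ "$got" = "$want" ] && return 0
    case $got in
        *'<!DOCTYPE'*|*'<html'*)
            echo "HTML page returned: port 80 is not reaching the Web Station site" >&2 ;;
        '')
            echo "empty response: port 80 closed, filtered or forwarded elsewhere" >&2 ;;
        *)
            echo "unexpected body on the challenge path" >&2 ;;
    esac
    return 1
}

# Usage from a host outside the LAN that can also write to the web root,
# or on the NAS itself if the router supports NAT loopback:
#   probe_http01 http://host.domain.com /path/to/webroot
```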

Cr4z33 Posted August 22, 2020 #17

Since a week or so I am desperately trying to renew my certificates, but none of the above solutions have worked for me so far.

All of them fail reporting probably firewall related issues, but

- DSM firewall and various blocks have been disabled
- Router firewall and various blocks have been disabled
- No DSM update / upgrade has been run (still sitting on v6.2.2-24922 Update 4) to avoid problems

What on Earth is going on?

Donatello Posted May 21, 2021 #18

On 5/11/2020 at 12:45 AM, tfboy said:
> Found the issue for me. I hadn't thought that the website you need for the authorisation and verification to work (writes a file to your webspace/.well-known/acme-challenge/) is from the normal web service (nginx or apache2) running via Web Station which of course responds on ports 80 and 443.
>
> My initial redirecting and port forwarding from my public WAN to private LAN was forwarding to ports 5000 and 5001 for DSM. Whilst I need this to access DSM remotely, I actually need it to forward to the standard 80 and 443 for the certificate generation.

Same issue for me, the router configuration should forward:

    External port    Internal port
    80               80
    443              443
    5001             5001