How to update Let's Encrypt Root Certificate



Let's Encrypt's root certificate expired on October 1, 2021, which causes the cert renewal or creation to fail with the message "No response from destination server. Please try again later."

 

To fix it, follow these instructions, which worked for me on my Xpenology box running DSM 6.2.2-24922

 

1.      Download the root cert from the Let's Encrypt website: https://letsencrypt.org/certificates/

a.      Download the active root cert “PEM” file,

b.      Open it with a text editor and copy the cert

2.      Log into the Synology box via ssh

3.      Back up the CA cert file: sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG

4.      Edit the CA cert file: sudo vi /etc/ssl/certs/ca-certificates.crt

5.      “ESC”, then “G” to go to the end of the file

6.      “o” to insert a new line

7.      Paste the new cert into the file.

8.      “ESC”, then “:wq!” to save and close.

 

This will update the root CA cert and should allow you to install or renew Let's Encrypt certificates again

 

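An added example, not from Mustyone's post and not Synology's tooling, that does the same append step from a script but refuses to add a root whose SHA-256 fingerprint does not match a pinned value, skips it when the bundle already contains it, and keeps a .ORIG backup. The pinned value is something you supply: it is assumed to be the fingerprint shown on https://letsencrypt.org/certificates/ (or the output of `openssl x509 -noout -fingerprint -sha256 -in isrgrootx1.pem` on a machine you trust). The script assumes POSIX sh, awk, base64 and sha256sum are available on the DSM box; the sample files mentioned in the comments are constructed dummies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): append a root CA to DSM's bundle only after
# checking its SHA-256 fingerprint against a pinned value, and only once.
# Assumes POSIX sh, awk, base64 and sha256sum (assumed present on DSM).
# Usage, as root:
#   add_root_ca /etc/ssl/certs/ca-certificates.crt isrgrootx1.pem <fingerprint-from-letsencrypt.org>

# SHA-256 of the DER form of the first PEM certificate on stdin. This is the same
# value `openssl x509 -noout -fingerprint -sha256` prints, without the colons.
pem_fingerprint() {
    tr -d '\r' | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; next }
        /^-----END CERTIFICATE-----$/   { exit }
        inside                          { printf "%s", $0 }
    ' | base64 -d | sha256sum | cut -d' ' -f1
}

# One fingerprint per line for every certificate in the bundle file $1.
bundle_fingerprints() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { body = ""; inside = 1; next }
        /^-----END CERTIFICATE-----$/   { print body; inside = 0; next }
        inside                          { body = body $0 }
    ' | while IFS= read -r body; do
        printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# add_root_ca BUNDLE CERTFILE PINNED_SHA256
# Exit status: 0 appended, 1 fingerprint mismatch (nothing written), 2 already present.
add_root_ca() {
    bundle=$1; certfile=$2
    # accept the colon-separated upper-case form shown on the CA's web page
    pinned=$(printf '%s' "$3" | tr -d ':' | tr 'A-Z' 'a-z')
    actual=$(pem_fingerprint < "$certfile")
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to trust $certfile: fingerprint $actual != pinned $pinned" >&2
        return 1
    fi
    if bundle_fingerprints "$bundle" | grep -qx "$actual"; then
        echo "$certfile is already in $bundle" >&2
        return 2
    fi
    # keep the first backup, then replace the bundle in one rename
    [ -e "$bundle.ORIG" ] || cp "$bundle" "$bundle.ORIG" || return 1
    { cat "$bundle"; echo; tr -d '\r' < "$certfile"; } > "$bundle.tmp" \
        && mv "$bundle.tmp" "$bundle"
}
```

The fingerprint check is the point: a root fetched with `curl -k` arrives over a connection whose server certificate was never verified, so whatever lands in that file is exactly as trustworthy as the pin you compare it with. The same applies to a downloaded curl.se bundle, which curl.se publishes alongside a cacert.pem.sha256 file for that purpose. The idempotence check keeps repeated runs (or the two-download variants later in this thread) from stacking duplicate copies of the same CA in the bundle.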

Can be scripted, see: 

note: the "add certificates to ca-certificates" part is relevant.

 

@Dingo  Generate the new certificates using the UI.  Then execute this script to detect which folder holds the files for that particular certificate:

domain=the-domain-the-certificate-is-issued-for.com
for current_domain_cert in /usr/syno/etc/certificate/_archive/*; do
    if [ -d "${current_domain_cert}" ] && [ -f "${current_domain_cert}/cert.pem" ]; then
        # look for the domain in the certificate's subjectAltName entries
        openssl x509 -in "${current_domain_cert}/cert.pem" -noout -text | grep -q "DNS:${domain}"
        domain_found=$?
        if [ "${domain_found}" = "0" ]; then
            echo "certificate for ${domain} found in ${current_domain_cert}"
        fi
    fi
done

 

Edited by haydibe

Thank you!

 

I tried to run your script. It ran fine except for the cat command, which failed with "Permission denied", even with sudo.

Not sure how to run the for loop. Can it be copied and pasted (right click) into ssh (I'm using PuTTY on Windows)?

 

My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center.

My SABnzbd is also failing with "Server news.usenetserver.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]"

 

It would be great if someone could post a step-by-step guide on how to resolve the issue with community packages and SABnzbd.

 

I'm using DSM 6.2.3-25426 Update 3

 

Edited by Dingo

Good catch, both scripts assume that you run them as root. Copy/paste should work. 

 

2 hours ago, Dingo said:

My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center.

 

The problem consists of two factors: 1) the certificates themselves (fixed by the script in the first link if run as root), 2) an openssl library that is able to handle the algorithms used by the newly issued Let's Encrypt certificates, which requires at least openssl libraries v1.1.0 - DSM 6.2.3u3 has 1.0.2k.  Sorry to disappoint -> there is no way to fix this, unless Synology fixes it.

 

 

 

Edited by haydibe

Thanks for your reply! It explains very well why things are not working.

I will try to run your script as root (If I can find the correct password).

 

I see that Let's Encrypt issues are on the fix list for Version: 6.2.4-25556 Update 2 (number 10 under Fixed Issues - I hope this will fix the issue).

https://www.synology.com/en-global/releaseNote/DSM?model=DS3615xs#6_2

 

We will have to wait and see if someone in this community can get this update successfully installed and working.

Edited by Dingo

Please do NOT update to 6.2.4 or greater with any of Jun's bootloaders -> it is not going to work.

 

You either have to use redpill in its current state, which is kind of beta-ish and is aimed at advanced users and developers skilled in Linux.

I would advise non-advanced users to wait until the beta is official and the approach to build a bootloader image is beginner friendly. 


 

Quote

You either have to use redpill in its current state, which is kind of beta-ish and is aimed at advanced users and developers skilled in Linux

 

Presumably the certificate feature on DSM is using some programs like curl to download and validate the certificates. Is it possible to just build new statically linked versions of these tools and replace the stock binaries just to get Let's Encrypt certificates working again on older DSM versions?


I doubt that replacing curl with a statically compiled version will solve many issues, other than maybe with custom scripts that depend on curl. You can get prebuilt statically compiled curl binaries from GitHub right away and test it...

 

Without having identified what exact dependency an affected application requires, it is hard to figure out what needs to be replaced.

 

All 3rd-party spk packages should come with an updated version of openssl - but those are private to the package. Is it safe to replace the system libraries with those of the packages? I highly doubt that...

 

What might be worth investigating is replacing the runtime environment that serves the DSM UI: I guess nginx could be replaced with a statically compiled version, but what about synocgid - one of the two must be responsible for executing the package manager's certificate checks...

 

If you feel bold, you can download this CLI tool to check the dependencies of a binary:

wget https://github.com/haampie/libtree/releases/download/v2.0.0/libtree_x86_64
chmod +x libtree_x86_64
# example usage:
./libtree_x86_64 $(which curl)

 

It will provide an output like this on DSM6.2.3u3:

Quote

haydibe@dsm:~$ ./libtree_x86_64  $(which curl)
curl
└── libcurl.so.4 [default paths]
    ├── libcares.so.2 [default paths]
    ├── libnghttp2.so.14 [default paths]
    ├── libssh2.so.1 [default paths]
    │   ├── libssl.so.1.0.0 [default paths]
    │   │   └── libcrypto.so.1.0.0 [default paths]
    │   └── libcrypto.so.1.0.0 (collapsed) [default paths]
    ├── libssl.so.1.0.0 (collapsed) [default paths]
    ├── libcrypto.so.1.0.0 (collapsed) [default paths]
    ├── liblber-2.4.so.2 [default paths]
    │   ├── libsasl2.so.3 [default paths]
    │   ├── libcrypto.so.1.0.0 (collapsed) [default paths]
    │   ├── libssl.so.1.0.0 (collapsed) [default paths]
    │   ├── libsynocore.so.6 [default paths]
    │   └── libsynosdk.so.6 [default paths]
    ├── libldap-2.4.so.2 [default paths]
    │   ├── liblber-2.4.so.2 (collapsed) [default paths]
    │   ├── libsynocore.so.6 (collapsed) [default paths]
    │   ├── libsynosdk.so.6 (collapsed) [default paths]
    │   ├── libsasl2.so.3 (collapsed) [default paths]
    │   ├── libssl.so.1.0.0 (collapsed) [default paths]
    │   └── libcrypto.so.1.0.0 (collapsed) [default paths]
    └── libsynoproxy.so.6 [default paths]
 

 

Edited by haydibe
On 10/14/2021 at 12:59 PM, Dingo said:

My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center.

My SABnzbd is also failing with "Server news.usenetserver.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]"

 

It would be great if someone could post a step-by-step guide on how to resolve the issue with community packages and SABnzbd.

 

I'm using DSM 6.2.3-25426 Update 3

 

ssh into your DSM, once logged in paste this script:

sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem

 

your synocommunity packages will work again.

Edited by merve04
  • Like 4
  • Thanks 3

I don't understand WHY it works, but apparently it does!

 

The Synocommunity repository can be added/accessed from the ui by replacing  /etc/ssl/certs/ca-certificates.crt with the most recent file from https://curl.se/ca/cacert.pem.

 

update:

So apparently the explanation is that the older openssl libs require ALL certificate chains they verify to be valid, while newer openssl libs (> v1.1.0) only require at least one of the certificate chains they verify to be valid. 

 

What's the difference with the cacert.pem of curl.se?

Unlike the Synology cacert.pem's (regardless of whether DSM 6.x or current 7.x), it does not include the expired CA.

Thus, the verification that led to an invalid chain due to the expired CA certificate is not included. 

 

So after all it was not the algorithms that LE used to sign the certificates, but rather a suffering from an openssl implementation detail in combination with outdated CA's.

 

Edited by haydibe
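An added example (not haydibe's or Synology's code) that acts on the explanation above directly: rather than swapping in the curl.se bundle, it splits the existing bundle into single certificates, asks openssl which of them are expired (or expire within a window), and rewrites the bundle without those, keeping a .ORIG copy. The assumptions are POSIX sh, awk, mktemp and the openssl binary DSM ships; the certificate used in the usage note is generated on the spot and is not a real CA.

```shell
#!/bin/sh
# Added example (not haydibe's or Synology's code): drop expired CAs from a PEM
# bundle so a single-chain verifier such as OpenSSL 1.0.2 cannot build a path
# that ends at a dead root. Assumes POSIX sh, awk, mktemp and openssl.
# Usage, as root:  prune_expiring /etc/ssl/certs/ca-certificates.crt 0

# Write each certificate of bundle $1 to its own file under directory $2.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out                            { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# True when certificate file $1 is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" > /dev/null 2>&1
}

# prune_expiring BUNDLE SECONDS
# Rewrites BUNDLE without certificates that expire within SECONDS (0 = already
# expired), keeps BUNDLE.ORIG, reports dropped subjects on stderr and prints the
# number of dropped certificates on stdout.
prune_expiring() {
    bundle=$1; window=${2:-0}
    work=$(mktemp -d) || return 1
    split_bundle "$bundle" "$work"
    [ -e "$bundle.ORIG" ] || cp "$bundle" "$bundle.ORIG" || return 1
    dropped=0
    : > "$work/new.crt"
    for f in "$work"/cert-*.pem; do
        [ -f "$f" ] || continue
        if cert_valid_for "$f" "$window"; then
            cat "$f" >> "$work/new.crt"
        else
            echo "dropping $(openssl x509 -in "$f" -noout -subject)" >&2
            dropped=$((dropped + 1))
        fi
    done
    # overwrite in place so owner and mode of the bundle are preserved
    cat "$work/new.crt" > "$bundle"
    rm -rf "$work"
    echo "$dropped"
}
```

A dry run is `prune_expiring` against a copy of the bundle in a scratch directory; `window` of 0 drops only CAs that are already past notAfter, which is the case the thread hits, while a larger window shows what the same bundle will look like after the next batch of roots ages out. Pruning does not add the new root, so on a bundle that lacks ISRG Root X1 it still needs to be appended, as in the earlier posts.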

Just with one command and everything will be done for you... 

Reminder: your machine will restart after executing this command

 

sudo sh -c 'cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot'

 

Edited by MiracleYueYue
  • Like 2
  • Thanks 3
On 10/31/2021 at 2:08 AM, MiracleYueYue said:

Just with one command and everything will be done for you... 

Reminder: your machine will restart after executing this command

 



 

 

Hello, good evening. Could you help me? I can't get it to work; it tells me it cannot find the directory.

On 10/24/2021 at 7:37 PM, merve04 said:

ssh into your DSM, once logged in paste this script:

sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem

 

your synocommunity packages will work again.

Thank you so much for this easy fix for the SynoCommunity! It worked great!


Dear all!

Thanks a lot for the command lines

I've used those command lines and it solved my issue of adding the synocommunity package to Package Center

sudo -i

mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak1

curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem 

curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt

then I reboot

syno-letsencrypt renew-all

 

(the last command did not give any error line (as before)

I hope the Let's Encrypt certificate will update automatically; the DSM interface does not show anything new)

I will reboot tomorrow to see if it helps, the HDDs are under RAID5 parity checks

 

 

 

1 hour ago, hubogoss62 said:


sudo -i

mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak1

curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem 

curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt

then I reboot

syno-letsencrypt renew-all


Why do you replace the cert twice? 

On 10/12/2021 at 6:17 PM, Mustyone said:

Let's Encrypt's root certificate expired on October 1, 2021, which causes the cert renewal or creation to fail with the message "No response from destination server. Please try again later."


Thank you so very much! Worked like a charm :)

On 10/31/2021 at 2:08 AM, MiracleYueYue said:

Just with one command and everything will be done for you... 

Reminder: your machine will restart after executing this command

 

sudo sh -c 'cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot'

 

Quick and Easy, thanks a lot!

On 10/31/2021 at 2:08 AM, MiracleYueYue said:

Just with one command and everything will be done for you... 

Reminder: your machine will restart after executing this command

 

sudo sh -c 'cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot'

 

You made my Day ! Thanks !

On 10/31/2021 at 2:08 AM, MiracleYueYue said:

Just with one command and everything will be done for you... 

Reminder: your machine will restart after executing this command

 

sudo sh -c 'cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot'

 

First of all, thanks for the information.
I'm on 6.2.3 and today my certificate expires; I used the command but it doesn't work, I have ports 80 and 443.
Do you know why it could be?
Thank you
