Mustyone Posted October 12, 2021

Let's Encrypt's root certificate expired on October 1, 2021, which causes the cert renewal or creation to fail with the message "No response from destination server. Please try again later." To fix it, follow the instructions below, which worked for me on my Xpenology box running DSM 6.2.2-24922.

1. Download the root cert from the Let's Encrypt website: https://letsencrypt.org/certificates/
   a. Download the active root cert “Pem” file,
   b. Open it with a text editor and copy the cert.
2. Log into the Synology box via ssh.
3. Back up the CA cert file: cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG
4. Edit the CA cert file: sudo vi /etc/ssl/certs/ca-certificates.crt
5. “ESC” “G” to go to the end of the file
6. “o” to insert a new line
7. Paste the new cert into the file.
8. “ESC”, “w”, “q”, “!” to save and close.

This will update the root CA cert and should allow you to install or renew Let's Encrypt certificates now.

Dingo Posted October 13, 2021

Thank you for your instructions. But how do I install or renew Let's Encrypt certificates? I can import certificate files from Let's Encrypt, but how do I generate/get/find the correct private key?

haydibe Posted October 13, 2021 (edited)

Can be scripted, see: note: the "add certificates to ca-certificates" part is relevant.

@Dingo Generate the new certificates using the UI. Then execute this script to detect which folder holds the files for that particular certificate:

    domain=the-domain-the-certificate-is-issued-for.com

    # Walk every certificate folder DSM keeps and report the one whose
    # cert.pem carries the domain as a DNS subject alternative name.
    for current_domain_cert in /usr/syno/etc/certificate/_archive/*; do
        if [ -d "${current_domain_cert}" ] && [ -f "${current_domain_cert}/cert.pem" ]; then
            if openssl x509 -in "${current_domain_cert}/cert.pem" -noout -text | grep -q "DNS:${domain}"; then
                echo "certificate for ${domain} found in ${current_domain_cert}"
            fi
        fi
    done

Edited October 13, 2021 by haydibe

Dingo Posted October 14, 2021 (edited)

Thank you! I tried to run your script. It ran fine except the cat command, which failed with "Permission denied", even with sudo. Not sure how to run the for loop. Can it be copied and pasted (right click) into ssh (I'm using Putty on Windows)?

My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center. My SABnzbd is also failing with "Server news.usenetserver.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]"

It would be great if someone could post a step-by-step guide on how to resolve the issue with community packages and SABnzbd. I'm using DSM 6.2.3-25426 Update 3.

Edited October 14, 2021 by Dingo

haydibe Posted October 14, 2021 (edited)

Good catch, both scripts assume that you run them as root. Copy/paste should work.

2 hours ago, Dingo said:
My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center.

The problem consists of two factors: 1) the certificates themselves (fixed by the script in the first link if run as root), 2) an openssl library that is able to handle the algorithms used by the newly issued Letsencrypt certificates, which at least requires openssl libraries v1.1.0 - DSM6.2.3u3 has 1.0.2-k. Sorry to disappoint -> there is no way to fix this, except Synology fixes it.

Edited October 14, 2021 by haydibe

Dingo Posted October 15, 2021 (edited)

Thanks for your reply! It explains very well why things are not working. I will try to run your script as root (if I can find the correct password).

I see that Let's Encrypt issues are on the fix list for Version: 6.2.4-25556 Update 2 (number 10 under Fixed Issues - I hope this will fix the issue). https://www.synology.com/en-global/releaseNote/DSM?model=DS3615xs#6_2

We will have to wait and see if someone in this community can get this update successfully installed and working.

Edited October 15, 2021 by Dingo

haydibe Posted October 15, 2021

Please do NOT update to 6.2.4 or greater with any of Jun's bootloaders -> it is not going to work. You either have to use redpill in its current state, which is kind of beta-ish and is aimed toward advanced users and developers skilled in linux. I would advise non-advanced users to wait until the beta is official and the approach to build a bootloader image is beginner friendly.

naasking Posted October 19, 2021

Quote:
You either have to use redpill in its current state, which is kind of beta-ish and is aimed toward advanced users and developers skilled in linux

Presumably the certificate feature on DSM is using some programs like curl to download and validate the certificates. Is it possible to just build new statically linked versions of these tools and replace the stock binaries just to get Let's Encrypt certificates working again on older DSM versions?

haydibe Posted October 23, 2021 (edited)

I doubt that replacing curl with a statically compiled version will solve many issues, other than maybe with custom scripts that depend on curl. You can download prebuilt statically compiled curl binaries from github right away and test them... Without having identified what exact dependency an affected application requires, it is hard to figure out what needs to be replaced.

All 3rd party spk packages should come with updated versions of openssl - but those are private to the package. Is it safe to replace the system libraries with those of the packages? I highly doubt that...

What might be worth investigating is replacing the runtime environment that serves the DSM UI: I guess nginx could be replaced with a statically compiled version, but what about synocgid - one of both must be responsible for executing the package manager's certificate checks...

If you feel bold, you can download this cli tool to check the dependencies of a binary:

    wget -L https://github.com/haampie/libtree/releases/download/v2.0.0/libtree_x86_64
    chmod +x libtree_x86_64
    # example usage:
    ./libtree_x86_64 $(which curl)

It will provide an output like this on DSM6.2.3u3:

Quote:
    haydibe@dsm:~$ ./libtree_x86_64 $(which curl)
    curl
    └── libcurl.so.4 [default paths]
        ├── libcares.so.2 [default paths]
        ├── libnghttp2.so.14 [default paths]
        ├── libssh2.so.1 [default paths]
        │   ├── libssl.so.1.0.0 [default paths]
        │   │   └── libcrypto.so.1.0.0 [default paths]
        │   └── libcrypto.so.1.0.0 (collapsed) [default paths]
        ├── libssl.so.1.0.0 (collapsed) [default paths]
        ├── libcrypto.so.1.0.0 (collapsed) [default paths]
        ├── liblber-2.4.so.2 [default paths]
        │   ├── libsasl2.so.3 [default paths]
        │   ├── libcrypto.so.1.0.0 (collapsed) [default paths]
        │   ├── libssl.so.1.0.0 (collapsed) [default paths]
        │   ├── libsynocore.so.6 [default paths]
        │   └── libsynosdk.so.6 [default paths]
        ├── libldap-2.4.so.2 [default paths]
        │   ├── liblber-2.4.so.2 (collapsed) [default paths]
        │   ├── libsynocore.so.6 (collapsed) [default paths]
        │   ├── libsynosdk.so.6 (collapsed) [default paths]
        │   ├── libsasl2.so.3 (collapsed) [default paths]
        │   ├── libssl.so.1.0.0 (collapsed) [default paths]
        │   └── libcrypto.so.1.0.0 (collapsed) [default paths]
        └── libsynoproxy.so.6 [default paths]

Edited October 23, 2021 by haydibe

merve04 Posted October 24, 2021 (edited)

On 10/14/2021 at 12:59 PM, Dingo said:
My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center. My SABnzbd is also failing with "Server news.usenetserver.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]" It would be great if someone could post a step-by-step guide on how to resolve the issue with community packages and SABnzbd. I'm using DSM 6.2.3-25426 Update 3

ssh into your dsm, once logged in paste this script:

    sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem

your synocommunity packages will work again.

Edited October 24, 2021 by merve04

haydibe Posted October 25, 2021 (edited)

I don't understand WHY it works, but apparently it does! The Synocommunity repository can be added/accessed from the ui by replacing /etc/ssl/certs/ca-certificates.crt with the most recent file from https://curl.se/ca/cacert.pem.

update: So apparently the explanation is that the older openssl libs require ALL certificate chains they verify to be valid, while newer openssl libs (> v1.1.0) only require at least one certificate chain they verify to be valid.

What's the difference with the cacert.pem of curl.se? Unlike the Synology cacert.pem's (regardless whether dsm 6.x or current 7.x), it does not include the expired CA. Thus, the verification that led to an invalid chain due to the expired CA certificate is not included.

So after all it was not the algorithms that LE used to sign the certificates, but rather suffering from an openssl implementation detail in combination with outdated CA's.

Edited October 25, 2021 by haydibe

MiracleYueYue Posted October 31, 2021 (edited)

Just with one command and everything will be done for you... Reminder: your machine will restart after executing this command

    sudo -i
    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

Edited October 31, 2021 by MiracleYueYue

dimi01234 Posted November 3, 2021

On 31/10/2021 at 2:08, MiracleYueYue said:
Just with one command and everything will be done for you... Reminder: your machine will restart after executing this command

Hello, good evening. Could you help me? I can't get it to work; it tells me it can't find the directory.

Dingo Posted November 3, 2021

On 10/24/2021 at 7:37 PM, merve04 said:
ssh into your dsm, once logged in paste this script:
    sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem
your synocommunity packages will work again.

Thank you so much for this easy fix for the SynoCommunity! It worked great!

NooL Posted November 3, 2021

What's the difference between the https://curl.se/ca/cacert.pem that @merve04 references and the https://letsencrypt.org/certs/isrgrootx1.pem that @MiracleYueYue uses? Thanks

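A check that follows from haydibe's October 25 explanation (the bundle DSM ships still carries the expired CA) and that also answers the practical side of NooL's question above: list what a PEM bundle such as /etc/ssl/certs/ca-certificates.crt, the saved .ORIG/.bak copy, the curl.se cacert.pem or the single isrgrootx1.pem actually contains, with each certificate's notAfter date, and flag the entries that are already expired or about to expire. This is an added example written for this page, not a script posted in the thread; it assumes only openssl (DSM 6.2.3's 1.0.2k already has -checkend, -enddate and -subject) and awk. The function names audit_bundle and count_flagged are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PEM CA bundle for expired or
# soon-expiring certificates. Assumes only openssl and awk are available.

# audit_bundle BUNDLE [HORIZON_SECONDS]
# Prints one line per certificate: STATUS<TAB>notAfter<TAB>subject
# STATUS is OK, or EXPIRING when the certificate has already expired or will
# expire within HORIZON seconds (default 0 = flag only expired certificates).
audit_bundle() {
    bundle=$1
    horizon=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 2; }
    dir=$(mktemp -d) || return 2
    # Split the bundle: every BEGIN..END CERTIFICATE block goes to its own file,
    # text between blocks (comments, headers) is dropped.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%05d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # sed strips "subject=" / "subject= " so 1.0.2 and 1.1.1+ output look alike
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null | sed 's/^subject= *//')
        notafter=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        # -checkend exits 0 only if the cert is still valid HORIZON seconds from now
        if openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRING
        fi
        printf '%s\t%s\t%s\n' "$status" "$notafter" "$subject"
    done
    rm -rf "$dir"
}

# count_flagged BUNDLE [HORIZON_SECONDS]: number of EXPIRING entries in the bundle
count_flagged() {
    audit_bundle "$1" "${2:-0}" | grep -c '^EXPIRING' || true
}

# Usage on a DSM box (as root), comparing the saved copy with the replacement:
#   audit_bundle /etc/ssl/certs/ca-certificates.crt.ORIG | grep '^EXPIRING'
#   audit_bundle /etc/ssl/certs/ca-certificates.crt 2592000   # also flag anything expiring within 30 days
```

Run it against the .ORIG or .bak copy that the thread's commands leave behind and against the replacement bundle: the expired root the thread is about shows up as an EXPIRING line in the first and is absent from the second, while a single-certificate file such as isrgrootx1.pem produces exactly one OK line. The 30-day horizon is the same "expires soon" notion a monitoring job would use, so the function can be run from a scheduled task rather than only once during this repair.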
hubogoss62 Posted November 8, 2021

Dear all! Thanks a lot for the command lines. I've used those command lines and they solved my issue adding the synocommunity package to package center:

    sudo -i
    mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak1
    curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem
    curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt

then I reboot

    syno-letsencrypt renew-all

(the last command did not produce any error line (as before); I hope the let's encrypt certificate will update automatically, the DSM interface does not show anything new)

I will reboot tomorrow to see if it helps, the HDDs are under RAID5 parity checks.

NooL Posted November 8, 2021

1 hour ago, hubogoss62 said:
Dear all! Thanks a lot for the command lines. I've used those command lines and they solved my issue adding the synocommunity package to package center:
    sudo -i
    mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak1
    curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem
    curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt
then I reboot
    syno-letsencrypt renew-all
(the last command did not produce any error line (as before); I hope the let's encrypt certificate will update automatically, the DSM interface does not show anything new) I will reboot tomorrow to see if it helps, the HDDs are under RAID5 parity checks.

Why do you replace the cert twice?

siang Posted November 23, 2021

On 10/25/2021 at 3:37 AM, merve04 said:
ssh into your dsm, once logged in paste this script:
    sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem
your synocommunity packages will work again.

This one works for me, you guys are amazing!

OldSmurf Posted November 24, 2021

On 10/12/2021 at 6:17 PM, Mustyone said:
Let's Encrypt's root certificate expired on October 1, 2021, which causes the cert renewal or creation to fail with the message "No response from destination server. Please try again later." To fix it, follow the instructions below, which worked for me on my Xpenology box running DSM 6.2.2-24922.
1. Download the root cert from the Let's Encrypt website: https://letsencrypt.org/certificates/
   a. Download the active root cert “Pem” file,
   b. Open it with a text editor and copy the cert.
2. Log into the Synology box via ssh.
3. Back up the CA cert file: cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG
4. Edit the CA cert file: sudo vi /etc/ssl/certs/ca-certificates.crt
5. “ESC” “G” to go to the end of the file
6. “o” to insert a new line
7. Paste the new cert into the file.
8. “ESC”, “w”, “q”, “!” to save and close.
This will update the root CA cert and should allow you to install or renew Let's Encrypt certificates now.

Thank you so very much! Worked like a charm :)

haldi Posted December 3, 2021

On 10/31/2021 at 2:08 AM, MiracleYueYue said:
Just with one command and everything will be done for you... Reminder: your machine will restart after executing this command
    sudo -i
    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

Quick and easy, thanks a lot!

nico38 Posted December 18, 2021

Does it work for v6.1.4-15217? I followed the instructions, but after a reboot I still get the message "No response from destination server. Please try again later."

Firewall and ports 80 & 443 open
PiHole disabled
DNS: 8.8.8.8

Thank you

thezepter Posted February 18, 2022

On 10/31/2021 at 2:08 AM, MiracleYueYue said:
Just with one command and everything will be done for you... Reminder: your machine will restart after executing this command
    sudo -i
    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

You made my day! Thanks!

moretty Posted March 31, 2022

On 10/31/2021 at 2:08 AM, MiracleYueYue said:
Just with one command and everything will be done for you... Reminder: your machine will restart after executing this command
    sudo -i
    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

First of all, thanks for the information. I'm on 6.2.3 and today my certificate expires. I used the command but it doesn't work; I have ports 80 and 443 open. Do you know why it could be? Thank you

Ngo Quang Dao Posted July 13, 2022

On 10/31/2021 at 7:08 AM, MiracleYueYue said:
Just with one command and everything will be done for you... Reminder: your machine will restart after executing this command
    sudo -i
    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

Awesome! 🤩

Mentat Posted January 28 (edited)

I have had DSM 6.2.3 on an HP Microserver Gen8 for some time and I change the Let's Encrypt certificate every few months. The story dates from 2021, but now it hit me, in 2023!

I've tried both versions:

    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt

and

    sudo -i
    mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak1
    curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem
    curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt

Then reboot, but nothing works. Plus, I've tried to use wget to check a Let's Encrypt site and I still get errors:

Quote:
    wget www.xxxxxx
    ERROR: cannot verify www.cakerevolution.ro's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':

Edited January 28 by Mentat
