How to update Lets Encrypt Root Certificate



Let's Encrypt's root certificate expired on October 1, 2021, which causes the cert renewal or creation to fail with the message "No response from destination server. Please try again later."

 

To fix it, follow the instructions below, which worked for me on my Xpenology box running DSM 6.2.2-24922:

 

1.      Download root cert from LetsEncrypt website: https://letsencrypt.org/certificates/

a.      Download Active Root Cert “Pem” file,

b.      Open with text editor, and copy cert

2.      Log into the Synology box via ssh

3.      Back up CA cert file: cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG

4.      Edit CA cert file : sudo vi /etc/ssl/certs/ca-certificates.crt

5.      “ESC” “G” to go to end of file

6.      “o” to insert new line

7.      Paste new cert into file.

8.      “ESC”, “w”, “q”, “!” to save and close.

 

This will update the root CA cert and should allow you to now install or renew Let's Encrypt certificates.

 

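As an added example (not from the thread), the append step from the post above done so it can be rerun safely: it backs up the bundle to the same .ORIG name, refuses input that is not exactly one PEM certificate block, and skips the append when a certificate with the same SHA-256 fingerprint is already in the bundle. It assumes Python is available on the box; the certificate blocks in demo() are constructed placeholders, not real certificates.

```python
"""Append a root CA to a PEM bundle only if it is not already there (hypothetical helper)."""
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_bodies(text):
    """Base64 body of every CERTIFICATE block in a PEM bundle, in file order."""
    return PEM_RE.findall(text)


def fingerprint(body):
    """SHA-256 over the DER bytes, the value 'openssl x509 -noout -fingerprint -sha256' prints."""
    der = base64.b64decode("".join(body.split()), validate=True)  # rejects malformed base64
    return hashlib.sha256(der).hexdigest()


def add_root_to_bundle(bundle_path, new_cert_pem):
    """Append new_cert_pem to the bundle unless a cert with the same fingerprint is present.
    Backs up to <bundle>.ORIG first (the name the post uses). Returns (fingerprint, appended)."""
    bodies = pem_bodies(new_cert_pem)
    if len(bodies) != 1:
        raise ValueError("expected exactly one CERTIFICATE block in the downloaded file")
    new_fp = fingerprint(bodies[0])
    bundle = Path(bundle_path)
    text = bundle.read_text()
    if new_fp in {fingerprint(b) for b in pem_bodies(text)}:
        return new_fp, False                      # already trusted: nothing to do
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".ORIG"))
    with bundle.open("a") as fh:                  # start the new block on its own line
        sep = "" if (not text or text.endswith("\n")) else "\n"
        fh.write(sep + new_cert_pem.strip() + "\n")
    return new_fp, True


def fake_cert(label):
    """Constructed placeholder: valid PEM framing, but NOT a real X.509 certificate."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def demo():
    """Append the same constructed root twice to a temp bundle; the second run must be a no-op."""
    bundle = Path(tempfile.mkdtemp()) / "ca-certificates.crt"
    bundle.write_text(fake_cert("existing-root-1") + fake_cert("existing-root-2"))
    new_root = fake_cert("new-isrg-root")
    fp1, added1 = add_root_to_bundle(bundle, new_root)
    fp2, added2 = add_root_to_bundle(bundle, new_root)
    return added1, added2, fp1 == fp2, len(pem_bodies(bundle.read_text()))
```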

Can be scripted, see: 

note: the "add certificates to ca-certificates" part is relevant.

 

@Dingo Generate the new certificates using the UI. Then execute this script to detect which folder holds the files for that particular certificate:

#!/bin/sh
# Run as root. Prints the _archive folder whose cert.pem covers ${domain}.
domain=the-domain-the-certificate-is-issued-for.com
for current_domain_cert in /usr/syno/etc/certificate/_archive/*; do
    if [ -d "${current_domain_cert}" ] && [ -f "${current_domain_cert}/cert.pem" ]; then
        # look for the domain in the certificate's Subject Alternative Name list
        if openssl x509 -in "${current_domain_cert}/cert.pem" -noout -text | grep -q "DNS:${domain}"; then
            echo "certificate for ${domain} found in ${current_domain_cert}"
        fi
    fi
done

 

Edited by haydibe

Thank you!

 

I tried to run your script. It ran fine except the cat command which failed with "Permission denied", even with sudo.

Not sure how to run the for loop. Can it be copy and pasted (right click) into ssh (I'm using Putty on Windows)?

 

My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center.

My SABnzbd is also failing with "Server news.usenetserver.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]"

 

It would be great if someone could post a step-by-step guide on how to resolve the issue with community packages and SABnzbd.

 

I'm using DSM 6.2.3-25426 Update 3

 

Edited by Dingo

Good catch, both scripts assume that you run them as root. Copy/paste should work.

 

2 hours ago, Dingo said:

My goal is to get the community packages working/available (http://packages.synocommunity.com/) in Package Center.

 

The problem consists of two factors: 1) the certificates themselves (fixed by the script in the first link if run as root), 2) an openssl library that is able to handle the algorithms used by the newly issued Let's Encrypt certificates, which requires at least openssl libraries v1.1.0 - DSM6.2.3u3 has 1.0.2-k. Sorry to disappoint -> there is no way to fix this, except Synology fixes it.


Edited by haydibe

Thanks for your reply! It explains very well why things are not working.

I will try to run your script as root (If I can find the correct password).

 

I see that Let's Encrypt issues are on the fix list for Version: 6.2.4-25556 Update 2 (number 10 under Fixed Issues - I hope this will fix the issue).

https://www.synology.com/en-global/releaseNote/DSM?model=DS3615xs#6_2

 

We will have to wait and see if someone in this community can get this update successfully installed and working.

Edited by Dingo

Please do NOT update to 6.2.4 or greater with any of Jun's bootloader -> it is not going to work.

 

You either have to use redpill in its current state, which is kind of beta-ish and is aimed toward advanced users and developers skilled in Linux.

I would advise non-advanced users to wait until the beta is official and the approach to build a bootloader image is beginner friendly.
