Can't create certificate

Moderator: Lillian.W@AST

DrMartinus
Posts: 34
Joined: Thu Jun 29, 2017 5:07 pm

Can't create certificate

Post by DrMartinus »

Hi, today I was told that my certificate had expired and I couldn't connect to my domain (which I had established with a DDNS service). For two years or so this worked fine with automatic renewal. I do not know why my Asustor NAS stopped doing this. I checked the settings, it was still set to automatic renewal. Nothing else had changed except for the ADM, which was automatically updated.
So I tried a manual renewal, no luck. Then I realized that Let's Encrypt probably needs access via port 80, because the certificate was expired and the connection would be refused because of that. So I disabled the forced https access in the ADM, but I still get a message like:

my.do.main is invalid. Please make sure that a connection can be established via port 80. (Ref. 5056)
The wording may not be the original, since I translated the message from German. But I'm sure you get the meaning. "my.do.main" is of course not the real domain name. I disabled the https access in the Web Center. Would I have to do it somewhere else? The DDNS domain service seems to work fine, in the ADM settings I see that it is ok. But when I try to open the web page with Firefox using http: (port 80) it always switches to https: and reports that it can't connect. So what can be wrong? I'm completely clueless on this.
Asustor AS6104T
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Can't create certificate

Post by Nazar78 »

Check if your DDNS is actually pointing to your public IP. I just noticed I have an issue after an IP update, still looking into it: the ADM shows the DDNS is updated, but the lookup fails, still pointing to my old IPs for both IPv4 and IPv6.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
DrMartinus
Posts: 34
Joined: Thu Jun 29, 2017 5:07 pm

Re: Can't create certificate

Post by DrMartinus »

From all I can see, the IP address is correct. I still can't connect to the domain via http, only via https, which tells me that it cannot connect.
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Can't create certificate

Post by Nazar78 »

From what I see, if you use myasustor DDNS, it will use the DNS API method, a sort of domain TXT record update. But if you use another DDNS provider, it requires the HTTP web token method, where the token will be temporarily placed and served in /usr/builtin/etc/certificate/letsencrypt/.well-known/acme-challenge/<token> (Edited: symlinked to) /share/Web/.well-known/acme-challenge/<token>. The process will fail if it cannot reach this URL on your NAS port 80, http://your-ddns.com/.well-known/acme-challenge/<token>.

If you have another web server that takes over port 80, the process will fail. This could be anywhere, from the NAS itself (misconfigured web server) to your router (admin page on port 80, or port 80 forwarding from either manual or UPnP rules). Take a look at the last few lines of this log for hints: /usr/local/AppCentral/letsencrypt/.CertBot/log/letsencrypt.log.
Last edited by Nazar78 on Wed Feb 01, 2023 2:00 am, edited 1 time in total.
DrMartinus
Posts: 34
Joined: Thu Jun 29, 2017 5:07 pm

Re: Can't create certificate

Post by DrMartinus »

Thank you for taking time to look into this.
Nazar78 wrote:From what I see, if you use myasustor DDNS, it will use DNS API method, sort of domain TXT records update. But if you use other DDNS provider, it requires HTTP web token method, which the token will be temporarily placed and served in /usr/builtin/etc/certificate/letsencrypt/.well-known/acme-challenge/<token> or /share/Web/.well-known/acme-challenge/<token>. The process will fail if it cannot reach this URL on your NAS port 80, http://your-ddns.com/.well-known/acme-challenge/<token>.
No, it's not myasustor DDNS. It's a service from within my country. I had the API issue some while ago, but solved that - the DDNS provides API tokens. Actually, ADM didn't connect to the DDNS otherwise. However, I now checked the locations, there is no token in /usr/builtin/etc/certificate/letsencrypt/.well-known/acme-challenge/ and the folder /share/Web/.well-known does not exist. So I guess this may be the problem. But how to solve it?
Nazar78 wrote:If you have another web server that overwrites the port 80, the process will fail. This could be anywhere, from the NAS itself (misconfigured web server) or your router (admin page on port 80 or port 80 forwarding from either manual or UPnP). Take a look at the last few lines of this log for hints: /usr/local/AppCentral/letsencrypt/.CertBot/log/letsencrypt.log.
No, there is only one web server running, that's the NAS's one. The CertBot log says it cannot reach the domain: SERVFAIL looking up AAAA for my.do.main - the domain's nameserver may be malfunctioning.
These things are a bit confusing for me. I hope you can help me through it. Unfortunately, I cannot copy text from the log (I use PuTTY, and somehow copying to the clipboard just doesn't work), so I have to retype it here and keep it as short as possible...

Just one more piece of info: on the dashboard of that DDNS provider it says that the last update was 15 days ago. I do not really know if this refers to the last connection from the NAS. The NAS is set to check every 30 minutes, it reports that everything is fine, and the IP address shown in the ADM and on the DDNS dashboard is the same one I get when I look up my own IP address from my desktop.
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Can't create certificate

Post by Nazar78 »

DrMartinus wrote:No, it's not myasustor DDNS. It's a service from within my country. I had the API issue some while ago, but solved that - the DDNS provides API tokens. Actually, ADM didn't connect to the DDNS otherwise.
Who is your DDNS provider? This could mean the IP update actually failed or something, hence the process won't work.
DrMartinus wrote:However, I now checked the locations, there is no token in /usr/builtin/etc/certificate/letsencrypt/.well-known/acme-challenge/ and the folder /share/Web/.well-known does not exist.
As mentioned, this token is temporarily created and then removed. That shouldn't be why it failed.
DrMartinus wrote:No, there is only one webserver running, that's the NAS' one. The CertBot log says it cannot reach the domain: SERVFAIL looking up AAAA for my.do.main - the domain's nameserver may be malfunctioning.
AAAA records are IPv6, as opposed to A records, which are IPv4. Do you have IPv6? Do an nslookup for your DDNS on both your router DNS and Google DNS 8.8.8.8. Are both the IPs (IPv4/6) correct?
DrMartinus wrote:Unfortunately, I cannot copy text from the log (I use Putty, and somehow copying to the clipboard just doesn't work), so I have to rewrite it here and keep it as short as possible...
Right click on the title bar, then Copy All to Clipboard.

As far as I know, Let's Encrypt will favor IPv4 over IPv6. The way both work is also different, in terms of setting up port 80. Your error log states it seems to be using IPv6, which is strange. I have dual stack, both IPv4 and IPv6, with different setups on my chroot Nginx. If you don't need IPv6, try disabling the IPv6 option in ADM > Settings > Network and see if it helps.

I can quickly determine the issue, but it's quite tough for me to help you troubleshoot unless it's in front of me. The main thing is you need to ensure you can reach your NAS's port 80 via the DDNS. Turn on your Web Server (Apache) on port 80. Then try `curl -Iv your-ddns.com/locale/en-US.js` and see what the reply is. That 'I' is a capital i. You should see some headers stating Server: Apache and Content-Type: application/javascript. Also take note of its resolved IP, IPv6 or IPv4.
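A pre-flight check for the HTTP-01 flow Nazar78 describes (token file under the web root, fetched over port 80) and for the nslookup/curl diagnosis in his later post, as an added example that is not part of the thread, of ADM or of certbot. It assumes the web root /share/Web from the thread, writes a constructed token there, and refuses to follow redirects, so a forced-https redirect shows up as an HTTP error instead of silently "working"; the DDNS name and optionally the expected public IP are taken from the command line.

```python
"""HTTP-01 pre-flight probe for a NAS (added example, not ADM's or certbot's own code)."""
import secrets, socket, sys, urllib.error, urllib.request
from pathlib import Path
CHALLENGE_DIR = ".well-known/acme-challenge"  # relative to the web root, /share/Web here

def challenge_url(domain, token):
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"  # plain http on port 80, never https

def resolve(domain, family):  # A (AF_INET) or AAAA (AF_INET6) records, [] on failure
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(domain, 80, family)})
    except socket.gaierror:
        return []

def diagnose(a_records, aaaa_records, public_ip, ipv6_enabled):
    """DNS-side reasons the validator might not reach the NAS (pure, testable)."""
    hints = []
    if not a_records:
        hints.append("no A record: DDNS update may have failed")
    elif public_ip and public_ip not in a_records:
        hints.append(f"A record {a_records} does not match public IP {public_ip}")
    if aaaa_records and not ipv6_enabled:
        hints.append("AAAA record published but IPv6 disabled on the NAS")
    return hints

def check_body(status, body, token):
    """The validator expects HTTP 200 and the exact token file contents."""
    return status == 200 and body.strip() == token

class NoRedirect(urllib.request.HTTPRedirectHandler):
    redirect_request = lambda self, *a, **k: None  # redirects (forced https) become errors

def run_probe(domain, public_ip=None, webroot="/share/Web", ipv6_enabled=False):
    token = secrets.token_urlsafe(16)  # constructed test token, removed again below
    path = Path(webroot, CHALLENGE_DIR, token)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    try:
        for h in diagnose(resolve(domain, socket.AF_INET),
                          resolve(domain, socket.AF_INET6), public_ip, ipv6_enabled):
            print("hint:", h)
        try:
            r = urllib.request.build_opener(NoRedirect()).open(
                challenge_url(domain, token), timeout=10)
            print("Server:", r.headers.get("Server"), "| token served:",
                  check_body(r.status, r.read().decode(), token))
        except urllib.error.HTTPError as e:
            print(f"HTTP {e.code}; Location: {e.headers.get('Location')}")
    finally:
        path.unlink()
if __name__ == "__main__": run_probe(*sys.argv[1:3])
```

Run it on the NAS itself as `python3 probe.py my.do.main xx.xx.xx.xx`; a printed Location header pointing at https, a Server header that is not the NAS's web server, or an A record that differs from the public IP each points at one of the causes discussed in this thread.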
DrMartinus
Posts: 34
Joined: Thu Jun 29, 2017 5:07 pm

Re: Can't create certificate

Post by DrMartinus »

Sorry for not replying earlier, some other things kept me busy.

Here is the output of curl (I changed my domain name to "my.do.main" and the IP address to "xx.xx.xx.xx"):

curl -Iv my.do.main/locale/en-US.js
*   Trying xx.xx.xx.xx:80...
* Connected to my.do.main (xx.xx.xx.xx) port 80 (#0)
> HEAD /locale/en-US.js HTTP/1.1
> Host: my.do.main
> User-Agent: curl/7.87.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Tue, 31 Jan 2023 09:54:07 GMT
Date: Tue, 31 Jan 2023 09:54:07 GMT
< Content-Type: application/javascript; charset=utf-8
Content-Type: application/javascript; charset=utf-8
< Content-Length: 347
Content-Length: 347
< Last-Modified: Thu, 15 Apr 2021 06:45:35 GMT
Last-Modified: Thu, 15 Apr 2021 06:45:35 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "6077e10f-15b"
ETag: "6077e10f-15b"
< Accept-Ranges: bytes
Accept-Ranges: bytes

< 
* Connection #0 to host my.do.main left intact
IPv6 is disabled and was always disabled.
The IP address derived by curl is the same as shown in the NAS settings. So it should work, but it doesn't. I just tried.
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Can't create certificate

Post by Nazar78 »

From what I see, Let's Encrypt uses Apache to serve the challenge token, however your output shows Nginx. Usually this should be fine, because the challenge token is placed in '/volume1/Web/' (see my previous edit about this path being symlinked), where both Apache and Nginx share the same webroot, but if the permissions are not correct, the server won't be able to read this path.

I'm not sure, as I can't test; my port 80 (via a custom nginx chroot) is currently being used for APIs/Apps/Websites, but you can try switching the Web Server from Nginx to Apache and see if it helps. Also do note this works even if the Web Server is not running; apparently the process will trigger the Apache server during the procedure.
DrMartinus
Posts: 34
Joined: Thu Jun 29, 2017 5:07 pm

Re: Can't create certificate

Post by DrMartinus »

Well, I had Apache running before, and after I noticed that the certificate wasn't updated automatically any longer and I couldn't install a new one manually, I switched to nginx in the hope that would help. It didn't. I have now switched back to Apache, but still the same problem. It just times out, and I cannot access the website domain, because it always switches to https automatically, even though I have disabled forcing https. I restarted the NAS, but that didn't help either.
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: Can't create certificate

Post by Nazar78 »

Is your ADM port the default http:8000/https:8001? If not, try reverting them back to the defaults.

Without troubleshooting your NAS directly I can only assume the DDNS actually points to a different location, hence this issue, albeit the curl test you did earlier seems to point to the proper NAS path.

I suggest letting someone look into your issue, e.g. by opening a ticket with Asustor Support. I can assist, but we're probably in two very different time zones.